We're physically collecting thousands of data points per student per day," Jose Ferreira, founder and CEO of the education technology company Knewton, announced in 2012 (Upbin, 2012). A few years later, a profile of the company described it as "currently amassing hundreds of millions of bits of data on the learning histories of about 2 million American schoolchildren" (Herold, 2014).
Some may believe that this technology company's practice of amassing so much data is an outlier in the online education space. But in today's world of data-driven learning, testing, ranking, and scoring, Knewton's model is actually the rule. Now more than ever, schools, districts, companies, and government agencies routinely collect an immense amount of personal student data—medical records, behavioral information, online activity (social media use, Internet searches, e-mails), financial data, location information, and more. These records are digitized, used, disclosed, and stored without any meaningful oversight or accountability.
(Sort of) Protecting Student Privacy
Many decades before the ed tech boom, the U.S. Congress enacted the Family Educational Rights and Privacy Act of 1974 (FERPA), which set out meaningful oversight, transparency, and accountability for student records. FERPA prohibits education agencies and institutions from disclosing student records without student consent. Congress passed FERPA because it was keenly aware of the negative lifelong impact that misleading, embarrassing, or inaccurate records could have on students.
FERPA contains certain exceptions that permit education agencies and institutions to disclose student records without student consent. For example, schools are not required to obtain student consent before disclosing records to school officials who have "legitimate education interests" in the records or to researchers who are conducting studies for or on behalf of the school. But these exceptions were narrowly crafted to ensure that students' privacy remained protected. FERPA also grants students the right to access and amend their education records, and it requires schools to maintain an account of certain disclosures of student records.
FERPA is a landmark privacy law designed to provide meaningful safeguards for students' personal records. But over the last decade, the U.S. Department of Education has substantially weakened the student privacy law. In 2008 and 2011, the Education Department promulgated rules that permit schools, districts, universities, and state education departments to disclose student records to third parties without student consent. These parties include, but are not limited to, private companies providing school services (such as e-mail and online learning platforms) and local government agencies, including health and human services agencies. FERPA only regulates how schools, districts, and education departments disclose student records; it does not directly regulate private companies or other outside vendors and agencies. So when the Education Department granted non-FERPA regulated entities access to student information, students lost fundamental federal student privacy protections.
Students and their parents are largely unaware when their student records are disclosed to non-FERPA regulated entities. The 2008 and 2011 regulations leave students' personal records vulnerable to additional disclosures and questionable uses.
Although some parents have looked to the 1998 Children's Online Privacy Protection Act (COPPA) for added protections, COPPA does not combat the larger student privacy issues. COPPA places certain requirements on website operators regarding how the operators must protect the online privacy of children under age 13. COPPA was not enacted to, and generally does not, directly safeguard student records.
Students, parents, and educators are rightfully concerned about student privacy because they recognize that in the current push for big data in education, many fundamental privacy protections have been pushed aside.
What's the Harm?
Real consequences and harms arise from the wholesale collection of student data. Many entities that collect student information repurpose it for nonacademic uses. In 2013, my organization, the Electronic Privacy Information Center (EPIC), filed a complaint with the Federal Trade Commission over the business practices of a company that asked students for sensitive data, including sexual orientation, religion, political affiliation, and medical information. The company claimed it would use the information to provide students with scholarships and financial aid information, but the company didn't inform students that it was disclosing this personal information to its business partner. The business partner in turn sold the student data. At the time we filed our complaint, the business partner compiled data on students' sexual orientations to create a marketing distribution list of lesbian, gay, bisexual, and transgender students that it would sell to interested parties.
There are many other ways in which companies data-mine student records. In a 2013 court case, Google admitted that it read e-mails it had accessed through Google Apps for Education and used the information to serve targeted ads to students. After some public outcry, Google stated that it had made changes so that "Google cannot collect or use student data in Apps for Education services for advertising purposes" (Wong, 2013). Neither the Federal Trade Commission nor the U.S. Education Department investigated Google for its admitted practice of data-mining student e-mails.
Kept in the Dark
The education space has unfortunately joined the retail, medical, and government spheres in the frequency and scale of data breaches. Schools and their contractors are simply not able to protect all the information they collect. From local school districts to big universities, education institutions are under the constant threat of being hacked for student data.
FERPA does not require schools or their contractors to implement specific safeguards to protect student data. As a consequence, students have had their personal information leaked and posted online. Because FERPA does not permit students to sue schools, districts, or any third party, students are left with little recourse when their records are compromised.
Both the U.S. House and Senate have proposed student privacy legislation that would prohibit companies from repurposing student information for targeted advertising and marketing. But some of the biggest harms that students face arise when the data are first collected. Online education platforms collect, store, and digitize not only completed tests, quizzes, and homework, but also essays—in both draft and final form—and students' personal e-mails and online chats sent via the school-sanctioned platforms. This level of student surveillance not only violates student privacy, but also threatens the academic environment of intellectual freedom.
Moreover, the decision-making process behind all the information gathered on students is entirely opaque. It's bad enough for students to lose control of data about objective, clearly defined grading standards, like class attendance, quiz scores, and assignments completed. But even more disturbing is the potential of subjective "universal screening" tools that apply systematic monitoring to assess student social-emotional functioning, labeling students with nebulous terms like "defiant," "disruptive," "anxious," and "shows enthusiasm" (Singer, 2013). This kind of data analysis keeps students in the dark about how they are actually evaluated. As a consequence, students cannot challenge the new automated decision-making processes governing student data.
The Safeguards We Need
Student data collection acts almost like a one-way mirror, in which students see what data they put in, but cannot see how companies and educators on the other side analyze their every move. This information asymmetry creates a power imbalance. Accordingly, the onus to protect student data doesn't rest with students and parents, but rather with the educators, schools, districts, companies, and government agencies to which students and parents have entrusted their information.
In 2014, the Data Quality Campaign and the Consortium for School Networking, which aim to promote effective student data collection, developed a set of ten student data principles. Unfortunately, these principles don't go far enough to safeguard student data. Although they include certain favorable data privacy and security practices—such as only granting access to "minimum student data," disclosing student data only for "legitimate educational purposes," and requiring data security—they don't incorporate other fundamental safeguards, like permitting students to amend inaccurate or misleading information and holding schools and companies accountable for their practices. These safeguards are crucial in today's world of bulk student data, where inaccurate data can have long-lasting negative impacts on a student's life. And above all, accountability and enforcement of any framework is key to ensuring that privacy practices are not simply aspirational.
At the Electronic Privacy Information Center, we have incorporated fundamental safeguards into our Student Privacy Bill of Rights. This framework is based on the well-established Fair Information Practices developed in 1972 by the Health, Education, and Welfare Advisory Committee on Automated Data Systems, which have shaped modern privacy law.
The rights envisioned in the Student Privacy Bill of Rights would rest with parents or legal guardians until the student turns 18 or enters college. The rights would then transfer directly to the student and would apply to former students.
The EPIC Student Privacy Bill of Rights calls on educators, companies, and government agencies to implement and enforce the following practices:
- Access and amendment. Students have the right to access and amend their erroneous, misleading, or otherwise inappropriate records, regardless of who collects or maintains the information.
- Focused collection. Students have the right to reasonably limit what student data ompanies and schools collect and retain.
- Respect for context. Students have the right to expect that companies and schools will collect, use, and disclose student information solely in ways that are compatible with the context in which students provide data.
- Security. Students have the right to secure and responsible data practices.
- Transparency. Students have the right to clear and accessible information privacy and security practices.
- Accountability. Students should have the right to hold schools and private companies handling student data accountable for adhering to the Student Privacy Bill of Rights.
How to Make Privacy a Priority
In light of the U.S. Education Department's failure to adequately protect student data, Congress should enact this framework to restore student privacy rights.
On the local level, educators and school administrators play a vital role in implementing the Student Privacy Bill of Rights and safeguarding student data. For one thing, educators should be wary of so called "freemium" ed tech services. These online platforms offer student services—testing, classroom exercises, e-mail, and so on—ostensibly for free. These "deals" seem almost too good to be true. And in many instances, they are: Reading the privacy policy often reveals that companies offering free platforms disclose student records they collect to nameless (and countless!) third-party affiliates and business parties. These platforms and services may be "free" for the educator, but they come at the price of student privacy.
Next, educators should prioritize privacy enhancing technology. This technology minimizes or eliminates the collection of personal information while still offering services. One example would be an online platform permitting students to practice exercises without having to provide personally identifiable information. Another example would be a company that permits students and educators to download student files and then, after the completion of the course, removes the files from company records. This practice gives students and educators access to the information they need, while substantially decreasing the threat that the company will later use the student records for secondary purposes or that the students' records will be hacked or otherwise breached.
Before collecting student information, educators must also consider the sensitivity of the information. Social Security numbers and medical records are just a few examples of information that, if in the wrong hands, can have grave consequences for students.
Data collection in schools should help students, not hurt them. Lax privacy safeguards and data security practices place students at risk for having their data used against them. Educators must prioritize student privacy to protect today's—and tomorrow's—students.
