Secure, appropriate, and ethical use of data is critical to the effective, meaningful use of data—and states’ policies, practices, and communications must reflect the moral and legal responsibility to protect data. In doing so, states will ensure the privacy and confidentiality of students’ personally identifiable information, mitigate risks related to the intentional and unintentional misuse of data, and ensure clarity of roles and responsibilities around data use.

Take Action: Policy, Stewardship, Transparency, Capacity, and Communication

Education stakeholders at every level have the responsibility to safeguard student data. Policymakers and district and school leaders should create and implement policies to minimize risk and protect privacy, security, and confidentiality while maximizing effective data use to improve student achievement. Parents, educators, and other members of the public must ask their education leaders questions such as these to ensure they get value from the data collected:

  • Why do data need to be collected, by whom, and for what purposes?
  • What policies and practices govern how data are collected, stored, shared, accessed, retained, and used?
  • Which of the best practices and policies around security (including those from other industries and sectors) is my state using to ensure sensitive information is secure?

The state plays a critical role in developing, enforcing, and communicating the policies that supplement FERPA and other federal laws to protect the privacy, security, and confidentiality of student data. Keeping student data secure is not just an IT issue. State policymakers need to understand their role and implement policy mechanisms to ensure that quality data are used while keeping sensitive information secure. In addition, policymakers need to communicate with parents and other members of the public about the value of education data and how states and districts are protecting the data they collect.


Create Policies to Ensure Security: Ensure the state implements student privacy and data security policies to supplement federal laws. Most states have laws around data security, breach responses, and SSN protection.

Establish Roles for Data Stewardship: Define and clearly communicate the authority, responsibility, and accountability for decisionmaking, management, and security of data that an empowered P–20W data governance body may be responsible for. Communicate as well whether the body is vested with the authority to establish, oversee, and enforce a publicly available privacy policy and security plan. In 2014, nine states have developed formalized, transparent data governance with a clear mission, broad and representative membership, and strong authority and processes.

Ensure Policy Documentation, Transparency, and Enforcement: Education stakeholders must understand federal regulations and guidance, especially FERPA, as well as state- and district-level policies on how to use data for continuous improvement while protecting student data. In addition, it is imperative for states to document laws, policies, and decisions related to data governance and communicate them in an accessible way to stakeholders, including parents, students, agency staff, and the public. The US Department of Education’s Privacy Technical Assistance Center is a one-stop resource for state and local education agencies and the postsecondary community regarding data privacy, confidentiality, and security in education databases. Currently 46 states make data privacy and security policies publically available.

Support Organizational Capacity: Ensure that the state has the capacity and resources to implement and sustain these policies and procedures, including skilled staff and technical system infrastructure.

Communicate with the Public: Ensure that parents and other members of the public receive clear communication about the value of education data to help children succeed, as well as accurate information on how states and districts are protecting the data they collect.