Today the Data Quality Campaign releases Student Data and Consent Policies: Avoiding Unintended Consequences, a new brief with recommendations for policymakers around student data privacy and the role of consent policies.
Federal law grants parents certain rights regarding the data collected on their child by education institutions. The Family Educational Rights and Privacy Act (FERPA) requires parental consent (with a few exceptions) before a student’s personally identifiable information (PII) can be shared. This law also gives parents the right to opt out of having directory information (e.g., name, address, phone number) shared.
But recently many have wondered if parental consent and opt-out provisions need to be broadened and adopted into state and federal policy, as parents have raised serious and legitimate concerns about the nature of student data collection: What is being collected about my child? Who has access to it? What rights do I have to ensure their privacy?
State and federal policymakers have begun to ask about the feasibility of opt-out and consent provisions as they seek to address parent concerns. Though there has been little research done on this topic as it relates to education, the issue is not new for privacy experts in other fields. In an attempt to bridge this gap, the Future of Privacy Forum released a paper this week, Student Data: Trust, Transparency, and the Role of Consent, that examines the implications of expanding parental consent in student information practices. They take an extensive look at current privacy law and how consent is handled in other fields. The authors conclude that “rules around notice and choice must balance individuals’ right to privacy with organizations’ need to collect, use, and share personal information for normal business purposes. . . . Only when student data can be used for noneducational purposes should choice be mandated.”
Requiring parental consent before any party can collect, access, or use student data for instructional, administrative, or assessment and measurement purposes could weaken the quality of the student learning experience, reduce efficiency, and increase workload for teachers and administrators. If it simply isn’t feasible to allow parents to limit the data that schools collect, then what options are available for policymakers as they seek to ensure student privacy? Developed in consultation with our partners, privacy experts, and state and district representatives, DQC has outlined actions that policymakers should take now:
- States and districts should clearly post what type of student data are being collected, who they’re shared with, and how they’re protected on websites so that parents can easily access facts as questions arise.
- Policies should require accountability and transparency through the contract process, including ensuring that contracts articulate what data providers receive, permissible uses of those data, and consequences for violating contract provisions.
- Individuals handling personally identifiable information about students must receive adequate training in how to ensure privacy, security, and confidentiality.
Many of these recommendations are relatively low-lift and can be done quickly, while others will require a little more investment of time and resources.
States and districts have set ambitious goals to ensure that all students graduate college and career ready. These goals can’t be met if policymakers, educators, and families don’t have access to the information they need in order to make good decisions, and data collection alone isn’t sufficient. Policymakers must take action now to establish trust with parents if they are to continue in their efforts to provide stakeholders with high-quality information.