Privacy, Trust

Powering Education Improvement and Innovation while Protecting Student Privacy

Powering Education Improvement and Innovation while Protecting Student Privacy

This post is authored by Dan Goldhaber, director of the Center for Education Data & Research, and Aimee Rogstad Guidera, president and CEO of the Data Quality Campaign, as part of the Brookings Institution series Memos to the President on the Future of U.S. Education Policy.

The Situation

The passage of the No Child Left Behind (NCLB) Act in 2001 ushered in a new era of accountability and transparency by requiring that every state report students’ academic proficiency, disaggregated by specific populations. This new reporting requirement, the significant development of longitudinal data systems, and the increase in the use of new technologies in classrooms has led to richer, more robust data on student and school performance. The recently passed Every Student Succeeds Act (ESSA) returns a good deal of accountability authority to the states, but it maintains NCLB’s legacy of using data to illuminate and improve our schools.

The richer data picture has provided opportunities, which were previously impossible, to understand and improve schools and to tailor learning to every student. But data alone are powerless without analyses that can convert them into useful information. More specifically, data are not intrinsically valuable. Without research to turn data into meaningful information, data cannot clarify our understanding of how schools can positively impact student learning. But conducting education research is not a goal unto itself; it is a tool to uncover profound connections and identify solutions to our most pressing problems. And it has transformed our understanding of the connections between teachers, schools, and student learning.

For example, we now know that there is significant within-school variation in the quality of educational experiences students receive, due in large part to the differing effectiveness of teachers. Indeed, while the refrain that “teachers matter” is now common, it is only in the last decade that our concept about the importance of teacher quality has been transformed through research. We also now know that teacher quality tends to be unequally distributed across different student subgroups. This is a key reason that states are now required to develop plans to ensure that disadvantaged students have equitable access to high-quality teachers. Research has also led to interventions that tailor schooling experiences to the needs of individual students. For instance, Massachusetts’ Early Warning Indicator System uses K-12 indicators and outcomes to help identify and support struggling students. Chicago Public Schools has used research to identify trajectories and keep high school freshmen on track to graduation, raising the on-track graduation rate from 57 percent in 2007 to 84 percent in 2013. These examples from Massachusetts and Chicago highlight the fact that the data (combined with the research) themselves present opportunities for interventions designed to improve the lives of students.

But the increased collection, use, and visibility of data about students have raised concerns about how and why they are used, who has access to them, and how student privacy is protected. For many parents and educators, the use of data in education is unfamiliar and its value is unclear leading to the question of “what’s in it for me?” In addition, legitimate privacy concerns in almost every area of public life—from the National Security Agency to Amazon’s purchase recommendations—have spurred new and proposed data privacy laws (discussed below). Many of these laws run the risk of significantly devaluing foundational education data investments, limiting our abilities to conduct research on the policies and practices that impact student learning, and, in some cases, operate schools in productive ways.

While we have not seen the privacy violations in education that we have in other sectors, the fact these data breaches exist in other sectors underscores the need for the next presidential administration to take a proactive approach to ensure that student data are protected. But this must be done in such a way that the dual goals of supporting research and safeguarding data are seen as intertwined and inseparable parts of the effort to improve student achievement and education system performance.

The federal government has played an important role supporting education research and regulating data access—from providing critical funding for building data infrastructure, to creating incentives and mandates to reinforce the role of evidence, to establishing a common foundation for protecting personally identifiable information (PII). The next presidential administration will not be starting from scratch when working to support research and the effective use and protection of student data.

Every state now has a statewide longitudinal data system in large part thanks to close to half a billion dollars in federal grants. The creation of the Institute of Education Sciences, the What Works Clearinghouse, the Investing in Innovation program, and the new ESSA requirement to make intervention decisions based on proven results have all helped to nurture a culture that values research and evidence. And on the regulation side, the education sector’s main law regulating disclosure of student information, Family Education Rights and Privacy Act (FERPA), applies to any agency or institution receiving federal funds from the U.S. government; it prohibits the disclosure of PII to parties other than school administrators or a student’s family except under specific circumstances.

The past two presidential administrations and Congress have taken a number of steps to update privacy protections to keep up with the changes toward a more digital data landscape and to ensure that student data and privacy are safeguarded as data are used to support student learning. For instance, in early 2015 President Obama announced a comprehensive approach to improving cross-sector privacy, including education. More recently, the federal government has increased the capacity of the Department of Education and its Privacy Technical Assistance Center (PTAC) to provide data and privacy guidance to states, districts, and researchers.

However, one specific area of growing concern has to do with two distinct “exceptions” under FERPA that permit much of the education research conducted but are neither as clear nor as simple as they appear. First, FERPA permits the use of individual student-level data so long as the student records are considered “directory information” (guidance for what is typically considered “directory information” is listed in FERPA and is generally understood as information which is not “harmful or an invasion of privacy if disclosed”). The second exception applies to studies that are “for the purpose of: developing, validating, or administering predictive tests; administering student aid programs; or improving instruction.” The studies exception allows PII disclosure but also requires parties to establish a formal written agreement, articulating which PII will be shared and other important details governing the terms of use.

FERPA, however, dates back to 1974, well before much of the data typically included in records today—data on student test scores, race/ethnicity, and disability and poverty status—were widely available. As education data are collected and used in different ways, it is increasingly difficult to define precisely which data should be used by whom and for what purposes. And some recent federal actions designed to clarify data protections, notably the Bush administration’s 2008 FERPA regulations which further articulated provisions related to researcher access to data, ironically added to public concern that the federal government was weakening FERPA’s privacy protections. In addition, some parents and privacy rights groups (e.g. the Parent Coalition for Student Privacy) are concerned about the disclosure of student information even if it does not include PII and are worried that education technology companies are conducting research using student data with the sole focus of increasing profits, not improving education.

In response to many of these public concerns, Congress has debated a variety of changes to FERPA, including several proposals that would both increase data protections but also significantly limit permissible research. Recently proposed amendments to FERPA would have, for instance, limited allowable research to studies that directly benefit the students or institutions providing the data, a change that on the surface might seem sensible, but would greatly limit research since the benefits of research often cannot be tied directly to the students who were included in the study. This is largely because many studies use retrospective data to examine interventions in grades that students are no longer enrolled in by the time research is complete. Other drafted amendments have required parents to be notified by schools when their students’ data was being used, even if not personally identifiable, and/or that data only be available at the aggregate (e.g. school level). These changes might help to protect the privacy of individual students but they would place a high burden on schools (likely affecting their willingness to participate in research). These changes would also likely impede the ability of research to detect the impact of interventions targeting students within schools and obscure how such interventions differentially affect individual student types.

Policy Options

Given the federal role to date, the current landscape of opportunities and concerns, what are the options for the next administration to promote both the use of evidence in education and the protection of the data necessary to fuel this evidence?

First, the next administration could choose not to take action. Federal law governing the privacy of school records already exists and failure to amend FERPA does not necessarily mean no additional actions to safeguard data would be taken. In the past three years alone over 400 bills to regulate student data privacy and access have been introduced at the state level. Online service providers and other vendors who work with student data have created a pledge to parents that data will be protected. And education constituency organizations have issued Student Data Principles that commit to using data to support student learning and to protect this sensitive information. But researcher, company, and school system self-regulation and state laws do not ensure consistency or quality in privacy protections. Indeed, we believe that absent federal action, concerns about data security and privacy are likely to lead to additional state privacy laws; while the vast majority of the recent 75 bills signed into law have been constructive, some have been severely detrimental to both research and the functioning of schools. This does not help to make schools better for anyone.

A second option would be to focus the efforts of the federal government on building the capacity of local and state governments and data users to collect and protect data effectively. Congress took a step in this direction by calling out data privacy training as an allowable use of Title II dollars, but the work is far from finished.

A third option, the one we favor, is for the federal government to combine capacity building with a structured process that leads to revisions to FERPA. A deliberative and thoughtful federal role in encouraging and supporting education data use and research, and creating a floor of consistent data protections, is critical to building transparency and trust about how data are collected, shared, and protected across the country. Despite the risks associated with opening the Pandora’s box of revising FERPA, we believe the next administration should take this important step. In the section that follows, we propose specific recommendations for this strategic federal role.


We suggest the following four actions to ensure student data are protected:

  1. Provide clear, consistent guidance on how federal privacy laws work together to govern education privacy and research.

The federal government should provide clearer guidance on how states and districts interpret and implement federal privacy laws. Currently, data needed for important education research may exist across federal agencies, but currently states and districts must navigate a patchwork of education and privacy laws and priorities that apply to these different types of data.

In addition, members of Congress have recently expressed an interest in amending both FERPA and creating new legislation that would regulate student data collected by online service providers. This legislation would treat data collected by schools and districts differently from data collected and used by online services. In addition, these different data laws would be enforced by different agencies (the Department of Education and the Federal Trade Commission respectively).

An aligned federal foundation that is coherent and complementary across applications, and a continued commitment to coordinated communications, can provide consistent definitions and standards for those on the ground. Federal agencies responsible for regulating data relevant to education should issue joint guidance to help states and districts navigate and implement federal privacy laws and inform complementary state laws and policies. This joint guidance and information can also help clarify for the public which federal laws govern education research and how they apply in various school settings.

  1. Build federal capacity to support states and districts with the tools and resources they need to conduct effective education research and safeguard data privacy.

The federal government should continue to invest in its ability to provide useful guidance, tools, and technical assistance to states and districts. Much of education policy is state- and locally controlled. ESSA’s emphasis on state flexibility and innovation affirms this. But states and local districts need expert guidance around the best practices when it comes to data access and use. Increased federal capacity to respond to state and local concerns and requests can help them craft constructive policies and practices that help protect PII, while making sure that researchers and state and local administrators have the ability to engage in high-quality research and use the results to improve student outcomes.

Federal agencies have already taken steps to support the field. The Department of Education’s PTAC, for example, has provided great value to states and districts through its hotline and its guidance on important issues such as data suppression techniques. Additional federal capacity, however, is needed to provide more timely and efficient guidance that addresses issues that arise around research and the protection of personally identifiable information. It is important, for instance, for states and localities to have exemplars for data access policies and data-sharing agreements. In addition, federal funding for improving the data literacy within state and local education agencies will also support strong, secure research practices within states and districts and nurture a culture that encourages productive research and values evidence.

  1. Support the work of the bipartisan, congressionally created Evidence-Based Policymaking Commission and ensure any findings are thoughtfully translated for the education sector.

The convening of the bipartisan Evidence-Based Policymaking Commission provides an unparalleled opportunity to examine the role of data and research in creating an information-driven education sector. Commissioned by Congress and appointed by Representatives Paul Ryan and Nancy Pelosi, Senators Mitch McConnell and Harry Reid, and President Obama, the Commission is charged with studying and making recommendations around how to best use federal data from across agencies to inform policy decisions. The Commission represents an unheralded collaborative effort between the administration and Congress that the next administration and federal agencies should look to for guidance on data regulation, governance, and management. The Commission’s recommendations, to be released after an 18-month period of hearings, conversation, and study, will apply to all federal agencies, not only to education. Still, the recommendations should be used by the next administration and Congress to inform thinking on the role of research and data use in improving education and shape thoughtful, constructive congressional and administrative action going forward.

  1. Building on the recommendations of the Evidence-Based Policymaking Commission, amend FERPA to ensure that federal law articulates clear permissions for research and that data collected through the use of education technology are governed effectively.

Federal law should establish a strong foundation of baseline privacy and security protections for educational research that addresses all types of student data and establishes a consistent floor for acceptable privacy guarantees across states. Current federal law (FERPA) describes when PII from student records can be shared with researchers, but lacks clarity and does not govern other types of student data, such as data collected through the use of online applications or services. Any changes to FERPA or its regulations must clarify how federal law protects the different types of student data, recognize the importance of education research, and provide clear guidance to states and districts about how they can permit researcher access to data and how they can best use the research analysis and findings to inform their policies and practices and achieve their education goals.

FERPA also presents an opportunity to strengthen research privacy protections by delineating the governance, transparency, and accountability measures that education agencies would need to have in place to share PII with researchers. Strong data governance allows states and districts to establish stable procedures for reviewing and approving data sharing and research requests that comply with federal laws.


We need data and research to inform education policy and decisionmaking to help ensure that our schools are productive and our students are well served. But we also have to ensure that the sensitive data that are collected about students are well protected and used in appropriate ways. The next president and Congress must take the opportunity to not only weigh in on how education data are handled and protected, but also to make clear that data and research are critical to creating a culture of evidence so that we innovate and invest in what works to further student learning.

Without strong federal leadership and guidance, the efforts to promote the use of data in education will become merely a compliance exercise with little benefit to students. If the federal government takes an overly prohibitive stance to privacy concerns such that the K-12 schooling data that are collected are no longer useful for research and other activities that help power school improvement, we will lose one of our most powerful tools for understanding and serving our nation’s students. Education is largely a state function, but the federal government plays a unique role in spurring innovation in schooling and helping to ensure equity. Data are necessary to both of these goals, and in order to accomplish them, the federal government must get its own data governance house in order and provide the resources, guidance, and tools that states and districts need to do the same on behalf of the students they serve.


Download this memo as a PDF or see the full series here.