Beware the School Privacy Juggernaut!

The privacy revolution is hitting America’s schools. While this is generally a good thing for the privacy interests of America’s students and their parents, there is likely to be significant collateral damage as other social objectives are impacted. I don’t believe the policymakers have fully recognized the impact of these laws on nonprofits that serve students. I am quite sure that most nonprofits working in schools have no idea about the laws that are about to apply to them. Nonprofits that are active in America’s schools need to be aware of this privacy revolution, determine whether these changes affect their programs, and begin thinking about compliance.

First, a bit of history. The Family Educational Rights and Privacy Act (FERPA) was originally passed in 1974. This was in an age before the Internet, before mobile phones, and before companies were collecting information about every online interaction. FERPA is enforced against schools, and the main sanction is withholding of federal funds.
In recent years, educational technology companies have dreamed of using rapidly advancing technology to help America’s children learn more effectively. The Holy Grail of this field (especially in special education) has been individualized learning, where educational content, technology, and practices adapt to the student for the best outcomes.

With the goal of improving the ability to achieve these lofty goals, there were significant efforts to devise better ways to collect student data. One of the leading projects, InBloom, was funded by the Bill and Melinda Gates Foundation, among others. The goal of InBloom was to make the sharing of student performance data much easier for educational technology companies by creating a common platform and database. Unfortunately, InBloom was caught up in a political controversy in 2013, over concerns from parents and activists regarding the sensitive data being shared. In response, state legislators passed laws making it difficult for student data to be shared, and InBloom shut down in 2014. But, that shutdown did not stop a surge of legislation. At least twenty states now have enhanced privacy laws on the books, and more are considering them. Congress is also considering updates to federal student privacy legislation, including updating FERPA. Many of the provisions are laudable: treating the data of students the way most people would like their sensitive financial or medical information treated. Many of these new laws are explicitly aimed at stopping the use of student data for commercial purposes or targeting advertising. A few are aimed at limiting data sharing with the federal government.

The legislators don’t mention the legislation’s impact on nonprofits; they don’t seem to be the target. At the same time, there are often no distinctions made between commercial and nonprofit uses of student data. The nonprofits serving students through partnerships with America’s schools are generally ill-prepared to meet these security provisions. In addition, some of the laws include provisions that are difficult to meet, especially for organizations with limited resources. This blog post is designed to alert the field to what’s already happening in some states and encourage nonprofits to engage in the policy debate and prepare to comply with these new privacy requirements.

These laws are mainly aimed at protecting student data and addressing concerns about educational technology companies using student data to target them for marketing, much like the ways Google and Facebook track their users. But, these laws aren’t written in a targeted way; they apply to any organization handling student Personally Identifiable Information (PII), such as student name and date of birth. Although nonprofits have little problem avoiding behavioral marketing, they should be careful about using student data in fundraising. Even so, the data security provisions are well beyond the current practices at most nonprofits.

Benetech’s Role

Our nonprofit organization is active across the United States, working with over 350,000 students in over 25,000 schools, school districts, colleges, and universities. Because of our widespread presence, we are being asked to sign agreements with school districts that are at the forefront of new legislation. These districts are issuing contracts designed to comply with the new state laws that affect them. Even though Benetech is not charging schools for our services (we’re funded at the federal and state levels), we are being approached because we handle information about students that is covered by these new laws such as student name, date of birth, and disability status.

Benetech is lucky because we already have multiple ways to respond to these privacy concerns without denying services to students who truly need them. First of all, we are a technology nonprofit knowledgeable about privacy given our work for more than a decade handling the confidential data of human rights groups. We’ve already built in technology safeguards, as well offering options for addressing privacy. We have a way for parents (or guardians) of students to sign them up for our service directly, which solves privacy concerns (parental permission addresses the privacy issue). We also implemented a way for schools to use our service without providing PII, by supplying us with unique identifiers for individual students. Still, most schools do supply us with PII under the “school official” exception to FERPA, because we are helping the school deliver required accessible educational materials.

But, these new state laws are much more specific than the current version of FERPA and create new challenges for compliance. As the nation’s largest online library for students with disabilities, we have significant technical, operational, and legal resources compared to many nonprofits active in local school districts. We will ultimately be able to comply with these requirements (or provide options for continuing to provide services without needing the personally identifiable information), but we wanted to spread the word about these requirements to other nonprofits.

We are not providing legal advice in this blog post; we are merely sharing issues we think far more nonprofits need to be thinking about.

The New Provisions

Imagine that your nonprofit works in a school and you have data about the students you serve that includes Personally Identifiable Information. Here is a sample of some of the provisions that you could be subject to:

• You need to back up the data securely every day
• You need to be able to erase the information on short notice from the school, or when the student leaves the school, or when the information is no longer needed to deliver services
• Parents (or guardians) have the authority to challenge or change data on their student
• You can’t use the information for purposes other than for what it was provided to your organization
• Access limitations: only organization staff with a requirement to access the information should be able to do so
• New York requires that encryption meet the requirements of HIPAA, the health care privacy law
• Anti-federal provisions: some states don’t want data about students being sent to the federal government or certain federal programs
• You need to have a data breach policy in place, and to inform the school if a breach has taken place.

Finally, if the information is on a laptop or a tablet or a smartphone:

• The laptop needs to have its hard drive encrypted,
• You need the ability to erase the data remotely if a device is stolen or lost
• Laptops need locks

Does your organization do all of these things today?

Some of the new laws include monetary penalties for data breaches and even criminal sanctions. If a nonprofit refuses to sign one of the new data sharing agreements, they may lose their ability to serve students. It seems likely that some nonprofits will sign these agreements without actually being in compliance, which would be worrisome.

What Can Your Organization Do?

Here are some possible strategies to discuss with your operational staff and attorney:

1. Don’t collect PII about students digitally in the first place. Think about whether your program can serve students simply with student counts or with data that can’t be linked back to individual identities.
2. Replace PII with pseudonyms or identifiers that can’t be linked back to the student’s identity. This would be essential if tracking individuals is important, but the actual name of the individual isn’t. Information is lost when we deal only in aggregate activities, and unique ids can help us access this information while addressing privacy.
3. Get parental (or guardian) permission for handling PII.
4. Implement the full security requirements that are primarily aimed at educational technology vendors. This is a major project for any organization.

What Does this Mean?

Treating student data with respect is an important social good. In today’s world, where technology companies monitor our every move, it shouldn’t be surprising that parents, educators, and policymakers want to protect children from these intrusions when it comes to data collected in schools.

Even though increased privacy provisions for student data are generally advantageous, we need to recognize the impacts of these changes. Laws that discourage data collection about educational and social programs for students make it harder to measure effectiveness. I doubt this is what legislators had in mind when they passed these laws, but nonprofits may choose to stop tracking detailed information at the student level rather than invest in the changes needed to comply with these new laws. Increased privacy protections may make it more difficult to respond to students’ needs because:

• A specific student’s relevant records can’t be matched up because they are in the database with an anonymous ID
• Data from a prior period has been deleted
• The information is housed at another organization that doesn’t have the ability to share the information
• The need is not directly connected to the reason the data was originally collected
• The measurements of student performance are not linkable to the provision of content or services

The solutions to some of these privacy concerns often create new demands on educators who are already carrying heavy burdens in today’s educational system. Systems that don’t track an explicit student name to avoid triggering privacy issues end up forcing teachers to look for patterns in educational data to determine which students match up with which identifiers. These approaches can drive the design of educational technology to be much less user-friendly, which in turn might defeat the purpose of using that technology.

Conclusion

The world is changing. More and more data is being collected about more and more aspects of more and more peoples’ lives. Data privacy constraints will be a cost of doing business going forward, especially for organizations that work with students. Organizations, especially nonprofits that are focused on social mission, need to address privacy issues. In most cases, they will choose a path for compliance.

However, nonprofits are not bystanders in these events. We have to take an active role in striking a reasonable balance that advances privacy and educational and social goals. We can and should refuse to agree to provisions we can’t reasonably comply with and work to develop other options. We can and should advocate for changes in these laws if the costs outweigh the benefits. We should always be optimizing for what’s best for the children we all serve.