Ed Tech Must Embrace Stronger Student Privacy Laws

[ILLUSTRATION OMITTED] Our legal expert explains why districts (and vendors) would benefit from more robust protection of educational data. During the past 50 years, the way that school records are created and stored has drastically changed. In the 1960s, student records were generally paper files created using a writing instrument or a typewriter, and they were stored in school administration offices or in a central district location. The 1970s saw the adoption of mainframe computer systems. During the 1980s, database management systems were deployed in K-12 schools. Then came the introduction of distributed applications and databases built on network operating systems and client/server architectures. While each of these technologies created new privacy concerns, student data was generally stored on servers owned by school districts and located within their physical jurisdiction. This meant that access to student records was generally limited to teachers, school administrators, parents, legal guardians and others who had a legal right to access the information. Schools didn't have the technology to collect and archive every single student data point and all digital activity. New Technology, New Privacy Concerns During the past five years, schools have deployed new digital learning tools such as apps and cloud-based computing services that have the ability to track and store every single keystroke and activity performed on their platforms. Adoption of these technologies has raised significant questions about student privacy because vendors are storing personal student data on servers located outside of a district's physical jurisdiction. Some vendor agreements state that student data may be processed and stored in any location around the world where the vendor or any of its agents maintains a facility. Being able to store data anywhere may offer price flexibility by enabling a provider to build its data servers in a low-cost area, but it may also enable some providers to process and archive personal student information in locations with weak student-privacy protections. Any state where a student's e-mail or other digital data is processed may potentially claim jurisdiction if a legal claim arises. For example, if a Maryland school district contracts with a California-based provider and student e-mails are processed in servers located in Iowa and then stored in Georgia, multiple state laws may potentially govern access to the information. Since at least 47 states plus multiple U.S. territories have enacted data breach notification laws and each law is slightly different, some vendors may avoid processing and storing student data in states with more robust legal requirements. Privacy Laws Lagging Behind Technology The most comprehensive student privacy law is the federal Family Education Rights and Privacy Act (FERPA), which was enacted in 1974 when educational records were generally physically static and contained a limited number of data points about students. While technology has drastically changed during the past 40 years, FERPA has not been amended to account for these innovations. Many electronic learning tools collect a tremendous amount of metadata about students, and some of this information may be highly sensitive. Since most of this information isn't inserted into an official school file, it isn't considered an educational record under FERPA and is therefore not protected. As Kathleen Styles, the U.S. Department of Education's chief privacy officer, has said, "I don't think it's necessarily an easy decision, what is and what is not the 'educational record'.... It's very contextual. A lot of metadata won't fit as an educational record." This admission by the person charged with protecting our students' privacy clearly demonstrates that more needs to be done to better protect the personal information of students. Companies Using Student Data to Target Advertising Some companies have taken advantage of FERPA's inadequacy and have provided schools free learning tools that also mine students' data for non-educational purposes. …