Schools have lots of data about the children who attend, from basic student identifying information such as date of birth, name, gender, and address, to more sensitive information such as children’s disabilities, family status, and behavioral problems. In prior years, this data stayed in a paper file, and a student left those records behind when he or she moved on into adulthood. But today, this data is being shared with private companies that are managing various functions for school districts. It’s a growing and lucrative industry, as school districts scramble to properly track and analyze information regarding each pupil.
Why do private companies have school records in the first place? In recent years, Congress has made changes to the Family Education Rights and Privacy Act (FERPA) that have created a potentially broad loophole regarding who has access to student data. School districts are now outsourcing data storage, processing, and analysis to private companies. These contractors—third-party vendors—are stepping in to provide school services such as data processing, test analysis, and even the maintenance of databases of health records. Contractors are now able to access to student data (including data linked to personally-identifiable information) without parents’ being given notice, or having to give their consent, before the data is shared and transferred. Accordingly, it’s a bit like the Wild West—with districts signing contracts that contain few safeguards against the data’s being used by other entities, which may then sell that data to others or use it in marketing.
Should parents be concerned? Yes, because it is unclear whether the data at issue are stored securely, and also unclear whether those contractors are using that data for marketing and other purposes. Whether your kid is a big soda drinker at the cafeteria may seem to be an innocuous fact now, but if that data ends up in an insurer’s file many years from now, it may have different consequences.
Companies that process data say that the industry has developed a set of best practices, so that privacy advocates are raising false alarms. That may be the case, but school districts also need their own best practices to ensure that the contracts that they sign are ones that protect student privacy in clear terms.
In this column, I will examine the contractor exception to federal student privacy laws, and look at two examples of why this phenomenon is problematic. I will also discuss how Senator Ed Markey and the Electronic Privacy Information Center (EPIC) are trying to get Congress to fix this problem, and to provide parents with greater clarity as to who has their hands on students’ records.
Changes to FERPA Created the Broad Contractor Exception
FERPA requires schools to obtain parental permission before sharing information from their children’s educational records. The updated rules, however, permit schools to share student data with companies to which they have outsourced core functions like scheduling, data management, or test analysis. This change allows private contractors to have the same access to data that school officials would have. And to make matters worse, parents likely have little or no knowledge of these changes. The exception requires school districts to have direct control over such contractors’ use of student information; if contractors misuse the data, regulators may ban districts from sharing further data with those companies.
So what does this contractor exception mean? If a contractor is given access to student records, that access must be under the direct control of the school district. Contractors must ensure that only individuals with legitimate educational interests have access to students’ personally-identifiable information.
2011 FERPA amendments require school districts to use “reasonable methods” to ensure that teachers and other school officials, including outside contractors, obtain access to student records in which they have “legitimate educational interests. High-risk records, such as those containing Social Security Numbers enjoy greater protection than medium- or low-risk records would receive.
At the end of the day, to what type of data do contractors have access? The answer varies, but the scope is broad. Student educational records include information that is not just academic, such as test performance, but also regards disabilities, family relationships, disciplinary data, health, teen pregnancy, and who knows what else.
The problem is that it is unclear what sanctions an outside company might face if it did violate FERPA. A company might lose a school district contract, but as these vendors do not receive direct federal funding, they are not subject to the same carrots and sticks that school themselves are, with respect to FERPA compliance.
What’s apparent, too, is that the contracts that the school district may be signing with contractors do not turn FERPA or privacy best practices into contractual terms. Thus, even if the law states that students’ privacy should be protected no matter who has the data, what is happening in practice may not reflect what the law requires in terms of school districts’ maintaining control over student data.
The inBloom Controversy
Education technology software for pre-kindergarten to 12th grade is a reported $8 billion market, according to the Software and Information Industry Association. One major reason for that is the Common Core Standards, a program to standardize certain curricula testing nationally. To prepare for future Common Core assessment tests, many districts are investing in software to track and evaluate student performance.
Earlier this year, inBloom Inc, a student-data-collection venture funded by the Bill & Melinda Gates Foundation sparked controversy because of plans to compile students’ private information into a national database for business contracting with public schools. Many school districts subsequently severed their ties with the database.
inBloom, is a nonprofit corporation based in Atlanta. It offers a lucrative and enticing proposition: It can collect information from a school district’s databases and store it in the cloud, thereby making access easier. Services like inBloom want to speed the introduction, and lower the cost, of student-assessment tools by standardizing data storage and security. inBloom also wanted to become an open-source platform, so that other educational software and app developers could develop programs that would be interoperable with its databases. The company has impressive backing : $100 million in seed money from the Gates Foundation, along with the Carnegie Corporation of New York. Beyond storing data, it promised to help personalize learning.
InBloom sounded like an innovative way for schools to manage data and allow for innovation. Analysts say, however that its practices also awakened parental fears about the potential for mass-scale surveillance of students.
With inBloom, school administrators can choose to fill in more than 400 data fields about a student. Many are facts that schools already collect and share with various companies including grades, attendance records, and course levels. Administrators can also upload data that parents may be uncomfortable sharing with vendors. inBloom’s data categories include family relationships (“foster parent” or “father’s significant other”) and reasons for exit or withdrawal and enrollment changes (“withdrawn due to illness” or “transfer to an institution”) . Privacy advocates have also been troubled by the disciplinary details that could be uploaded to inBloom. Its system allows for subjective designations of students such as “perpetrator,”or “victim” and “on the “principal’s watch list.” Students can also be categorized as “pregnant teens.”
In the end, several school districts challenged the current format. Of the nine states that originally signed up with inBloom, only one, New York, is reportedly still using the service.
Student Data in the Clouds
In a recent study by the Fordham Law School Center for Information Policy, Privacy and Cloud Computing in Public Schools, researchers found that as public schools adopt cloud-based services and technology-based learning systems, they tend to transfer “increasing quantities” of student information to third-party vendors without proper privacy protections. The study found that strong data-security protections or limitations on the use of student data for marketing were missing from contracts.
The Fordham team chose a national sample of school districts that included small, medium, and large school systems from regions throughout the U.S. The researchers used state open-records laws to request from each district all of its cloud service agreements, notices to parents, and computer use policies for teachers.
In a cloud-based computing model, companies provide software that users can access remotely, rather than installing it on their own computers. Data also gets stored remotely, rather than on a school district server. Vendors may offer their services at a low-cost or even free, in the hope of making money off the data they collect. Almost none of the districts that were examined specifically restricted the marketing of student information by the vendors. The study also revealed other gaps. Only a quarter of districts inform parents when cloud services are used. Also, many have gaps in their contract documentation, including missing privacy policies.
FERPA, however, generally requires districts to have “direct control” of student information when it is shared with third-party contractors. Yet the cloud service agreements seem to do anything but provide the school districts with control. Fewer than 25 percent of such agreements specify the purpose for disclosures of student information, and less than seven percent of contracts restrict the sale or marketing of student data by vendors. Indeed, many agreements actually allow vendors to change the contract terms without notice. The cloud service contracts signed by school districts don’t generally provide for data security, and even allow vendors to “retain student information in perpetuity with alarming frequency.”
What to Do About this Situation: Some Initial Steps
As noted above, many contracts, the study found, failed to list the type of information that was being collected, while others did not prohibit vendors from selling personal details. The Fordham study suggests that school districts have wildly varying degrees of legal and privacy knowhow.
School districts and the US Department of Education (DOE) need to develop protocols as to how information can be transferred to, and shared with contractors, and steps for continuing oversight to ensure that the data at issue is used as promised, and kept securely.
The Fordham study urged that contracts should specify the type of services that a company provides; list the types of information collected; and limit the disclosure of students’ details. The researchers also recommended that school officials notify parents about the nature of the information that can be disclosed to third parties, and post information about privacy protections on school-district websites.
Some districts are making an effort to be vigilant. The South Orangetown Central School District in Blauvelt, N.Y., for example, is conducting an information audit to examine how its third-party contracts cover sharing or reuse of student information.
Senator Edward Markey recently sent a letter to DOE requesting information on the “impact of increased collection and distribution of student data” on student privacy rights. He, too, is worried about the oversharing of student data, and he has asked whether the DOE has any federal standards as to how private companies should store and use private student data. For example, Senator Markey asks if there is a minimization requirement that requires private companies to delete information that is not necessary to the function they are performing. Does the DOE require that adequate security measures are in place when information is transferred? And, more generally, does the DOE believe that parents, and not schools, should have a right to control information regarding their children when that information is in the hands of a private company, and also to determine what can be shared, and what will not be shared, with such companies?
The Electronic Privacy Information Center (EPIC), has also been advocating for Congress and the DOE to take a broader look at the FERPA contractor exception, and to take proper steps to ensure that student data is not overshared, and reused by contractors. EPIC tried to bring a legal challenge to the FERPA amendments in federal court, but was found to lack standing to bring such a claim, since EPIC itself, the court concluded, has not been injured by the FERPA rules.
It seems that the changes in FERPA may not have led to strong privacy practices by schools. The rush is on to share data, move it into the cloud, and create bigger and better databases—but the quality of privacy practices has not yet caught up. Let’s hope for some stronger privacy protections in this area, especially given the fact that children are involved.