Exclusive: Student Data Needs Protecting, New Report Says. Hiring a Chief Privacy Officer Can Help Schools and Districts Do Just That
A principal names suspended students in a widely circulated newsletter, violating student privacy laws. A district inadvertently uploads students’ names, grades, and special education status to a public website. An ed tech company’s bankruptcy puts student records at risk of being sold.
Though the federal law protecting student privacy — FERPA — is more than 40 years old, the education world continues to experience large breaches of confidentiality. And as technology increasingly expands ways to collect, store, and retrieve data, the risk of theft or inappropriate access also increases. That’s why the Center for Democracy & Technology, a Washington, D.C.-based nonprofit, recommends in a new report that the education world turn to a resource used by business and other government entities: chief privacy officers.
In education, privacy responsibilities are often distributed across multiple people who have little training, said Elizabeth Laird, a student privacy senior fellow at the center who wrote the report. This results in data being kept far longer than it should and lax rules on the collection of student information by third-party vendors such as education technology companies.
“Your job of protecting data is never finished; policy and technology are constantly changing,” Laird said. “That is why you need a chief privacy officer who is keeping pace with those things.”
A chief privacy officer in the education sector would be responsible for setting privacy policies at the state, district, or school level. For example, the officer would determine who has access to what data, create rules for how long data is kept and when it is deleted, and make sure individual students cannot be identified from publicly reported information.
The officer would also train staffers responsible for collecting and reporting data and make sure security teams follow best practices. Chief privacy officers work closely with chief information security officers: The former implements the policy side — such as how long student records can be kept — and the latter is responsible for the technical side — destroying them.
To make this role a priority, the report recommends legislation creating a chief privacy officer at the state or district level. Providing funding for privacy efforts is also critical for upgrading or replacing data-storage systems, the report said.
Some states, including New York, West Virginia, Utah, and Georgia, have already begun. New York, for example, created the role of chief privacy officer at the state level in 2014 after ending a controversial partnership with a company that promised to store student data in a cloud-based service. The officer, Temitope Akinyemi, was appointed in 2016 and is responsible for protecting student, teacher, and principal data and setting up protocols to deal with data breaches.
The Family Educational Rights and Privacy Act was created in 1974 to protect students, but many argue that its protections have been weakened and provide loopholes that allow third-party vendors to collect and store student data. Last year, the FBI released a memo warning that data collected by education technology companies pose risks to students and can be exploited and used to threaten schools and sell identity information.
“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft or other means for targeting children,” the FBI said.
Not every education institution has the capacity for a chief privacy officer, the center’s report said. For those that can’t afford such a position, it recommends sharing an officer with other schools, creating a team specifically responsible for this work, or delegating part-time duties to a current staff member.
“Anytime you’re talking about students’ personally identifiable information, you should also be thinking about how you’re protecting it,” Laird said.Submit a Letter to the Editor