• United States




Whose privacy matters most?

Jun 01, 20158 mins

Regulations help to protect the privacy of student data by ensuring its proper use

hands raised classroom kids
Credit: Thinkstock

No one wants their private information falling into the wrong hands, but this is especially true of the younger generation, as they lack the resources to address such a compromise directly, and parents often don’t think to monitor their child’s personal records or usage.

Yet, student information is out there, though, which means, personally identifiable information (PII) about children is as much in jeopardy of being compromised as the data collected around any other group.

Despite the fact that all data is at risk, legislation safeguards the collection, storing, and sharing of student data more than any other public sector; however, they need strict regulations to protect everyone’s private information, not just that of students.

According to FierceGovernmentIT, senators Edward Markey (D-Mass.) and Orrin Hatch (R-Utah) reintroduced the Protecting Student Privacy Act which will, if passed, set forth requirements for collecting student data, but what are the risks involved? Are they different from or greater than the risks to customer data?

From the doctor’s office to the online shopping expedition, people provide a lot of detailed information about their health, personal interests, and account numbers. It’s a matter of convenience, and organizations know that employees and consumers are more often willing to compromise their privacy in exchange for efficiency or convenience.

According to Bruce Schneier, CTO at Resilient Systems, there are no particular risks to collecting student data. “We are just hyper-sensitive about threats against our children,” Schneier said. Sure, the school’s network is at risk just as any other network is. “Children’s data is on it,” he said “but there is no super special school network that is more at risk.” For any breach or any network, “the risk is that your data will be used against you,” Schneier said.

To a certain extent, Brenda Leong, senior counsel and director of operations at Future of Privacy agreed. “All data is data, and many of the same concerns exist for all of it. There are laws about student data because it has received enough attention, but there is no general legislation about privacy. It’s always sector specific,” Leong said. What is special about the collection of student data as opposed to any other information is that students don’t have a choice in attending school.

“The information is collected mandatorily by the school system which puts a burden of responsibility to protect that information and ensure that it is only used for educational purposes,” Leong said. The Federal Educational Rights and Privacy Act (FERPA) demands that schools, researchers, analysts, and third party vendors do just that in part because so much information about students and their families is stored as part of a student’s educational record.

Aside from financial risks, general privacy risks are a paramount concern when it comes to student data. Bret Cohen, Associate at Hogan Lovells US LLP, said, “A breach of student information can lead to consequences,” but there are few scenarios where a breach would not have consequences.

Bret Cohen, Associate at Hogan Lovells US LLP

Because a school’s network hosts everything from the inventory of a school store to entire education profiles, many stakeholders are concerned. “Storing information about disciplinary actions for years on end could be problematic,” said Cohen. “That information can follow them to college or even future employers.”

Rebecca Herold, CEO, The Privacy Professor, and CVO and Partner, SIMBUS Information Security and Privacy Services and Solutions agreed. “Student data is concerning because that information is valuable to a variety of groups who are marketing and selling to teens, and that’s not even including those with malicious intent.”  

As a high school teacher, I was surprised to learn that, “many online tools that students are asked to use are able to track student activity even outside of the classroom,” said Herold. Teachers are encouraged to use educational apps to enhance student learning, but some of those online tools and mobile apps track students through their devices, which isn’t widely known.

Surveillance is a concern. Identity theft is a concern, and “there is an increasing trend to track students through the devices students are using,” Herold said. Student data collection is different, Herold contended, because a breach of their information can “impact their futures before they have even had a chance to try to protect their information.”

Specific to the collection of student data is the question of who has access to that shared information and for what purposes. Even Sen. Markey notes that “Data analysis holds promise for increasing student achievement,” and the business of analyzing student data to help schools predict learning outcomes is growing exponentially. Yet Markey remains concerned that data collection does pose privacy threats.

“Student data is big business,” says Cohen, and researchers, analysts, and software developers are “using data to generate insight and learn what you can do to improve student outcomes. Analyzing student data can predict what types of things make a successful student so that schools can customize the student experience.”

Though the law strictly prohibits selling school data for marketing purposes, there are oodles of outsiders with whom schools want to share data from vendors who sell class rings and yearbooks to books and fundraising products. Leong said, “Third parties are required to meet the same standards from the collection to the use and deletion of information when it’s done.”  

Leong said, “The idea is that privacy encompasses protection and proper handling and using data for the purpose intended. You don’t expect a bank to provide information to a third party that is not a financial institution.”

[ ALSO ON CSO: You are responsible for your own Internet privacy ]

For that reason, student information cannot be disclosed without parent consent, except if it is for a legal obligation. Cohen said, “There are also provisions that permit disclosure to researchers and service providers, contractors, and consultants provided that they serve an institutional function.” That seems like a lot of loopholes.

Though the reality is that student data is no more vulnerable than any other data, their information is much more protected because of FERPA and other federal and state regulations, but, “one big law to cover many different industries would be great,” said Herold.

As more educational technology products are created and marketed to the K-12 sector, laws and regulations continue to pop up that are directly targeted at these third-party providers, particularly since these vendors and contractors can “provide and maintain a more sophisticated system of records more easily, accurately, and securely,” Cohen said.

“Privacy is about protection and proper handling of data,” Leong said. While data analysis has the potential to determine best practices for increasing student performance, privacy advocates are not willing to sacrifice their children’s privacy for the possibility of higher test scores.

“Amending FERPA” is a good step, said Herold, “but it doesn’t go far enough to address all the types of data that can be collected. Why don’t we make FERPA all encompassing, focus on all student privacy issues?” The answer is in the lobbying, Herold suggested, because reusing data that users put out there is big money.

But with an ever evolving market, do regulations, especially those with loopholes that are only sector specific do anything to protect privacy?

Regulations matter because, “insecurity is too cheap,” said Schneier. “What we need are very strong rules requiring companies to protect the data they have.” He used the analogy of polluting a river in arguing that short of strict regulations and harsh consequences, little is going to change around privacy issues. The suggestion is that people are only as just as the law requires them to be. “This isn’t a sound bite problem. What we have is a market failure. The way we fix a market failure in a market economy is through regulation. We need to raise the cost of insecurity,” Schneier said.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author