Legal and educational policy experts urged lawmakers on Thursday to improve security safeguards in student privacy laws and update them to better reflect the rapid leaps in technology.
“Unless Congress . . . clarifies what information can be collected, how that information can be used and if that information can be shared, student privacy will not be properly protected,” said Rep. Todd Rokita, R-Ind., who led the hearing before a House Education and the Workforce subcommittee.
The law, the Family Educational Rights and Privacy Act – known as FERPA – was written in 1974 to protect student records. It only covers schools receiving federal money. An update of the regulations in 2012 permitted greater disclosure of the data.
But with the increasing ability of hackers and others to pierce firewalls that shield personal, corporate and government material, federal and state officials are looking for ways to protect student privacy.
Legislators in 32 states have introduced more than 100 student privacy bills. California legislators last fall passed the Student Online Personal Information Protection Act, becoming the first state to prohibit the education technology industry from selling student information and using it to target students with advertisements.
Last month, President Barack Obama offered a similar legislative fix.
Under FERPA, parents have the right to inspect the records, but schools have the right to disclose them under certain circumstances. Schools can also make them available as “directory” information but must inform parents or age-eligible students and allow them time to object.
But the emergence of digital record-keeping has placed students and administrators in a precarious position, according to Joel Reidenberg, an expert on privacy and the Internet at the Fordham University School of Law.
He testified that information is exposed to hackers and to data collections used for non-educational purposes. Most of the information is stored in the cloud and is usually not deleted even after students graduate, several witnesses said.
“The approach of FERPA is outdated,” Reidenberg said. “It is focused on privacy and parental access, but it does not cover the use of the information collected.”
Greater transparency on where the information goes, what it is being used for and why it is used would create more trust between teachers, parents and school administrators, said Shannon Sevier, a parent of five and a representative from the National PTA, which opposes the collection of student data.
Most of the student data is collected through contracted third-party companies, which are not covered under current FERPA regulations, Allyson Knox, director of education policy and programs for Microsoft, told the hearing.
Microsoft, Apple and Google are among a host of companies that provide cloud storage space to schools for student information. They are also among more than 100 companies, Knox said, that have signed a pledge to safeguard student data from targeted advertising and non-educational purposes.
In Sheryl Abshire’s Louisiana school district, the information collected in the cloud remains anonymous, is usually used to measure student progress and is kept within the school district.
“It is called informed consent,” testified Abshire, chief technology officer of Calcasieu Parish Public Schools. “Our parents are allowed to opt in and out for digital records.”