Student data privacy laws try to protect our children, but confusion still reigns
School districts know that educational institutions are key targets for cybercriminals. It would help if there were a clear strategy for protecting our children. However, between the Federal government and state legislatures, student data privacy laws consist of a jumble of regulations. The lack of a consistent strategy makes it much more difficult to protect student data.
The Family Educational Rights and Privacy Act (FERPA)
FERPA is the only federal regulation that covers both student data privacy and security issues. President Ford signed FERPA into law in 1974. The purpose of the Act is to protect the confidentiality of student records.
The Act wasn’t originally a law unto itself. It is commonly called the Buckley Amendment because it was originally offered as an amendment to the Elementary and Secondary Education Act of 1965. As a result of how FERPA evolved, there were no legislative committee reviews or public hearings on the topic of student privacy.
Congress and the Department of Education (ED) amended FERPA nine times in its history. Many people believe that ED has weakened what started out as a strong privacy law. Many parents agree and want the states to provide more regulation on the topic.
The Status of State Student Data Privacy Laws
As of August 2019, there were 126 state laws covering student data privacy. This indicates that most states are trying to patch the gaps in FERPA by passing student data privacy laws. But it also creates confusion about the best strategies for ensuring that privacy.
The Parent Coalition for Student Privacy and the Network for Public Education recently released a report that grades each state on its privacy laws. The report gives points in the five core principles created by the Parent Coalition for Student Privacy, along with two additional categories that were added later. Those categories are:
- Parental and student rights
- Limitations on commercial use of data
- Data security requirements
- Oversight, enforcement, and penalties for violations
- Parties covered and regulated
Unfortunately, this report card showed significant shortfalls in what the states are doing. For example, no state received an “A” grade. Four states received a grade in the “B” range, and 11 states received a grade of “F” because they have no student data privacy laws. The state of Louisiana, which passed seven laws between 2014 and 2018, received a “C-” grade.
According to stakeholders in the area of student data privacy, there’s still a long way to go before the states protect student privacy to the degree necessary in each of the identified categories.
Some States are Moving in the Right Direction
There are some notable state laws that are moving legislation in the right direction. Here are some examples.
Texas Student Data Privacy Laws
Senate Bill 820 is notable because it details requirements for a school district’s cybersecurity framework. The framework must meet requirements set by the Department of Information Resources and secure the district’s infrastructure against attacks. It must also include a program to plan for cybersecurity risk assessment and mitigation.
In addition, the superintendent of each district must designate a cybersecurity coordinator to maintain contact between the district and the education agency. The coordinator must report any unsuccessful or successful cyberattacks to the education agency.
California Student Privacy Laws
California passed six bills related to student data privacy between 2014 and 2018. Those bills:
- Restrict the use of student data to administering public services or programs
- Mandate provisions in a Local Educational Agency (LEA)’s contracts to cover how the LEA or the vendor will secure student data
- Mandate that school districts use student identification numbers rather than social security numbers in whole or in part
- Prohibit operators of websites or online services from using information about elementary or secondary school students except in stated circumstances
New Hampshire Student Privacy Laws
New Hampshire passed 10 student data privacy laws between 2014 and 2018. Those bills cover a range of topics including:
- Requiring the LEA to create data security and breach notification policies, and to publish an annual breach report
- Prohibiting any school or LEA from providing student PII to testing entities except in named circumstances
- Giving a student or a parent the right to have all student data destroyed after the student’s graduation
Utah Student Privacy Laws
Utah passed 10 student data privacy laws between 2015 and 2019. Those bills cover a range of topics including:
- Requiring the LEA to make recommendations to the Legislature about updating student data privacy laws
- Requiring the LEA or school to notify parents of a data breach involving student PII
- Repealing provisions that allowed the LEA to share data with the Utah Registry of Autism and Developmental Disabilities, and the State Board of Education to share data with the State Board of Regents
There’s no doubt that the Federal government and the states will continue to struggle with the issue of student data privacy laws, encouraged by parent groups and security experts. The question of why student data privacy matters is about more than just legal compliance. The impact of student data being used for a variety of reasons—whether by criminals, companies, or bullies—has long-lasting and potentially devastating effects on the child and their family.
In the end, everyone wants to fix the trouble with student data privacy laws. If you’re struggling with security in your district, you can use our Cloud Application Security Checklist as one tool for improving your data security for your students, parents, and your schools.