Additional federal legislation may be needed to protect data on students

Congressman John Kline, a Republican from Minnesota and the ranking minority member of the House Committee on Education and Labor, publicly expressed concerns last week about potential risks to personal information on students that collected and maintained in state-level data warehouses. Kline spoke after an April 14 hearing on data used to track performance of K-12 school children, during which the Committee heard testimony from state and local education administrators as well as the lead author of a 2009 Fordham Law School study on children’s educational records and privacy. Kline stressed the need for federal, state, and local level measures that ensure student and privacy family rights are protected. While such sentiments may seem prosaic, when focusing on state or district-level databases maintained by authorities other than educational institutions, there does seem to be a significant gap in the coverage of current federal laws on the privacy of student information. Joel Reidenberg, Director of Fordham’s Center on Law and Information Policy, reiterated in his testimony before the Committee that many state practices observed and reported in the course of the Center’s study violate provisions in relevant federal laws, but without consequence because the laws in question do not apply to state or local government actions.

The prevailing federal law on privacy of information in student records is the Family Educational Rights and Privacy Act (FERPA), which includes a variety of rights for adult students and parents of minor students as well as restrictions on the use and disclosure (without consent) of student records by educators, school administrators, and institutions in general. FERPA applies at federal, state, and local levels, but only covers schools receiving funding from a U.S. Department of Education program. Significantly, this exempts many private, parochial, and charter schools, although with respect to the state data warehouses about which Rep. Kline noted his concerns, it seems unlikely that data on non-public school students would be collected as regularly as would data on public school students. To the extent that state educational databases are maintained by state government agencies or similar authorities, rather than institutions themselves, FERPA’s rules simply do not apply.

Without specific attention to student records or education information, there are other federal laws that constrain data collection from individuals, particularly children. The most general of these is the Privacy Act (5 U.S.C. §552a), which stipulates several prerequisites and conditions that must be met before personally identifiable information can be collected from any U.S. citizen. The Privacy Act reflects the Fair Information Principles published in 1973 by the U.S. Department of Health, Education, and Welfare, notably including transparency (that is, databases should not be secret), notice of intended use, and prevention of additional uses without consent. The Fordham study suggests that many states fail to provide transparency about the data they collect and maintain, and that they impose few restrictions on purposes for use of their data, including new or additional uses distinct from the purposes for which the data was originally collected.

A much more narrowly defined set of privacy practices stems from the Children’s Online Privacy Protection Act (COPPA), which lays out a number of requirements for online entities that collect personal information from children under age 13. COPPA applies to all personal information, but focuses only on data collected online from individuals, so does not cover transfers of data between institutions, even for children under 13. The law also says nothing about data collection from minors older than 13. Despite the general lack of direct relevance to the state educational database situation, privacy advocacy organization such as the Electronic Privacy Information Center (EPIC) have cited the Fordham study as an example of practice that violate the spirit, if not the letter, of COPPA by ignoring the sort privacy protections codified into the law in less narrowly defined contexts.

The failure of most current federal legal requirements to apply to state or local government authorities is one possible explanation for the apparently common practice at the state level of ignoring well established privacy principles that are codified into law constraining the behavior of educational institutions like schools and school districts and of federal agencies. One possible resolution for this problem would be to extend student record privacy protections to apply not only to institutions collecting and storing information on their students, but also to public and private sector entities that receive, aggregate, or make available student records or data contained in them.