Public schools have generated and maintained massive amounts of student information for decades. Standardized test scores, grades, conduct records, psychological and medical information, student assessments, child and parent personal information, and teacher evaluations of children’s performance are all essential to providing and improving educational services. But with such massive amounts of data comes great risk that it will be misused.

Congress recognized the sensitivity of this information in the early 1970’s and passed the Family and Education Records Protection Act (FERPA) in 1974. FERPA guarantees families access to their child’s educational records, and also protects against disclosure of student data for non-educational purposes. However, the rapid technology advances of the past decade far outstripped the ability of FERPA to provide risk solutions, so individual states have begun to fill the regulatory gap with their own laws and requirements. These state laws address both data privacy and data security and continue the emphasis on transparency and accountability begun by FERPA.

Technology has rapidly enhanced the ability of schools to assess a student’s strengths, isolate learning deficits, and deliver learning systems that are individualized to maximize educational gains and teaching efficiency. The aggregate of individuals’ microdata creates vast amounts of macrodata that allow schools to determine which learning systems are most effective, which should be modified or discarded, and which provide value platforms that are consistent with school boards’ limited financial resources. Data collection, sharing and analysis are powerful tools in the modern educational product market. But all of that data is sensitive and private to individuals, and its use needs to be thoughtfully regulated and protected.

The Data Quality Campaign has released a Summary of 2016 State Legislation that analyzes the growth and content of state bills and laws governing school-based data. The DQC Report states that 15 states passed 18 new data privacy laws in 2016, with particular emphasis on three concerns:

  1. regulating the data use and privacy activities of online service providers;
  2. enhancing transparency around how student data is managed and used; and
  3. mandating greater responsibility for safeguarding data both internally and from cyber-threats.

Schools and educational technology providers will be well-advised to work together collaboratively to maximize learning opportunities for students while minimizing the risks of data compromise or inappropriate use of personal data. Only where the integrity of technology systems is assured will parents and the general public trust schools and learning product vendors with the data of our children. And experience teaches that every time a breach or abuse occurs, the response will be greater and more onerous legislation.