As lawmakers run in place, databrokers and third-party vendors are sprinting ahead in the ways they collect and use students’ personally identifiable information, which includes student directory information. — Sheila Kaplan, Education New York
Sheila Kaplan (@SheilaLKaplan on Twitter) is a long-time student privacy advocate. For the more than one decade that I have followed – and admired – her advocacy, I have watched her sound, common sense recommendations to state legislators in New York often fall on deaf or politicized ears, while students remain at risk of their personal and sensitive information too easily falling into the hands of commercial entities.
Sheila’s right to be concerned. Laws that protect children’s data privacy do not necessarily or fully protect their privacy when the children are “students.” The federal law known as FERPA was never intended to comprehensively address student data privacy and infosecurity when it was first enacted in the 1970s, and even amendments or updates since then have left the law still inadequate to protect student data privacy. Yes, FERPA provided and provides some limitations on disclosure of personal information, but the law is simply inadequate for 21st century issues.
For information on state student privacy laws, see FERPASherpa’s resource.
One of Sheila’s most important recommendations concerns closing loopholes in what is considered “directory information” under FERPA. As she has repeatedly demonstrated by her experiences delving into directory information opt-out in New York City public schools, all too many parents are simply not aware of the need to opt-out by signing a form – and even those who are aware may not be sent the form by their child’s school district.
Sheila recently submitted comments to the New York State Education Department in response to their request for public input. As part of her comments, she focused on the ongoing concerns about too much information being too available as “directory information” and the urgent need to restrict such disclosures:
New York has an opportunity to be ahead of the curve to strengthen protection of students going forward. This would be best accomplished through comprehensive legislation and State Education rules and regulations that address specific areas of concern raised by privacy experts and parents. A model bill, “The Student Privacy Protect Act,” developed in collaboration with longtime privacy and information policy expert Robert Gellman, could serve best as a guide to drafting an exemplary bill. The proposed model bill recommends that a school may disclose directory information about a student as provided in 34 Code of Federal Regulations Section 99.37 only in the following cases:
(1) after giving the parent of the student or the eligible student at the school notice and opportunity to opt-out of the disclosure in accordance with Section 4;
(2) if the disclosure does not include any personally identifiable student information other than disclosable directory information; and
(3) if the disclosure is to a school newspaper; local newspaper; school club or organization; school yearbook; honor roll or other recognition list; graduation program; sports related publication which provides specific information about particular students for the purposes of a specific sports activity or function; or parent and teacher organization.Under this model bill, “personally identifiable student information” means personally identifiable information and directory information. “Disclosable directory information” means the student’s name; photograph; age; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full time or part time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors and awards received; and the most recent educational agency or institution attended.
It is important to note that disclosable directory information does not include a student’s place and/or date of birth and contact information. In addition, and further following the recommendations of this model student privacy bill, the State could close the opt-out loophole in Education Law §2-d that endangers children by amending Section A to specify that student personally identifiable information cannot be sold or released by the educational agency for any commercial or marketing purposes, even when parents have not submitted a FERPA or student directory information opt out.
Sheila’s suggestions strike a balance between a more radical approach that would restrict disclosures even more, and the need and desire of schools and parents to be able to share information at times, such as being able to tell the local newspaper about how a school sports team did and who scored points, etc. But do note her reference to endangering children. When parents do not opt-out of disclosures of “directory information,” their children may be at risk of being found by abusive, noncustodial parents. They may be at risk of being identified or found by government agencies that might deport or separate families.
We are living in increasingly dangerous times. Parents should not have to know to demand an opt-out form at the beginning of each school year. In my opinion, opt-out should be the default for directory information, directory information should be seriously limited as to types of information (as Sheila also recommends) and limiting directory information and making opt-out the default should be accomplished by statewide legislation, if not by federal regulation.
You can read all of Sheila’s comments in the document embedded below:
For those interested in student data privacy, in addition to following @SheilaLKaplan on Twitter, you may also wish to be aware of the work of these people and resources:
- Joel Reidenberg (@JReidenberg) and The Center on Law and Information Policy at Fordham Law School (@FordhamCLIP )
- Bill Fitzgerald (@FunnyMonkey)
- Doug Levin (@douglevin).
- Amelia Vance (@ameliaivance)
- Daniel Solove (@TeachPrivacy)
- Future of Privacy Forum (@FutureofPrivacy)
- FERPA Sherpa (@FERPASherpa)
- Susan M. Bearden (@Susan M. Bearden)
- Common Sense Privacy (@cs_privacy)
- California Department of Education Privacy (@cdeprivacy)
- Elana Zeide (@Elana Zeide)
- Collected Publications from the SPI
(I’m sure I’m forgetting people, but the above list should give you a solid starting point).
- For information on student data breaches, see the Education category of my other site, DataBreaches.net, and see Doug Levin’s excellent site, the K-12 Cybersecurity Resource Center (@K12CyberMap ).
- You can also follow me on Twitter @PogoWasRight