Regulating student data privacy – issues for policymakers

notes from ‘The Policymaker’s Guide to Student Data Privacy’ from the Future of Privacy Forum (published: April 2019)

As data breaches and privacy issues continue to capture public attention, it’s up to policymakers to develop thoughtful approaches to student data privacy: legislation, rules, policies, and technical safeguards that protect student data and can adapt to a quickly evolving technological environment” (p.2)


School data is increasingly recognised as a matter for government regulation and policymaking. As is often the case in educational policy, the US has taken a lead in addressing these issues – especially in wake of the In-Bloom school data controversy of 2014.

At a Federal level, the two laws that most readily address issues of student privacy predate recent concerns over digital forms of school datafication. The most substantial of these is the Family Educational Rights and Privacy Act (FERPA) – introduced in 1974 to guarantee parental access to their children’s education records, while also restricting other parties to whom schools can disclose students’ education records without consent.

Significantly, FERPA’s definition of ‘education records’ stretches beyond information directly related to individual students collected by the school, and also includes records maintained by other educational agencies and ‘parties acting on their behalf’. Regulators enforcing FERPA have the authority to prohibit schools from working with third parties that are deemed to have violated these criteria, and/or withhold federal funds from offending education institutions.

 Aside from FERPA, student data also comes under the aegis of the Federal ‘Children’s Online Privacy Protection Act’. This aims to restrict the information that can be collected from children under the age of 13 by providers of websites, apps and games. Similarly, some state-level general privacy laws also have a broad enough scope to apply (albeit unintentionally) to school contexts. These often include state-level ‘Electronic Communications Privacy’ and ‘Consumer Privacy’ acts

Tellingly, most direct steps to address issues of student data privacy have been taken by State government legislators. These policies and interventions usually take one of two approaches. First is the regulation of schools and state-level education agencies. These acts tend to set out what is considered permissable forms of data collection, alongside requirements for thesecurity, access, and uses of student data – including how access to student data may be granted. A second approach has been to also regulate companies that collect and use student data – covering similar stipulations regarding (un)acceptable data practices.

Policymakers are finding a continued need to draft and redraft such policies. As such, the FPF report concludes with a list of issues to consider – all of which resonate with similar efforts in countries such as Australia. These issues include:

  • Recognising public concerns over maintaining school safety through digital/data surveillance. Amidst general concerns over the mis-use of student data, a substantial proportion of teachers, parents and the public also hold concerns over maintaining school safety and security. Policymakers need to be mindful that there is likely to be pushback against any regulation that is perceived to restrict student data uses related to surveillance and monitoring. 
  • Unintended restriction of the activities of school vendors and third-party services. Policies that are phrased in a broad manner run the risk of inadvertently curtailing the activities of benign actors who are working in schools. For example, restrictions on the sharing of ‘biometric information’ might impinge on the taking of class and yearbook photographs. Banning the sale of student data might inadvertently include student data in transcripts sent to colleges. School-related studies by academic and student researchers might also be impeded.
  • Unintended consequences of increased parental rights. Student data policies often include increased rights for parents regarding their children’s data -such as opt-in parental consent for student data use. These measures can curtail some potentially beneficial uses of student data – especially when schools interpret these laws in a risk-adverse manner. The FPF report cites instances of schools shying away from printing news stories about local football teams and publishing yearbooks.
  • The need for well-defined guidelines for school data governance and security. The FPF report highlights the need for policies to clearly define formal roles for school officials to play in terms of data management and monitoring. It is also important to clearly set out limits on the access, disclosure and use to existing school data, as well as how new forms of data can be collected, stored, accessed, and used.
  • The need to support student data policies with adequate provision for school staff.  Finally, the FPF report highlights the need for policymakers to ensure that any new laws are supported by with adequate provision for training school staff expected to implement privacy protections. The report raises the best practice in Utah, which requires an annual course for educator relicensure. An underlying aim of any policy implementation should be to develop a culture of data awareness and data privacy within schools.