Squaring the Student Data Privacy Law Triangle

Education providers and government agencies collect data - that is a given. However, students and parents expect that providers will only collect what is necessary and that the data they do collect is treated with appropriate levels of privacy. So, when the government is found to have shared that data with private sector companies, it rightly raises questions about best practice in guarding student data.

Failure to Secure Data Exposes Students

It was revealed at the end of January 2020 that the Department for Education (DfE) had allowed a third party to access data from the Learning Record Service (LRS) database. The database contains information on 28 million students in England, Wales and Northern Ireland taking part in further education and work-based learning. The data breach was uncovered by The Sunday Times which reported that student data was accessed by a company that used the data for age and identity verification services for its clients; this included gambling businesses. The LRS provides students over the age of 14 with a Unique Learner Number (ULN) to create a Personal Learning Record (PLR), which stores information about the student and their awards. This data should only be accessible to students or education providers wanting to validate student qualifications or awards. It appears that this was not the case and the data was accessed by a third party using a registered learning provider.

The amount of data being collected by learning providers on behalf of education authorities is growing. Schools and government agencies have always collected a wide array of data on student activity and progress, without which they would not be able to accurately report on student progress and attainment. In recent years we have seen a favouring of evidence-based approaches within England to support pedagogy decision making. This approach is based on the collection of student data and school inspections. However, organisations such as the LRS are starting to leverage data in support of other services. The LRS positions itself as offering “a suite of IT products that support the government’s digital strategy and the principle to create once and share multiple times with users across the education sector”. While this helps to reduce reporting demands on institutions and provides students and education providers with a single source of truth, access needs to be controlled.

Yet there are growing concerns about the use of this data. A 2019 survey by Jisc, a not-for-profit company which supports post 16 and higher education with advice, digital resources and networking services found that less than a third of university students agreed that they were told how their personal data is stored and used. Is there a gap developing in the oversight of how this data is used? There are certainly less independent bodies from the Department of Education that have a view on this. The Local Education Authorities have much less of a role now than they previously have and the removal of Becta allowed schools more freedom to pursue their own approaches to technology, but this also disregarded the importance of an independent body with responsibility for policies on school technology. While the DfE provides advice on keeping data safe through toolkits such as the Data protection: a toolkit for schools document, increasingly schools are being tasked to self-regulate.

The US Experience

The problem is not confined to the UK. In the US student data is highly prized as it is tightly regulated. Student data is protected by two federal legal frameworks: the Family Educational Rights and Privacy Act of 1974 (FERPA) and the Children’s Online Privacy Protection Act (COPPA) of 2000. FERPA covers institution-maintained records containing personally identifiable information (PII) of students; it was adopted in response to what was seen at the time as growing evidence of the abuse of student records across the nation. COPPA applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services exist to protect student information.

Both FERPA and COPPA contain grey areas over the collection and use of student data which came to light in 2013 when a data warehouse project called inBloom was launched. inBloom was aimed at standardising the collection of student data and storing it in a secure cloud offering. However, the data would be made available to enterprises to aid the development of and marketing of products. The push back from students, parents and privacy advocate groups was so strong that states withdrew from the project, forcing it to eventually end.

In response to inBloom states have introduced their own laws to close the gaps in existing legislation. California was the first state to address this through the Student Online Personal Information Protection Act, (SOPIPA). SOPIPA prohibits an operator of an internet website, online service, online application, or mobile application from knowingly engaging in targeted advertising to students, their parents or legal guardians, using covered information to amass a profile about a K–12 student, selling a student’s information, or disclosing covered information.

SOPIPA has been adopted by other states but some have gone further. In 2015 the state of Georgia introduced the Student Data Privacy, Accessibility and Transparency Act. The Act requires certain third parties that receive student-generated content as a result of K-12 school purposes to implement certain security practices and prohibits them from engaging in targeted advertising, selling student data, building profiles on students, or sharing student data except under limited circumstances. The Act creates a Chief Privacy Officer within the State Department of Education, whose primary responsibility consists of ensuring department-wide compliance with all student data privacy, security laws and regulations.

Since 2013, states have introduced 125 state laws covering student data privacy, an indication that states are trying to patch gaps in existing legislation to protect student data. However, this has created a patchwork of complex and difficult-to-follow set of privacy laws, making it difficult to define best practice education that institutions should follow. This has also done nothing to stop the development of a market in providing student data for marketing purposes. In 2018 Fordham Law School Centre on Law and Information Policy (Fordham CLIP) released a study which looked at how marketplaces for student data had grown, despite the raft of legislation aimed at controlling the collection and access of student data. The study found “student lists are commercially available for purchase on the basis of ethnicity, affluence, religion, lifestyle, awkwardness, and even a perceived or predicted need for family planning services”.

The legal landscape is set to become more complex. Currently working its way through the US legislative system is The College Transparency Act (CTA). The CTA would create a student unit record system to track student performance at specific colleges and universities across America, which in turn would allow new and potential students and their families to more readily compare programs across institutions. Advocates of the Act say it is not qualitatively different from other federal data collection efforts and is a less onerous method of collecting the same data. The Act would also help students to make better choices about where best to invest in their education. Opponents argue that such record-keeping would be a violation of federal privacy law and would present significant privacy concerns. Both sides agree that there is a need for better information to aid students and there needs to be more transparency in how much data is being collected, for what purposes and how this data will be kept secure.

What can be Learnt from the LRS and US Cases?

In comparison to England where the trend is much more on self-regulation, the US has many more laws governing the use and access of student data. However, this has not stopped private sector enterprises from accessing and collecting student data for commercial purposes. There are growing calls for greater transparency into data collection and for allowing students and parents to have greater access to their data. At the same time, governments want to collect data so they can provide a better view on student progress and outcomes, which helps education providers to better tailor courses. They also want to be able to reuse this data either to provide assurance of qualifications gained or entitlement to services.

So how to square the triangle? It is important to ensure strong protection of PII but this needs to be balanced against any legitimate educational use of student data. This will be a key challenge that needs to be addressed in 2020. Creating a central pool of personally identifiable information (PII) on students and opening this up to authorised parties, combined with poor data security policies, insufficient privacy controls or data misuse, will only lead to poor outcomes for students. Neither over-regulation nor self-regulation have been proven to work. There needs to be a balance between the two extremes, and this cannot only be arrived at by government, vendors, schools and students sitting down and talking through what is acceptable, what is not and how to deliver it.

What can vendors do to help? Students, parents, educators and government agencies must rely on the combined power of effective regulation and oversight with technology, such as authentication services and encryption to ensure that student data is protected and to maintain compliance with data legislation. Governments also need to engage better with industry leaders to help shape guidelines and policies tailored towards usage guidelines.

About the author

Chris Pennell

Chris Pennell is a Principal Analyst for Futuresource Consulting, leading Futuresource’s research across the Connectivity and Services practice. His research focuses on emerging technologies transforming enterprises' use of AV solutions.

Chris's recent research covers areas such as the shift to IP-connected devices, the use of managed and cloud-based services, and the impact of Pro AV solutions on the Future of Work. Working with various vendors and end users has enabled Chris to explore and build knowledge of the innovative ways enterprises use AV technologies to address ongoing challenges. Outside work, Chris is happiest helping raise his young family and supporting his local Scout troop.