Data Privacy Legislation Scrutinized in NASBE Report

The tangle of data privacy regulation for education is heating up as state and federal lawmakers increasingly consider laws intended to protect students. Last year 187 bills in 48 states were introduced that touch on some aspect of student data privacy, up from 110 in the previous year; 34 states have passed new laws on student data privacy; and the United States Congress has seven bills under consideration related to the topic. Simultaneously, the Every Student Succeeds Act (ESSA) calls for states to use "evidence-based interventions" in order to improve school performance. That evidence is generated through education research, which in turn requires access to student data. What's a state to do?

A new example-rich report from the National Association of State Boards of Education (NASBE) offers guidance to state policymakers worth considering before they take action. Report author Amelia Vance, NASBE's director of education data and technology, has been immersed in the subject for two years, providing technical assistance to policymakers in five states, holding meetings attended by representatives from over 30 states, publishing analyses on student data privacy, and speaking with "nearly every state education agency" on the topic, as well as compiling every state law, policy and regulation that deals with education data privacy.

Vance has condensed what she's learned into seven lessons, shared in "Policymaking on Education Data Privacy: Lessons Learned."

State boards of education (SBEs) are well positioned to be the responsible parties for ensuring "purposeful collection and use of data." Currently, in 36 states the state board has some level of authority over education data privacy; in 18 states, the SBEs write data collection policy. As Vance wrote, "Many state legislators recognized that SBEs are well placed to protect student privacy. Boards can work directly with parents and educators by holding public hearings and creating committees, and they can respond quickly to changing technologies by developing regulations, guidance and best practices."

Stating the value of data, especially to parents, is essential. If parents don't understand why data is being collected or how it's used, they'll simply "demand that the data not be collected at all," Vance wrote. She advised SBEs and other policymakers to use their public "bully pulpits" to explain the value of student data to parents and others.

Building trust requires being transparent. Achieving transparency about what data is being collected and why requires more than "long and complicated" privacy policies, the report stated. Vance quoted from a 2014 article by education journalist Audrey Watters, who offered some obvious ways to improve transparency on school Web sites, such as "using clear language, avoiding jargon when talking about data and privacy policies, and keeping the information up to date." Also important: providing the means for the parent to contact the appropriate person within a school or district with questions.

Early-adopter SBEs influence the laws that come after their own. Most of the states that have enacted student data privacy laws in the last two years have modeled their regulations on two primary sources, wrote Vance: Oklahoma's Student DATA Act and California's Student Online Personal Information Protection Act (SOPIPA). That may turn out to be good or bad, the report suggested, depending on unintended consequences resulting from reuse of these early laws.

Legislation needs to be continually improved. For example, California's SOPIPA, which went into effect in January 2016 to regulate how student data may be used by companies, bans "targeted advertising," but doesn't define what that means. As laws in other states modeled on SOPIPA are written, they need to address areas of confusion in their own versions to "adequately balance privacy and data use in education and ensure implementers fully understand policymakers' intent."

Student data privacy laws can cause "unintended harms," and SBEs need to be positioned to address problems. The report, which gave a great deal of attention to this topic, cited the example of New Hampshire. In 2015 the state passed a law that required teachers and teacher candidates to get written approval from the school board, parent and supervising teacher before video recording themselves in class. School districts were required to hold public hearings before video recordings could be made. Because video recordings are often used for professional development purposes and to get education faculty feedback, the state's current and future teachers were left in confusion regarding how to maintain their credentials or fulfill their course requirements. "It is essential for all data privacy legislation to be vetted with a fine-toothed comb for vague language that may unnecessarily restrict the positive use of data," wrote Vance. "SBEs are ideally placed to fix these problems."

Because human error is the biggest factor in privacy violations, training is essential. Of the 300-plus bills that have been introduced over the last couple of years related to data privacy, "few mention training," noted Vance. Policymakers need to take those aspects under consideration too and make sure the funding and resources are available to deliver training.

"Data privacy will be ever more important as education becomes more personalized and dependent on technology," the report concluded. "By taking advantage of the current spotlight on privacy and using it to make positive changes that balance privacy and good data use, state boards can improve education and create a system where the appropriate use of data can help all children succeed."

The 16-page report is freely available on the NASBE Web site.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.