Protecting Students’ Privacy in the Data Age

By Matthew Saleh, J.D., M.S.

Since the widespread adoption of Response to Intervention (RTI), public schools have increased the amount of information they gather on students in special education, raising concerns among some about the safety and privacy of your child’s records.

In fact, the practice and the concerns are not limited to special-education students. Many schools, districts, and state education departments have begun collecting massive amounts of general education data, including contact information, student characteristics, standardized test scores, grades, disciplinary data, and curricular planning.

The purpose of all this information gathering is to improve your child’s education: RTI requires “student-centered” data for intervention, screening, and referral, while broader data collection aims to provide research-based learning standards for the general student population.

Both state and federal laws have requirements about the collection, maintenance, and reporting of student special education data, but the question is how effective those regulations are, and whether they are robust enough to protect the privacy of your child.

Implementation Snafus

When it comes to answering those questions, the jury is still out. But privacy advocates agree that red flags abound, including a general lack of oversight. Many state and local education departments subcontract with independent data-management services to carry out their data-gathering programs. In these instances, some schools or districts are not directly overseeing the maintenance or security of student information.

A recent audit of the New York City Department of Education’s Special Education Student Information System (SEIS) revealed serious concerns about the security and protection of student data.

The broader the scope of data collection by schools, the greater the potential for hiccups in the process. Among the most blatant concerns are situations such as the following:

  • It is not uncommon for schools to provide student files, parental correspondence, or other documents to a parent who is not authorized to receive such information.
  • Human errors can—and do—result in writing the wrong student’s name on an evaluation or entering student data incorrectly.
  • Budget cuts and fiscal constraints may result in cutting corners on properly protecting data from unauthorized viewing or usage.

The U.S. Department of Education has even noted that “significant confusion in the education field surrounding what are permissible disclosures of personally identifiable student information from education records” has occurred. While the federal government is taking steps to clarify where and how student data should be stored and disseminated, the fact remains that there is significant inconsistency in data systems between schools, districts, and states.

Privacy Protection

The Family Education Rights and Privacy Act (FERPA) is the leading federal law protecting the privacy of personally identifiable information from student education records.

Generally, schools must have written permission from the parent or eligible student (18 years or older) to disclose any personally identifiable information from that student’s education record.

FERPA allows schools to disclose personally identifiable information from student educational records without consent under certain limited circumstances (e.g., a health and safety emergency, “directory information” not considered harmful to student privacy, or for the purposes of audit or evaluation).

In addition, FERPA requires that information about the dissemination of student information be kept in student records. In other words, records must show what information was disclosed, when it was disclosed, and to whom. Parents and eligible students must be able to obtain information on such disclosures.

Bottom Line

The general rule is that parents must be consulted about the dissemination of student data. Regulations are currently in the works that would increase the penalties and enforcement frameworks for wrongful dissemination of student information.

Parents should not hesitate to exercise their right to know when, where, and to whom their child’s data has been provided. However, until the data systems themselves are subjected to greater oversight and legal enforcement, it seems that problems of security and collection are likely to persist.

Matthew Saleh is a Research Fellow at Cornell University’s Employment and Disability Institute and a Research Associate at the Campaign for Educational Equity at Teachers College, Columbia University. He received his J.D. from the Syracuse University College of Law and is currently a doctoral candidate at Columbia University.