Student data privacy: a few final notes

The student data privacy blog posts (one and two) continue to generate responses and conversations. This final post on this topic—for now at least—will tie up a few loose ends and provide a few resources for readers interested in more information on the topic.

Bob Moore of CoSN (the Consortium for School Networking) reminded me that CoSN has been doing extensive work on this topic, including some with the Data Quality Campaign. See this page for lots of information provided by CoSN on this topic. Bob also noted in particular the Security Questions to Ask of An Online Service Provider.

Two states have good information regarding security issues on their websites. Virginia has a good video (and some other info) on its federated data system. Also, Arkansas has done quite a bit of work on its security policy and security best practices. H/t to Rachel Anderson of DQC for these additional resources.

iNACOL recently published a federal update, House of Representatives Introduces Privacy Law. From the iNACOL summary:

"On Wednesday, July 22, the US House of Representatives introduced legislation to update the Federal student privacy law. Congress passed the Family Educational Rights and Privacy Act (FERPA) in 1974 and has not updated it since. Many education advocates agree that FERPA needs a rewrite for the digital age. (snip)

H.R. 3157 updates FERPA to account for digital age learning models, such as students taking online courses from external providers, and online storage of student educational records. For example, the bill permits schools to disclose student information without parental consent to a third party provider to which the school has outsourced institutional services or functions.

It maintains FERPA’s current provisions regarding parental inspection, review, and correction of student records, and keeps the allowable disclosure of student “directory information” in place. It requires educational institutions to have data security protections in place, including a response plan in the event of a data breach.

This measure does not allow providers to advertise or market a product or service but does allow providers to use personally identifiable information to develop, diagnose, or deliver services to improve a student’s academic outcomes. For example, the provider could use personal information to inform students about courses that would meet their academic needs, or be able to use feedback from the student to improve services."

Finally, the New York Times reminds us that perhaps Stolen Consumer Data Is a Smaller Problem Than It Seems. According to the story, “only a tiny number of people exposed by leaks end up paying any costs, and for the rare victims who do, the average cost has actually been falling steadily.” Still, I’m not sure if that’s much consolation to a parent whose children’s identifying information is stolen, and as the article goes on to state, “Even if the hackers don’t use your credit cards, there are instances in which leaked data of other kinds can be damaging in itself.”