United States: Student Data Protection In An Era Of Education Technology Innovation

Reaching a Congressional Consensus Will Likely Require Additional Deliberation

During the current 114th U.S. Congress, a variety of House and Senate bills have been introduced that propose different approaches to addressing the growing bipartisan concern about protecting the privacy of student data (below, "Personally Identifiable Information" or "PII"). The bills address PII maintained by public and private educational institutions and state educational agencies and, in some cases, PII maintained or accessible by technology service providers or other third parties doing business with these educational entities.

Consensus regarding how and whether to increase federal mandates and penalties concerning protection of PII has not yet been reached, but awareness exists that student PII, whether for K-12 students or older, is becoming increasingly vulnerable to unauthorized disclosure or misuse, in particular for marketing purposes. Another concern is that the Family Educational Rights and Privacy Act (FERPA)—the primary federal statute designed to protect private student information—may not be adequate to respond to technological changes in how PII is stored, shared and accessed, although how and whether to amend FERPA to address this concern is far from settled.

As summarized in this Alert, the congressional proposals introduced thus far take very different approaches, including establishing a study commission to develop legislative proposals with the input of the government and the private sector; imposing additional regulation on K-12 technology service providers; and strengthening and updating FERPA, with or without enhanced governmental and private enforcement mechanisms to incentivize compliance by educational institutions and service providers.

Approach 1: Establishment of a Study Commission

The Every Child Achieves Act of 2015 (S. 1177, the bill reauthorizing the Elementary and Secondary Education Act/No Child Left Behind), passed in the Senate in July with an amendment that would establish a "Student Privacy Policy Committee" made up of congressional, federal, state, local and private representatives; experts in education technology, data storage and student privacy; and educators and parents. The Committee would study the effectiveness of current federal laws and enforcement mechanisms to protect student privacy and parental rights relating to student information and develop recommendations regarding how to improve and enforce federal laws. Specifically, the Committee would:

  • Examine whether there is a need to provide or update standard definitions for terms related to student privacy, including: "(i) education record; (ii) personally identifiable information; (iii) aggregated, de-identified, or anonymized data; (iv) third-party; and (v) educational purpose";
  • Identify which federal laws should be updated and the appropriate federal enforcement authority to execute such laws;
  • Address data sharing in an increasingly technological world, including evaluating protections in place for student data when it is used for research purposes; establishing best practices for any entity that is charged with handling, or that comes into contact with, student education records; ensuring that identifiable data cannot be used to target students for advertising or marketing purposes; and establishing best practices for data deletion and minimization;
  • Discuss transparency and parental access to personal student information by establishing best practices for ensuring parental knowledge of any entity that stores or accesses their student's information; parental rights to amend, delete or modify their student's information; and the designation of a central contact in a state or a political subdivision of a state who can oversee transparency and serve as a point of contact for interested parties;
  • Establish best practices for the local entities who handle student privacy, which may include professional development for those who come into contact with identifiable data; and
  • Discuss how to improve coordination between federal and state laws.

Not later than 270 days after the date of enactment, the Committee would prepare and submit a report to the Secretary of Education and to Congress containing the findings of the study.

A House counterpart to S. 1177 passed in the House in July. This bill, H.R. 5, or the "Student Success Act," contains a "sense of Congress" provision, stating that the Secretary of Education has the responsibility to ensure every entity receiving federal funding under the Act holds PII in "strict confidence" and states that the Secretary should review regulations and ensure all PII is protected. The House bill, therefore, appears to urge the Secretary to more vigorously enforce current law.

In sum, both S. 1177 and H.R. 5 advocate a relatively modest approach to protecting student data privacy. These approaches would avoid establishing a new federal regulatory regime for student data privacy. The bills need to be conferenced, and it remains to be seen whether the proposals will make it into the final law in any form.

Approach 2: Target Operators Providing Certain Technology Services to K-12 Educational Institutions

Another approach, which takes direct aim at online applications used or designed and marketed for K-12 education purposes, is set forth in a bill pending in the House Education and the Workforce Committee and the House Energy & Commerce Committee. The Student Digital Privacy and Parental Rights Act of 2015, H.R. 2092 [Rep. Messer (R-Ind.) and Rep. Polis (D-Colo.) co-sponsors], a counterpart to S. 1788, applies to any entity (other than an educational agency or institution) that operates Internet websites; online services, such as cloud computing services; online applications; or mobile applications that are used for K-12 purposes and were designed and marketed for K-12 purposes (defined as "operators" in the Act). The legislation would, among other things:

  • Prohibit an operator of a school's Internet or online service that is designed and marketed for K-12 educational or administrative purposes from presenting students or parents with targeted advertisements that are selected based on information obtained or inferred from students' online behavior, use of online or mobile applications or PII about the students. (The proposed Act would exempt from these prohibitions online advertisements that are contextually relevant and selected based on a single visit or session of use during which the advertisements are presented, provided that information about the students' online behavior is not collected or retained over time.)
  • Prohibit an operator from selling students' personal information to third parties or collecting student information to create a personal profile or for purposes unrelated to educational instruction, school collaboration or administrative activities.
  • Require operators to implement information security procedures and a process for responding to data breaches; to notify the Federal Trade Commission (FTC) and students, parents, educational agencies or institutions, school officials or teachers of unauthorized acquisitions of, or access to, personal information; and to delete certain student information that is not required to be maintained by the school within 45 days after a request from an educational agency, institution or student's parent, or within one year after the operator ceases to provide the service.
  • Require operators to disclose publicly the types of personal information they collect or generate, the purposes for which the information is used or disclosed to third parties and the identity of any such third parties.
  • Instruct operators to establish procedures for parents and system users to access and correct certain information.
  • Allow operators to disclose students' information only for certain lawful purposes or pursuant to a process that requires the student's or parent's express affirmative request. It requires an operator to receive the student's or parent's request before providing transcripts for admission to an institution of higher education or to a potential employer.
  • Provide authority to the FTC to enforce the Act and treat violations as unfair or deceptive acts or practices under the Federal Trade Commission Act.

Approach 3: Amend FERPA to Strengthen Student and Parent Protections and Enhance FERPA Enforcement Mechanisms

The remaining approaches all involve proposed amendments to FERPA.

1. The Student Privacy Protection Act, H.R. 3157 [Rep. Rokita (R-Ind.), Rep. Fudge (D-Ohio), Rep. Kline (R-Minn.) and Rep. Scott (D-Va.)] was introduced on July 22, 2015, and referred to the House Education and the Workforce Committee. The bill applies to public and private elementary and secondary schools, local educational agencies and institutions of higher education, as well as to education service providers, defined as any provider, other than a school official or employee, of services developed and targeted to students for an educational purpose, whether specifically marketed to schools, institutions of higher education, educational agency or institutional employees or officials, or other individuals primarily engaged in the provision of educational services. The bill would, among other things:

  • Amend FERPA to strengthen privacy protections for students and parents through expanding parental access rights to information held by an educational agency or institution, or state educational authority, for the purpose of inspecting, reviewing, challenging and correcting information in the education records of minors.
  • Require that an educational agency or institution, and the state educational authority:

    • establish, implement and enforce policies and procedures regarding information security practices that: serve to protect the education records (and PII contained therein) held or maintained by that educational agency or institution, or state educational authority; and require any party that is given access to such education records (or PII contained therein) on behalf of the educational agency or institution, or state educational authority, to have information security practices that serve to protect such records and information;
    • designate an official who is responsible for maintaining the security of education records; and
    • establish a breach notification policy in the case of a breach of the security practices or the release of the education records or information, under which the educational agency or institution, or state educational authority provides notification of the breach or violation to parents in not less than three days of being made aware of such breach and works with the third parties involved with such breach or violation to gather the information necessary to provide such notification.
  • Establish a marketing and advertising ban that prohibits any person with access to an education record or a student's PII contained in the education record from marketing or otherwise advertising directly to students with the use of the information gained through access to such record or information.
  • Prohibit an educational agency or institution or state educational authority from contracting with or entering into an agreement with an education service provider that has a policy or practice of using, releasing or otherwise providing access to PII in the education record of a student to advertise or market a product or service or for the development of commercial products or services.

    • The Act makes exceptions for contracts related to official school pictures, class rings, yearbooks or other traditional school-sanctioned commemorative products, events or activities; for PII that may be used by an education service provider to develop, diagnose or deliver services to improve a student's academic outcomes or to assist an educational agency or institution to develop, diagnose or deliver services to improve a student's academic outcomes; for an educational agency or institution or state educational authority sharing information on educational opportunities offered by such agency, institution or authority; or for a case in which the parent of a student at an educational agency or institution has provided written consent for an educational service provider to utilize PII.
  • Vest enforcement in the Secretary of Education and authorize the Secretary to terminate federal assistance and impose fines on an educational agency or institution, or state educational authority. Fines may be imposed for a failure to voluntarily comply with the law or for a substantial violation of the law (even a single violation). Fine amounts are a minimum of $100 and a maximum of $1,500,000, depending on the severity of the violation, except in no case may such a fine exceed 10 percent of the annual budget of such agency or institution, or authority. The Act states that action to terminate federal assistance may be taken only if the Secretary finds there has been a failure to comply with the law and the Secretary has determined that compliance cannot be secured by voluntary means.
  • Extend enforcement of the Act, with respect to a release of an education record or PII contained therein, which was made by a party that is not subject to a fine by the Secretary (i.e., education service provider and others), by authorizing the Secretary to:

    • refer such violation, and the supporting material for such violation, to the Commissioner of the Federal Trade Commission or the Attorney General for action; and
    • require the educational agency or institution, or local educational agency or state educational authority involved, to prohibit access to such PII by such party (or individuals who worked for or with such party at the time of such violation) for a period of not less than five, and not more than 12 years, as determined by the Secretary.
  • Establish or designate an office within the Department of Education for the purpose of investigating, processing, reviewing and adjudicating violations of this section and complaints that may be filed concerning alleged violations.

2. The Protecting Student Privacy Act of 2015, S. 1322 [Senator Markey (D-Mass.), Senator Hatch (R-Utah) and Senator Kirk (R-Ill.)] was introduced on May 13, 2015, and referred to the Senate Committee on Health, Education, Labor and Pensions. The bill applies to educational agencies and institutions, including local educational agencies, receiving federal funding and to any "outside party"—meaning "a person that is not an employee, officer, or volunteer of the educational agency or institution or of a Federal, State or local governmental agency and includes any contractor or consultant acting as a school official or authorized representative or in any other capacity." Among other things, the bill would:

  • Amend FERPA to prohibit programs administered by the Department of Education from making funds available to any educational agency or institution that has not implemented information security policies that protect PII in education records and require each outside party to whom PII from education records is disclosed to have a comprehensive security program to protect such information.
  • Prohibit such funds from being made available to any educational agency or institution that has a policy or practice of using, releasing or providing access to PII to advertise or market a product or service.
  • Require state agencies receiving such funds, and each educational agency or institution, to ensure that any outside party (including any contractor or consultant acting on behalf of or with the school's authority) with access to such records will: provide parents with access to any PII it holds about their students; provide a process to challenge, correct or delete any inaccurate, misleading or inappropriate data through a hearing by the agency or institution providing the outside party with access; maintain a record of all individuals, agencies or organizations that have requested or obtained access to the education records of a student; and have information security procedures in place.
  • Prohibit funds from being made available to any educational agency or institution, or any state educational agency, unless the agency or institution has a practice that promotes data minimization by meeting requests for student information with non-PII and requires PII held by any outside party to be destroyed when the information is no longer needed for the specified purpose.

It is important to note that the bill's enforcement mechanism is tied solely to federal funds access and would thus place the burden on educational entities to ensure outside party compliance with the law.

3. The Student Privacy Protection Act, S. 1341 [Senator Vitter (R-La.)], was introduced on May 14, 2015, and referred to the Senate Committee on Health, Education, Labor and Pensions. The bill applies to educational agencies or institutions as currently defined in FERPA and defines "student data" as "information about a student collected and maintained by an educational agency or institution, by a person or third party collecting or maintaining such information through the active intervention, facilitation, or authorization of such agency or institution, or by a person or third party acting for such agency or institution."

The legislation would:

  • Amend FERPA to prohibit funding of educational agencies or institutions that allow third parties to access student data, unless:

    • the agency or institution, prior to receiving parental consent, notifies parents of the data that would be accessed, that the data will be made available to the third party only if the parent consents, that the parent has the ability to access and correct inaccurate data and that the agency or institution and the outside party are liable for violations;
    • the agency or institution can ensure that the data cannot be used to determine the student's identity;
    • the student data remains the property of the agency or institution and is destroyed when the individual is no longer served by the agency or institution; and
    • the third party agrees to be liable for FERPA violations.
  • Extend FERPA rights to parents of any students for whom the agency or institution maintains student data, including home-schooled students who do not attend such agency or institution.
  • Remove an exception that currently allows educational agencies or institutions to permit the release of student educational records without parental consent to organizations studying predictive tests, student aid programs and instruction.
  • Require parental consent before authorized representatives under the direct control of the Comptroller General, the Secretary of Education or state educational authorities may access records for audits and evaluations of federally supported education programs administered by state or local public education agencies or institutions, or enforcement of federal legal requirements.
  • Prohibit the Department of Education or fund-receiving educational agencies or institutions from appending student data with PII obtained from federal or state agencies through data matches.
  • Bar funds from being used to track a student's educational and career progression activities or obligate an elementary or secondary school student to involuntarily select a career or related job training.
  • Require aggregation, anonymization and de-identification of student data permitted to be released or collected under various exceptions.
  • Make federal agencies and fund-receiving educational agencies, institutions and third parties that do not comply with FERPA civilly liable for a monetary award to affected persons.
  • Prohibit psychological testing or predictive modeling of behaviors, beliefs or value systems. It would also bar video monitoring or computer camera surveillance without a public hearing and consent of teachers and parents.
  • Prohibit surveys soliciting specified information about students or their families, including information on political affiliation, religious practices or gun ownership.

This legislation would likely place greater responsibility on educational institutions to require compliance with the law by third parties with access to PII and includes a private right of action for violations.

If you have any questions about this Alert, please contact Katherine D. Brodie, Michelle Hon Donovan, Alison Haddock Hutton, John M. Neclerio, any of the attorneys in our Education Practice Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.
