Fordham Law


Education Data: Privacy Backlash Begins

Joel Reidenberg in Information Week, April 26, 2013

Media Source

As increasing amounts of student, class and school data are captured and analyzed, some people have started to sound alarms about potential privacy violations and other kinds of misuse.

"I think it's totally illegitimate to take kids' data without parental consent," said Leonie Haimson, a parent activist and executive director of Class Size Matters, a nonprofit organization that wants smaller classes in New York City's public schools and the nation as a whole. "If these exact same records were in a doctor's office or hospital, it would be illegal to collect them without parental consent," she told InformationWeek in a phone interview. 

Haimson has taken special aim at inBloom, a nonprofit startup funded by the Bill & Melinda Gates Foundation and the Carnegie Corporation of New York that seeks to be a vendor-neutral data service to collect student data gathered in many different software systems and services.

Haimson and others worry inBloom and other efforts using student data -- such as the Ed-Fi Alliance, the Michael and Susan Dell Foundation-funded education data integration initiative -- may ultimately feed sensitive, personally identifiable information to for-profit companies. They also worry about accidental release of the data through, for example, hacking.

For its part, inBloom states in its FAQ that the company "has no ownership of student records." It continues: "Neither inBloom nor any other participating agency or vendor may sell or share confidential student data" unless "authorized by a state or district with legal authority over those student records."

[ For another take on student data issues, read Hope Battles Fear Over Student Data Integration. ]

Vendors of data collection, analysis and sharing platforms in education routinely say they are sensitive to privacy concerns. Personally identifiable information (PII) is programmatically anonymized for this very reason, they say.

But the critics aren't convinced.

"You can always put it back together, nothing is really ever anonymized," said Sheila Kaplan, who has been monitoring regulations around student directory information for years. Kaplan's website, Educationnewyork.com has become a clearinghouse for news and information about the topic.

Suspicions also involve the specific types of data being collected.

For example, Haimson wonders why inBloom needs to collect so much "incredibly individualized data," including a student's address, disciplinary history and special-needs status.

In April, InformationWeek asked inBloom about reports that its data set would include social security numbers. An inBloom spokesperson responded:

inBloom discourages districts and states from storing social security numbers in our data service; instead we agree with the industry-wide best practice many school districts and states have of assigning a unique student ID number that is separate from the student's social security number. That said, it's ultimately up to each school district or state to decide whether or not they track and store student social security numbers.

"That's a cop-out," Joel R. Reidenberg, a law professor and founding academic director of the Fordham Center on Law and Information Policy at Fordham University School of Law, told InformationWeek in a phone interview. "InBloom includes [the social security number] as a data field, and if they didn't include it, schools would have to use something else. The choice of data fields is a policy decision."

Separately, inBloom has said its data privacy and security protections exceed Family Educational Rights and Privacy Act (FERPA) requirements. FERPA is a decades-old federal law that protects the privacy of student education records and provides parents certain rights to their children's education records.

But FERPA itself has been the target of privacy activists.

A lawsuit, filed by the Electronic Privacy Information Center in January against the U.S. Education Department, argues that its 2011 regulations undercut student privacy and parental consent in FERPA. The suit contends the changes effectively allow individuals, and both private and public entities, access to student records.

"EPIC has brought some very strong claims," Reidenberg said. And however the EPIC suit is decided, states will start to enact restrictions on student data collection and sharing, Reidenberg predicted, because FERPA lacks any recourse rights for children or their parents.

"Data breaches are going to happen," he said, noting that even in the heavily regulated financial services industry, which spends substantial amounts of money on information security, "data exposures happen on a regular basis."

Perhaps because of the growing outcry, the Department of Education's chief privacy officer recently issued informal guidance on FERPA and student privacy.

But, if data privacy objections prompt new rules or regulations, will that will stunt the use of data-driven technologies in education? We asked Cameron Evans, Microsoft's national and chief technology officer of U.S. education, for his opinion.

"We do see some uses of student data that need to be addressed and foreclosed, including advertising and marketing uses by cloud service providers," Evans said in an email response. He also wrote: "We can enable data-driven technologies in learning by being fully transparent with schools on how we use the student data we collect, and most importantly, ensuring our schools that this data will never be used for commercial interests unrelated to the IT services we are providing them and their students."

But some critics are skeptical about the stated goals of educational data collection per se, which proponents claim is entirely around improving student performance through technology.

"No, I don't think their goal is to improve education," Kaplan said. "It's to make money."

Likewise, Haimson rejected the heralded benefits of data collection, sharing and analysis in education.

"We're not fooled by the PR spin about a 'tech revolution in learning,'" she said. "There's no proven value to any of this stuff -- no research to show any of this stuff works." The real goal of theses high-tech projects, she declared, is simply to get cut costs by getting rid of teachers and putting larger and larger classes online.

What change might satisfy Haimson?

"Opt-in would satisfy me," she said, referring to parental opt-in to collect or use PII by the school or third parties.

But Reidenberg was dubious an opt-in mechanism would solve the problem. "The complexity and sophistication of the data uses would make it difficult for the average parent to know what they're consenting to," he said.