February 11, 2015
Dear Representatives Polis and Messer:
We write on behalf of the Parent Coalition for Student Privacy, a nationwide network of parents, citizens, and privacy advocates, concerned with the widespread, rampant, and poorly regulated data collection, data-sharing, data-tracking, data-warehousing, data-mining, and commercial exploitation of personally identifiable student information. We thank you for your interest in this important topic and for your ongoing efforts to strengthen student privacy protections.
As you are well aware, parents across the country are increasingly alarmed about the everyday uses and abuses of their children’s personal data. Many parents are only recently learning how much of their children’s most sensitive information is being collected and shared via their schools with commercial vendors, private organizations, state agencies, and other third parties. Though the evidence of the benefits of this widespread collection and disclosure of children’s personal information is weak, the risks are all too evident. Families are mobilizing to counter this virtually unfettered third-party access to their children’s private data, and have demonstrated the effectiveness of their advocacy at the state level.
While we welcome federal legislation to strengthen student privacy protections, we are concerned that this effort may be incomplete, inadequate, or co-opted by special interests. As the tide of opposition to non-consensual capture, disclosure, and re-disclosure of student educational data has grown, various groups have sought to placate parents with various assurances. These assurances, however, are weak, as they fail to deal with student privacy within the framework of fair information practices. The recent voluntary corporate Student Privacy Pledge, for example, was a first step in addressing these issues; but the Pledge has deficiencies and gaps that render it ineffective in addressing our legitimate concerns.
One of our crucial concerns is the current lack of a clear affirmative obligation on the part of schools and districts to notify parents about what student data is being collected, what data is being shared with which third parties, and under what conditions. Another crucial concern is the lack of a clear legal obligation on the part of schools and districts to notify parents about which vendors the schools have authorized to collect information directly from children in class, as schools – not vendors – are the sole contact point for most parents.
Accordingly, we are writing to urge you to draft legislation that deals with educational and student privacy in a more comprehensive and effective manner. Here is a framework that we respectfully ask you to consider:
- All personally identifiable data collected directly from students, by vendors or other third parties, whether collected in school or assigned by teachers in class or for home, should require that the school provide full notification and informed consent to parents, or to the students themselves if they are over age 18. At a minimum, parents should be informed of what data is being collected, the purpose of the data collection, how long the data will be retained and by whom and where, and the security provisions and safeguarding practices utilized by the third party. As pursuant to COPPA, parents must be afforded the right to opt out of any collection of their child’s data, at any time, if they so choose;
- All disclosures of students’ personally identifiable information by schools, districts, and states to third-parties must require parental notification. There must be written agreements specifying the use of the data, and these agreements must be made publicly available. The agreements should also specify that only employees of the company or organization with a legitimate educational interest be allowed to access it, that adequate breach prevention and notification technologies and policies are in place, including levels and standards of encryptions for data in-motion and at-rest, that independent audits be required, and that the third party will assume financial liability for any damages caused by any breach;
- Parents must be afforded the opportunity and ability to inspect any personal student data that is collected, shared, or warehoused, correct if it is wrong, request that it be deleted, and opt out of further collection;
- Parental consent must be required before any school, district or state can share any student data with any third party that includes sensitive information that could harm a child’s future if breached or abused, including but not limited to their grades, test scores, disabilities, health conditions, biometric information, disciplinary or behavior records;
- There should be an absolute ban on selling any student data, including in case of a bankruptcy, merger, or sale of a company, as well as a ban on using personal student data for advertising or marketing purposes, or for developing or refining commercial products;
- There must be protections against schools or vendors creating “learner profiles” of students, whether through “predictive and adaptive analytics” or other measures. These profiles could lead to a student being stereotyped or their chances of future success undermined;
- Absolutely no re-disclosures or repurposing of personally identifiable student information by third parties without informed parental consent should be allowed;
- Tough monitoring and enforcement provisions should be required, including substantial fines to be levied on any school, state agency, nonprofit organization, or third party vendor that violates the law’s provisions;
- A clear private right of action should be created, with parents afforded the right to sue if schools, districts, state agencies, nonprofit organizations, or third party vendors have violated the law and their children’s privacy;
- Each state must publicly report all the data elements being collected for their state longitudinal student databases, as well as publicly report with which governmental and non-governmental third parties they plan to disclose and/or share such data;
- State advisory boards made up of stakeholder groups, including parents, security experts, and privacy advocates, should be created to ensure that these state longitudinal databases collect the minimum amount of personal data necessary, and develop rigorous restrictions on access to such data;
- Any new federal law should recognize the right of states to legislate more robust requirements and provide for more vigorous privacy and security protections. Federal law should therefore not preempt state laws if such state laws are stronger.
Only if these principles and provisions are adopted in a new federal student privacy law will parents be assured that the unregulated and irresponsible trafficking of personal student data will have been adequately addressed. We thank you for your leadership on this important issue and stand ready to work with you and your colleagues to ensure that a strong, workable federal student privacy law is enacted as soon as possible.
Yours sincerely,
Leonie Haimson and Rachael Stickland
Co-chairs, Parent Coalition for Student Privacy