Comments on proposed regulations for NYS student privacy law Education Law §2-d

Comments on proposed regulations  for NYS student privacy law Education Law §2d

March 27, 2019

PDF version here.

Submitted by the Parent Coalition for Student Privacy, New York State Allies for Public Education and Class Size Matters by email: [email protected]

 Proposed regulations posted here: http://www.nysed.gov/common/nysed/files/programs/student-data-privacy/proposed-part-121-for-pii.pdf

Deadline for comments March 31, 2019

Summary:

  • In the Parent Bill of Rights, the following federal laws that afford parents and their children important rights to privacy must be included: Protection of Pupil Rights Amendment (PPRA), National School Lunch Act   (NSLA) and Children’s Online Privacy Protection Act (COPPA) .  Each of these laws provide parents with rights to protect their children’s personal data and is inexplicable why they have been omitted from the NYSED Parent Bill of Rights and the Student Privacy website for so long, especially as Education Law §2-d states that the Parent bill of rights  shall include all “State and federal laws [that] protect the confidentiality of personally identifiable information.
  • The Education Law §2-d also states that “The chief privacy officer, with input from parents and other education and expert stakeholders, shall develop additional elements of the parents bill of rights for data privacy and security. The commissioner shall promulgate regulations for a comment period whereby parents and other members of the public may submit comments and suggestions to the chief privacy officer to be considered for inclusion.”  This clause should be included in the regulations as over time there will likely be more threats to student privacy as districts contract with additional vendors collecting personal student data in digital form.
  • The personal information of former students and former teachers as well as current students and teachers should be explicitly protected and covered by the regulations.
  • The state should not be collecting the personally identifiable data on individual students regarding to their country of birth or their in-school or out-of-school suspensions, given the extreme sensitivity of this data.  If necessary, both categories of information can be reported to the state by districts in an aggregate basis and if the state is worried about its accuracy, this reporting should be audited.
  • The regulations omit  specific provisions in  Education Law §2-d, including that school districts shall not report to the department the following student data elements:(1) juvenile delinquency records;(2) criminal records;(3) medical and health records; and(4) student biometric information unless required by law except in the case of law or required educational enrollment data.  This should be added.
  • The words “license” should be added to the section on the Parent Bill of Rights and in the section on prohibiting the selling of data by districts or their vendors.  The latter provision should read as follows “Personally identifiable information maintained by educational agencies, including data provided to third-party contractors and their assignees, shall not be sold, licensedor used for marketing purposes.” There is no significant difference between selling and licensing data, and yet College Board exploits an unacceptable loophole, claiming they so not sell student data but instead “license” it for a fee to other companies and organizations, even as the US Department of Education points out that they are really selling it.
  • Each educational agency should publish its data security and privacy policy on its website and provide notice of these policies to parents, not just to employees.
  • Vendors who collect personal information of students on behalf of school districts must be responsible for making sure that their children’s data is available to parents upon request and correcting errors if challenged.
  • In order to receive personal student information,  vendors must have written contracts with education agencies or else all the specific requirements outlined in the law and the regulations for these contracts could be evaded.  This is implied in the law and the regulations but  it should be clearly stated.
  • Education agencies should be required to post all contracts with vendors that receive personal student data or make them available within a limited period of time upon request, including which categories of personal student data the vendors are collecting and how parents may request access to that data. Education agencies should also have to explain why they are providing vendors access to this data and what is the educational purpose for this access.
  • Breach notification to parents and affected parties should be carried out by snail mail and email; not phone calls, which are too difficult to verify and track.
  • The regulations should incorporate all the powers and responsibilities of the Chief Privacy Officer as stated in Education Law §2-d; right now many are omitted from the proposed regulations, including the responsibility to issue an annual report on data breaches and improper data disclosures, as well as the results of investigations into parental complaints.  This annual report should include information on how many districts are complying with the law, and providing the required training of staff in data privacy and security.  A deadline for the completion and release of this annual report should also be specified in the regulations.

More detailed comments are below.

§121.1 Definitions

 p. 6; lines 54-55:

 (o) Student means any person attending or seeking to enroll in an educational  agency.

Add: “or a former student” who must also be covered under the law.

lines 56-57:

(p)  Student Data means personally identifiable information from the student records of an educational agency.

Add: “or collected by vendor on behalf an educational agency.”

§121.2 Educational Agency Data Collection Transparency and Restrictions.

p. 7 – important to add:

d) No educational agency shall disclose personally identifiable information to any contractor or third party without a contract or written agreement that specifies its use and the conditions under which it will be kept private and secure.

This is implied – that contracts or written agreements are required but never explicitly stated in the text of the regs.

Also need to add from Ed Law §2D but missing in the regs:

e) Except as required by law or in the case of educational enrollment data, school districts shall not report to the department the following student data elements:(1) juvenile delinquency records;(2) criminal records;(3) medical and health records; and(4) student biometric information.

§121.3 Parents Bill of Rights for Data Privacy and Security

p. 7lines 92-93:

(a) Each educational agency shall publish on its website a parent’s bill of  rights for data privacy and security (“parent’s bill of rights”) that complies with the  provisions of Education Law §2-d (3).

The above should include the State Education website which currently lacks any mention of four prominent and critical applicable federal student privacy laws, including PPRA, IDEA, COPPA and NSLA.

Lines 115-116:

(4) if and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected .

The word “if” above should be deleted.   According to FERPA, parents and eligible students have the right to challenge the accuracy of any of the personal data that pertains to them.

p. 9, line 121:

(6) address encryption of the data as provided in Education Law §2-d 5(f)(5).

The mode of encryption should be spelled out as it is on p. 14 – Section 121.9

Also add: These contracts shall be posted on the agency’s website or be available upon request within 30 days.

And:  For each contract, information should be included as to whether parents may opt out of the specific data disclosure and if so, how they may do so.

§121.5 Data Security and Privacy Standard.

p. 10, lines 153-155:

(a)As required by Education Law §2-d (5), the Department adopts the National Institute for Standards and Technology Framework for Improving Critical  Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies.

As NIST Framework is updated regularly in order to respond to new cybersecurity threats, the regulations should say that these requirements may themselves be updated regularly.

lines 163-164:

c (1) every use of personally identifiable information by the educational agency shall benefit students and the educational agency (e.g., improve academic achievement, empower parents and students with information, and/or advance efficient and effective school operations).

The word “disclosure” should be added to the above; so that it reads “every use AND DISCLOSURE” of personally identifiable information.

p. 11 lines 169-172:

2(d) An educational agency’s data security and privacy policy shall include all  the protections afforded to parents or eligible students, where applicable, under FERPA and the Individuals with Disabilities Education Act (20 U.S.C. 1400 et seq.), and the  federal regulations implementing such statutes. 

It is important to add the protections granted under federal laws PPRA, NSLA and COPPA here as well as include them in the Parent Bills of Rights..

Lines 173-174:

2 (e) Each educational agency must publish its data security and privacy policy on its website and provide notice of the policy to all its officers and employees.

Add: “and to all parents.”

§121.6 Data Security and Privacy Plan.

Line 189:

4 comply with Education Law §2-d.

 Add: “or collected by vendor on behalf an educational agency.”

 §121.9 Third Party Contractors

p. 13 lines 217-218

A 2) limit access to personally identifiable information to only those employees or sub-contractors that need access to provide the contracted services

ADD: these sub-contractors shall be specified in the contract.

lines 221-223:

(4) except for authorized representatives of the third-party contractor such as  a subcontractor or assignee to the extent they are carrying out the contract and in compliance with state and federal law, regulations and its contract with the educational agency, not disclose any personally identifiable information to any other party:

Question: how does this differ from (2) above?

lines 231-234

(5) maintain reasonable administrative, technical and physical safeguards to  protect the security, confidentiality and integrity of personally identifiable information in  its custody as prescribed by state and federal law, regulations and its contract with the  educational agency;  

“Reasonable” has no substantive meaning here; it should instead say “industry best practices”

p. 14; lines 239-241:

(7) not sell personally identifiable information nor use or disclose it for any  marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.

Add the word “license” after sell – i.e. “not sell or license PII”

§121.10 Reports and Notifications of Breach and Unauthorized Release

lines 258-259

(d) Educational agencies shall report every discovery or report of a breach or unauthorized release of student or teacher data to the Chief Privacy Officer without unreasonable delay, but no more than 10 calendar days after such discovery .

 This seems to repeat the same words as in (b) above, lines 253-253; see below:

(b) Each educational agency shall in turn notify the Chief Privacy Officer of 252 the breach or unauthorized release no more than 10 calendar days after it receives the 253 third-party contractor’s notification in a format prescribed by the Department

p. 15, line 261:

(e) Educational agencies shall notify affected parents, eligible students, teachers and/or principals in the most expedient way possible ….

Add:  former students should be informed to the degree possible if their PII has been breached

lines 275-281 etc.:

(g) Notifications required by this section shall be clear, concise, use language 275 that is plain and easy to understand, and to the extent available, include: a brief 276 description of the breach or unauthorized release, the dates of the incident and the 277 date of discovery, if known; a description of the types of personally identifiable 278 information affected; an estimate of the number of records affected; a brief description 279 of the educational agency’s investigation or plan to investigate; and contact information 280 for representatives who can assist parents or eligible students that have additional 281 questions .

ADD: Notifications shall also include what actions affected individuals can take to mitigate the damage from the breach, as well as what actions the party responsible for the breach will take to mitigate the damage.

p. 16: lines 283-284:

(h) Notification must be directly provided to the affected parent, eligible student, teacher or principal byfirst-class mail to their last known address; by email; or by telephone.

Notification should occur by email AND first-class mail; not by telephone as there will be no record of the message and thus no proof of whether it occurred.  Also former students should be notified as well if their PII is breached.

§121.12 Right of Parents and Eligible Students to Inspect and Review Students Education Records

lines 350-351:

(c) Requests by a parent or eligible student for access to a student’s education records must be directed to an educational agency and not to a third-party contractor.

 ADD: “and the educational agency shall arrange for the records to be delivered to the parent or eligible student.”

  1. d)Educational agencies are required to notify parents annually of their right  to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.

ADD: or any student data stored or maintained by a contractor on the agency’s behalf.

  • 121.13 Chief Privacy Officer’s Powers

pp. 19-20

There are many more powers and responsibilities enumerated of the CPO in Section 2D of the Education Law than those mentioned here. These should all be included here,  including the responsibility to issue “ an annual report on data privacy and security activities and progress, the number and disposition of reported breaches, if any, and a summary of any complaints.” 

This report for the previous school year should be released to the public and posted on the State Education Department website by Jan. 1 of each year, and made available upon request to any interested party.  All of the following  functions of the Chief Privacy Office included in Education Law §2-d should be incorporated into the regulations:

b.The functions of the chief privacy officer shall include, but not be limited to:

  1. (1) promoting the implementation of sound information practices for privacy and security of student data or teacher or principal data;(2) assisting the commissioner in handling instances of data breaches as well as assisting the commissioner in due process proceedings regarding any alleged breaches of student data or teacher or principal data;(3) providing assistance to educational agencies within the state on minimum standards and best practices associated with privacy and the security of student data or teacher or principal data;(4) formulating a procedure within the department whereby parents, students, teachers, superintendents, school board members, principals, and other persons or entities the chief privacy officer determines is appropriate, may request information pertaining to student data or teacher or principal data in a timely and efficient manner;(5) assisting the commissioner in establishing a protocol for the submission of complaints of possible breaches of student data or teacher or principal data;(6) making recommendations as needed regarding privacy and the security of student data on behalf of the department to the governor, the speaker of the assembly, the temporary president of the senate, and the chairs of the senate and assembly education committees; and

    (7) issuing an annual report on data privacy and security activities and progress, the number and disposition of reported breaches, if any, and a summary of any complaint submitted pursuant to subparagraph five of this paragraph.

    c. The chief privacy officer shall have the power to:

    (1) access all records, reports, audits, reviews, documents, papers, recommendations, and other materials maintained by an educational agency that relate to student data or teacher or principal data;

    (2) to review and comment upon any department program, proposal, grant, or contract that involves the processing of student data or teacher or principal data before the commissioner begins or awards the program, proposal, grant, or contract; and

    (3) any other powers that the commissioner shall deem appropriate.

Submitted by the Parent Coalition for Student Privacy, NYS Allies for Public Education and Class Size Matters

For more information, please contact [email protected]

 

Here’s how to check your student’s school-issued GSuite account.

by Cheri Kiesecker

Google defends Gmail data sharing, gives few details on violations-Reuters

With mounting concerns about school safety, screen addiction,  screen time’s known health and brain effects, increase in internet crimes against children, along with hyper focused national attention on data misuse, location tracking, breaches, Gmail data sharing, and data privacy–what about schoolchildren?

As this Google Transparency Project explains, Google is promoting itself via GSuite products and Apps into many classrooms across America (and the globe).  What is Google doing with student data?  Why is Google allowed to track Location, Voice Activity, Web & App Activity, Device Information, YouTube videos Searched and Watched of K-12 school children? How are these data being used and shared?

What data are being collected and stored (and shared?) via your child’s school issued Google GSuite account? We’ll show you how to start checking.

In August of 2018 Missouri Education Watchdog wrote this article detailing how one Springfield, Missouri family, discovered that their school district’s Google’s GSuite platform was collecting and storing surprising amounts of personal data about students and, apparently even storing information from parents’ and family members’ personal accounts (family members’ passwords to banking, work, shopping, bills).  Others reported on this issue here and here.

Missouri Education Watchdog recently followed up with a story highlighting a group of parents and educators asking to stop online advertisements to students.  The blog documents many pop ads (some very inappropriate) that students are receiving when logged into their school accounts, including recommendations from YouTube (owned by Google) and Apps available in the Google Play Store.

We wonder, how many parents have seen and agreed to these Terms of Service for your student to use GSuite at school?

—-PARENTS, HAVE YOU EVER SEEN AND AGREED TO THIS NOTICE?

Since reporting on this issue, we have been contacted by parents across the country who have reported similar experiences and many have raised questions on how to check their child’s school issued Google/GSuite account.

None of the parents we have spoken to thus far were shown the Google Terms of Service that their child had to agree to. In fact, many of the students themselves did not see the Terms of Service, either.  Presumably, schools are consenting to the Terms of Service for the children, in place of parents, (as parent agent).

Some parents, when asked if their child could NOT use Google GSuite in school, have been told that if their student does not use the GSuite products (i.e., Google Classroom, Google Drive, Google Docs, or Gmail), it will be impossible for them to attend this school.  Have other parents been told that their child must agree to use GSuite products as a condition of attending their public school?

How do you check settings in your child’s school issued Google GSuite account?

We are posting instructions below that we have found helpful. Your experience may be different, but we suggest parents click on the Learn More links, and any / all links within the Google Account.  Set aside some time–or do it in pieces.  You could take days and still find links, more permissions.  TAKE NOTES or screen shots (hold down Print Screen and Control on your key board).  Interestingly, parents have anecdotally reported that changes they make to their child’s permissions have NOT been saved, have reverted back to allow tracking or syncing, or even back to the original password after they have changed the GSuite password. We would be curious if this is happening to other parents and students. Talk to your school’s IT administrator, share your concerns and findings with others to see if they can replicate.

Start here:

1.–Log into your child’s school Google GSuite  Account.  (Schools sometimes refer to these as Google Drive accounts, or Gmail, or Google Docs… but they are all part of the GSuite package.)

2.–Click on the little circle icon at the top right of the screen (might be a photo of your child, or your child’s initials.).

3.–Click Google Account.

4.–Start looking and documenting.

Below is what you might see if you go to Security Check up and then Activity Controls and then also look at Manage Activity.  Are these tracking permissions turned ON or are they “Paused”? Notice the fine print such as, “activity may be saved from time to time” even if you have Web and App Activity paused.    Maybe that’s why they label it “paused” and not STOPPED or OFF?

https://myaccount.google.com/activitycontrols

YouTube Search History and YouTube Watch History tracking are ON for most students we have spoken to. Ask your school IT admin why this tracking is on. Ask if they will turn this off for ALL students.

YouTube in K-12 schools.

If YouTube Search or Watch is ON for your student, BE SURE to click MANAGE ACTIVITY.  You, and Google, and school administration can see every YouTube searched and watched while logged into GSuite.

Question:  why does GSuite offer YouTube to k-12 students, without parent consent, when YouTube’s terms of service clearly state that users must be 18 years of age or have parent consent prior to using YouTube.

Even more curious:  YouTube Live Chat is apparently available to students.

YouTube Live Chat for students?

This screen shot is from a 12 year old elementary student’s account, when signed into the school issued GSuite account.  Who can communicate with an elementary student via YouTube Live Chat? Why is this offered to students?

Speaking of chats.

Can anyone outside of the school send an email to your child’s school gmail account? Can strangers communicate with school children via Google Hangouts?   Can, as this report from in Australia suggests, total strangers communicate with and potentially groom children via Google Docs or other chats available via GSuite and Google Apps?

Given that the FBI recently warned that,  EdTech could present unique exploitation opportunities for criminals….and could help child predators identify new targets”,  the ability for strangers to potentially contact k-12 children, via school issued GSuite accounts would seem a legitimate security concern.

Connected Devices.

The FBI warning also mentions using device information to track children:

Inter-connected Networks and Devices

“EdTech connected to networked devices or directly to the Internet could increase opportunities for cyber actors to access devices collecting data and monitoring children within educational or home environments.”

More Questions:

Does Google consider a Device/IP address as personal information? Why do devices (regardless of whether it is a Chromebook or Mac, or Windows or cellphone) sync and stay signed-in even after logging out?

When checking Account Activity in the student’s Google Account, even with Location tracking and Device tracking “paused,“ and after logging out of GSuite account after every use, this 13 year old student still had 11 devices “signed-in”, complete with device information and location. (Many of these were home or family personal devices that the student had logged into to complete homework.)

Logging out is not enough?

Students must Remove the Device, after every use, in order to not be signed in.  Do schools, parents, teachers, students know this?

Who else has access to your child’s GSuite Account?   Check Apps and Third Parties.

Why should Google allow third party access /connections to school children’s shopping habits, social media, etc? Does your child’s GSuite account link to any third party shopping services?

————————————————————————

Check if passwords are set to Auto-Save, Auto Sign-In. See what passwords have been saved in your child’s account.

There’s plenty more to look at, but this should get you started. Let us know what you find.

Thanks to the federal student privacy law FERPA being weakened in 2011 and 2008, a student’s personal data can be shared outside of school walls, without parents’ knowledge or consent. The data can be shared and analyzed by government agencies, nonprofits, businesses, researchers, and edtech companies who can further share with third parties, (or even sell student data), or used for advertising to students.

If you are concerned, talk to your school administrator, your legislators. Ask for strong student data privacy, security, transparency laws that allow opt-in consent, enforceable penalties and private right of action, like those passed in Europe (GDPR) and California (CCPA).

Privacy Bills by State Chart

Privacy Bills by State Chart

State Bill Description
Arizona HB 2088 (2016)

 

Survey notification, consent & transparency
SB 1314 (2017)

 

SOPIPA (Student Online Personal Information Protection Act); opt-out of technology
Arkansas HB 1241 (2015)

 

Restricts disclosure of student data to the US Department of Education; (PARCC delay, but not included in this analysis)
HB 1961  (2015) SOPIPA (Student Online Personal Information Protection Act)
HB 1793  (2017) Creates a panel to study statewide longitudinal data systems (SLDS); establishes Chief Privacy Officer (CPO) & Chief Data Officer (CDO)
California AB 1584 (2014) Contract requirements for cloud-based data storage services
SB 1177 (2014) SOPIPA (Student Online Personal Information Protection Act)
SB 2799 (2016) SOPIPA (Student Online Personal Information Protection Act) – preschool & prekindergarten
AB 2097 (2016) Prohibits collection of Social Security numbers
Colorado HB 1294 (2014) Student Data Accessibility, Transparency & Accountability Act
HB 1423 (2016) SOPIPA (Student Online Personal Information Protection Act); contract & on-demand provider requirements
Connecticut SB 949 (2015) Development of a statewide longitudinal data system (SLDS); state agency data security & breach in written agreements
HB 5469 (2016) SOPIPA (Student Online Personal Information Protection Act); contractor & operator requirements
HB 7207 (2017) Delay implementation of CT SOPIPA (Student Online Personal Information Protection Act)
HB 5444 (2018) Weakens transparency and data deletion of CT SOPIPA (Student Online Personal Information Protection Act)
Delaware SB 79 (2015) SOPIPA (Student Online Personal Information Protection Act)
District of Columbia B21-0578 (2016) SOPIPA (Student Online Personal Information Protection Act); (1-to-1 devices, but not included in this analysis)
Florida SB 188 / HB 195 (2014) Restricts collection of sensitive information; makes disclosure of Social Security numbers voluntary
Georgia SB 89 (2015) SOPIPA (Student Online Personal Information Protection Act); Student Data Accessibility, Transparency & Accountability Act
Hawaii SB 2607 (2016) SOPIPA (Student Online Personal Information Protection Act)
Idaho SB 1372 (2014) Student Data Accessibility, Transparency & Accountability Act
Illinois 105ILCS 10/2 Disclosure of student records: permanent vs. temporary
HB 3527 (2016) School social media privacy protections
SB 1796 (2017) SOPIPA (Student Online Personal Information Protection Act)
Indiana HB 1003 (2014) Statewide longitudinal data systems (SLDS) data accessibility, restrictions, & oversight
Iowa HF 2354 (2018) SOPIPA (Student Online Personal Information Protection Act)
Kansas SB 367 (2014) General student privacy act
HB 2008 (2016) SOPIPA (Student Online Personal Information Protection Act)
Kentucky HB 232 (2014) Cloud-computing services requirements
Louisiana HB 1076 (2014)

 

(originally HB 946)

Collection & disclosure of personally identifiable information; contract service
HB 1283 (2014) Written agreement transparency & requirements
HB 718 (2015) Prohibits predictive modeling by contractors
SB 270 (2016) Requires data sharing for enrollment verification
Maine LD 59 (2014) Adds privacy protections to some private schools
LD 454/SP 183 (2015) SOPIPA (Student Online Personal Information Protection Act)
LD 1276 (2015) Restricts sensitive data collection & dissemination via state assessments
LD 678 (2017) Student Social Security numbers; collection and deletion
LD 1616 (2017) Adds permitted disclosures to ME SOPIPA (Student Online Personal Information Protection Act)
Maryland HB 298 (2015) SOPIPA (Student Online Personal Information Protection Act)
SB 1165 (2017) Extends the amount of time education and workforce data are linked in the statewide longitudinal data system (SLDS)
HB 568 (2018) Limits access to student data in the statewide longitudinal data system (SLDS); requires development of security plan
Michigan SB 33 (2016) Student data transparency; limits selling student data; gives opt out to certain directory information disclosures
SB 510 (2016) SOPIPA (Student Online Personal Information Protection Act)
Missouri HB 1490 (2014) Student Data Accessibility, Transparency & Accountability Act
Nebraska LB 512 (2017) SOPIPA (Student Online Personal Information Protection Act)
Nevada AB 221 (2015) Transparency, Security; & Contracted Services
SB 463 (2015) SOPIPA (Student Online Personal Information Protection Act)
New Hampshire HB 1587 (2014) Restricts collection of student data for the statewide longitudinal data system (SLDS), & disclosure of student data
HB 206 (2015) AN ACT establishing a committee to study non-academic surveys or questionnaires administered by a public school to its students and relative to non-academic surveys or questionnaires given to students
HB 322 (2015) Requires development (but not implementation) of security plan
HB 507 (2015) Protection of teacher personally identifiable information; & classroom video recording
HB 520 (2015) SOPIPA (Student Online Personal Information Protection Act)
HB 301 (2016) Establishes a committee to study statewide longitudinal data systems (SLDS)
HB 1497 (2016) Exception for college entrance exams (ACT/SAT)
HB 1372 (2016) Allows video & audio recording of students
HB 275 (2017) Prohibits inclusion of statewide exam results in transcripts without consent
SB 43 (2017) Non-academic surveys & questionnaires
HB 1551 (2018) Retention & deletion of Individualized Education Program (IEP) data
HB 1612 (2018) Strengthens NH SOPIPA (Student Online Personal Information Protection Act); adds security, & digital badges
New York AB 8556 (2014) Strengthens NH SOPIPA (Student Online Personal Information Protection Act); adds security, & digital badges
North Carolina SB 815 ( 2014) Student Data Accessibility, Transparency & Accountability Act
HB 632 (2016) SOPIPA (Student Online Personal Information Protection Act)
North Dakota SB 2326 (2015) Statewide longitudinal data system (SLDS) development & oversight; authorized employees who may access student data
Ohio HB 487 (2014) Statewide data system safeguards
Oklahoma HB 1989 (2013) Student Data Accessibility, Transparency & Accountability Act
Oregon HB 2655 (2015) Privacy standards; (exam opt-out, but not included in this analysis)
SB 187 (2015) SOPIPA (Student Online Personal Information Protection Act)
Pennsylvania HB 1606 (2016) Student data collection reduction; & establishes a data advisory committee
Rhode Island H 7124 (2014) Cloud computing services requirements; & social media privacy
South Dakota SB 63 (2014) Survey requirements & restricts student data disclosure to USED
Tennessee HB 1549 (2014) Student Data Accessibility, Transparency & Accountability Act
SB 1835 (2014) Prohibits commercial use, & disclosure of student personally identifiable information to the US Department of Education
HB 1931  / SB 1900 (2016) SOPIPA (Student Online Personal Information Protection Act)
HB2690 / SB2029 (2018) Mental health screening notification
Texas HB 4046 (2015) Student record confidentiality
HB 2087 (2017) SOPIPA (Student Online Personal Information Protection Act)
Utah HB 68 (2015) Mandates student privacy study & Chief Privacy Officer (CPO)
HB 163 (2015) Student data breach requirements
HB 358 (2016) SOPIPA (Student Online Personal Information Protection Act) contracted services requirements; prohibits collection of Social Security numbers
SB 102 (2017) Create list of authorized employees who may access education records; requires privacy training
SB 163 (2017) Weakens UT SOPIPA (Student Online Personal Information Protection Act) contracted services requirements; targeted advertising & national assessment provider (ACT/SAT) exceptions
SB 207 (2018) Amends UT SOPIPA (Student Online Personal Information Protection Act) contracted services requirements; revokes national assessment provider (ACT/SAT) exceptions
Virginia SB 242 (2014) Higher education ban on selling student data
HB 1334 (2015) State Department of Education breach notification
HB 1698 (2015) Restricts surveys & questionnaires
HB 2350 (2015) Establishes a security plan, group & Chief Privacy Officer (CPO)
HB 1612 (2015) SOPIPA (Student Online Personal Information Protection Act)
HB 519 (2016) Expands VA SOPIPA (Student Online Personal Information Protection Act) definitions
HB 749 (2016) Weakens VA SOPIPA (Student Online Personal Information Protection Act)
HB 750 (2016) Weakens VA SOPIPA (Student Online Personal Information Protection Act) with a college & career assessment (ACT & SAT) exception
HB 524 (2016) Confidentiality of student & teacher data held in teacher personnel files
SB 438 (2016) Higher education social media privacy
SB 951 (2017) Amends VA SOPIPA (Student Online Personal Information Protection Act) with providing student access to personal information
HB 1 (2018) Limits disclosure of PII in Freedom of Information requests
Washington State SB 5419 / HB 1495 (2015) SOPIPA (Student Online Personal Information Protection Act)
West Virginia HB 4316 (2014) Student Data Accessibility, Transparency & Accountability Act
HB 4261 (2016) Amends WV Student Accessibility, Transparency, Accountability Act to include state assessments’ (ACT & SAT) use of student data
Wyoming SF 79 (2014) Development of a student data security plan & report
HB 08 (2017) Implementation of student privacy & security guidelines

Press Release: New Report Card Grades Each State On How Well it Protects Student Privacy

For immediate release: Wednesday, Jan. 23, 2018

For more information contact: Rachael Stickland, [email protected]; 303.204.1272

 

In the first of its kind, the Parent Coalition for Student Privacy and the Network for Public Education have released a report card that grades all fifty states on how well their laws protect student privacy.

The State Student Privacy Report Card analyses 99 laws passed in 39 states plus DC between 2013 and 2018, and awards points in each of the following five categories, aligned with the core principles put forward by PCSP: Transparency; Parental and Student Rights; Limitations on Commercial Use of Data; Data Security Requirements; and Oversight, Enforcement, and Penalties for Violations.

Two more categories were added to the evaluation: Parties Covered and Regulated and Other, a catch-all for provisions that did not fit into any of the above categories, such as prohibiting school employees from receiving compensation for recommending the use of specific technology products and services in their schools.

No state earned an “A” overall, as no state sufficiently protects student privacy to the degree necessary in each of these areas. Colorado earned the highest average grade of “B.” Three states – New York, Tennessee and New Hampshire– received the second highest average grade of “B-“.  Eleven states received the lowest grades of “F” because they have no laws protecting student privacy: Alabama, Alaska, Massachusetts, Minnesota, Mississippi, Montana, New Jersey, New Mexico, South Carolina, Vermont and Wisconsin.

The report tracks specific versions of state laws over time.  For example, many of the state privacy laws enacted since 2013 were modeled after the California’s 2014 law known as the Student Online Personal Information Protection Act (SOPIPA). While California barred all school vendors from selling student data, eight states subsequently passed laws that allowed the College Board and the ACT to do so.  Laws with specific loopholes to allow  these companies to sell student data were enacted in Arizona, Colorado, District of Columbia, Nebraska, North Carolina, Texas, Utah and Virginia –presumably because of lobbying efforts.

The issue of data security is also critical.  The primary federal student privacy law known as FERPA requires no specific protections against data breaches and hacking, nor does it require families be notified when inadvertent disclosures occur.  In recent years, the number of data breaches from schools and vendors have skyrocketed, and some districts have even been targeted by hackers with attempted blackmail and extortion.  A recent report rated the education industry last in terms of cybersecurity compared to all other major industries.  As a result, this fall the FBI put out an advisory, warning of the risks represented by the rapid growth of education tech tools and their collection of sensitive student data,  saying that this could “result in social engineering, bullying, tracking, identity theft, or other means for targeting children.”

“The inBloom debacle in 2013 exposed the longstanding culture of fast and loose student data sharing among government agencies, schools and companies,” said Rachael Stickland, co-chair of the Parent Coalition for Student Privacy, parent of two public school children in Colorado and the primary author of the report. “Consequently, parents across the nation began urging their state legislators to address the problem, resulting in a complex web of state privacy laws that are difficult to untangle and understand. Our hope is to bring attention to state laws that make a reasonable effort to protect student privacy and identify those that need improvement. Parents and advocacy groups can use our findings to advocate for even stronger measures to protect their children.”

NPE Executive Director Carol Burris noted, “This report card provides not only critical information regarding the existing laws, but also serves a blueprint for parents to use for lobbying for better protections for their children.”

As Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, pointed out, “FERPA was passed over forty-five years ago and has been weakened by regulation over time to allow for the sharing of personal student data by schools and vendors without parent knowledge or consent.  State legislators have stepped up to the plate to try to fill in some of its many gaps and to require more transparency, security protections, enforcement, and the ability of parents and students to control their own data. Yet none of these laws are robust enough in each of these areas.  Congress must strengthen and update FERPA, but meanwhile, this report card can serve as a guide to parents and advocates as to which state laws should be strengthened and in which specific ways.”

An interactive map that shows the grades of each state, both overall and in each of the categories is posted here. The report is posted here ; here is a technical appendix with a more detailed account of how each law was evaluated.   There is also a downloadable matrix with links to all of the state laws, as well as specifying how many points were awarded in every category.

###

Sign up for our free Jan. 20 webinar on how educators can better protect their students’ privacy — and their own

A few weeks ago, it was reported that the personal information of 500,000 San Diego students, former students and school staff was exposed in a massive breach. At about the same time, education institutions and organizations were rated as the worst sector for cybersecurity in a 2018 report.

We invite you to join us for a short webinar on Jan. 20, with important tips on how teachers and district/school staff members can better protect their students’ privacy of and their own.

We will be offering guidance along with Marla Kilfoyle of the Badass Teachers Association from our  Educator Toolkit for Teacher and Student Privacy, released this fall. Educators will receive a certificate of participation. Don’t miss out! Space is limited!

When? Sunday, January 20 from 6-7 PM EST (3-4 PST). We’re saving lots of time for questions!

How? Sign up here – it’s free!

We hope to see you on the 20th.

Leonie Haimson  and Rachael Stickland
Co-Chairs, Parent Coalition for Student Privacy

www.studentprivacymatters.org