Michigan Lawmakers Seek To Protect Student Data

Due to the influx of technology in the classroom, many lawmakers are taking precautions to protect the personal information entered in by students.

by Lori Higgins, Detroit Free Press / November 30, 2015
An app rating system would evaluate educational applications based on how they handle student data. Marcus Kwan on Flickr

(TNS) -- The apps your kids use at school. The software that helps them improve their reading skills. The consultant who helps analyze test scores.

Chances are they all have access to some information about your child. Now, Michigan lawmakers want to make sure no one can sell that personally identifiable information or use it and students' online behavior to target them with advertising. It comes in the form of three bills now before legislators in the Michigan House.

It's a welcome effort to parents like Tammy Luty of Farmington Hills.

"Technology use ... is here and it's staying and it's the wave of the future," said Luty, the federal legislative chair for the Michigan PTA, which is urging lawmakers to pass legislation. But "there's nothing regulating student data privacy."

Luty testified this fall before the House Education Committee, saying she has become increasingly concerned about the privacy of information about her three children, who are in the third, eighth and 12th grades.

Who owns the data? Who owns the reports her children write? How long will the information be stored and saved? Will this information later be released or shared, and possibly impact them when applying for college or a job? Those are all questions she raised, particularly as many online services used by schools are run by third-party companies.

Many states are starting to address the issue. In 2013, only one state had a law targeting student data privacy. Today, there are 33 states with laws, and many others have bills winding their way through state legislatures, said Rachel Anderson, senior associate for policy and advocacy at the Data Quality Campaign, a Washington-based nonprofit that advocates for the effective use of education data.

At issue is the voluminous amount of information contained in a student's education record. The record may vary from student to student, but generally includes the student's name, parents' names, address, birth date, gender, grade level, race, residency status and a unique identification number. It can also include test scores, disciplinary information, an attendance record, report cards, progress reports and medical information.

Schools have been collecting this information for years, but the potential for abuse is greater as students engage in online learning and parents access attendance information, grades and classroom assignments online. Some programs need personal student information to allow teachers to create classroom assignments, communicate with students and allow students to communicate with each other online.

The absence of federal and state guidelines means it's left up to school districts to police themselves. And while some have strict guidelines, others have no rules on what teachers or others are looking at and no agreements surrounding the privacy of online student data, Anderson said.

While the federal Family Education Rights and Privacy Act sets some guidelines and the federal protects the privacy of children under 13 when they're using commercial websites and online services, neither addresses the growing use of technology in schools.

Laws must be modernized to better protect student information, the national PTA said in a recent statement.

Two bills before the Michigan Legislature target third-party companies that work with schools and have access to student data. They wouldn't be able to sell that information or use it to target advertising at students.

Another bill would bar school districts, the Michigan Department of Education (MDE) and the state Center for Educational Performance and Information (CEPI) from selling student information. The state agencies would have to be transparent about the information they collect, and school districts would be required to provide that information if parents ask.

Officials at both the MDE and CEPI said they already have strict protocols in place to protect student data. CEPI, for instance, outlines online what data it collects and what it does to keep that data private.

"Protecting student privacy and data security has been a CEPI priority ever since it was established in September 2000," said Kurt Weiss, spokesman for the department. "While we will need to carefully review the bills should they pass, we think we’re well-poised to meet their provisions as currently written."

Sen. Phil Pavlov, R-St. Clair, the main sponsor of the two Senate bills, said lawmakers are trying to get in front of the issue.

"More and more of our K-12 educational opportunities are being routed through learning portals, online services and at the very front of this conversation is protecting the privacy of the students that are trying to learn in a safe environment," he said.

The bills are less about fixing existing problems in the state and more about addressing fears and looking ahead, Pavlov said.

A national survey of about 1,000 parents, conducted this spring for the Washington, D.C.-based , found that most parents say they support the use of their child's information if it helps improve teaching and learning. But they want some justification for why the information is necessary, on the survey.

When asked who they're comfortable with having access to their child's records, parents overwhelmingly were OK with principals, teachers, and colleges and universities. But far fewer were comfortable with companies that create educational software, websites and apps having that access.

Pavlov's bills — Senate Bill 33 and Senate Bill 510 — passed unanimously in the Senate earlier this month. A separate bill — House Bill 4894 — is before the House Education Committee. Its primary sponsor is Rep. Jim Tedder, R-Clarkston.

Meanwhile, an effort is afoot to have companies that work with schools sign a pledge promising to safeguard student privacy. So far, more than 200 companies — including Microsoft and Google — have signed on.

But those pledges can't replace the presence of strong laws, Luty said. She cited the example of a company that had a privacy policy in place but went bankrupt. When that happened, the records of millions of students from middle school to college ended up with other companies that bought pieces of the bankrupt company.

Anderson said states rushing to enact student data privacy laws shouldn't treat it as a "check the box and move on" type of issue. "They need to keep revisiting these questions as educational opportunities and technologies change."

Pavlov is already looking ahead, saying the next step is to look at what data is being collected and why.

"Are we collecting this info to benefit vendors? Are we collecting this info to drive test scores and outcomes? And are we using this information in an appropriate, educational way?"

A look at the bills

Three bills before the Michigan Legislature would create new guidelines on student data privacy. Here's a rundown:

Senate Bill 33 (primary sponsor, Sen. Phil Pavlov, R-St. Clair):

  • The Michigan Department of Education (MDE) and the state Center for Educational Performance and Information (CEPI) would be barred from selling any information that is part of a student's education record.
  • MDE and CEPI would have to post on their websites a notice of the information collected for a student's education record.
  • MDE and CEPI would be barred from disclosing any information they collect or create unless it is in accordance with a policy adopted by the State Board of Education or the state budget director.
  • Any contracts MDE and CEPI have with vendors that allow access to education records must contain provisions requiring the vendor to protect the privacy of the records and include penalties for not complying.
  • If a parent or legal guardian requests it, he or she must be notified if MDE and CEPI disclose personally identifiable information about a student to anyone other than the school district, charter school, charter authorizer, preschool or post-secondary institution in which the student is enrolled or was formerly enrolled. The notification must happen within 30 days of the written request of the parent or legal guardian.
  • School districts, charter schools and charter authorizers would not be allowed to sell any personally identifiable information to a for-profit business. The exception is a charter school that has a management agreement with a for-profit educational management organization — if the information is necessary for standardized testing and if the information is necessary to providing educational support services to the student.
  • If a parent or legal guardian requests it, the school district, charter school or charter authorizer must disclose any personally identifiable information that is collected or created and if any of that information has been disclosed to a person, agency or organization.

Senate Bill 510 (primary sponsor, Pavlov):

  • The operator of an Internet website, online service, online app or mobile app is barred from using personally identifiable information to target advertising to students, create student profiles and sell student information.
  • The operator is also barred from disclosing personally identifiable information unless it is done for a handful of allowable purposes, such as responding to a lawsuit.
  • The operator must have security procedures and practices in place to protect personally identifiable information from unauthorized access, destruction, use, modification or disclosure.
  • The operator must delete a student's personally identifiable information if the K-12 school or district requests deletion.
  • The operator may use or disclose personally identifiable information if doing so is required by federal and state law, if it's done for legitimate research purposes or if it's to a state or local educational agency.

House Bill 4894 (primary sponsor: Rep. Jim Tedder, R-Clarkston)

  • The boards of school districts and charter schools must ensure that any contract they enter into for someone to provide access to educational websites or online services spells out that the person is prohibited from selling personal student information or targeting advertising to students.
  • The contract may allow the person to process personal student information to provide, improve, develop or maintain the integrity of the services.

Pledges signed by companies

More than 200 companies nationwide — most of whom provide educational software and online programs to schools — have signed a pledge to protect student data. Here's what the companies pledge:

  • Not to sell student information
  • Not to target advertising
  • Not to change privacy policies without notice and choice
  • To use data for authorized educational purposes only
  • To enforce strict time limits on data retention
  • To support parental access to, and correction of errors in, their children's information
  • To provide comprehensive security standards
  • To be transparent about collection and use of data

What information is collected

The state Center for Educational Performance and Information collects information about students and schools that is used for school funding, accountability, transparency and to analyze education policies and practices. Here are a few examples of the kind of data collected and who submits the data to the state.

Data collected:

  • Student demographics, enrollment, program participation and outcomes
  • School safety practices and incidents of crime
  • School directory information
  • School expenditures and revenues
  • Who submits data?
  • Public K-12 school districts and intermediate school districts.
  • Providers of the Great Start Readiness Program, the state-funded preschool program.

National PTA calls for stronger policies

The national PTA released a statement in October calling for stronger policies surrounding student data privacy. Many of its recommendations are already addressed in legislation introduced in the Michigan Legislature. Here are some other guidelines it says should be part of policies:

Inform parents and families about the relevant federal, state and local laws on student data privacy and security, including consent and notification provisions

Ensure school districts and online service providers' privacy and security policies are clear, easy to read and accessible to all parents and families.

Require school districts to designate a privacy and security officer to ensure compliance with privacy law and coordinate the necessary professional development for teachers, principals and other school employees who handle student data.

Require school districts and online service providers to have policies and procedures in place to effectively handle data breaches, including procedures to notify students, families and educational institutions about the breach.

©2015 the Detroit Free Press Distributed by Tribune Content Agency, LLC.