Draft legislation seeks to update federal data privacy law to cover both education institutions and third parties.
A proposed amendment to the Family Educational Rights and Privacy Act (FERPA) would expand parental rights, set record handling guidelines for third parties and education institutions, and establish penalties for failing to follow the guidelines.
Several dozen organizations received a draft copy of the proposal on Monday, April 6, from two congressmen in the U.S. House of Representatives' Committee on Education and the Workforce. Bobby Scott (D-Virginia) and John Kline (R-Minnesota) asked groups including the Data Quality Campaign to share the draft with their networks and provide feedback on it.
As staff members at the Data Quality Campaign analyze the draft, they're looking for at least three things: Strong baseline protection for student information, clear-cut guidance for education administrators and an acknowledgement of the need for data training. They're also considering how this proposed legislation compares to the Children's Online Privacy Protection Act and draft legislation from Reps. Jared Polis (D-Colorado) and Luke Messer (R-Indiana) that circulated in March.
"With our increasing reliance on technology and information to more personalize learning in the classroom for students, there are new policies and laws that we need to take a look at," said Paige Kowalski, vice president of policy and advocacy at the campaign. "But we need to get it right because we don't want to unnecessarily limit the potential of those same tools."
In taking a closer look at this 35-page draft, which affects both K-12 and higher education institutions, it clearly spells out the responsibilities of education institutions and agencies to give parents access to their students' educational records when requested. This parental access applies to both local and state education agencies. Education institutions can decide how quickly they will respond to these requests, but can't take more than 30 days to fulfill them.
Through a hearing, education institutions also must allow parents to challenge and correct records, and add an explanatory note if applicable. And they need parental consent to release records to third parties that contain personally identifiable information other than directory information such as names.
The legislation also included a long list of specific exceptions to the parental consent rule, including for relevant education processes, legal investigations and emergencies. Notably, an education service provider qualifies for an exception as long as they comply with the security practices, written agreement and access requirements outlined in the bill.
The draft proposal requires education agencies to establish security practices that protect student records and personally identifiable information. In turn, they have to hold third parties to at least the same information security standards.
Along with strong security practices, the legislation would require education agencies to enter into a written agreement with a third party before sharing any information, and specify what that information is and how it will be transferred. This agreement would prohibit third parties from sharing information with others except for approved subcontractors mentioned in the agreement and federal law compliance. And it would also guarantee the security of that information and establish penalties for security breaches.
The third component of sharing data with third parties is providing access to appropriate people. That includes keeping the same or better privacy protections in place as educational institutions have, establishing a process to challenge records and maintaining records of access requests.
If third parties break any of these requirements, then the education agency would not be allowed to transfer personally identifiable information to them for at least 12 years. Likewise, both third parties and education agencies face fines of $2,000 per student up to a maximum of $500,000 for violations, and federal funding for guilty schools could be cut.
As education leaders look at this draft legislation, it's important to search for four different things, Kowalski said.
1. Increased protections for student data. By identifying these increased protections, administrators will be able to communicate to parents how they're safeguarding student data. This proposal includes a number of situations where schools need to notify parents of what data they're sharing, who has access to their data and what their rights are under this amendment. They also need to give parents time to opt out of information sharing, including the sharing of directory information.
2. Additional burdens or responsibilities the bill places on school administrators. For example, education agencies would be required to designate an official to handle education record security, and would also need to keep a record of who has access to students' records and why they're interested in them.
3. Limits on the ability to use tools and resources schools need to provide a quality education to students.
4. Compatibility with existing state privacy laws.
What would you add or take away from this draft?