State policymakers introduced 110 bills on student data privacy in 36 states this session, with 30 of them passing both houses and 24 being signed into law, according to an analysis by the Data Quality Campaign. Four companion bills were not signed into law because they did the same thing that their counterparts did in the other house, and two bills in California are still on the governor's desk for review.
These bills tackled biometric, social and personal information, and they generally fall into two types of approaches: governance and prohibitive. Some bills included a mix of both types, but the ones that focused more on data governance tended to make it into law, said Rachel Anderson, associate for policy analysis and research at the Data Quality Campaign.
"A lot of the bills that are going to have the greatest impact in states are those that are looking very carefully at the value of data and really looking at what the state can be doing with the data to help students," Anderson said.
Quite a few states built off of each other's language, and the Idaho, Colorado and West Virginia bills are based on Oklahoma's HB 1989 that passed last year, Anderson said. Colorado's new law, HB 1294, requires the state's Department of Education to publish both an index of the types of data they use and privacy policies that lay out who has access to the data and what students' and parents' data rights are. It also requires the creation of data retention and destruction policies and guidance for school districts and staff about data use.
In West Virginia, HB 4316 mandates that the state's Department of Education publish a data inventory, privacy policies and procedures, and a data security plan, among other things. The bill also establishes a data governance manager position appointed by the state superintendent that will be responsible for the department's privacy policy.
This flurry of legislative action stems from a number of incidents and activities in the last year that have driven the public to associate data with bad things, said Thomas Murray, state and district digital learning director at the Alliance for Excellent Education, who testified before Congress on student data privacy in June. These incidents include a high-profile Target breach, the National Security Agency "spying" incident, and increased awareness of school and state collection of student data for accountability purposes. As a result, parents and legislators have been looking for answers about what happens with their children's data.
With more schools and states contracting with online education companies, legislators saw a need to lay out practices and procedures for these contracts, particularly with the news that Google mined student email for advertising purposes until earlier this year. Twelve new state laws spell out what those third-party contracts need to include, established procedures for security breach notification and data deletion, and prohibited companies from advertising to and selling data from students.
"The good thing that we've seen is that the bills haven't been overarching to the point of limiting classroom instruction," said Murray, a former classroom teacher, principal and technology director.
While schools need the services that these education technology companies provide, they also need to ensure that the student data stored on them is protected. In light of these new laws, Murray recommends that technology directors and other administrators do the following:
- Review third-party contracts carefully to identify how student data will be kept secure and what happens to student data when the contract ends.
- Educate teachers so they understand how to keep sensitive data secure and within the guidelines of privacy legislation including the federal FERPA law.
While many bills went through state legislatures this year, Anderson cautioned that student data privacy will pop up in the next legislative session as lawmakers take a closer look at issues such as biometric data. Many of the 14 states with new laws that address biometrics will have to deal with it again in the future as they consider ways that special education programs use biometric data with students.
"Privacy is not a one-time activity," Anderson said. "This is going to be an ongoing conversation for states, and an important one."