The main federal laws designed to protect student privacy, the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PRPA) have not been updated to keep pace with the Digital Age. The lack of legal protections for our students' personal information that is stored in the cloud has made Ms. Barnes' Student Privacy Bill of Rights a necessity. It enumerates six basic rights for students and I believe that in the age of Big Data, students have "certain unalienable Rights" regarding their personal privacy. The Rights are listed below:
Right
#1 Access and Amendment: Students have the right to access and amend
their erroneous, misleading, or otherwise inappropriate records, regardless of
who collects or maintains the information.
While growing up in the 1980's, I didn't have to worry that everything I said to my classmates and/or teachers would be on my permanent record forever. When I attended elementary, middle, and high school, the primary form of communication was in person, on the phone, and handwritten/typed letters. In college, I recall sending out my first email and then in law school email began to gain traction.
While growing up in the 1980's, I didn't have to worry that everything I said to my classmates and/or teachers would be on my permanent record forever. When I attended elementary, middle, and high school, the primary form of communication was in person, on the phone, and handwritten/typed letters. In college, I recall sending out my first email and then in law school email began to gain traction.
As an adjunct professor at a major
international university, I have noticed that students prefer email as their
primary form of communication outside of class.
Students sometimes make inappropriate remarks in class and/or email. However, students attend school to learn how
to communicate and I believe the content of their school work and their school related
communications should be protected and off limits from data mining. My students and children should be afforded
the same privacy protections I experienced in school without fear that every
single student-teacher and student-student
digital interaction may be used against them in the future.
Right
#2 Focused collection: Students have the right to reasonably limit
student data that companies and schools collect and retain.
Schools, along with their vendors,
and sub-contractors should be limited to what type of data they are able to
collect and retain about students. For
example, some schools require student-athletes to install cyber-monitoring
software onto their personal computers and personal digital media accounts so all
of their online postings may be captured and archived indefinitely. One school vendor was caught a couple years
ago by Time Magazine
abusing its access to personal student data and utilizing their content for advertising
purposes. Therefore, it is imperative
that students have the right to reasonably limit the type of personal
information that is collected and retained about them by companies that
contract with schools.
Right
#3 Respect for Context: Students have the right to expect that companies
and schools will collect, use, and disclose student information solely in ways
that are compatible with the context in which students provide data.
Unfortunately, some companies have
not been honest about the manner in which they collect and utilize personal student
information. Education Week
recently reported that Google is abusing its privilege as a school learning platform
provider because it is using its Apps For Education offering to surreptitiously
data mine student emails for potential advertising.
Whether its through cloud computing,
mobile communication devices, apps, or old school personal computer networks, a
tremendous amount of information is being collected by third parties and this
data is not under the direct control of our schools. Therefore, schools and their vendors must be
required to disclose exactly what is happening to student information that is
stored digitally.
Right #4 Security: Students have the right to secure and responsible data practices
Secure data practices do not happen
overnight and requires cooperation from both schools and their vendors. Professor Dan Solove of George Washington
University has been advocating for years that schools hire chief privacy
officers to educate and provide leadership on these issues. Earlier this year, Prof. Solove told USA Today, “[w]ithout
a privacy officer in schools, there will be no one looking out for privacy
issues,”
Recent high profile data breaches at the University of Maryland
and Indiana University
demonstrates the need for educational institutions to implement policies and
practices that better protect our students' privacy.
Right #5 Transparency: Students have the right to clear and accessible information privacy and security practices.
Transparency is key to fostering successful privacy and security practices. Educational institutions and their contractors need to be required by law to be fully transparent about the type of information they collect, how it is utilized, how long it is archived, and who has access to it. School vendors such as Google who have not been transparent about their privacy and security practices put our students' privacy and personal security at risk. If schools are unable to provide clear and accessible information about their contractors' privacy and security practices, students should have the right to opt-out of participating in a school provided platform that harms their privacy and puts their personal security at risk.
Right #6 Accountability: Students should have the right to hold schools and private companies handling student data accountable for adhering to the Student Privacy Bill of Rights.
FERPA has no private right of action against school vendors. This is a huge
loophole that puts the burden of protecting our children's privacy squarely on
academic institutions even though many schools are ill equipped and
under-funded to do so. New state and/or
federal laws/regulations are needed to hold school contractors accountable for
violating the privacy of our students.
A
recently released report on Big Data and "alternative
credit scoring" by the World Privacy Forum
reinforces the need for greater regulation to protect our privacy. The report discusses unfairness and
discrimination issues that may soon become widespread because our current legal
and regulatory privacy framework was designed before email, apps, and the cloud
became ubiquitous. Students shouldn't
have to worry about whether their school related research, questions, communications, and/or
projects on disabilities, HIV, personal sexuality, pregnancy, sexually transmitted diseases, etc... will be data mined
and/or sold to the highest bidder.
If third party vendors mislead schools,
parents, or students about their data handling or protection practices, they need
to be held legally and financially responsible for privacy violations.
For example, students who utilize Google Apps For Education through their
schools should be able to hold Google legally and financially accountable for data mining their school digital interactions, content, work etc...for non-educational purposes.
Soon after the Education Week article that uncovered Google's very troubling student data mining practices was published, I reached
out to Ms. Barnes and asked her to comment about these new revelations. In an email Ms. Barnes stated, "Google's data
mining admissions underscore the importance of the Student Privacy Bill of
Rights. Here's a situation where students lost total control over their
information. The students first lost control when the schools made a choice on
behalf of students, without first adequately vetting Google's data practices
and ensuring that those practices don't put students at risk. Second, students
lost control when Google decided to read students' emails. Google's practices
contravene the Student Privacy Bill of Rights by repurposing student data for
commercial use. Google should be held accountable to students, the Education
Department, and the Federal Trade Commission for violating student trust."
As
a society, we need to do more to protect our children's privacy in the Digital
Age. A first step would be to adopt the
principles advocated by Ms. Barnes' in her Student Privacy Bill of Rights.
Copyright 2014 by the Law Office of Bradley S. Shear, LLC. All rights reserved.
