Can Parents Protect Their Kids' School-Collected Data?

Gone are the days when parents could tuck all their children’s homework in a drawer or rest assured that their child’s complete records were under lock and key, on paper, in the school’s main office. For the past few years, most American public schools have been moving student records online and many teachers have been assigning homework online. Children are logging on to school assignments in class, at home and on the go, generating a deluge of data.

With all this accumulation of data comes a distinct feeling of consternation on the part of some parents. The thought of losing control of a child’s personal information can be unnerving. Arielle Piastunovich, a social worker in San Francisco is concerned her kids’ data could be captured by a marketer or a predator, although the chances of the latter have proven to be almost negligible. “It’s a scary thought,” she says. “As a parent you want to protect your kids and make them safe in the world, and the world gets less and less safe.”

But some parents who work in the tech industry have more comfort with the idea of online data. “There is no problem aside from us adults having a very old-fashioned perspective on our privacy,” says Tomo Moriwaki, a father and video game developer in Los Angeles. “The most sinister thing they can try and do is profit from the information. Even spying on our kids because they might be terrorists is no big deal to me, aside from how much a waste of time and effort it represents.”

It’s futile to try and keep track of student data according to Simon Jones, a father of three and a marketer in Burlingame, Calif. “Privacy efforts are sort of like TSA agents. They make you feel better but you can’t protect your privacy in today’s world.” Jones finds comfort in believing that everyone is being tracked somehow and, “if it’s everybody, it’s nobody, you disappear into an ocean of names and numbers.” He says he doesn’t worry about privacy, because he believes there’s nothing he can do about it.

Laws Protecting Student Data

Not everyone is resigned to handing over student data to the wilds and will of the internet. “Privacy rules may well be the seatbelts of this generation,” said Arne Duncan in a recent speech on privacy. The Data Quality Campaign found that 80 student-data-privacy bills have been considered in 32 states in 2014 alone. In addition to the state laws under consideration, there are at least three federal laws already on the books designed to protect student data, FERPA, PPRA and COPPA.

The 1974 Family Educational Rights and Privacy Act or FERPA, mandates that schools must keep educational records confidential and that student data can only be used for educational purposes. Using student data to sell or market products is prohibited. But there is an exception: schools can share “personally identifiable” student information with a contracted third party, for example, an educational software company, provided that information is only used for the purpose the school requested.

Another statute, the Protection Pupil Rights Amendment or PPRA deals directly with sharing K-12 student data for marketing purposes. Under this amendment, “a school district must, with exceptions, directly notify parents of students who are scheduled to participate in activities involving the collection, disclosure, or use of personal information collected from students for marketing purposes, or to sell or otherwise provide that information to others for marketing purposes, and to give parents the opportunity to opt-out of these activities.”

Neither FERPA nor the PPRA is airtight. According to the Department of Education “student information collected or maintained as part of an online educational service may be protected under FERPA, under PPRA, under both statutes, or not protected by either. Which statute applies depends on the content of the information, how it is collected or disclosed, and the purposes for which it is used.”

Finally, the Children’s Online Privacy Protection Act or COPPA is directed at operators of websites or online services directed at children under 13. Under COPPA, these operators have to get verifiable parental consent before collecting or using the personal information about children under 13. Under some circumstances, schools can act as a parent’s agent and consent to the collection of kids’ information, as long as that information is used for educational, not commercial purposes.

“Federal law provides only some of the guard rails for data and privacy practice. Much of the control over these issues lies in the policies of states and districts,” Duncan said.

How Parents Can Protect Their Child’s Data

Parents can play a significant role in protecting their kids’ information. Kathleen Styles, Chief Privacy Officer at the U.S. Dept. of Education, says parents must educate kids about where they share their information online. “Our children are now citizens in an online world, and conversations about privacy need to happen in schools but they need to happen at home as well,” Styles says.

Joni Lupovitz of Common Sense Media takes a more aggressive approach, advocating for careful parent scrutiny of a child’s online activity. “There’s no substitute for P-O-S. Parent Over Shoulder,” Lupovitz says. Common Sense Media has created a list of principles governing student privacy.

At school, parents concerned about privacy are encouraged to ask administrators how they’re collecting, storing and sharing data. “Make sure schools have self-awareness,” Styles says. “I would be looking for the currency of the privacy policy, evidence that the district is aware of what kind of data the schools and district are capturing and evidence that the data is classified by sensitivity -- that more sensitive data is being protected in a more stringent fashion.”

While some privacy advocates call for more intense policing of adults who deal with student data, Richard Culatta, Director of the Office of Educational Technology takes a more moderate approach. “I think it’s really important to ask good questions – but we need to be careful that we don’t get swayed by hype.” He adds, “I wouldn’t expect every parent to understand what 'encryption at rest' means… I think the question is, do they trust their schools? Is the school providing evidence that they are being stewards of data?”

If the school can show that it’s being responsible with data, then Culatta says parents can focus on leveraging student data to improve their child’s education.