Students’ Right to Data Privacy – Guidance for Drafting Legislation and Policy

Student data privacy is by no means a new policy concept, nor is it a new concern. There is often strong bipartisan support for measures to strengthen privacy protections and ensure students, and their valuable information, are safe and secure. However, education technology is quickly evolving. With the expanded use of artificial intelligence (AI) and other cutting-edge technologies used in remote and hybrid learning models, the ways that students’ private information can be compromised are growing rapidly.
Neither All4Ed nor state policymakers have access to a crystal ball to see what threats to student data privacy might arise in the future, but there are measures state policymakers and advocates can adopt now to strengthen existing laws that protect student data. Adopting laws that are adaptable to emerging technologies and scenarios is critical to meeting the future uses of education technology in a way that is innovative and effective, while still protecting students.
Below, All4Ed offers drafting guidance for state policymakers, highlighting promising policies coming out of states that can be used to strengthen existing student privacy state laws and to make them more able to meet current and emerging education technologies and tools.
For an individual consultation on how these suggestions can be incorporated into your specific state, please contact our Director of State Government Relations, Jenn Ellis, jellis@all4ed.org.
States should consider modernizing their privacy policy definitions
Before adopting new requirements, lawmakers should consider improving existing statutory and regulatory definitions to ensure that student data privacy requirements reflect the current education landscape, including positioning them to address emerging education technologies like artificial intelligence. A few key definitions to evaluate for possible amendment in state law include:
“De-identified Data”. While properly de-identified data generally need not be subject to privacy protections, advances in computing power and the widespread availability of large datasets have made it increasingly difficult to ensure that data remains truly anonymous. To safeguard privacy in this evolving landscape, states should modernize their definitions of “de-identified data” to account for the growing risk of re-identification. The definition below builds on the high bar set by federal law for de-identified data. For more information on how federal law uses this term, guidance is available from the Department of Education.
“De-identified Data” means records and information that have had all personally identifiable information removed or sufficiently obscured, such that the remaining information does not reasonably identify a specific individual, including, but not limited to, any information that, alone or in combination, whether through single or multiple releases, and taking into account other reasonably available information is linkable to a specific student and provided that the educational agency or institution has made a reasonable determination that a student’s identity is not personally identifiable, taking into account reasonably available information. For data to be truly de-identified, the de-identification must be irreversible.
“Disclose or Disclosure”. Clearly defining what it means to “disclose” data under a student privacy law—including which categories of student information are covered and under what circumstances—is essential to protecting student privacy while enabling the appropriate, efficient, and lawful use of data for educational purposes. If this term is currently undefined in the state law or the definition is dated, state leaders should consider adopting a definition of “disclose” or “disclosure” that reflects the ways that schools share data for legitimate educational purposes.
Such a definition should adhere closely to the one found in the Family Educational Rights and Privacy Act (FERPA), which focuses on students’ personally identifiable information, as shown in the proposed language below. Another example is found in Illinois’ definition of “breach,” which reaches the same result by a different route: defining when a disclosure is illegal.
“Disclose” or “Disclosure” means to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records by any means, including oral, written or electronic means, to any party except the party identified as the party that provided or created the student data.
“Educational technology”. As new technologies, like AI, continue to evolve and expand in education, it is essential for states to adopt a definition of educational technology that encompasses current tools, emerging innovations, and potential future applications in learning environments. As an exemplar, New Mexico’s Digital Equity in Education Act provides an open definition of education technology designed to be flexible and grow with the field. For more information on New Mexico’s work on digital equity, see All4Ed’s interview with Representative Brian Baca.
“Educational technology” means all applications of technology in the learning process, including internet connectivity, digital information, electronic devices and evidence-based software applications used to facilitate and enhance teaching and learning.
“Operator.” Technology companies deliver critical administrative, instructional, and other services to schools—services that often involve access to students’ personally identifiable information. To safeguard this data, laws and regulations must clearly limit how these companies—commonly referred to as “operators” under state law—can use and disclose it. A clear and precise definition of “operator” and the related concept of “PreK–12 school purpose” is essential to ensuring these protections are effective.
In 2019, Maryland policymakers convened a Student Data Privacy Council to study emerging technologies, exemplar policies, and best practices, and to make recommendations for strengthening the state’s Student Data Privacy Act. The Council recommended changes to the definition of “Operator” and found that the state’s definition of “PreK–12 school purposes” was already strong. Both are offered as models below.
- “Operator” means an individual or an entity who engages with institutions under the school official exception of the federal Family Educational Rights and Privacy Act and is operating in accordance with a contract or an agreement with a public school or local school system in the State to provide an Internet website, an online service, an online application, or a mobile application that processes covered information and–
  - Is used for a PreK–12 school purpose; or
  - Is issued at the direction of a public school, a teacher, or any other employee of a public school, local school system, or the Department.
- “Operator” includes a division of a parent entity if the division:
  - Serves education clients; and
  - Does not share covered information with the parent entity.
- “PreK–12 School Purpose” means an activity that:
  - Takes place at the direction of a public school, a teacher, an administrator, or a local school system; or
  - Aids in the administration of public school activities.
- “PreK–12 school purpose” includes:
  - Instruction;
  - Home instruction;
  - Administrative activities;
  - Collaboration among students, public school employees, and parents;
  - Maintaining, developing, supporting, improving, or diagnosing the Operator’s site, service, or application; and
  - An activity that is for the use and benefit of the public school.
“Covered Information.” Federally, FERPA creates minimum standards for protecting a student’s personally identifiable information, but states have expanded the definition of what constitutes student data to capture a broad and growing list of information and identifiers that can put students at risk. The definition below is modeled on the language in California’s Student Online Personal Information Protection Act; other state examples include Maryland’s and Illinois’ definitions of “covered information.”
“Covered information” means personally identifiable information or materials, in any media or format that meets any of the following:
- Is created or provided by a student, or the student’s parent or legal guardian, to an Operator in the course of the student’s, parent’s, or legal guardian’s use of the Operator’s site, service, or application for K–12 school purposes.
- Is created or provided by an employee or agent of the K–12 school, school district, local education agency, or county office of education, to an Operator.
- Is gathered by an Operator through the operation of a site, service, or application and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student’s educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.
“Targeted Advertising”. Many states have enacted laws that prohibit companies serving schools from using student information for advertising or marketing purposes. For example, California’s Student Online Personal Information Protection Act includes a specific prohibition on targeted advertising using student information. Hawaii’s Student Personal Information Protection law also offers a definition of targeted advertising, modeled below.
“Targeted advertising” means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred over time related to that student’s online behavior, usage of applications, or student data. “Targeted advertising” does not include advertising to a student at an online location based upon that student’s current visit to that location, or in response to that student’s request for information or feedback, without the retention of that student’s online activities or requests over time for the purpose of targeting subsequent advertisements.
Every state should adopt and cultivate strong state privacy governance structures and practices
In addition to reviewing and considering updates to the definitions found in their student privacy policies, states should carefully review their laws and regulations to ensure they reflect robust governance structures that provide oversight, support, and the capacity to adjust and grow with technological changes.
State Chief Privacy Officer and State Student Privacy Council. Even when robust student data and privacy laws are present, states need systems designed to build state and local capacity to support proper implementation, compliance, evaluation, and improvement. To build robust governance systems, states should consider the creation or enhancement of a Chief Privacy Officer role and/or a Student Data Privacy Council.
Chief Privacy Officer positions play a valuable role in centralizing the implementation and enforcement of privacy policies, ensuring compliance with applicable laws and regulations, providing technical assistance, and reviewing privacy agreements in real time. A Privacy Council would be concurrently tasked with reviewing existing laws in light of new technological and educational developments, examining the work of other states, and making recommendations for improvements in both laws and regulations.
One powerful state example of a law creating a Chief Privacy Officer is New York’s Section 2-d. An example of a law governing a Student Data Privacy Council is Maryland House Bill 245. Both examples were used as models for the proposed language featured below.
STATE CHIEF PRIVACY OFFICER. The [STATE] Department of Education shall appoint a Chief Privacy Officer responsible for overseeing and enforcing data privacy compliance when using websites, applications, and platforms for K-12 school purposes within the state. The Chief Privacy Officer shall have the following responsibilities:
- Provide technical assistance and guidance to educational agencies and institutions regarding compliance with data privacy regulations and best practices, including, but not limited to:
  - implementing robust data security and privacy policies;
  - ensuring the deletion, destruction, or sufficient de-identification of student data when it is no longer needed for K-12 school purposes;
  - reviewing an Operator’s data privacy and security policies and practices to ensure that such policies comply with the requirements of this title; and
  - collaborating with educational agencies and institutions to investigate and resolve concerns and complaints about an Operator’s data privacy practices.
- Develop and maintain resources, training materials, and professional learning opportunities for educational agencies and institutions on student data privacy matters. Make all such materials publicly available and distribute directly to all relevant educational agencies and institutions.
- Issue guidance, recommendations, and reports to promote data privacy and security awareness and compliance among educational agencies and institutions and their Operators.
- Serve as a central point of contact for parents, legal guardians, and educational agencies and institutions seeking information or assistance regarding student data privacy policies when using websites, applications, and platforms for K-12 school purposes within the state.
- Act as the primary point of contact for state student data protection administration in assisting the [STATE] Department of Education in administering this title.
- Investigate complaints of alleged violations of this part.
- Report violations of this title to the [STATE] Department of Education and applicable educational agencies or institutions, and, in the event of a breach of student data, follow all requirements to address and remedy such breach under state and federal law.
- Assist the Attorney General in establishing a protocol for the submission of complaints of possible breaches of student data.
- Issue an annual report on data privacy and security activities and progress, the number and disposition of reported breaches, if any, and a summary of any complaint submitted.
- Other responsibilities deemed by the [STATE] Department of Education to be necessary to safeguard the privacy and security of student data when using websites, applications, and platforms for K-12 school purposes within the state, including developing and implementing strong data governance practices within the [STATE] Department of Education.
STATE STUDENT DATA PRIVACY COUNCIL. There shall be established a Student Data Privacy Council (hereafter “The Council”).
- The Council shall consist of the following members:
  - One member of the Senate, appointed by the President of the Senate;
  - One member of the [House of Delegates], appointed by the Speaker of the House;
  - The State Superintendent of Schools, or the Superintendent’s designee;
  - The Secretary of Information Technology, or the Secretary’s designee;
  - The Executive Director of the Public School Superintendents’ Association of [STATE], or the Executive Director’s designee;
  - The Executive Director of the [STATE] Association of Boards of Education, or the Executive Director’s designee;
  - The President of the [STATE] State Education Association, or the President’s designee;
  - The President of the [STATE] PTA, or the President’s designee; and
  - The following members appointed by the Chair of the Council:
    - One School or District Data Privacy Officer, or the Officer’s designee;
    - One School or District Information Technology Officer, or the Officer’s designee;
    - One representative of a company, trade association, or group who has professional experience in the area of student data privacy or online educational technology services;
    - One member of the academic community who studies K–12 student data privacy;
    - One advocate for student data privacy who does not have a professional relationship with a provider of online educational technology services;
    - One attorney who is knowledgeable in the laws and regulations that pertain to local school systems;
    - One school-based administrator from a public school in the State; and
    - One teacher from a public school in the State.
- The State Superintendent of Schools or the Superintendent’s designee shall chair the Council and is responsible for the administration of the Council.
- The State Department of Education shall provide staff for the Council.
- The Council shall:
  - Study the development and implementation of this title to evaluate the impact on:
    - the protection of student data from unauthorized access, destruction, use, modification, or disclosure;
    - the implementation and maintenance of reasonable security procedures and practices to protect student data under this title; and
    - the implementation and maintenance of reasonable privacy controls to protect student data under this title;
  - review and analyze similar laws and best practices in other states;
  - review and analyze developments in technologies as they may relate to student data privacy; and
  - make recommendations regarding statutory and regulatory changes to this title based on the findings of the Council.
- On or before [DATE], the Student Data Privacy Council shall report its findings and recommendations to the Governor and the General Assembly.
- The Council shall remain effective for a period of [1 year] and, at the end of [DATE], with no further action required by the General Assembly, shall be abrogated and of no further force and effect.
- The Council shall be reassembled every three years to reevaluate any potential statutory and regulatory changes to this title based on compliance with this title, advances in technology, legislative developments in other states, or other developments that impact privacy or educational opportunities for students.
States should consider expanding privacy requirements applicable to schools and their private sector partners
Responsibilities of Education Agencies or Institutions. If they have not already done so, states should establish stronger data use limitations and protection requirements on the companies that work with schools (the “Operators” defined earlier). States should also expand the privacy obligations of education agencies or institutions subject to FERPA, through a strategic and targeted expansion of the protections FERPA already offers.
New or expanded requirements on these entities should include:
- language that requires written agreements specifying the scope of allowable data uses and outlining related protections before educational agencies or institutions disclose any personally identifiable data to Operators;
- requirements to limit the collection and disclosure of student data to the minimum required by agencies or institutions and the Operators they hire;
- adoption and implementation of robust physical, administrative, and technical data security measures in consultation with experts on cybersecurity and education (e.g., the NIST Cybersecurity Framework);
- clear and accessible notification procedures for parents and students regarding what data is collected, how it will be used, and how it will be protected;
- requirements to delete and destroy data that is no longer needed for the legitimate educational purposes for which it was collected or disclosed; and
- designation by school districts of a Student Data Manager to serve as the primary contact for the State Privacy Officer and ensure data requirements, procedures, and rules are consistently followed.
The featured language below includes a section on contract transparency modeled on Colorado’s Student Data and Transparency Law and the designation of a Student Data Manager modeled on Utah law.
RESPONSIBILITIES OF EDUCATIONAL AGENCIES AND INSTITUTIONS. Educational agencies or institutions shall:
- Only disclose student data to an Operator pursuant to this title.
- Prior to disclosing student data to an Operator, enter into a written agreement with the Operator that:
  - Designates the Operator who is authorized to receive student data;
  - Indicates the name and title of the person providing authorization on behalf of the educational agency or institution and attests that the person has the authority to do so;
  - Specifies–
    - the K-12 school purpose(s) for which the student data is disclosed and limits the Operator’s use and disclosure of student data to only the specified K–12 school purpose(s); and
    - the student data to be disclosed;
  - Provides that the Operator is under the educational agency or institution’s direct control with regard to the use, disclosure, and maintenance of the student data collected pursuant to school authorization;
  - Sets forth the Operator’s data retention policy; and
  - Requires the Operator to comply with the requirements for Operators established under this title.
- Limit the amount and categories of student data disclosed to Operators to only the minimum amount of student data necessary for the Operator to fulfill the permitted data processing activities that achieve the K-12 school purpose(s) specified in the written agreement.
- Require that any Operator collecting or receiving student data comply with all applicable federal and state data privacy laws and regulations.
- Implement robust data security and privacy policies in consultation with privacy, security, cyber-security, and education experts that have experience with personal data protection, including but not limited to:
  - Data privacy protections, including criteria for determining whether the potential risks of a proposed disclosure or use of student data outweigh the potential benefits, and processes to ensure that student data is not included in public reports or other public documents;
  - Data security protections, including data systems monitoring, data encryption, incident response plans, limitations on access to student data, safeguards to ensure personally identifiable information is not accessed by unauthorized persons, and deletion, destruction, or sufficient de-identification of student data when no longer needed; and
  - Application of all such restrictions, requirements, and safeguards to Operators.
- Provide clear and accessible notice to parents and students detailing:
  - The types of student data collected, how it is used, and with whom it may be shared under what circumstances;
  - Information about the educational agency or institution’s process for allowing parents and students to request additional information the educational agency or institution must disclose;
  - The procedures that a parent or student may use to exercise the rights granted under section 444 of the General Education Provisions Act (commonly known as the “Family Educational Rights and Privacy Act of 1974”) (20 U.S.C. 1232g(a)(1));
  - Contact information for an individual or group of individuals to whom a parent or student may direct questions or concerns regarding any Operator’s access to student data; and
  - A list of all the Operators that the educational agency or institution has a written agreement with to disclose student data and a copy of each written agreement. The list must include:
    - the name of the Operator;
    - the purpose and scope of the written agreement;
    - the duration of the written agreement;
    - the types of student data that the Operator holds under the written agreement;
    - the use of the student data under the written agreement; and
    - the length of time for which the Operator may hold the student data.
- Upon request from a parent or student, provide:
  - A list of all Operators with whom the educational agency or institution has a written agreement that is currently in effect to disclose student data related to that student;
  - The types of student data disclosed to each Operator to whom the educational agency or institution discloses student data related to that student; and
  - An opportunity to inspect a complete copy of the educational agency or institution’s written agreement with any Operator to whom the educational agency or institution discloses student data related to that student.
- Delete, destroy, or sufficiently de-identify, and require all Operators and third parties to delete, destroy, or sufficiently de-identify, student data when it is no longer needed for K-12 school purposes or as required by law.
- Designate at least one employee to be a Student Data Manager.
  - The Student Data Manager shall:
    - authorize and manage the educational agency or institution’s disclosure of student data with Operators as described in this title;
    - act as the primary point of contact for the Chief Privacy Officer at their educational agency or institution; and
    - fulfill other responsibilities described in the data governance policies and procedures of the educational agency or institution.
  - A Student Data Manager can be designated and serve in that position for multiple educational agencies or institutions.
Responsibilities of Operators. In addition to the responsibilities of educational agencies and institutions, it is critical that state laws specify rules and responsibilities for Operators that collect and use student data when working with schools and that, in some permitted circumstances, share access to that data with other third-party vendors for legitimate educational purposes.
These responsibilities should include:
- prohibiting the use of student data for advertising or other commercial purposes;
- prohibiting the re-disclosure of data except as permitted or required by state and federal law;
- prohibiting the use of student data for any purpose not authorized by a written agreement with an educational agency or institution and not serving a legitimate educational interest;
- provisions requiring Operators to implement reasonable and robust security measures for all student data consistent with a nationally recognized standard such as the NIST Cybersecurity Framework;
- timely notification of education agencies and institutions of any breach of student data;
- allowing the education agency or institution to conduct privacy audits, and giving parents and students access to their data upon request; and
- deleting and destroying data when it is no longer needed for the legitimate educational purpose for which it was collected.
The proposed language below includes provisions to ensure state laws comply with, and incorporate best practices from, the federal Children’s Online Privacy Protection Rule (COPPA). Iowa’s Student Personal Information Protection law was used for the provisions related to accepted commercial uses of student data, while the language requiring adequate training on state and federal privacy laws was modeled on New York’s Section 2-d.
RESPONSIBILITIES OF OPERATORS.
- Operators shall not knowingly engage in or permit third parties to engage in any of the following activities with respect to student data:
  - Target advertising on the Operator’s site, service, or application, or on any other site, service, or application.
  - Use student data created, or gathered by the Operator’s site, service, or application, to amass a profile about a student or about students with similar characteristics, except in furtherance of K–12 school purposes identified in the Operator’s written agreement with the educational agency or institution.
  - Use student data for any secondary purposes not specified in the written agreement, unless written consent is obtained from the educational agency or institution prior to such use.
    - For the purpose of this paragraph, a secondary purpose is any purpose not directly related to fulfilling the K-12 purpose(s) for which student data was shared. A secondary purpose does not include:
      - supporting an Operator’s internal operations, as permitted by 16 CFR 312.2 (the regulations implementing the “Children’s Online Privacy Protection Act of 1998”); or
      - product development and improvement directly related to the service authorized by the educational agency or institution.
  - Use student data for any commercial purpose, including but not limited to, marketing or advertising to a student or parent.
    - This prohibition does not apply to:
      - providing the specific services contracted for by an educational agency or institution;
      - the purchase, merger, or other type of acquisition of an Operator by another entity, provided that the Operator or successor entity complies with this section with respect to previously acquired student data;
      - an assessment or scholarship provider, if:
        - the provider provides clear and conspicuous notice to the educational agency or institution, a parent, or a student over the age of eighteen that includes a description of–
          - the types of student data to be used and the purposes it will be used for;
          - the entities that will be able to access that student data; and
          - the benefits that may come from sharing student data;
        - the provider secures the express written consent of–
          - the educational agency or institution, if it is determined that such disclosure is permissible under section 444 of the General Education Provisions Act (commonly known as the “Family Educational Rights and Privacy Act of 1974”) (20 U.S.C. 1232g) and the educational agency or institution determines that sharing the student data is in the best interests of that student; or
          - the parent, or a student over the age of eighteen; and
        - the student data is used solely to provide access to employment, educational scholarships or financial aid, or postsecondary educational opportunities, so long as the marketing and provision of any of these services is not unfair or deceptive as defined under both Section 5 of the FTC Act, 15 U.S.C. § 45 and [the state’s unfair or deceptive acts or practices law].
      - An Operator or its successor entity may not use, retain, or disclose previously acquired student data in any manner that differs from the scope of this title unless the Operator provides written notice to the educational agency or institution and obtains written opt-in consent from the educational agency or institution for such use.
  - Disclose student data unless the disclosure is made:
    - In furtherance of the K–12 school purpose of the site, service, or application for which the Operator has entered into a written agreement with the educational agency or institution, provided the Operator–
      - Notifies the educational agency or institution prior to disclosure;
      - Maintains a record of all third parties to whom they disclose student data that the educational agency or institution can review upon request; and
      - Enters into a written agreement with the third-party recipient of student data that:
        - prohibits the third party from using any student data for any purpose other than providing the contracted service to, or on behalf of, the Operator;
        - prohibits the third party from disclosing any student data provided by the Operator with subsequent third parties; and
        - subjects the third party to the same restrictions and obligations as Operators under this Section and their written agreement with the educational agency or institution;
    - As required by state or federal law, so long as the Operator complies with the requirements under applicable law for such disclosure;
    - As permitted under 34 CFR 99.31(a) (the regulations implementing the “Family Educational Rights and Privacy Act of 1974”);
    - To respond to or participate in, or support the educational agency or institution in their ability to respond to or participate in, the judicial process, so long as the student data is relevant for the Operator or educational agency or institution to proceed with the legal action as plaintiff or defend itself;
    - To an educational agency or institution, as permitted by state or federal law; or
    - To protect the security and integrity of the site, service, or application.
- Nothing in this Section shall be construed to prohibit the Operator’s use of information for maintaining, developing, supporting, improving, or diagnosing the Operator’s site, service, or application, provided the use is directly related to and in furtherance of the service the school authorized in the written agreement with the Operator.
- An Operator shall:
  - Abide by the terms of its written agreement with the educational agency or institution established pursuant to this Section;
  - Implement and maintain reasonable privacy procedures and practices appropriate to the amount and sensitivity of the student data, including requiring all officers and employees with access to student data to complete training on the Federal and State laws governing confidentiality of such data prior to receiving access;
  - Establish, implement, and maintain a written data retention policy that sets forth the K-12 school purpose(s) for which student data is collected and retained, and a timeframe for deletion of such information that precludes indefinite retention;
  - Notify the disclosing educational agency or institution of any breach of security resulting in an unauthorized release of student data by the Operator or third parties in violation of applicable State or Federal law or the written agreement, without unreasonable delay. The Operator shall disclose all information necessary to enable the educational agency or institution to fulfill its requirements under this title;
  - Limit access to student data to only those officers or employees of the Operator who need access to the information to fulfill the activities specified in the written agreement;
  - Assist educational agencies and institutions, upon their request, with facilitating the ability of parents and eligible students to exercise their right to access student data under 34 CFR 99.10 and request that inaccurate student data be amended under 34 CFR 99.20(a) (the regulations implementing the ‘Family Educational Rights and Privacy Act of 1974’);
  - Implement and maintain reasonable security procedures and practices proportionate to the amount and sensitivity of the student data, taking into account current state-of-the-art technologies and available resources, that meet or exceed industry standards to protect all student data from unauthorized access, destruction, use, modification, or disclosure. This includes implementing and maintaining a monitoring system to facilitate the detection of any breach of privacy or security resulting in the unauthorized access, destruction, use, modification, or disclosure of student data;
  - Permit the educational agency or institution or their designee, at the educational agency or institution’s discretion, to conduct periodic privacy assessments or otherwise audit the Operator’s data privacy practices to verify compliance with the written agreement and relevant law;
  - Delete, destroy, or otherwise de-identify student data collected or maintained pursuant to a written agreement with an educational agency or institution within [X] days of one of the following events occurring–
    - reaching a date specified in the written agreement or data retention policy as when the Operator must delete student data;
    - when the information is no longer needed for the K-12 purpose(s) specified in the written agreement; or
    - upon request from the educational agency or institution; and
  - Establish policies and procedures, consistent with this title and other Federal and State confidentiality and privacy provisions, to protect student data from further disclosure (except back to the disclosing educational agency or institution) and unauthorized use.
States should ensure any new privacy obligations accommodate legitimate educational or other appropriate data uses
The proposed language below offers some additional provisions that can be added to state law or regulation to ensure privacy protections do not have unintended consequences, such as limiting legitimate educational uses of student data.
OTHER PROVISIONS. Nothing in this title shall be construed to:
- Create a private right of action against the [STATE] Department of Education, the Chief Privacy Officer, an educational agency or institution, or an employee of an educational agency or institution;
- Transfer or otherwise convey an ownership interest in student data to an Operator when student data is disclosed, created, received, or maintained pursuant or incidental to a written agreement with an educational agency or institution;
- Limit education research and development that is permitted pursuant to the studies exception and the audit and evaluation exception in section 444 of the General Education Provisions Act (commonly known as the ‘Family Educational Rights and Privacy Act of 1974’) (20 U.S.C. 1232g(b)(1)(A) and (F));
- Prohibit an Operator from using sufficiently de-identified student data–
  - Within the Operator’s site, service, or application or other sites, services, or applications owned by the Operator to improve educational products; or
  - To demonstrate the effectiveness of the Operator’s products or services, including in their marketing;
- Prohibit an Operator from sharing aggregated, sufficiently de-identified student data for the development and improvement of educational sites, services, or applications;
- Limit the authority of a law enforcement agency to obtain any content or information from an Operator as authorized by law or pursuant to an order of a court of competent jurisdiction;
- Limit the ability of an Operator to use student data for adaptive learning or customized student learning purposes when permitted pursuant to the written agreement with an educational agency or institution;
- Apply to general audience online websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an Operator’s site, service, or application may be used to access those general audience sites, services, or applications;
- Limit the ability of internet service providers to provide Internet connectivity to schools or students and their families;
- Limit the use of student data by a person acting exclusively in their capacity as an employee of an educational agency or institution as permitted in section 444 of the General Education Provisions Act (commonly known as the ‘Family Educational Rights and Privacy Act of 1974’) (20 U.S.C. 1232g);
- Prohibit an Operator of an internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing does not result from the use of student data obtained by the Operator through the provision of services covered under this title; or
- Prohibit an Operator or educational agency or institution from producing and distributing, for free or for consideration, student memorabilia such as class photos and yearbooks to the educational agency or institution, students, parents, or individuals authorized by parents and to no others, in accordance with the terms of a written agreement between the Operator and the educational agency or institution.
States should consider cybersecurity improvements designed to protect student and personnel data
Ransomware and other cyberattacks are among the greatest threats to K-12 student data privacy. States should evaluate the cybersecurity threats faced by their schools and consider adopting policies designed to strengthen their overall cyber-defenses. Key strategies could include the following:
School Device Standards and Parental Engagement
State policymakers should direct the state board of education to adopt standards for permissible electronic devices and software applications used by schools. In adopting the standards, the district must ensure that parents are provided the resources necessary to understand cybersecurity risks and online safety and assign a party to receive cybersecurity concerns. The below language is modeled on Texas Code Section 32.1021.
STANDARDS. The state education agency shall adopt standards for permissible electronic devices and software applications used by a school district or open-enrollment charter school. In adopting the standards, the agency must:
- Minimize data collection conducted on students through electronic devices and software applications;
- Ensure that parents are provided the resources necessary to understand cybersecurity risks and online safety regarding their child’s use of electronic devices before the child uses an electronic device at the child’s school; and
- Assign to the appropriate officer of a district or school the duty to receive complaints or concerns regarding student use of electronic devices, including cybersecurity and online safety concerns, from district or school staff, other students, or parents.
REQUIREMENTS FOR TRANSFER. Before transferring data processing equipment or an electronic device to a student, a school district or open-enrollment charter school must adopt rules establishing programs promoting parents as partners in cybersecurity and online safety that involve parents in students’ use of transferred equipment or electronic devices.
Promoting Cyberattack Information Sharing and Collaborative Response
States should encourage or require their educational agencies and institutions to collaborate in identifying and responding to cyberattacks. States should also establish a statewide cybersecurity center, include representatives from the Department of Education in the center’s leadership, and ensure all school districts are among entities that benefit from the center’s work, including coordinating information sharing and cyber threat information. California Government Code Section 8586.5 provides a good model for ways to incorporate these structures in state law.
CYBERSECURITY INTEGRATION CENTER.
- The state shall establish and lead a Cybersecurity Integration Center (CIC). The Cybersecurity Integration Center’s primary mission is to reduce the likelihood and severity of cyber incidents that could damage the [STATE]’s economy, its critical infrastructure, or public and private sector computer networks. The CIC shall serve as the central organizing hub of the [STATE]’s cybersecurity activities and coordinate information sharing with local, state, and federal agencies, tribal governments, utilities and other service providers, academic institutions, including school districts, county offices of education, and charter schools, and nongovernmental organizations. The CIC shall be composed of representatives including those from the following organizations:
  - The Office of Emergency Services;
  - The Office of Information Security;
  - The State Threat Assessment Center;
  - The Department of the Highway Patrol;
  - The Military Department;
  - The Office of the Attorney General;
  - The Health and Human Services Agency;
  - The Utilities Emergency Association;
  - The State University;
  - The University of —;
  - The Community and Technical Colleges;
  - The State Department of Education; and
  - Other members as designated by the Director of Emergency Services.
- The CIC shall provide warnings of cyberattacks to agencies and nongovernmental partners, coordinate information sharing among these entities, assess risks to critical infrastructure and information technology networks, prioritize cyber threats and support public and private sector partners in protecting their vulnerable infrastructure and information technology networks, enable cross-sector coordination and sharing of recommended best practices and security measures, and support cybersecurity assessments, audits, and accountability programs that are required by state law to protect the information technology networks of the [STATE]’s agencies and departments.
- The CIC shall develop a statewide cybersecurity strategy, informed by recommendations from the [STATE] Task Force on Cybersecurity and in accordance with state and federal requirements, standards, and best practices. The cybersecurity strategy shall be developed to improve how cyber threats are identified, understood, and shared in order to reduce threats to government, businesses, and consumers. The strategy shall also strengthen cyber emergency preparedness and response, standardize implementation of data protection measures, enhance digital forensics and cyber investigative capabilities, deepen expertise among the state’s workforce of cybersecurity professionals, and expand cybersecurity awareness and public education.
- The CIC shall establish a Cyber Incident Response Team to serve as the state’s primary unit to lead cyber threat detection, reporting, and response in coordination with public and private entities across the state. This team shall also assist law enforcement agencies with primary jurisdiction for cyber-related criminal investigations and agencies responsible for advancing information security within state government. This team shall be comprised of personnel from agencies, departments, and organizations represented in the CIC.
- Information sharing by the CIC shall be conducted in a manner that protects the privacy and civil liberties of individuals, safeguards sensitive information, preserves business confidentiality, and enables public officials to detect, investigate, respond to, and prevent cyberattacks that threaten public health and safety, economic stability, and national security.
States should ensure educators, students, and families are privacy literate
States should consider adopting a student data privacy education and capacity-building strategy to provide educators, students, and families with tools to assist in navigating an increasingly digital learning environment. As schools rely more heavily on technology tools and data-driven practices, it is essential that all stakeholders understand how to protect student information and comply with applicable privacy and cybersecurity laws.
STUDENT DATA PRIVACY EDUCATION AND CAPACITY-BUILDING INITIATIVE.
- Establishment. The Department shall establish and administer a Student Data Privacy Education and Capacity-Building Initiative (hereinafter “the Initiative”) to support LEAs in providing education and training on student data privacy and cybersecurity.
- Program Activities. The Initiative shall include, but need not be limited to, the following components:
  - Professional Development for Educators and School Personnel.
    - Develop or procure training materials on applicable Federal and State student data privacy laws, including the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and relevant state statutes;
    - Provide annual training to school personnel on student data protection responsibilities and cybersecurity hygiene; and
    - Offer technical assistance and model policies for LEAs to implement local training and compliance strategies;
  - Student and Family Engagement and Education.
    - Develop age-appropriate instructional materials for students on digital citizenship, cybersecurity awareness, and data privacy;
    - Create outreach materials for families and caregivers to help them understand student data rights and responsibilities; and
    - Provide guidance to LEAs on hosting community engagement events, workshops, or forums on data privacy and cybersecurity;
  - Resource Hub and Communications Toolkit.
    - Establish and maintain an online repository of tools, training modules, model policies, and best practices related to student data privacy and cybersecurity; and
    - Issue periodic guidance or updates in response to changes in applicable laws or emerging threats;
- Consultation and Coordination. The Department shall consult with relevant stakeholders, including local education agencies, privacy and cybersecurity experts, student and parent organizations, and school personnel associations, to inform the development of Initiative activities and materials.
- Grant Program Authority. Subject to appropriation, the Department may award grants to LEAs to support implementation of local training programs and engagement activities consistent with the objectives of this Initiative.
For more policy resources and recommendations on ways to strengthen digital equity in your state, enhance college and career pathways, and develop next-generation accountability systems, explore the rest of All4Ed’s State Policy Center.
