Student Data Security Is at Risk. We Need to Update FERPA.
By Henry Kronk
November 25, 2018
Earlier in November, about 100 students at the Secondary School for Journalism in Brooklyn walked out of school. They were protesting the school’s adoption of Summit Learning and the Summit Platform. Having grown frustrated with long hours of screen time every day and a system that didn’t suite them well, put their student data at risk, and which could be easily cheated, they left school to register dissent. More recently, two organizers of the event wrote a letter to Mark Zuckerberg. The platform has been funded by the Chan Zuckerberg Initiative and was initially developed by Facebook engineers. In the letter, Akila Robinson and Kelly Hernandez write:
“Another issue that raises flags to us is all our personal information the Summit program collects without our knowledge or consent. We were never informed about this by Summit or anyone at our school, but recently learned that Summit is collecting our names, student ID numbers, email addresses, our attendance, disability, suspension and expulsion records, our race, gender, ethnicity and socio-economic status, our date of birth, teacher observations of our behavior, our grade promotion or retention status, our test scores and grades, our college admissions, our homework, and our extracurricular activities. Summit also says on its website that they plan to track us after graduation through college and beyond. Summit collects too much of our personal information, and discloses this to 19 other corporations.
“What gives you this right, and why weren’t we asked about this before you and Summit invaded our privacy in this way?”
Federal law, actually, gives Zuckerberg and Summit Learning this right. The Family Educational Rights and Protection Act (FERPA) governs the protection of personal student data in school and, among other things, conditions under which it can be disclosed. It was written in 1974 and signed into law by President Gerald Ford. The act has been expanded and amended many times throughout its history.
FERPA Has a Major Loophole
As it stands, FERPA provides numerous exceptions that allow schools to disclose student data without parental or guardian consent, but edtech companies and organizations like Summit Learning tend to exploit a single one of these.
Under FERPA (34 CFR Part 99.31), “An educational agency or institution may disclose personally identifiable information from an education of a student without the consent required by § 99.30” if “the disclosure is to other school officials, including teachers, within the agency or institution whom the agency or institution has determined to have legitimate educational interests.”
Furthermore, “A contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions may be considered a school official” so long as said party “performs an institutional service or function, “is under direct control of the agency or institution,” and is subject to further requirements.
Edtech Companies Can Be Considered as a ‘School Official’ and Mine Student Data
In other words, in the case of Summit Learning at the Secondary School for Journalism in Brooklyn, they are considered a ‘school official’ performing a function and/or service. No consent was needed, and Summit Learning is fully within their rights to collect student data.
Many other edtech companies continue to collect student data through this loophole. It shouldn’t be that way, and FERPA is due for a rewrite.
The Electronic Frontiers Foundation provides a great resource for any individuals looking to take a deeper dive into the subject.
Featured Image: Jorge Alcala, Unsplash.
[…] districts saw a large number of data breach and ransomware incidents in 2019. According to The K-12 Cybersecurity Resource […]
[…] You wouldn’t think cybercriminals would bother with schools, colleges, and universities, but here we are. […]