With the expansion of student and school data collection and its use:

  1. Teachers in 35 states can now access student information via secure websites or portals, up from 28 in 2011.                             
  2. Currently, parents in 14 states can access their children’s electronic data
  3. 31 states use data to identify students most at risk of failing or dropping out, up from 18 in 2011.
  4. 45 states require the maintenance or use of school data systems, up from 36 in 2011.

And that data can and often does include students’ names and …

  • Attendance records
  • Special needs
  • Grades/educational achievement
  • Standardized test scores
  • Food preferences
  • Which qualify for federal free lunches
  • Health status
  • Weight and exercise habits
  • Religion

Enter an outfit called inBloom, funded to the tune of $100 million in grant money from the Bill and Melinda Gates Foundation and the Carnegie Corporation. At first blush, it looked like a good deal, helping districts tailor learning/instruction, inform and engage parents, and save time and money, all the while enhancing data privacy and security.

It’s no wonder then that various states showed initial interest, but ultimately several backed out, including Louisiana, Kentucky, Georgia, and Delaware. Meanwhile, Massachusetts is piloting inBloom in only one district, while Illinois has signed on, but individual districts can opt out—and that’s exactly what the Chicago Public Schools did.

So far, it looks like only the New York State Education Department is forging ahead, requiring that all districts now send their student data to inBloom. It’s all accessible by teachers and parents who will find students’ names, grades, standardized test scores, attendance records, even medical diagnoses requiring special education services and any suspensions.

Needless to say, not everyone is on board, as concerns mount about privacy rights and how all this data will be used for marketing educational materials, not for educating and informing.

As for such concerns, the company’s Adam Gaber had this to say: “By law, inBloom cannot sell nor even share any state/district customer data.” And therein lies the rub.

That law he’s referencing is the Family Educational Rights and Privacy Act, otherwise known as FERPA. Passed in 1974, it is “intended to protect student education records.” However, in recent years, the U.S. Department of Education has made regulatory changes to the law, thus weakening the law’s privacy protection. Indeed, educational records may now be shared with outside contractors, such as private companies that track grades or attendance on behalf of school systems.

About that writes Time Magazine’s Kayla Webley: “In the past five years, the Department of Education has made changes to student privacy laws that make it much easier for companies like Knewton [a NYC-based education-tech start-up] to gather data on kids. Student information can now be passed, without parental consent, to a third party that a school deems to have a ‘legitimate educational interest in the records,’ as when a district hires a contractor to perform a service that cannot be carried out without access to student data.”

That’s where the Electronic Privacy Information Center (EPIC) comes in. This nonprofit research group was established in 1994 “to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.” To that end, in February 2012, the organization filed a lawsuit against the U.S. Department of Education challenging such changes. However, a federal court dismissed the suit “for lack of standing.”

Regardless, EPIC’s administrative law counsel, Khaliah Barnes has found that the states are doing a poor job of informing parents of the potential issues accompanying technology, to whom the data is being disclosed, and for what purposes.

Indeed, it turns out that:

  • One-third of data analysis doesn’t comply with FERPA’s requirement that data be deleted once it is no longer needed for its intended purposes.
  • Few agreements specify a level of encryption.
  • Very few require that vendors reveal data breaches.

Barnes also wants parents to know that they should have the right to opt out of disclosing certain types of information and should also be notified how to access and change incorrect information. Remember, after all, that these records go way beyond attendance and grades in this age of cafeteria palm scanners, GPS trackers, and microchip technology recording when students board their school buses and arrive at school.

No wonder, then, that a number of states are considering playing a stronger role in data protection. Unfortunately, though, says Kim Richey, general counsel for the Oklahoma Department of Education, “To my knowledge, we’re the only state that doesn’t release student level data.”

Meanwhile, a Fordham Law School’s Center on Law and Information Policy study of 54 urban, suburban, and rural districts found that “most cloud-based services are poorly understood, non-transparent, and weakly governed by schools.” In fact, many of those districts:

  • Failed to inform parents just how much of their children’s lives is being put out there.
  • Had contracts with web-based vendors that don’t address privacy issues at all.
  • Failed to explicitly restrict the marketing of the collected data.
  • Had few personnel familiar with their district’s outsourcing policy.
  • Poorly maintained documentation.

Know, too, that in the study, one-third of the schools were often in violation of that federal Family Educational Rights and Privacy Act (FERPA) that’s supposed to protect our children’s records.

Indeed, found the researchers: “Districts often relinquish control of student information when using cloud services and do not have contracts or agreements setting clear limits on the disclosure, sale and marketing of such data.”

In other words, there’s lots of work to be done to improve the security and privacy of all this information being collected on our kids and stored by outside companies in the “cloud.” To that end, the Fordham researchers recommend that districts:

  1. Incorporate privacy protecting language in the contracts with these companies.
  2. Require the companies to say how the data might be sold, transferred, or mined, with the districts in control of who accesses the information.
  3. Draw up contracts that address the types of security used to protect the data, how they’ll be alerted to a breach, and how such breaches are to be handled.
  4. Provide teachers/staff members with guidelines on the use of cloud services.

Moreover, it’s suggested that states and larger districts create the position of “chief privacy officer” to address related privacy issues and that a national research center and clearinghouse be established to help schools and cloud-service providers with privacy issues.

And it can’t happen soon enough. As said, in the cloud-based model, third-party software-providing companies allow users to access data remotely instead of saving and managing the data on their own computers. Cost saving, yes, but, in turn, such vendors can make money by selling and using the data for marketing, advertising, and profiling students—and that represents an $8 billion market!

The bottom line: Schools should be thinking hard about how all this student data is being used and by whom–and so, it would seem, should we parents.