Why Schools Are Important Advocates for Effective Data Privacy Practices

By Divya Sridhar, Ph.D.


Educators have more opportunities than ever before to harness the power of digital technologies and use the data resulting from those technologies to improve their students’ educational outcomes. For example, educators can use student data to do the following:

  • Organize and grade homework assignments;
  • Support group projects;
  • Monitor attendance; and
  • Support students with online test preparation assessments.

To meet these goals, school administrators and educators frequently collect and use student personal information, such as name, email address, and password, and store this information in institution or service provider systems. They do this to identify the student and track their educational progress in an online course or education platform over time. Service providers in this context are entities separate from the school, and are bound by an obligation to the school to meet a certain function, such as storing student personal information, to support and implement digital services and platforms at schools.

Education Service Providers: Dos and Don’ts

While educators may use service providers to support educational outcomes, and those service providers may have access to personal information, only schools have the authority to change, revise, or delete personal information. Educators should be mindful of this important distinction: only schools, rather than service providers, have final authority and control of requests regarding personal information.

Due to the growth in the services and products across the mobile app, e-gaming and digital education marketplace, students and their families are currently eager to understand who controls their data. Students often times want access to their own information. It is important that educators are thoughtful and strategic when utilizing digital services in the classroom, since students’ personal information is generally collected to support these services. Increasingly, educators are being held accountable for understanding how personal information is collected and used. Therefore, educators should be made aware of the parameters under which education service providers operate in a school setting, pursuant to state and federal laws.

Generally speaking, there tends to be more restrictions and parameters on service providers who operate on behalf of a school, since they are using education data strictly for an educational purpose. On the other hand, other tech companies may be subject to different restrictions on using personal information for non-educational purposes (such as for websites, social media, or others).

New Federal and State Privacy Laws on the Horizon

As a result of the changing technologies and data privacy landscape, over the last five years, over 40 different states have passed more than 100 laws and introduced an abundance of privacy bills to increase the protections on student data through different requirements (e.g., adding a bill of rights, provisions to ensure schools have a list of contractors they are working with, details on oversight and enforcement, explanation of parental and student rights, requirements on data security, and more). Following the states lead, the U.S. legislative and executive branches ae reviewing the issues and are looking to update the federal laws for consumer, schools’ and children’s privacy rights. As there has not been a recent federal education privacy bill that incorporates the changes in the 21st century classroom, federal U.S. Education Committee members are looking at drafting legislation to update existing laws and create regulations in the federal student data privacy environment.

With new privacy efforts on the horizon, schools will need to be prepared to take on more responsibility for ensuring they meet the privacy and security laws and regulations that are taking effect. More importantly, schools will need to be aware of and regularly convey to their personnel the parameters within which they operate and use student data. A more informed group of colleagues can then support students and parents in their messaging on the sorts of information and data requests schools can or cannot meet. Unfortunately, most schools do not have the bandwidth or resources to hire a privacy enforcement officer, or personnel designated to support the school as it keeps up with new and forthcoming policy changes.

All of these changes may seem overwhelming to educators. Schools need to ensure regular training and professional development to inform schoolteachers and administrators of the changes happening in their state and across the country, as schools take to using more technologies and store more student data in the classroom.

Privacy Goes Rogue: The Case of California’s New Consumer Privacy Law

An interesting example of the challenging nature of student data privacy arose last year, through a ballot initiative in California, that was passed into law as the California Consumer Privacy Act (CCPA). Legislators and community stakeholders swiftly worked to craft this consumer privacy law, without fully considering the impact it could have on all the various stakeholders — in particular, the education community. As passed, the law presented one clear, glaring problem for schools. It did not define the role of service providers in supporting education data to nonprofits – including schools – complicating the traditional process for handling information requests, related to education data. Based on the law as written, consumers, including students and parents, could make a request directly to a service provider on changing their data without being granted formal approvals by the school. This meant students could now make requests to change their grades, or edit other personal information directly through the service provider – without the schools acknowledgement or sign-off. The way the law was originally written violates existing federal and state privacy laws that require the student to send formal data change requests to the school, not the service provider.

The law has been amended through recent regulations, which are to be implemented this year, that will define the role of a service provider when it serves schools and nonprofits, in addition to other businesses. The regulations also ensure that students follow the correct procedure that aligns to federal laws on data privacy: students must submit information and data change requests via the school (and not directly to the service provider). But it is a great example of how a consumer privacy law can have ripple effects, some that may be unintended though equally significant, to the lives of students, educators, schools, and businesses alike.

A Balancing Act: How Schools Can Best Advocate for Strong Privacy Practices

District leaders and educators should view education technology as a long-term investment in their students, rather than as a ticking time bomb. After all, the data driven insights on adaptive and personalized learning solutions and platforms can support real-time improvements for students and provide important trends, insights, and snapshots, as well as benchmarks of how students are doing – which can support better grades, overall retention and placement, and alignment to national and state standardized exams and coursework. But there remains ambiguity about the different types of data used by education technology companies, the parameters around data usage, and more. Due to this lack of clarity, even education technology companies that use data strictly to support schools and educators, rather than for other noneducational purposes (including targeted advertising or marketing), are perceived negatively.

Educators should be aware of the constraints on education technology companies to maintain student information and personal information strictly for educational purposes. Educators should rest assured of the general principal that the school remains the final controller of the data, and only the school can make determinations with regards to the educator and student personal information.

As key stakeholders in the education ecosystem, schools can benefit from actively advocating for reasonable policies and standards for privacy to ensure:

  1. The highest level of security and transparency for students;
  2. Ample opportunities for educators to use technology to support learning in the classroom, while continuously informing educators and instructors of privacy-related changes; and
  3. Offering reasonable parameters around data collection, sharing, and use by service providers.

As can be seen, schools must partake in an important balancing act when it comes to data privacy, since they are integral to upholding the privacy needs of their educator and student community.

For more on how your schools can support data privacy, see:

Why Data Privacy Policies are Important for the Future of EdTech

About the Author

Divya Sridhar, Ph.D. — Education Policy Advisor, McGraw-Hill

Divya Sridhar, Ph.D., is the Policy Advisor for Government Affairs at McGraw-Hill. McGraw-Hill is a learning science company, serving students, teachers and faculty with customized print and digital educational content, software, and services for Pre-K through postgraduate education. In her role, Divya supports thought leadership on the company’s education policy priorities, relationship building with federal state and local policy makers, and strategic advocacy for the company’s business units. Divya has 10 years of combined experience in healthcare and education policy and has worked on issues such as interoperability, district digital transformation, educational equity, student data privacy, and funding for instructional materials.