Lawmakers Agree More Student Data Protection Needed, Diverge on Who Should Lead
Student data at risk because nearly every school district is using third-party vendors for cloud storage and data-driven services, meaning more student data is being shared more widely, said House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies Chairman Pat Meehan, R-Pa., at a Wednesday hearing. Are new federal laws needed to protect student data privacy, “or is it simply a matter of all the stakeholders self-policing?” asked Education and Workforce Subcommittee on Early Childhood, Elementary and Secondary Education Chairman Todd Rokita, R-Ind. Meehan and Rokita’s subcommittee’s jointly held the hearing.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Lawmakers asked whether laws on the books -- mainly the Family Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act -- are fully protecting the data. Witnesses -- including state officials, researchers, education advocates and industry representatives -- said more protections were needed, but disagreed on who should take the lead. Most witnesses and lawmakers were receptive to legislation similar to an Idaho bill (SB-1372) that “very clearly outlined what data could be collected,” and established monetary penalties for data breaches, said Joyce Popp, Idaho State Department of Education chief information officer.
Some Republicans and an industry official thought those guidelines should be pushed through state legislation, industry or the Department of Education (DOE). “We like that approach,” said Software and Information Industry Association (SIIA) Vice President-Public Policy Mark MacCarthy. “It sets up the proper framework for the inclusion of the appropriate issues within school contracts.” Both SIIA’s and the DOE’s recently released guidelines on protecting student data stress similar goals (WID Feb 25 p6).
Democrats, other Republicans and a researcher who has examined the contracts school districts make with third-party vendors said federal legislation may be necessary. Joel Reidenberg, founding academic director for Fordham University School of Law’s Center on Law and Information Policy, said the government can’t wait for states to catch up. Many smaller districts “seem to be winging it when they come to these kind of contracts,” he said. These “contract practices on the whole are terrible,” he said Wednesday, summarizing his findings from a December report (WID Dec 16 p3).
Rokita floated the idea of using DOE’s Title II funds -- used for local teacher and principal training and recruitment -- to educate local officials on writing student data privacy-focused contracts with third-party vendors. “If the federal government is going to be financing these kinds of programs at the state level” Reidenberg said, “then there ought to be commensurate requirement that the states address privacy as part of their infrastructure development.”