online privacy

Do you Know What Schools are Doing with Your Kids’ Private Data?: Two Things You Can Do to Make Sure Your Child’s Data Is Protected

Print Friendly

Parents in the digital age have a lot to worry about when it comes to their child’s online safety: privacy protection, cyberbullying, predation, adult content, the list goes on. But many parents think that is where the concerns end. Unfortunately, that’s not the case. You need to be aware that your child’s data, collected and utilized by their school and school district, is at risk because of where it goes and who may have access to it.

The flow of data looks something like this: Schools collect data on your child (age, race, gender, grades), school districts keep that data in a database, state databases then have access to it. Analyzing this data can have many benefits. Big data analysis allows researchers to find trends that may predict student achievement or patterns in student comprehension. And remember, schools have been collecting this kind of information for a long time. The big difference now, however, is that they’re being asked to collect it digitally and the people asked to collect this data aren’t necessarily equipped to manage it. This is where the privacy protections requirements start to become problematic.

The Family Educational Rights and Privacy Act (FERPA) mandates data containing personally identifiable information (PII) can only be nonconsensually accessed by “authorized representatives” such as “officials of state or local educational authorities, or to the agencies headed by certain federal officials” and the Department of Education has done well in adhering to that mandate. But the problem isn’t about who goes through proper channels to be considered “authorised representatives,” rather the potential for leaking information comes much earlier.


School districts are being asked to set up their own databases, which they typically don’t have the technical know-how to do (as their expertise is in education, not database management), so they often go to a third party to build and manage a database for them. Their district databases then become a part of state databases. Because of these dynamics, Congress “amended the Family Educational Rights and Privacy Act (FERPA) to allow authorized third parties to access sensitive student data.” This is where we see the protection of our children’s privacy fall short.

According to research conducted by The Fordham University Law School’s Center on Law and Information Policy’s (A Study of Elementary and Secondary School State Reporting Systems) :

  • All fifty states educational databases across the country ignore key privacy protections for the nation’s K-12 children.
  • Large amounts of personally identifiable data and sensitive personal information about children are stored by the state departments of education in electronic warehouses or for the states by third party vendors.
  • These data warehouses typically lack adequate privacy protections, such as clear access and use restrictions and data retention policies and are often not compliant with FERPA and leave K-12 children unprotected from data misuse, improper data release, and data breaches.

Third-party contractors are prohibited from selling or using the data they’re managing for non-educational purposes but the rules are murky and the penalties are minor. Clearly, there is potential for an information leak when the data is being handed off to people who have relatively little incentive to protect it. One such example is a company known as InBloom which provides “off-site digital storage for student data—names, addresses, phone numbers, attendance, test scores, health records—formatted in a way that enables third-party education applications to use it.”

Presumably, these third-party education applications are used by educators for their own classes, but that is still a lot of data to have in one place. When InBloom announced that they had partnered with nine states, parents were furious, and rightfully so. What would happen if there were a leak or if the company decided to start selling the information? Concerned parents worked together to take down InBloom and now only three of the original nine states still use the service. These same parents formed Student Privacy Matters, an organization dedicated to protecting the privacy of students’ data.


If you want peace of mind that your child’s private information remains private, here are the following actions you can take:

  • Visit Student Privacy Matters
    • At their Take Action page, you can sign up to be part of their coalition, subscribe to their newsletter, or find instructions on how to write a letter to your senator or representative asking that they take action towards better privacy protection for students.
    • Share the material on online privacy they provide with your child’s school.
  • Go to your school district and
    • ask them to provide you with information on how they, and their third party service providers are specifically abiding by FERPA.
    • confirm that they are following the best practices for keeping parents informed about the information they collect on students. The U.S. Department of Education provided guidance guidelines that- schools need to follow with parents. The new guidance recommends that schools and districts provide parents with information, such as:
      • What information are you collecting about students?
      • Why are you collecting this information?
      • How is the information protected?
      • Do you share any personal information with third parties? If so, with whom and for what purpose(s)?
      • Who should parents contact if they have questions about your data practices?

The U.S. Department of Education also advises schools to make information about their student data policies clear, consistent and easy to find on their public website. Members of the community should periodically review the site for ease of use, comprehension and completeness.

Welcome back to a new school year and data protection. Share with us what you learn about your child’s school data privacy practices. We’d like to know.

facebooktwitterpinterestlinkedinby feather

Leave a Reply

Your email address will not be published. Required fields are marked *