Thursday, April 3, 2014

The Student Privacy Bill of Rights

On March 6, 2014, Khaliah Barnes, the Director of the Electronic Privacy Information Center's (EPIC) Student Privacy Project authored an extremely important article that was featured in the Washington Post titled, "Why a Student Privacy Bill of Rights is desperately needed".  The piece details the digital privacy challenges students encounter and why they need to have stronger legal rights to better protect their personal privacy and safety.  I wholeheartedly agree with Ms. Barnes and believe our students need more robust digital privacy protections.

The main federal laws designed to protect student privacy, the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PRPA) have not been updated to keep pace with the Digital Age.  The lack of legal protections for our students' personal information that is stored in the cloud has made Ms. Barnes' Student Privacy Bill of Rights a necessity.  It enumerates six basic rights for students and I believe that in the age of Big Data, students have "certain unalienable Rights" regarding their personal privacy.  The Rights are listed below:

Right #1 Access and Amendment:  Students have the right to access and amend their erroneous, misleading, or otherwise inappropriate records, regardless of who collects or maintains the information.

While growing up in the 1980's, I didn't have to worry that everything I said to my classmates and/or teachers would be on my permanent record forever.  When I attended elementary, middle, and high school, the primary form of communication was in person, on the phone, and handwritten/typed letters.  In college, I recall sending out my first email and then in law school  email began to gain traction. 

As an adjunct professor at a major international university, I have noticed that students prefer email as their primary form of communication outside of class.  Students sometimes make inappropriate remarks in class and/or email.  However, students attend school to learn how to communicate and I believe the content of their school work and their school related communications should be protected and off limits from data mining.  My students and children should be afforded the same privacy protections I experienced in school without fear that every single student-teacher and  student-student digital interaction may be used against them in the future.     

Right #2 Focused collection:  Students have the right to reasonably limit student data that companies and schools collect and retain.

Schools, along with their vendors, and sub-contractors should be limited to what type of data they are able to collect and retain about students.  For example, some schools require student-athletes to install cyber-monitoring software onto their personal computers and personal digital media accounts so all of their online postings may be captured and archived indefinitely.  One school vendor was caught a couple years ago by Time Magazine abusing its access to personal student data and utilizing their content for advertising purposes.  Therefore, it is imperative that students have the right to reasonably limit the type of personal information that is collected and retained about them by companies that contract with schools.    

Right #3 Respect for Context:  Students have the right to expect that companies and schools will collect, use, and disclose student information solely in ways that are compatible with the context in which students provide data.

Unfortunately, some companies have not been honest about the manner in which they collect and utilize personal student information.  Education Week recently reported that Google is abusing its privilege as a school learning platform provider because it is using its Apps For Education offering to surreptitiously data mine student emails for potential advertising. 

Whether its through cloud computing, mobile communication devices, apps, or old school personal computer networks, a tremendous amount of information is being collected by third parties and this data is not under the direct control of our schools.  Therefore, schools and their vendors must be required to disclose exactly what is happening to student information that is stored digitally. 

Right #4 Security: Students have the right to secure and responsible data practices

Secure data practices do not happen overnight and requires cooperation from both schools and their vendors.  Professor Dan Solove of George Washington University has been advocating for years that schools hire chief privacy officers to educate and provide leadership on these issues.  Earlier this year, Prof. Solove told USA Today, “[w]ithout a privacy officer in schools, there will be no one looking out for privacy issues,”  Recent high profile data breaches at the University of Maryland and Indiana University demonstrates the need for educational institutions to implement policies and practices that better protect our students' privacy.    

Right #5  Transparency:  Students have the right to clear and accessible information privacy and security practices.
 
Transparency is key to fostering successful privacy and security practices.  Educational institutions and their contractors need to be required by law to be fully transparent about the type of information they collect, how it is utilized, how long it is archived, and who has access to it.  School vendors such as
Google who have not been transparent about their privacy and security practices put our students' privacy and personal security at risk.  If schools are unable to provide clear and accessible information about their contractors' privacy and security practices, students should have the right to opt-out of participating in a school provided platform that harms their privacy and puts their personal security at risk.        

Right #6  Accountability:  Students should have the right to hold schools and private companies handling student data accountable for adhering to the Student Privacy Bill of Rights. 

FERPA has no private right of action against school vendors.  This is a huge loophole that puts the burden of protecting our children's privacy squarely on academic institutions even though many schools are ill equipped and under-funded to do so.  New state and/or federal laws/regulations are needed to hold school contractors accountable for violating the privacy of our students.   

A recently released report on Big Data and "alternative credit scoring" by the World Privacy Forum reinforces the need for greater regulation to protect our privacy.  The report discusses unfairness and discrimination issues that may soon become widespread because our current legal and regulatory privacy framework was designed before email, apps, and the cloud became ubiquitous.  Students shouldn't have to worry about whether their school related research, questions, communications, and/or projects on disabilities, HIV, personal sexuality, pregnancy, sexually transmitted diseases, etc... will be data mined and/or sold to the highest bidder. 
 
 If third party vendors mislead schools, parents, or students about their data handling or protection practices, they need to be held legally and financially responsible for privacy violations.  For example, students who utilize Google Apps For Education through their schools should be able to hold Google legally and financially accountable for data mining their school digital interactions, content, work etc...for non-educational purposes.  

Soon after the Education Week article that uncovered Google's very troubling student data mining practices was published, I reached out to Ms. Barnes and asked her to comment about these new revelations.  In an email Ms. Barnes stated, "Google's data mining admissions underscore the importance of the Student Privacy Bill of Rights. Here's a situation where students lost total control over their information. The students first lost control when the schools made a choice on behalf of students, without first adequately vetting Google's data practices and ensuring that those practices don't put students at risk. Second, students lost control when Google decided to read students' emails. Google's practices contravene the Student Privacy Bill of Rights by repurposing student data for commercial use. Google should be held accountable to students, the Education Department, and the Federal Trade Commission for violating student trust."

As a society, we need to do more to protect our children's privacy in the Digital Age.  A first step would be to adopt the principles advocated by Ms. Barnes' in her Student Privacy Bill of Rights. 

Copyright 2014 by the Law Office of Bradley S. Shear, LLC. All rights reserved.

No comments:

Post a Comment