by Paul Rubell, Esq.
Here’s a novel story. Industry promises to protect privacy but doesn’t change a thing.
For the sake of background, federal education laws purport to protect the privacy of school-aged children. Yet any high school student can tell you about the barrage of US mail and email marketing that she receives daily from colleges, technical training schools, the military, and SAT preparatory course providers.
Personally, I am still throwing out junk collegiate mail that is being bombarded at my child, even though he is already away at university.
Today, a consortium of companies that provide educational services and software have signed a Pledge, vowing to maintain students’ information.
The Pledge is not law. It is an industry initiative that is designed to go far beyond the current state of legal protection of children’s data.
A federal law called FERPA is designed to protect students’ privacy rights. However, there are many gaping holes in the law, and it is relatively easy for any marketing company to slalom around the regulations simply by complying with the “don’ts” and finding ways to “do” marketing and to conduct business.
FERPA (the Family Educational Rights and Privacy Act) does not prohibit companies from using students’ data. To the contrary, this federal law simply puts into place a regulatory system of rules that are designed to protect the use of information about students.
“Using” information is not the same thing as “not using” information.
Once again, we are witnessing the difficulty of law keeping pace with rapid advances in education.
Education can be enhanced via the power of computing:
- Teachers host websites to make it easier for their students to access information and submit homework assignments.
- School districts post report cards, grades, class rank and other information on web servers for ease of access (and to save the expense of postage).
- Parents can ask educators questions and seek educational information about their children online.
- Children with special needs receive better quality, more coordinated services by healthcare professionals. The web allows mission-critical data to be shared among professionals to allow them to deliver a more cohesive and more comprehensive teaching plan to students with needs.
- Individual education plans (IEPs) are mandated by federal law to ensure the quality of care that school districts furnish to special needs children. To accomplish this noble goal, however, highly personal, private information (including a child’s specific medical condition and treatment plan) is stored in the “cloud” to enable information sharing among those with a “need to know.”
In short, FERPA permits ease of access to highly confidential information about children yet, at the same time, requires the information to be used in a way that is responsible, secured, and protected.
Access to information always involves risks.
In this era of mergers and acquisitions, data can get lost when a business is acquired by another. Also, a company that is sold may have had a stronger commitment to privacy than the company that purchased its assets.
Yes, today, information is an “asset” that is an integral part of the sale of a business.
To mitigate these risks to student security, a new initiative has been announced. Global leaders including Microsoft and Houghton Mifflin Harcourt have signed a Pledge to protect information in a way that is more stringent and rigorous than FERPA requires.
This industry-led pledge is a commitment by businesses that serve the educational industry to the following:
- Not to collect, maintain, use or share student personal information beyond the specific needs for authorized educational purposes, or as authorized by the parent.
- Not to sell student information.
- Not to use or disclose student information for targeted advertising to students.
- Not to develop a personal profile of a student (except to support authorized educational purposes or as authorized by the parent).
- Not to change their privacy policies without first (1) providing prior notice to the school and/or parent, and (2) allowing them to opt in or opt out of the change in use of information.
- Not to keep student personal information longer than is needed to support the school’s specific purposes, or as authorized by the parent.
If industry leaders intend to do what they claim, I would be comforted as a parent in knowing that efforts are being made to stop the spam emails, junk snail mail, and targeted marketing that companies routinely send to my children.
However, hidden deep within the Pledge is a tenet far scarier than any holes that Congress may inadvertently have omitted from the FERPA statute.
Specifically, the Pledge promises that participating companies merely need to do the following in order to comply – and win kudos for their “commitment” to “privacy”:
“Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student personal information we collect, if any, and the purposes for which the information we maintain is used or shared with third parties.”
Let’s look at what this means:
As long as a company “discloses”, on its website’s Legal Notice page, that it collects, uses, and sells private student information, the company has complied with the Pledge.
So what is this Pledge really all about?
Is it going to stop the marketing industry from selling student information to recruiters?
Is it going to keep student information secure?
Is it going to provide transparency of how information is being used?
Yes – as long as you are a lawyer/parent and take the time and arduous effort to read fine print masked within a website’s deep links.
FERPA has gaping holes.
So does this industry’s Pledge.
The more things change, the more they stay the same.