Need for New Student Data Privacy Laws Subject of CEA Forum

Education Committee members Rep. Andrew Fleischmann, Rep. Gail Lavielle, Rep. Kathleen McCarty, and Rep. Pam Staneski were some of the many lawmakers attending today's CEA forum

January 21, 2016

"Connecticut is at a critical juncture when it comes to student data privacy," Khaliah Barnes of the Electronic Privacy Information Center told legislators, parents, teachers, and concerned citizens gathered today at a CEA Forum on data privacy. "You have an important opportunity to come up with meaningful solutions to these issues."

The absence of strong state and federal laws has put the safety, privacy, and civil liberties of children and families at risk, and that brought nearly 100 people to the Legislative Office Building in Hartford to learn what can be done to stop data mining of educational records and protect student privacy.

"The importance of this issue was really brought home to me by concerned parents," said state Representative Andrew Fleischmann, co-chair of the legislature's Education Committee and moderator of the first half of the forum. "They did not think sufficient protections are in place."

Fleischmann was one of many legislators who attended the forum, expressing support for new state laws to protect students' privacy. "The legislators here today, and others who are not here, are very committed to this issue," Fleischmann said.

Fleischmann and his Education Committee co-chair Senator Gayle Slossberg plan to introduce a student data privacy bill this legislative session, which begins February 3.

"You don't need to convince me of the importance of this bill," said Representative Gail Lavielle, ranking member of the Education Committee.

"Everything that gets recorded has the potential to live forever," said CEA Director of Policy, Research, and Reform Donald Williams. "When it's children, students in our schools, we have this assumption that there is privacy, that there is protection. We need to ensure that every move students make in our schools does not become part of some data collection system that follows them, perhaps forever."

Regulations and enforcement both lacking

Cameron Russell of the Center on Law and Information Policy at Fordham University School of Law and Khaliah Barnes of the Electronic Privacy Information Center were two of the experts who spoke at today's forum.

The CEA forum featured several experts in the area of student data privacy, including Barnes, Cameron Russell of the Center on Law and Information Policy at the Fordham University School of Law, Leonie Haimson of the Parent Coalition for Student Privacy, and Brian Kelly, chief information security officer at Quinnipiac University.

Russell said that a study his organization conducted in 2013 found that 95 percent of school districts are outsourcing data to the cloud and only 25 percent of districts inform parents of their use of cloud services. These records can include grades, homework essays, lunch room purchases, fitness records, and much more. Districts often fail to provide for adequate data security, allow vendors to retain student information in perpetuity, and fail to address parental notice or consent in contracts with vendors.

The federal Family Educational Rights and Privacy Act (FERPA) governs the privacy of student records, however the law has been weakened twice in recent decades under both the Bush and Obama administrations to provide fewer protections for students and families.

In the absence of strong federal law, states have been stepping in to enact their own laws. In 2014 and 2015, 36 states passed new privacy laws, however none are as strong as privacy experts would like. The speakers stressed the need not just for new privacy laws, but for strong laws with enforcement provisions.

"Parents and students should be able to hold companies accountable and have their day in court," Barnes said. She added that, when violations of agreements or data breaches occur, schools should be able to immediately cancel their contract with vendors.

The need for new security and safety standards is constantly evolving, Kelly said. Cyber security is a new frontier, and laws have not caught up to the need that exists to keep individuals safe. "The Food and Drug Administration, the Federal Aviation Administration—all of these agencies exist to ensure safe and secure standards. We need to evolve to apply similar standards to data privacy," he said.

In the meantime, Connecticut has the opportunity to act and ensure safety and privacy for students.

"Private sector data mining has exploded in many facets of our lives and has now reached our children and our public schools," said CEA President Sheila Cohen. "State lawmakers cannot ignore this problem and we urge them to act during the session to protect our most vulnerable citizens—our children."

Back to Top