5 min read
In 2001 with the passage of No Child Left Behind, the previously existing data collection efforts of schools, districts, and states became central to high-stakes accountability. Data collection predates NCLB, but the requirements of this law gave shape to the current discussions around data collection and privacy. This Data Quality Guideline brief from the Education Department (doc download) does a good job showing the high level requirements:
The accountability provisions included in the No Child Left Behind Act of 2001 (NCLB) significantly increased the urgency for States, local educational agencies (LEAs), and local schools to produce accurate, reliable, high-quality educational data.
The EdFacts Overview page has additional information about data required at the federal level.
Since 2005, 47 states, the District of Columbia, Puerto Rico, and the Virgin Islands have all received at least one federal grant to support building a statewide longitudinal data system. The purpose of these grants is the support of "states to design, develop, and implement statewide P-20 longitudinal data systems to capture, analyze, and use student data from preschool to high school, college, and the workforce."
The 12 core requirements for longitudinal data systems (summarized here by the Department of Education) are defined in the America COMPETES Act - passed in 2007, renewed in 2010. A quick look at lobbying efforts for the 2007 bill show that Microsoft, the Software & Information Industry Assn, and the Business Roundtable spent millions of dollars on lobbying efforts related to this law.
Data collection is required by federal law and supported by federal dollars - and has been for quite some time now. Unless there is an overnight change, it will continue for the foreseeable future.
Federal law mandates that schools, districts, and states collect data on individual learners in the name of "accountability;" this ensures the need for data management. If inBloom, Ed-Fi, Pearson, etc were all to disappear tomorrow, there would be another round of datastores popping up because collecting and storing data is - according to federal law - a required element of public education.
Because of this federally required need for the services and software they provide, organizations like inBloom and Ed-Fi are in an ideal position to support increased privacy protections for learners and teachers. Remember - the need for data collection is a federal mandate. Congress would actually need to do something for these requirements to change, which is the best type of security any entity can have. Data is required to flow from schools to districts to states to the federal government.
A common charge levelled against the organizations building, running, and/or supporting datastores is that they care more about vendor profits than student privacy. The general response to this claim is that any decisions around security and data sharing is deferred to the local level. While this is technically accurate, it feels like an evasion - part of the attraction of a pre-built datastore is that it supplies a level of expertise not readily available at the local level. Addressing the technical requirements without even acknowledging the policy requirements feels like an unnecessary half-step.
Given that the need for interoperable data stores is required by federal law and supported by federal money, inBloom and Ed-Fi could provide leadership on issues of student rights and data ownership without any real risk to their position. If either of these organizations came out in support of increased privacy supports, they could silence critics and provide some needed guidance and leadership without any real risk to their product, as the need for their product is defined by federal law.
How would the privacy conversations change if either inBloom or Ed-Fi came out with a privacy plan that included any of the following elements?
- Establish a state Privacy Officer, tasked with ensuring the privacy and security of student data - UPDATE: EducationNY has a model bill creating a state-level privacy officer;
- Made a recommendation for data sunsets (a date past which student data would not be stored);
- In conjunction with privacy advocates in a transparent process, developed sample opt-in policies for school and district data collection;
- Documented the smallest amount of data required to meet state and federal reporting requirements;
- Document sample policies on student and parent review and cleansing of data;
- Document sample policy on learner ownership of their data;
- Develop a set of data handling and privacy guidelines for use with school and district staff on secure data handling.
This is a short and incomplete list, but demands like these will be coming. These recommendations, of course, wouldn't be binding. In most cases, enacting policy would require political action.
The organizations currently working in the space have an opportunity to shape the conversation, but it's an opportunity that won't last indefinitely. Right now, there is a vacuum, with many people talking about the need for privacy, but without clear consensus of what "privacy" means or what policy around privacy should look like. Organizations building datastores are in a great position - their existence is required by federal law, and short term, there are no viable alternatives readily available. This puts them in the ideal position to advocate for learner's rights and increased privacy protections.