[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
HOW DATA MINING THREATENS
STUDENT PRIVACY
=======================================================================
JOINT HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY,
INFRASTRUCTURE PROTECTION,
AND SECURITY TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
Serial No. 113-76
and the
SUBCOMMITTEE ON EARLY CHILDHOOD,
ELEMENTARY, AND SECONDARY EDUCATION
of the
COMMITTEE ON EDUCATION
AND THE WORKFORCE
HOUSE OF REPRESENTATIVES
Serial No. 113-61
__________
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
JUNE 25, 2014
__________
Printed for the use of the Committee on Homeland Security and the
Committee on Education and the Workforce
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
91-448 WASHINGTON : 2015
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                      Bennie G. Thompson, Mississippi
Peter T. King, New York                 Loretta Sanchez, California
Mike Rogers, Alabama                    Sheila Jackson Lee, Texas
Paul C. Broun, Georgia                  Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice Chair Brian Higgins, New York
Patrick Meehan, Pennsylvania            Cedric L. Richmond, Louisiana
Jeff Duncan, South Carolina             William R. Keating, Massachusetts
Tom Marino, Pennsylvania                Ron Barber, Arizona
Jason Chaffetz, Utah                    Donald M. Payne, Jr., New Jersey
Steven M. Palazzo, Mississippi          Beto O'Rourke, Texas
Lou Barletta, Pennsylvania              Filemon Vela, Texas
Richard Hudson, North Carolina          Eric Swalwell, California
Steve Daines, Montana                   Vacancy
Susan W. Brooks, Indiana                Vacancy
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
Vacancy
Brendan P. Shields, Staff Director
Joan O'Hara, Acting Chief Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama                    Yvette D. Clarke, New York
Tom Marino, Pennsylvania                William R. Keating, Massachusetts
Jason Chaffetz, Utah                    Filemon Vela, Texas
Steve Daines, Montana                   Vacancy
Scott Perry, Pennsylvania, Vice Chair   Bennie G. Thompson, Mississippi (ex officio)
Michael T. McCaul, Texas (ex officio)
Alex Manning, Subcommittee Staff Director
Dennis Terry, Subcommittee Clerk
COMMITTEE ON EDUCATION AND THE WORKFORCE
John Kline, Minnesota, Chairman
Thomas E. Petri, Wisconsin              George Miller, California, Senior Democratic Member
Howard P. ``Buck'' McKeon, California   Robert C. ``Bobby'' Scott, Virginia
Joe Wilson, South Carolina              Rubén Hinojosa, Texas
Virginia Foxx, North Carolina           Carolyn McCarthy, New York
Tom Price, Georgia                      John F. Tierney, Massachusetts
Kenny Marchant, Texas                   Rush Holt, New Jersey
Duncan Hunter, California               Susan A. Davis, California
David P. Roe, Tennessee                 Raúl M. Grijalva, Arizona
Glenn Thompson, Pennsylvania            Timothy H. Bishop, New York
Tim Walberg, Michigan                   David Loebsack, Iowa
Matt Salmon, Arizona                    Joe Courtney, Connecticut
Brett Guthrie, Kentucky                 Marcia L. Fudge, Ohio
Scott DesJarlais, Tennessee             Jared Polis, Colorado
Todd Rokita, Indiana                    Gregorio Kilili Camacho Sablan, Northern Mariana Islands
Larry Bucshon, Indiana                  Frederica S. Wilson, Florida
Lou Barletta, Pennsylvania              Suzanne Bonamici, Oregon
Joseph J. Heck, Nevada                  Mark Pocan, Wisconsin
Mike Kelly, Pennsylvania                Mark Takano, California
Susan W. Brooks, Indiana
Richard Hudson, North Carolina
Luke Messer, Indiana
Bradley Byrne, Alabama
Juliane Sullivan, Staff Director
Megan O'Reilly, Minority Staff Director
------
SUBCOMMITTEE ON EARLY CHILDHOOD, ELEMENTARY, AND SECONDARY EDUCATION
Todd Rokita, Indiana, Chairman
John Kline, Minnesota                   David Loebsack, Iowa, Ranking Minority Member
Thomas E. Petri, Wisconsin              Robert C. ``Bobby'' Scott, Virginia
Virginia Foxx, North Carolina           Carolyn McCarthy, New York
Kenny Marchant, Texas                   Susan A. Davis, California
Duncan Hunter, California               Raúl M. Grijalva, Arizona
David P. Roe, Tennessee                 Marcia L. Fudge, Ohio
Glenn Thompson, Pennsylvania            Jared Polis, Colorado
Susan W. Brooks, Indiana                Gregorio Kilili Camacho Sablan, Northern Mariana Islands
Bradley Byrne, Alabama
C O N T E N T S
----------
Statements
The Honorable Patrick Meehan, a Representative in Congress From
the State of Pennsylvania, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies, Committee on Homeland Security:
  Oral Statement
  Prepared Statement
The Honorable Todd Rokita, a Representative in Congress From the
State of Indiana, and Chairman, Subcommittee on Early
Childhood, Elementary, and Secondary Education, Committee on
Education and the Workforce:
  Oral Statement
  Prepared Statement
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies, Committee on Homeland Security:
  Oral Statement
  Prepared Statement
The Honorable David Loebsack, a Representative in Congress From
the State of Iowa, and Ranking Minority Member, Subcommittee on
Early Childhood, Elementary, and Secondary Education, Committee
on Education and the Workforce:
  Oral Statement
  Prepared Statement
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas:
  Prepared Statement
The Honorable Jared Polis, a Representative in Congress From the
State of Colorado:
  Prepared Statement
Witnesses
Mr. Joel R. Reidenberg, Stanley D. and Nikki Waxberg Chair and
Professor of Law, Founding Academic Director, Center of Law and
Information Policy, Fordham University School of Law:
  Oral Statement
  Prepared Statement
Mr. Mark MacCarthy, Vice President, Public Policy, Software and
Information Industry Association:
  Oral Statement
  Prepared Statement
Ms. Joyce Popp, Chief Information Officer, Idaho State Department
of Education:
  Oral Statement
  Prepared Statement
Mr. Thomas C. Murray, State and District Digital Learning Policy
and Advocacy Director, Alliance for Excellent Education:
  Oral Statement
  Prepared Statement
For the Record
The Honorable David Loebsack, a Representative in Congress From
the State of Iowa, and Ranking Minority Member, Subcommittee on
Early Childhood, Elementary, and Secondary Education, Committee
on Education and the Workforce:
  Statement of Aimee Rogstad Guidera, Executive Director, Data
  Quality Campaign
HOW DATA MINING THREATENS
STUDENT PRIVACY
----------
Wednesday, June 25, 2014
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity,
Infrastructure Protection, and
Security Technologies, and
U.S. House of Representatives,
Committee on Education and the Workforce,
Subcommittee on the Early Childhood,
Elementary, and Secondary Education,
Washington, DC.
The subcommittees met, pursuant to call, at 11:02 a.m., in
Room 311, Cannon House Office Building, Hon. Patrick Meehan
[Chairman of the Cybersecurity, Infrastructure Protection, and
Security Technologies subcommittee] presiding.
Present from Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies: Representatives Meehan,
Rogers, Clarke, and Vela.
Present from Subcommittee on Early Childhood, Elementary,
and Secondary Education: Representatives Rokita, Roe, Brooks,
and Loebsack.
Also present: Representative Bonamici.
Mr. Meehan. The Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies of the
Committee on Homeland Security and the Subcommittee on Early
Childhood, Elementary, and Secondary Education of the Committee
on Education and the Workforce will now come to order. The
subcommittees are jointly meeting today to examine data
collection and privacy concerns in education.
I will recognize myself for an opening statement. I would
like to thank Ranking Member Clarke, as well as Chairman Rokita
and Ranking Member Loebsack from the Education and the
Workforce Subcommittee on Early Childhood, Elementary, and
Secondary Education, for coming together with us today to hold
this joint hearing on what is a very important issue, which is
the privacy and security of our students' Personally
Identifiable Information. We call it PII. Today marks the first
joint hearing between these two committees, and I am looking
forward to working with Chairman Rokita and Ranking Members
Clarke and Loebsack on this issue.
In recent years, the number of school districts using
educational software and cloud services has just exponentially
increased. Today, nearly 95 percent of school districts are
using these services. These services can provide numerous
advantages to school administrators and educators, including
individualized learning, State examination assessments and
administrative functions such as attendance records. While
these services can be helpful to our students' development, it
is vitally important that we understand the privacy and
security concerns of sharing such sensitive information.
A report by the Fordham Law School found that cloud
services used by school districts are poorly understood and
have a lack of transparency, finding 20 percent of school
districts do not have proper policies in place for the use of
these services. Fewer than 7 percent restrict the sale of
student information by vendors. Let me repeat that line: Fewer
than 7 percent restrict the sale of student information by
vendors. Security of student information must be paramount. As
this subcommittee has examined in recent hearings, cyber
criminals have become more sophisticated in their tactics and
techniques, evidenced by the increasing number of cyber
breaches at universities, schools, and retailers. The more
convenienced our lives become with on-line services the greater
risk these criminals can exploit it.
Over the past year, three major universities and one school
district became victims of cyber breaches affecting hundreds of
thousands of students' personally identifiable information. But
it is not just the identifiable information. It is also
information about the students and their performance itself.
Much like health records, a lot of the things that is being
able to be tracked includes the mental processes of students as
they are working through equations. There has to be an
appropriate form of protection of that, an appropriate form of
parental consent, before that kind of information is utilized.
Greater transparency is needed on behalf of the school
districts and the vendors with which they contract. Parents
enrolling their children in school should have a clear
understanding of what information is collected, stored, and
shared. The Family Educational Rights and Privacy Act, which we
call FERPA, is the Federal law that governs the privacy of
student records. FERPA establishes when, and what type, of
information school districts can share with private vendors.
However, there are concerns that because FERPA was enacted in
1974, long before the advent of these technologies, it doesn't
reflect the current reality in the classroom and changes in how
data is collected and shared.
I think we will also hear testimony about gaps that exist
in the laws that oversee the protection of student information.
Today's hearing will seek to examine the sharing of student
information with educational software and cloud service
vendors, and the laws and guidelines that govern them. The
subcommittees will hear testimony from a distinguished panel,
including representatives from the Fordham Law School, Software
and Information Industry Association, the Idaho State
Department of Education, and the Alliance for Excellent
Education.
Transparency on behalf of the school districts and the
educational companies is vitally important. Parents should have
a clear understanding of what schools are sharing and what
rights they have. I appreciate the opportunity to work with my
colleagues in Education and the Workforce to examine this
important issue.
[The statement of Chairman Meehan follows:]
Statement of Chairman Patrick Meehan
June 25, 2014
I would like to thank Ranking Member Clarke as well as Chairman
Rokita and Ranking Member Loebsack from the Education and the Workforce
Subcommittee on Early Childhood, Elementary, and Secondary Education
for coming together with us to hold this joint hearing on a very
important issue, the privacy and security of our students' Personally
Identifiable Information (PII). Today marks the first joint hearing
between these two committees, and I'm looking forward to working with
Chairman Rokita and Ranking Member Loebsack on this issue.
In recent years the number of school districts using educational
software and cloud services has greatly increased; today nearly 95% of
school districts are using these services. These services can provide
numerous advantages to school administrations and educators including
individualized learning, State examination assessments, and
administrative functions such as attendance records. While these
services can be helpful to our students' development, it is vitally
important that we understand the privacy and security concerns of
sharing such sensitive information. A report by the Fordham Law School
found that cloud services used by school districts are poorly
understood and have a lack of transparency, finding 20% of school
districts do not have proper policies in place for the use of these
services and fewer than 7% restrict the sale of student information by
vendors.
Security of student information must be paramount, as this
subcommittee has examined in recent hearings cyber criminals have
become more sophisticated in their tactics and techniques, evidenced by
the increasing number of cyber breaches at universities, schools, and
retailers. The more interconnected our lives become with on-line
services the greater the risk these criminals can exploit it. Over the
past year three major universities and one school district have become
victims of cyber breaches affecting hundreds of thousands of students'
Personally Identifiable Information.
Greater transparency is needed on behalf of the school districts
and the vendors with which they contract. Parents enrolling their
children in school should have a clear understanding of what
information is collected, stored, and shared. The Family Educational
Rights and Privacy Act (FERPA) is the Federal law that governs the
privacy of student records. FERPA establishes when and what type of
information school districts can share with private vendors. However,
there are concerns that because FERPA was enacted in 1974, long before
the advent of these technologies, it does not reflect the current
reality in the classroom and the changes in how data is collected and
shared.
Today's hearing will seek to examine the sharing of student
information with educational software and cloud service vendors and the
laws and guidelines that govern them. The subcommittees will hear
testimony from a distinguished panel including representatives from the
Fordham Law School, Software and Information Industry Association,
Idaho State Department of Education, and the Alliance for Excellent
Education. Transparency on behalf of the school districts and the
educational companies is vitally important; parents should have a clear
understanding of what schools are sharing and what rights they have. I
appreciate the opportunity to work with my colleagues at Education and
the Workforce to examine this important issue.
Mr. Meehan. The Chairman now recognizes the Ranking Member
of the subcommittee, the gentlelady from New York, for any
statements she may have.
Ms. Clarke. Thank you, Mr. Chairman. I want to thank you
for holding today's hearing. I want to welcome our colleagues
from the Education and the Workforce Committee, especially
Ranking Member Loebsack and his fellow Members from the Early
Childhood, Elementary, and Secondary Education Subcommittee.
Today's hearing reminds me of the work we have done on this
subcommittee in developing authorities for the Department of
Homeland Security to create a robust cyber workforce. In
developing my bill, Cybersecurity Boots on the Ground, we
thought carefully about how we must learn to improve the
readiness and capacity of DHS' cybersecurity current workforce.
But more importantly, how to engineer systems and devices that
earn parents, schools, and policymakers' trust and confidence
to train students for future careers. Our goal was to encourage
innovation in education to help create cyber-capable citizens
and help sustain a cyber-capable workforce.
Today's hearing is specifically about the use of technology
in learning that could open up countless opportunities for
students from the personalization of learning to the concept of
learning any time, anywhere. From visiting the schools in my
district, I have seen how advanced technology is being rapidly
deployed in all grades and can offer benefits that support a
number of distinct functions, from data analytics to student
reporting requirements to basic productivity, functions such as
e-mail, data storage, and document editing. Advances in
information technology have led to many new ways to collect
data, analyze and use data, in ever-expanding volumes.
Big data holds tremendous potential to benefit society and
contribute to economic growth. Researchers have told us that it
will soon be possible to create and maintain longitudinal data
about the abilities and learning styles of millions of
students. Early adopters of these technologies have
demonstrated their potential to transform and advance
educational tools. But these same technologies also called
attention to serious policy questions. In particular, the
information-sharing web hosting and telecommunication
innovations that have enabled these new educational
technologies raise questions about how best to protect student
privacy and about the security of student information.
In this committee's work on cybersecurity legislation, we
have seen that rapidly-developing technology like data mining
often outpaces the capacities and legal requirements that
institutions and businesses need to manage and make use of big
data and information sharing.
However, data mining has emerged as one of the few--the key
features of many Homeland Security programs involving the use
of sophisticated data analysis tools to discover previously-unknown
valid patterns and relationships and learning enlarged
data sets. In the context of homeland security, data mining is
viewed as an essential means to identify terrorists and
criminal activities, such as money transfers and communications
screens and to identify and track terrorists themselves through
travel and immigration records.
However, the concept of data mining in education has
witnessed dramatic world-wide growth both in academia and in
the business sector as a process that can provide useful data
necessary for decision making in institutions and for the
development of educational tools. While States and local
communities are the core of our education systems, much of the
software that supports on-line learning tools, on-line courses,
and school system productivity tools is provided by for-profit
firms. This raises complicated questions about who owns the
data streams coming off on-line education platforms and how
they are used.
Applying priority safeguards to educational records can
create unique tasks. Today, we will hear how the use of school-based
student data has gained more attention in recent months
and how it has seen increased scrutiny by parents and advocates
and resulted in new State and local laws.
I know that my colleagues on the Education and the
Workforce Committee, Mr. Polis and others, are working with a
variety of stakeholders to find the right balance for
educational settings. I also know that the technology industry
is already engaged, working on best practices and policies,
along with a number of expert and academic organizations, to
move these discussions along.
I look forward to the testimony of our distinguished
panelists today, Mr. Chairman, and I yield back.
[The statement of Ranking Member Clarke follows:]
Statement of Ranking Member Yvette D. Clarke
June 25, 2014
Today's hearing reminds me of the work we have done on this
subcommittee in developing authorities for the Department of Homeland
Security to create a robust cyber workforce. In developing my bill,
``Cybersecurity Boots on the Ground'', we thought carefully about how
we must learn to improve the readiness and capacity of DHS's
cybersecurity current workforce, but more importantly, how to engineer
systems and devices that earn parents, schools, and policy maker's
trust and confidence, to train students for future careers. Our goal
was to encourage innovation in education to help create
``cyber-capable'' citizens, and help sustain a ``cyber-capable'' workforce.
Today's hearing is specifically about the use of technology in
learning that could open up countless opportunities for students, from
the ``personalization of learning'', to the concept of ``learning
anytime and anywhere''. From visiting the schools in my district, I
have seen how advanced technology is being rapidly deployed in all
grades, and can offer benefits that support a number of distinct
functions, from data analytics, to student reporting requirements, to
basic productivity functions such as email, data storage, and document
editing.
Advances in information technology have led to many new ways to
collect data, analyze, and use data in ever-expanding volumes. Big data
holds tremendous potential to benefit society and contribute to
economic growth. Researchers have told us that it will soon be possible
to create and maintain longitudinal data about the abilities and
learning styles of millions of students. Early adopters of these
technologies have demonstrated their potential to transform and advance
educational tools, but these same technologies have also called
attention to serious policy questions. In particular, the information
sharing, web-hosting, and telecommunication innovations that have
enabled these new education technologies raise questions about how best
to protect student privacy, and about the security of student
information.
In this committee's work on cybersecurity legislation, we have seen
that rapidly-developing technology, like data mining, often outpaces
the capacities and legal requirements that institutions and businesses
need to manage and make use of ``big data'' and information sharing.
However, data mining has emerged as one of the key features of many
homeland security programs, involving the use of sophisticated data
analysis tools to discover previously unknown, valid patterns and
relationships in large data sets. In the context of homeland security,
data mining is viewed as an essential means to identify terrorist and
criminal activities, such as money transfers and communications
sources, and to identify and track terrorists themselves, through
travel and immigration records.
However, the concept of data mining in education has witnessed
dramatic world-wide growth, both in academia and in the business
sector, as a process that can provide useful data necessary for
decision making in institutions, and for the development of educational
tools. While States and local communities are the core of our education
systems, much of the software that supports on-line learning tools,
on-line courses, and school system productivity tools, is provided by
for-profit firms.
This raises complicated questions about who owns the data streams
coming off on-line education platforms and how they are used. Applying
privacy safeguards to educational records can create unique tasks.
Today, we will hear how the use of school-based student data has gained
more attention in recent months, and how it has seen increased scrutiny
by parents and advocates, and resulted in new State and local laws.
I know that my colleagues on the Education and the Workforce
Committee, Mr. Polis and others, are working with a variety of
stakeholders to find the right balance for educational settings, and I
also know that the technology industry is already engaged--working on
best practices and policies, along with a number of expert and academic
organizations to move these discussions along.
Mr. Meehan. I want to thank the Ranking Member, and I also
want to express my deep appreciation to my colleague--my good
friend and colleague, the gentleman from Indiana. This is one
of those opportunities where we have the occasion in which our
work overlaps. We had a shared interest, and I was very
grateful for not only his agreement, but encouragement, to find
a way in which we could jointly explore this so that we may
learn a great deal and perhaps share in the resolution of the
matter. So I am very grateful for your participation.
The Chairman now recognizes the Chairman of the
Subcommittee on Early Childhood, Elementary, and Secondary
Education, the gentleman from Indiana, Mr. Rokita, for any
statement he may have.
Mr. Rokita. Thank you, Chairman Meehan. Good morning and
welcome. Let me begin by thanking you, Chairman, for
approaching me and my committee Members about the idea for this
morning's hearing. I am pleased that our two subcommittee teams
came together for this important and relatively new issue. So
again, thank you for your leadership. Collaboration across
committees is very important, and I hope not only these two
committees, but others, are able to do more of it.
As we draw from the knowledge and expertise of our House
colleagues, I believe we become more effective policymakers. So
I look forward, No. 1, from hearing from our witnesses and
having an informative discussion.
We are dealing with an issue today that is both critically
important and exceptionally complex. First, why is it so
important? As we fight for all Americans looking to build
better lives for themselves and their families, we know that a
cornerstone of that is a quality education. It is the route of
a better life. With very few exceptions, a worker will not
succeed in the workforce if they failed as a student in the
classroom. A strong education system is essential to a strong
and exceptional America. That is why we should engage
innovative solutions to raise achievement, and embrace new
technologies that allow us to teach children in more effective
ways.
We often see how acquiring data on student performance can
revolutionize student learning. For starters, data can provide
an early warning to teachers, alerting them to students who are
falling behind and need that extra help. It can also awaken
parents to the challenges their child is facing so they can
step in with additional support at home. Additionally, data on
student achievement can equip local communities with the
information needed to hold their schools accountable as well as
enable schools to share information on what is working in their
classrooms. Sometimes even more importantly, what is not
working.
So on to the next question: Why is this so complex? Well, I
think we have learned by now that modern technology is anything
but a simple concept. The science and ingenuity behind each new
smartphone app, computer, or piece of software is tough to
comprehend. Yet, these products have become an integral part of
our everyday lives. Even though we surely got along before
them, still it is hard to imagine what our daily lives would be
like if we never heard the names such as Google, Apple,
Microsoft, Facebook, and Amazon. With each new technology comes
risk and responsibility.
That is certainly the case when it comes to the technology
we bring into our schools and the data we collect on our
students. Protecting student privacy is a shared
responsibility. Parents have to be informed and engaged about
what technologies and practices are used in their schools and
what data is actually collected on their children, who has
access to that data, and the safeguards in place to protect our
children's privacy. What is the role of the local school board,
local school leaders, and staff? Should State and local
education leaders have to ensure they are limiting the data
collected to only information truly needed to improve classroom
instruction?
Who gets to define what ``truly needed'' means? Should
access to student data be limited to only individuals who are
working with schools to improve classroom instruction? Should
there be strict security protocols in place, while ensuring
parents are fully informed about the data use policies of the
particular school or district? Then there are the technology
providers, who I expect would agree, have an equally important
role in protecting student privacy and securing student data to
which they have access. These companies must remain vigilant
and remember that students are in the classroom first and
foremost to learn.
Finally, there is also a role for Federal policymakers that
is Constitutionally-based. For example, for 40 years the Family
Educational Rights and Privacy Act that Chairman Meehan
mentioned has been in place to protect the privacy of student
education records. I look forward to discussing with our
witnesses today whether that law is up to the challenges that
we face today, or whether changes need to be made so that the
law better reflects the realities of modern technology, also as
Chairman Meehan alluded to. Or is it simply a matter of all the
stakeholders self-policing?
I am fighting for all people so that they can build better
lives for themselves and their families. Strengthening
education is a goal we all share, and one the Education and the
Workforce Committee has spent a great deal of time working on.
As I noted earlier, the gathering and sharing of student data
can improve achievement, but let's make sure we are doing it in
a way that doesn't have unintended consequences like losing
student privacy.
Chairman Meehan, again thank you for your leadership and
your help with this joint hearing.
[The statement of Chairman Rokita follows:]
Statement of Chairman Todd Rokita
June 25, 2014
Let me begin by thanking Chairman Meehan for hosting today's joint
subcommittee hearing. Promoting collaboration across committees is
important. As we draw from the knowledge and expertise of our House
colleagues, I believe we become more effective policymakers. I look
forward to hearing from our witnesses and to an informative discussion.
We are dealing with an issue today that is both critically
important and exceptionally complex.
Why is it so important? As we fight for all Americans looking to
build better lives for themselves and their families, we know that a
quality education is at the root of that better life. With very few
exceptions, a worker will not succeed in the workforce if they failed
as a student in the classroom. A strong education system is essential
to a strong America. That is why we should encourage innovative
solutions to raise achievement and embrace new technologies that allow
us to teach children in more effective ways.
We all can see how acquiring data on student performance can
revolutionize student learning. For starters, data can provide an early
warning to teachers, alerting them to students who are falling behind
and need extra help. It can also awaken parents to the challenges their
child is facing so they can step in with additional support at home.
Additionally, data on student achievement can equip local communities
with the information needed to hold their schools accountable, as well
as enable schools to share information on what's working in their
classrooms and what's not.
Why is it so complex? Well, I think we've learned by now that
modern technology is anything but a simple concept. The science and
ingenuity behind each new smart phone, app, computer, or piece of
software is tough to comprehend, yet these products have become an
integral part of our everyday lives. It's hard to imagine what life
would be like if we never heard of names such as Apple, Microsoft,
Google, and Amazon.
With each new technology comes risk and responsibility. That is
certainly the case when it comes to the technology we bring into our
schools and the data we collect on our students. Protecting student
privacy is a shared responsibility.
Parents have to be informed and engaged about what technologies and
practices are used in their schools, what data is actually collected on
their children, who has access to that data, and the safeguards in
place to protect their child's privacy.
State and local education leaders have to ensure they are limiting
the data collected to only information truly needed to improve
classroom instruction. That means they must limit access to student
data to only individuals who are working with the schools to improve
classroom instruction. They must also ensure there are strict security
protocols in place while ensuring parents are fully informed about the
data use policies of the school and district.
And then there are the technology providers, who have an equally
important role in protecting student privacy and securing student data
to which they have access. These companies must remain vigilant and
remember that students are in the classroom first and foremost to
learn. Data and student information should be placed in the hands of
educators so they can leverage those resources to further student
achievement.
Finally, there is also a role for Federal policymakers as well. We
should oppose any information sharing or data mining on students
intended to serve interests outside of the classroom. For 40 years the
Family Educational Rights and Privacy Act has been in place to protect
the privacy of student education records. I look forward to discussing
with our witnesses today whether that law is up to the challenges we
face today, or whether changes need to be made so that the law reflects
the realities of modern technology.
Mr. Meehan. Let me thank Chairman Rokita. I would like to
also express my deep appreciation to the Ranking Member, the
gentleman from Iowa from the subcommittee, Mr. Loebsack.
You are recognized for any statement you may have.
Mr. Loebsack. Thank you, Chairman Meehan. It is great to be
here with you and with Chairman Rokita and Ranking Member
Clarke, as well. I do thank you for holding today's hearing,
and I thank our witnesses for being here, as well.
More than ever before, technology plays an essential role
in educating our children. I think we can all agree to that.
Technology-based educational tools and platforms offer
important new capabilities for students and teachers at both
the K-12 and university levels. The increasing number of
educational iPad and iPhone apps, on-line study tools and
engagement programs illustrate the growing abundance of tech
resources that are being used to meet students' individual
learning needs. These educational tools generate tremendous
amounts of data that are instrumental in improving a student's
learning experience.
Data allow teachers to quickly identify and address gaps in
student understanding before they fall behind. By making data
available to parents, they can track their child's progress and
participate more fully in their education. Beyond addressing
the needs of individual students, data aids schools and their
institutional and administrative functions. School and district
leaders rely on data to drive improvement and decision making
around curriculum, technology infrastructure, and staffing. The
availability of new types of data also improves researchers'
ability to learn about learning.
Data from a student's experience, and technology-based
learning platforms, can be precisely tracked, opening the door
to more accurately understanding how students move through a
curriculum, and at greater scale than traditional education
research is able to achieve. As data systems become more
integrated into the learning and teaching process, we are
seeing the impact that they can have on students, teachers,
administrators, and policy makers. These systems enable
teachers, schools, and districts to make more informed
decisions to enhance student learning.
Meanwhile, a growing number of on-line educational services
have the ability to enhance learning within the classroom and
extend it beyond the school day. Edmodo, for example, which is
used by more than 20 million teachers and students world-wide,
allows teachers to set up virtual classrooms and then post
homework assignments and other content to extend lessons. Khan
Academy has more than 5,000 instructional videos and
assessments which allow students of all ages to learn at their
own pace in subject areas ranging from pre-algebra to
differential equations, from art history to computer science.
With this explosion in on-line resources, there is a large
amount of new data being generated by children using these
services which do raise valid privacy concerns. The privacy of
student education records, as we know, is protected under
FERPA, the Family Educational Rights and Privacy Act. When
those student education records are hosted or analyzed by
private companies that are helping districts build data systems
to drive improvement, those same FERPA protections still apply,
and we have to keep that in mind. However, when students use
on-line services like Khan Academy in school or at home, or
when teachers use grade and behavior-tracking software on their
iPads, all of that data are not necessarily covered by FERPA.
In those direct interactions between students and software
companies, data are being collected to build user profiles,
individualize the learning experience, and track progress. But
in the cases where FERPA does not apply, it is not always clear
what protections exist to guarantee the privacy of those data
and ensure companies are not using them to target
advertisements at children, for example. This committee will
hear important testimony today about the value that these
tailored technological resources provide the students
themselves, and the importance of ensuring access to data for
teachers and researchers to improve education.
We will also hear about the need for consistent privacy
policies, and current efforts to generate the security and
privacy of student data. As we examine the privacy concerns
prompted by the rapidly-growing education technology sector and
the information it collects, it is clear that we must strive to
find a proper balance between privacy and innovation. We must
ensure that companies involved in collecting and analyzing
student data are not exploiting students' private information
for marketing purposes or financial gain. Data are an
invaluable tool. Data empower teachers, guide individualized
learning, and inform policy.
As we consider where improvements are needed in privacy
regulations, we must be sure that we do not compromise the
value of student data. I look forward to hearing from the
witnesses today.
Thank you, again, Chairman Meehan and Chairman Rokita and
Ranking Member Clarke for this hearing. Thank you.
[The statement of Mr. Loebsack follows:]
Statement of Hon. David Loebsack
June 25, 2014
Good morning, Chairman Rokita, Chairman Meehan, and Ranking Member
Clarke. I'd like to thank you for holding today's hearing and thank our
witnesses for being here.
More than ever before, technology plays an essential role in
educating our children. Technology-based educational tools and
platforms offer important new capabilities for students and teachers at
both the K-12 and university levels.
The increasing number of educational iPad and iPhone apps, on-line
study tools, and engagement programs illustrate the growing abundance
of tech resources that are being used to meet students' individual
learning needs.
These educational tools generate tremendous amounts of data that
are instrumental in improving a student's learning experience. Data
allows teachers to quickly identify and address gaps in student
understanding before they fall behind. And by making data available to
parents, they can track their child's progress and participate more
fully in their education.
Beyond addressing the needs of individual students, data aids
schools in their institutional and administrative functions. School and
district leaders rely on data to drive improvement and decision making
around curriculum, technology infrastructure, and staffing.
The availability of new types of data also improves researchers'
ability to learn about learning. Data from a student's experience in
technology-based learning platforms can be precisely tracked, opening
the door to more accurately understanding how students move through a
curriculum, and at greater scale, than traditional education research
is able to achieve.
As data systems become more integrated into the learning and
teaching process, we are seeing the impact that they can have on
students, teachers, administrators, and policymakers. These systems
enable teachers, schools, and districts to make more informed decisions
to enhance student learning.
Meanwhile, a growing number of on-line educational services have
the ability to enhance learning within the classroom and extend it
beyond the school day. Edmodo, which is used by more than 20 million
teachers and students world-wide, allows teachers to set up virtual
classrooms and then post homework assignments and other content to
extend lessons. Khan Academy has more than 5,000 instructional videos
and assessments, which allow students of all ages to learn at their own
pace in subject areas ranging from pre-algebra to differential
equations, from art history to computer science.
With this explosion in on-line resources, there is a large amount
of new data being generated by children using these services, which
raises valid privacy concerns.
The privacy of student education records is protected under FERPA,
the Family Educational Rights and Privacy Act. When those student
education records are hosted or analyzed by private companies that are
helping districts build data systems to drive improvement, those same
FERPA protections still apply.
However, when students use on-line services like Khan Academy--in
school or at home--or when teachers use grade and behavior tracking
software on their iPads, all of that data are not necessarily covered
by FERPA. In those direct interactions between students and software
companies, data are being collected to build user profiles,
individualize the learning experience, and track progress, but in the
cases where FERPA does not apply, it is not always clear what
protections exist to guarantee the privacy of those data and ensure
companies are not using them to target advertisements at children.
This committee will hear important testimony today about the value
that these tailored technological resources provide to students
themselves and the importance of ensuring access to data for teachers
and researchers seeking to improve education. We'll also hear about the
need for consistent privacy policies and current efforts to guarantee
the security and privacy of student data.
As we examine the privacy concerns prompted by the rapidly growing
education technology sector and the information it collects, it's clear
that we must strive to find a balance between privacy and innovation.
We must ensure that companies involved in collecting and analyzing
student data are not exploiting students' private information for
marketing purposes or financial gain. Data are an invaluable tool. Data
empowers teachers, guides individualized learning, and informs policy.
As we consider where improvements are needed in privacy regulations, we
must be sure that we do not compromise the value of student data.
I look forward to hearing from our witnesses.
Thank you very much.
Mr. Meehan. Let me thank Ranking Member Loebsack for his
opening statement and for his insights. I am also very--oh, let
me also remind other Members of the committee that opening
statements may be submitted for the record.
[The statements of Ranking Member Thompson, Hon. Jackson
Lee, and Hon. Polis follow:]
Statement of Ranking Member Bennie G. Thompson
June 25, 2014
There is considerable controversy about how we treat the vast
amounts of student data created in the education field. Education's
large-scale data sets--what scientists refer to as ``big data''--are
troves of potential knowledge about our students. From education's
``big data'', teachers can learn instructional methods; textbook
writers can adapt their content; and policy makers can make decisions
on curriculum guidelines. However, the information technology involved
in storing the big data is outpacing the infrastructure and the
contractual agreements that school districts currently have in place.
Educational data contains sensitive, Personally Identifiable
Information about our students. Parents are justifiably concerned about
schools' use of their children's student data.
The Family Educational Rights and Privacy Act, or FERPA, was
written and has been amended to protect the privacy of student
education records. The law applies to all schools that receive funds
under an applicable program of the U.S. Department of Education. FERPA
gives parents certain rights with respect to access to their children's
education records. While the Department of Homeland Security does
identify Education as a sub-sector in the National Infrastructure
Protection Plan, most of the planning and coordination between the two
agencies exists because of physical security and emergency response
planning needs in the event of natural or man-made disaster or
terroristic events.
What we will hear today is testimony on the implications of the
collection, storage, and use of in-depth student data, as managed by
local and State school systems, and the Department of Education. The
Department of Homeland Security is considered the leader among civilian
agencies in developing privacy-protective technologies and policies for
handling personal data, and has initiated pilot programs for developing
a Federal Department-wide capability to analyze the large sets of data
that DHS agencies collect.
As part of this ``big data'' effort, DHS has brought together
stakeholders to find ways to incorporate privacy protections in the
management of big data strictly in the dot-gov arena. And DHS has been
involved in Federal research efforts as part of the Networking and
Information Technology Research and Development program, on data
privacy technologies in general, efforts promoted by the White House
Office of Science and Technology.
It is possible that the Department's leadership role in the Federal
Government's cyber R&D efforts can help provide advanced IT
capabilities for the education sector, and other sectors concerned with
privacy. There is a huge body of study already underway by academia,
educational advocacy, and industry groups to develop and enable a
common language for security and privacy policies tailored to students
and parents, as well as to organizations and entities that underpin the
education environment.
This could potentially help school systems, and parents, that are
struggling with contractual or technological or procedural privacy
concerns associated with educational ``big data''. Like with all
critical infrastructure networks, we must find a way to work together
with schools, nonprofits, and industry to enable parents and educators
to make informed decisions and maximize the opportunities that come
with rapidly-advancing technology, without compromising our students and
learners' privacy and safety.
______
Statement of Hon. Sheila Jackson Lee
June 25, 2014
My thanks to Chairman Meehan and Ranking Member Clarke of the
Committee on Homeland Security Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies as well as the
Education and the Workforce Committee's Subcommittee on Early
Childhood, Elementary, and Secondary Education for holding today's
joint hearing ``How Data Mining Threatens Student Privacy.''
Today's hearing is an opportunity to receive testimony on the issue
of student kindergarten through 12th grade data privacy, data mining,
confidentiality, and security practices related to cyber-based student
and educational IT systems. Members will have the opportunity to hear
testimony about how cloud-based databases and other IT technologies,
used in K-12 schools are becoming increasingly complex and expansive,
prompting an examination of the approaches that protect private student
data, who may have access to it, and where and how it is stored.
As the founder member and chair of the Children's Caucus, the topic
of today's hearing is of great interest to me.
Children often do not enjoy the same rights as adults--they cannot
consume alcohol, vote, nor can children enter into contracts.
However, children also have a level of protections in law that are
greater than those of adults such as the Children's Online Privacy
Protection Act, child labor laws, laws to prevent abuse and neglect and
laws regarding education such as the Family and Educational Rights and
Privacy Act of 1974 (FERPA).
These laws are intended to facilitate children having safe and
happy childhoods, which means the freedom to make mistakes and learn
from those mistakes.
Many children do not grow up in the most ideal circumstances and those
circumstances should not influence the course of their lives without
due cause.
In recent years there have been a number of incidents where the
privacy of children has been violated by school districts that are of
great concern.
Primary of which is the incident involving the Lower Merion County
Pennsylvania School District.
That School District became internationally known when it was
disclosed that it deployed spyware to take thousands of images of
students while using their school-issued laptops.
Images were taken of students while off school grounds, often when
they were at home. Images were captured of not only students, but
family members while in intimate settings.
The case was a very emotional situation for both families and
school officials who were unaware of the activities of the technology
department that deployed the surveillance system.
Privacy violations of this type have most often occurred in
domestic abuse or predator cases. This is the first known case to rise
from an incident of a non-judicial decision by a domestic government
institution to use this type of surveillance technology in this manner.
Because Federal and State laws had not kept pace with technology
there were no laws that address that type of privacy invasion that
relied upon still pictures and not full motion video.
Privacy is central to the health and strength of many other rights
that we enjoy. Specifically, the First, Fourth, and Fifth Amendments to
the Constitution rest on a foundation of privacy protection that allow
us to speak as we wish, associate with others, and hold our own beliefs
free of fear or threats.
Privacy should not nor has it been viewed as a partisan issue.
So the topic of today's hearing is of great concern to me. There
cannot be privacy without security, although we can have security
without privacy. The digital information age requires that Federal
agencies must have cybersecurity for any system that collects, retains,
or uses personal information.
Privacy protection and cybersecurity are linked in the work I have
done on the topic of privacy. The ability to control who, when, why,
and how someone else can gain access to personal information requires
security; for this reason, attention to this issue is central to my
strong support for Federal privacy laws.
Although the Homeland Security Committee has no jurisdiction over
general education issues there are aspects of today's hearing which do
touch upon some our work of the Committee on Homeland such as questions
regarding data security.
Each of these children will be part of the workforce which will
include the Department of Homeland Security. To the extent data
security and privacy is compromised in education settings this may have
an impact on the future ability of workers and employers to rely upon
Department of Homeland Security programs like e-Verify, TWIC, or air
travelers to trust PreCheck programs.
Each of these data collection and use programs requires data non-
repudiation.
Data non-repudiation very simply establishes that a person is who
they claim to be.
Further, we know from the work of intelligence and National
security agencies that adversaries and friends seek as much detailed
information on key persons in the Federal Government and influential
private-sector business leaders.
Data collection practices regarding student records on children:
At least 38 States collecting some type of longitudinal
student data at the State level, five others are in various
stages of development, and the rest are insufficiently
transparent to determine.
At least 32 percent of States collect children's social
security numbers.
At least 22 percent of States record student pregnancies.
At least 46 percent of States have a mechanism in place to
track children's mental health, illnesses, and jail sentences.
At least 72 percent of States collect children's family
wealth indicators.
Only 6 States appear to use a third party who restricts the
State's access to the student ID numbers, i.e. prevents State
access to individual student data.
Only 18 States have detailed access and use restrictions.
Only 18 States require database users to enter into
confidentiality agreements.
Only 10 States have data retention policies.
Forty-nine States make FERPA information accessible on the
internet, but for many the information is hard to find, vague,
or incomprehensible.
The change in the Family and Educational Rights and Privacy Act of
1974 (FERPA) rule regarding what entities can have access to student
records is troubling.
In April 2011, the U.S. Department of Education (ED) issued a
notice of proposed rulemaking (NPRM), inviting public comments on its
proposed regulations amending the Family and Educational Rights and
Privacy Act of 1974 (FERPA).
The final rule removed limitations prohibiting educational
institutions and agencies from disclosing student Personally
Identifiable Information, without first obtaining student or parental
consent.
The change in FERPA regulations redefined FERPA definitions
regarding ``authorized representative,'' ``education program,'' and
``directory information.'' The new definition gave non-governmental
actors increased access to student personal data.
I am not opposed to the collection of data on students regarding their
lives, education or well-being for education purposes.
I, however, strongly object to use of student record information
outside of the purpose of the collection and the lack of control over
those records that parents may have in limiting access and use for non-
official purposes.
Student record data should be limited to education purposes with
the exception of uses related to the protection of the well-being of
the child and their family.
Data brokers, a new business model that buys and sells a wide range
of personal information, would find great value in having unlimited
control and use of personal identifiable information--the more
sensitive that information--the more value that information.
Too often the opportunity to limit additional uses of personal
information on students requires a parent or guardian to act, when
allowed to control the use of their child's education records.
This will mean that students whose families are not as equipped or
knowledgeable of the data collection, use, and retention policies
regarding student records will likely have their information retained
and used, which can have serious consequences for the opportunities
they may have in the future.
Personal Identifiable Information should be protected by fair
information practices no matter the age of the person whose information
is collected.
I strongly believe that our children are our Nation's most precious
resource and their futures should not be limited or influenced by a
permanent government record that contains unprotected information from
their earliest years throughout their work life.
I yield back.
Thank you.
______
Statement of Hon. Jared Polis
June 25, 2014
Recently, concerns about the increasing collection and use of
student data in schools have come to the forefront in local education
debates. The fall of the nonprofit education database, inBloom, as well
as the hearing today titled, ``How Data Mining Threatens Our Children''
are evidence of widespread consternation from the left and the right.
I believe that security and privacy are critical, yet manageable
concerns. We should not dismiss the power of using data to improve
classroom instruction; simply develop best practices to ensure that
data is used responsibly. Data can be a powerful tool to provide
parents with meaningful information about their child's progress,
connect students and families with personalized learning opportunities,
and create high-quality materials and tools that can bring our
education system into the 21st Century.
InBloom's demise raised important concerns about the appropriate
privacy and security precautions necessary to protect beneficial
student data in an increasingly technological school environment.
That's why I am urging industry, parents, and teachers to come together
to address these concerns with a set of expectations and commitments on
how to best protect and secure our children's data, while enjoying the
benefits of more personalized learning.
When I am back home in Colorado, I hear from parents who are
rightly concerned about data security, but optimistic about improving
their children's educational opportunities. They worry about where
their student data is stored, whether it is secure, and who it is
shared with. They worry about a pervasive ``permanent record.'' They
worry that advertising companies may inappropriately target their
children and somehow profit on their decisions in what should be a safe
and secure school environment. At the same time, they want for their
children to succeed in an increasingly connected digital world. They
want to know how their children are developing, and what they can do to
help. And they want to be able to make informed choices about the best
schooling options for their children.
Parents want what is best for their children, and deserve
transparency about what is happening in their schools. Unfortunately,
the intersection of the Family Educational Rights and Privacy Act
(FERPA), Children's Online Privacy and Protection Act (COPPA), a
growing number of State laws, district policies, vendor contracts, and
privacy policies make it very difficult for them to have confidence
that their children's data is being used solely to advance their
education. Lately, these concerns have moved from hesitation to
outright opposition to the collection and use of student data.
While opposition is mounting for valid reasons, we must recognize
the promise of digital learning and the opportunities that collecting,
analyzing, and utilizing student data, appropriately, presents to
personalized education. I have experienced the power of digital
learning as the former chair of the State board of education in
Colorado, and know that timely, relevant, and private information about
student performance can be an important tool to ensure that our
education system is able to identify students' strengths and challenges
and intervene appropriately.
I am concerned that a purely political reaction to legitimate
privacy concerns threatens to derail the potential of digital learning
and years of progress in personalizing education. Federal legislation
is an option, but may not be able to provide a nuanced solution in such
a complex and emerging field.
That's why I, along with Representative Luke Messer, are calling on
industry leaders, parents, and teachers to come together around a set
of effective and appropriate expectations and commitments on data
privacy in schools. These standards should be rigorous, but adaptable;
comprehensive, yet easily comprehensible for parents to understand what
is occurring in their schools. That is why a few weeks ago, we were
honored to convene a group of industry and educational leaders to
discuss the topic, and are pleased with the group's progress during the
first meeting. We are calling on these groups to develop a transparent
set of expectations and commitments in time for back-to-school.
Ensuring the right balance between privacy and innovation in
education is a critical, bipartisan issue that will pave the way for
the next generation of students to thrive. I am looking forward to
working with industry, parents, and teachers to achieve this balance,
and make a promise of which we can all be proud.
Mr. Meehan. I am also very grateful for what is a very
distinguished panel of some real experts who understand and
have spent a great deal of time looking at this issue from
multiple factors. So what we really hope we are able to do is
encourage the kind of insight and give and take to help us best
understand how we might both understand the challenges in this
issue and act accordingly to protect appropriately the privacy
of our students.
Ms. Clarke. Mr. Chairman.
Mr. Meehan. Yes.
Ms. Clarke. Before you proceed, I would like to request
unanimous consent for Ms. Bonamici of the Education and the
Workforce Committee to join us in the hearing today.
Mr. Meehan. Without objection, so ordered.
Ms. Clarke. Thank you.
Mr. Meehan. Thank you for being here, Ms. Bonamici.
I will briefly introduce each of the distinguished panel
members today. First, to my left, is Mr. Joel Reidenberg. He is
the Stanley D. and Nikki Waxberg chair, and professor of law
and founding academic director at the Center on Law and
Information Policy at Fordham University School of Law. Mr.
Reidenberg is an expert on information technology law and
policy, and his current research examines privacy in public
information surveillance, privacy in cloud computing in
purchase schools, and the impact of patents on the smartphone
industry.
Next to Mr. Reidenberg is Mr. Mark MacCarthy. Mr. MacCarthy
is a vice president of public policy for the Software and
Information Industry Association. Mr. MacCarthy directs SIIA's
public privacy initiatives in the areas of intellectual
property enforcement, information privacy, cybersecurity, cloud
computing, and the promotion of education technology. The
Software and Information Industry Association is the principal
trade association for the software and digital content
industry, providing global services in Government relations,
business development, corporate education, and intellectual
property protection.
Next is Ms. Joyce Popp. Ms. Popp is the chief investment
officer for the Idaho Department of Education. One of her key
focuses since joining the State department of education in July
2009 has been the design management and security of the data
collection process and the use of data. Prior to joining the
State department of education, Ms. Joyce had over 30 years
experience in management within the high-tech industry, leading
large teams in the creation, design, and support of data
systems and information exchange.
Last is Mr. Thomas Murray. Mr. Murray is the State and
district digital learning policy advocacy director for the
Alliance for Excellent Education. The Alliance for Excellent
Education is a D.C.-based National policy and advocacy
organization dedicated to ensuring that all students graduate
from high school. Mr. Murray works alongside State education
departments, corporations, and school districts around the
country to implement digital learning. As a former school
principal, Mr. Murray has been invested regarding proper
technology infusion and personalized professional learning. He
is the founder of #Edchat, a weekly educational technology
Twitter forum, and has a weekly radio show on the BAM Radio
Network.
I want to let each of the witnesses know that your full
written statements will appear in the record. We are limited,
or try to stay as closely as we can, to 5 minutes to testify.
You are dealing with a weighty, a meaty, and important subject,
so I will ask. You all have impressive backgrounds and resumes,
and I will take official notice of your impressive
qualifications. So with the time that you have, if you can, I
would like to ask if you would dig right into the substance of
your observations on this issue because you have a great deal
to share with us in time that we make available to you.
So at this point in time, the Chairman recognizes Mr.
Reidenberg for your comments.
STATEMENT OF JOEL R. REIDENBERG, STANLEY D. AND NIKKI WAXBERG
CHAIR AND PROFESSOR OF LAW, FOUNDING ACADEMIC DIRECTOR, CENTER
OF LAW AND INFORMATION POLICY, FORDHAM UNIVERSITY SCHOOL OF LAW
Mr. Reidenberg. Good morning, Mr. Chairman, Ranking Members
and distinguished Members of the subcommittees. Thank you very
much for inviting me to testify this morning. It is truly an
honor and a privilege to be able to address these issues. My
testimony is going to draw on the Fordham study, that the
Chairman mentioned, that I directed addressing privacy in cloud
computing in public schools. I hope that this study might be
included with the record of the committee hearing today.
I am joined today by two of my co-authors from the study,
Cameron Russell and Tom Norton. But I am giving my own views as
an academic expert and I am not representing those of any
organization. I am gonna spend my time summarizing four of the
key points from the written statement. The first is that
schools--essentially, every school district in the United
States is outsourcing student information. Our study found
there were--95 percent of the school districts did this.
Schools are sending data to third parties for a whole
series of very positive reasons: Data-driven educational goals;
reporting obligations; cost savings; instructional
opportunities. We found in our study that there was a
tremendous diversity in type of services and the service
providers themselves. The services ranged from classroom
instructional functions, reporting functions, data mining,
guidance for college and career counseling, IT hosting, special
services like transportation and cafeteria management. The
number of vendors are staggering.
It is a very wide range from large companies to small
companies. There is an enormous quantity of information that is
being transferred by school districts. It is not simply the
traditional school record, the grades or the transcripts. It
includes things like homework assignments, essays, fitness
profiles, family financial records and financial status,
lunchroom purchases, whether a child blinks while he is
reading. All of these sorts of things are being transferred as
children use on-line services in schools and as schools rely on
third parties to perform some of their functions.
The second point is that Federal educational privacy law
fails to protect the student information. There are essentially
three statutes that I believe are relevant in this context.
FERPA is one, a 40-year-old statute; the Children's Online
Privacy Protection Act that requires parental consent when data
is gathered directly from children on-line under the age of 13;
and the Pupil Privacy Protection Amendment that addresses
taking surveys of children in schools. FERPA is essentially the
baseline that everyone speaks of. But FERPA only applies to
educational institutions. It is a funding statute.
It does not apply to the vendors. It only applies narrowly
to what are defined as educational records. The Supreme Court,
in its one decision interpreting that provision of FERPA, seems
to think an educational record is only the type of data that
would have been held in a principal's file cabinet. So when you
look at the statute itself from 1974, it is a pre-computer era
statute. COPPA has some application if children are on-line in
schools. The school districts can, in certain instances,
consent as though they were parents. But then what happens when
the child moves from school to home and works on the same
application? It has been an instructional tool.
States are beginning, across the country, to look to fill
some of these gaps. But contracts would be the only source of
true protection. What our study shows is that schools
essentially routinely relinquish their students' privacy when
they contract with outside vendors, and parents are kept in the
dark. We heard from the Chairman's opening statement, 20
percent of the schools have no policies on adopting
technologies. Seventy-five percent of the districts failed to
inform parents that they are outsourcing their children's data.
The contract practices, on the whole, are terrible. Many of
the contracts allow vendors to unilaterally change the terms.
They don't block the sale or marketing of data. Forty percent
of the hosting agreements fail to require any data security.
Twenty-five percent of the classroom programs are free
programs; they don't charge school districts money. Instead,
the school districts essentially pay with the student's
privacy. The data is being monetized.
My fourth point is that strong and effective privacy
protections are essential. Because without them, if we persist
with the status quo, all of the educational policies that we
want to achieve based on data-driven decision-making, they will
fail. Parents will object to the use of these technologies.
There will be scandals, there will be problems that will shut
down rather than carefully nuance how to treat the data privacy
issues. We have seen this in New York State, for example, with
the inBloom project. InBloom is a $100 million project, it is a
platform that would enable data sharing between schools and
vendors. It shut down over the privacy concerns.
In my prepared statement, I make four recommendations for
Congress to consider. I see my time has expired so I will
perhaps leave those recommendations for you to see in a written
statement, and we can answer--I will answer any questions on
them during the following period.
Thank you.
[The prepared statement of Mr. Reidenberg follows:]
Prepared Statement of Joel R. Reidenberg
June 25, 2014
Good morning Chairman Meehan, Representative Clarke, Chairman
Rokita, Representative Loebsack, and distinguished Members of the
subcommittees. I would like to thank you for the invitation to testify
today on this critical privacy issue for our Nation's school children.
My name is Joel Reidenberg. I am here today as an academic expert
on student information and privacy. I hold the Stanley D. and Nikki
Waxberg chair at Fordham University where I am a professor of law and
the academic director of the Center on Law and Information Policy
(``Fordham CLIP''). I am also just finishing my term as the inaugural
Microsoft Visiting Professor of Information Technology Policy at
Princeton University.
As a law scholar, I have written and lectured extensively on data
privacy law and policy. I am a member of the American Law Institute
where I serve as an adviser to the Restatement of the Law Third on
Information Privacy Principles. I am a former chair of the Association
of American Law School's Section on Defamation and Privacy and have
served as an expert adviser on data privacy issues for the Federal
Trade Commission, the European Commission and during the 103rd and
104th Congresses for the Office of Technology Assessment. I have also
served as a special assistant attorney general for the State of
Washington in connection with privacy litigation.
Of relevance to today's hearing, I directed the research study
``Privacy and Cloud Computing in Public Schools'' (Dec. 2013)
[``Fordham CLIP Study''] that provides a benchmark analysis of the
processing of student information by on-line vendors and that also
documents the current legal risks surrounding student privacy.\1\ Two
members of the Fordham CLIP research team, N. Cameron Russell, Fordham
CLIP's executive director, and Thomas B. Norton, Fordham CLIP's privacy
fellow, accompany me here today.
---------------------------------------------------------------------------
\1\ Joel R. Reidenberg, N. Cameron Russell, Jordan Kovnot, Thomas
B. Norton, Ryan Cloutier, Daniela Alvarado, Privacy and Cloud Computing
in Public Schools (Dec. 2013) available at
http://law.fordham.edu/k12cloudprivacy [hereinafter ``Fordham CLIP Study'']. I also directed
an earlier study, Children's Educational Records and Privacy: A Study
of Elementary and Secondary School State Reporting Systems (Fordham
CLIP: Oct. 28, 2009) http://law.fordham.edu/childrensprivacy and
testified on that work in a hearing before the House Committee on
Education and Labor during the 111th Congress.
---------------------------------------------------------------------------
In appearing today, I am testifying as an academic expert and my
views should not be attributed to any organization with which I am or
have been affiliated.
My testimony today draws specifically from the Fordham CLIP Study.
I will address a number of our key findings.
1. Schools are uniformly transferring vast amounts of student
information to on-line third parties for many varied purposes.
School districts across the country are rapidly embracing evolving
on-line technologies to meet data-driven educational goals, satisfy
reporting obligations, realize information technology cost savings, and
take advantage of new instructional opportunities.
The Fordham CLIP Study found that 95% of public schools in the
United States use on-line services that involve the transfer of student
information to third parties. Schools use these services for a myriad
of purposes that the Fordham CLIP Study categorized as follows:
Data analytics functions
Student reporting functions
Classroom functions
Guidance functions
Special school functions (e.g., transportation services)
Hosting, maintenance, and back-up functions. \2\
---------------------------------------------------------------------------
\2\ Fordham CLIP Study, at pp. 17-18.
---------------------------------------------------------------------------
These on-line services involve the collection and transfer of
enormous quantities of student information to third-party commercial
organizations including school records, homework essays, fitness
profiles, and even lunchroom purchases.
2. Federal education privacy law fails to protect student information
in a vast range of commercial computing services used by schools.
Three Federal privacy statutes address student information that may
be collected by and from schools: The Family Educational Rights and
Privacy Act of 1974 \3\ (``FERPA''), the Children's Online Privacy
Protection Act \4\ (``COPPA''), and the Protection of Pupil Rights
Amendment \5\ (``PPRA'').
---------------------------------------------------------------------------
\3\ 20 U.S.C. 1232g.
\4\ 15 U.S.C. 6501-6506.
\5\ 20 U.S.C. 1232h.
---------------------------------------------------------------------------
FERPA is the oldest and best-known educational privacy statute. The
statute seeks to provide confidentiality to student data, but only
covers ``educational records'' in a very narrow sense (e.g.,
transcripts).\6\ The statute also specifically exempts ``directory
information,'' including a student's name, address, date of birth,
telephone number, age, sex, and weight from confidentiality
obligations.\7\ Most significantly, FERPA was written 40 years ago
before public schools had computers, let alone internet access. As
acknowledged by the Department of Education, the applicability of FERPA
to typical on-line school services is questionable at best.\8\
---------------------------------------------------------------------------
\6\ See Owasso Independent School District v. Falvo, 534 U.S. 426
(2002).
\7\ 20 U.S.C. 1232g(a)(5)(A).
\8\ Dept. of Educ., Protecting Student Privacy While Using Online
Educational Services: Requirements and Best Practices, PTAC FAQ3 (Feb.
2014) http://ptac.ed.gov/document/protecting-student-privacy-while-using-online-educational-services
(the Department wrote: ``Is student
information used in online educational services protected by FERPA? It
depends.'').
---------------------------------------------------------------------------
The other statutes, COPPA (addressing parental consent for on-line
collection of data directly from children younger than 13) and PPRA
(primarily addressing the use of data collected from in-school surveys
and some marketing activities), similarly suffer from significant
protection gaps in the context of cloud computing, that the Fordham
CLIP Study explains.
Many cloud services used by schools are, thus, completely outside
the protections of these statutes. For example, when a middle school
uses a cloud service provider to offer young teens self-assessment
tests that give scores to their language or math levels, those scores
will not likely be protected by the Federal statutes: They are not
FERPA ``educational records'' because they are not used for the middle
schooler's transcript grade, they do not require COPPA parental
consent, and they fall outside the PPRA categories of protection. Thus,
there is no statutory obligation of confidentiality.
Another example comes from special school functions: Schools are
now using third-party on-line service providers to manage payments for
the school cafeteria. When a child buys a meal in the school cafeteria,
the information about the child's eating habits will not have privacy
protection.
Another important point to note is that FERPA does not apply to
vendors. By its terms, FERPA only applies to educational agencies and
institutions that are recipients of Federal funds.\9\ FERPA does not
provide a private right of action,\10\ and the only sanction available
under FERPA is the denial of Federal educational funds by the
Department of Education. The Department has never issued such an order.
Thus, under Federal law, legal protection for student privacy will only
come from the contractual terms in agreements between schools and
vendors.
---------------------------------------------------------------------------
\9\ 20 U.S.C. 1232g(a).
\10\ Gonzaga Univ. v. Doe, 536 U.S. 273 (2002).
---------------------------------------------------------------------------
States, however, are increasingly concerned about the commercial
sale of student information. According to recent reports, over 30
States across the country have bills at various stages of enactment to
address student privacy on-line. These bills do not generally address
the full range of issues and would establish different protections for
students in different States.
3. The Fordham CLIP study documents that schools routinely relinquish
student privacy when they contract for on-line services and parents are
kept in the dark.
In the absence of statutory rights, schools can protect student
privacy through their contracts with on-line service providers. The
Fordham CLIP Study, however, demonstrates that contracts between
schools and vendors often fail to establish legal rights that protect
student information. Schools essentially relinquish their students'
privacy in the cloud. And, at the same time, schools routinely fail to
inform parents that their children's data is sent to third parties.
Among the findings, the Fordham CLIP Study reported that:
Technology governance controls are absent.--20% of school
districts have no policies on the vetting and adoption of
information technology services by teachers and staff.
Transparency is missing.--75% of districts did not inform
parents that their children's data was being released to on-
line service providers, and districts do not readily make their
agreements publicly accessible.
Legal compliance is not working.--COPPA is frequently
ignored; FERPA notices are rare.
Contract practices are disturbing.--Over 75% of the
agreements fail to specify a legitimate purpose for processing
student data, vendors are routinely able to modify the privacy
terms on a unilateral basis, and schools fail to keep adequate
documentation of their contracts.
Student data may be sold for advertising and marketing.--
Fewer than 7% of agreements explicitly prohibit the sale or
marketing of student information, though higher percentages of
agreements have general restrictions on re-disclosure. Without
a contractual prohibition, vendors are free to sell the student
information.
Data security protections are poor.--40% of hosting
agreements, like many other categories, fail to require any
data security and, depending on the type of service, 33% or
more of the agreements fail to require the deletion of student
information at contract termination.\11\
---------------------------------------------------------------------------
\11\ See Fordham CLIP Study, Executive Summary, pp. 1-2.
---------------------------------------------------------------------------
These findings present a very disturbing set of risks to the
privacy of our Nation's student information. A permanent record may now
indeed follow a child from elementary school through adulthood. For
example, the company ConnectEdu held data on over 20 million students
and offered a product called K12 Early Warning Indicator.\12\ The
product sought to label students with the goal of identifying and
helping at-risk students. But, the lack of privacy protection means
that the label may now follow the child indefinitely. Worse still, the
company is now in bankruptcy and the Federal Trade Commission had to
make a special filing in the hope that it could persuade the bankruptcy
judge not to sell off to the highest bidder all the student data held
by the bankrupt company.\13\
---------------------------------------------------------------------------
\12\ See ConnectEdu, About Us http://connectedu.com/about-us
(stating the company had data on 20 million ``registered learners'');
ConnectEdu, What does K12 Early Warning do for you,
http://207.127.11.51/products-k12earlywarning-features.html (``locate students
at risk'').
\13\ See Federal Trade Commission Letter From Jessica L. Rich,
Director of the Bureau of Consumer Protection, Filed With the
Bankruptcy Court for the Southern District of New York--in In re
ConnectEDU, Inc., No. 14-11238 (Bankr. S.D.N.Y.) (May 22, 2014)
http://www.ftc.gov/system/files/documents/public_statements/311501/140523connecteducommltr.pdf.
---------------------------------------------------------------------------
Similarly, student data becomes fuel for commercial uses. In some
contexts, such as those involving classroom functions, 25% of the
school contracts involved no financial payments. This likely means that
these vendors are monetizing the student information to fund the
services they provide. In other words, school districts are paying for
services with their students' privacy rather than cash. This was
dramatically illustrated by disclosures in the lawsuit against Google
for its scanning of student email. Originally, Google represented to
educational institutions that it did not scan student email for
commercial advertising.\14\ As it turned out, Google was profiling
students based on their email.\15\ In a policy change announced on
April 30, 2014, Google said that it would no longer ``collect or use
student data in Apps for Education services for advertising
purposes.''\16\ Google remains silent, however, on scanning email and
profiling student users for other commercial purposes and partnerships
with education technology companies. Google is not alone. The other
companies that offer education technology products without fees are or
will be trading on student privacy.
---------------------------------------------------------------------------
\14\ See Jeff Gould, Google admits data mining student emails in
its free education apps, SafeGov.Org (Jan. 31, 2014)
http://safegov.org/2014/1/31/google-admits-data-mining-student-emails-in-its-free-education-apps
(quoting a pre-2013 Google FAQ saying ``note that
there is no ad-related scanning or processing in Google Apps for
Education'').
\15\ See Michele Molnar, Google Abandons Scanning of Student Email,
Education Week, Apr. 20, 2014,
http://blogs.edweek.org/edweek/marketplacek12/2014/04/google_abandons_scanning_of_student_email_accounts.html.
\16\ Protecting students with Google Apps for Education, Apr. 30,
2014 http://googleenterprise.blogspot.com/2014/04/protecting-students-with-google-apps.html.
---------------------------------------------------------------------------
4. Without strong and effective privacy protections for student
information, data-driven educational policies will fail and parents
will oppose new instructional methods.
The responsibility for placing student privacy at risk through
these observed practices is complex. Federal laws such as the No Child
Left Behind Act and the American Recovery and Reinvestment Act of 2009
required schools to create and report detailed student information.
Innovations in technology and incentives for data mining create new
demands for student information. Yet, at the same time, education
privacy laws have not been modernized to keep up, and our research
revealed that schools were not equipped to address these issues
effectively.
Data collection and use to inform and improve student learning is
critical to making education successful in the United States. But so is
the long-term health of our children's privacy. More often than not,
school districts poorly understood the data transfers and privacy
implications of the on-line services they use.\17\ Other than the
largest districts with legal offices, few had either the expertise or
the ability to negotiate contract terms that were drafted by vendors.
---------------------------------------------------------------------------
\17\ See Fordham CLIP Study, p. 15 (describing districts' lack of
knowledge of their own agreements); Stephanie Simon, Data mining your
children, Politico, May 15, 2014
http://www.politico.com/story/2014/05/data-mining-your-children-106676.html
(``school administrators . . .
don't know which digital tools individual teachers are using in the
classroom.'').
---------------------------------------------------------------------------
As a result, today's status quo is an unstable and contentious
environment for education technology. The recent failure of inBloom, a
$100 million venture to develop a platform for education data,
demonstrates that privacy risks will shut down programs when public
concerns are not addressed effectively.\18\ If privacy is not
adequately and transparently addressed, parents will oppose the use of
education technologies for fear of their children's safety.
---------------------------------------------------------------------------
\18\ See Benjamin Herold, inBloom to shut down amid growing privacy
concerns, Education Week, Apr. 21, 2014
http://blogs.edweek.org/edweek/DigitalEducation/2014/04/inbloom_to_shut_down_amid_growing_data_privacy_concerns.html.
---------------------------------------------------------------------------
Strong and effective privacy protections for student information
are essential for data-driven educational policies to succeed.
Recommendations
There are a number of steps Congress can take to restore and assure
the privacy of student information:
(1) Modernize FERPA to protect and limit the use of all student
information whether held by schools or vendors--including a
prohibition on non-educational uses of student information and
graduated enforcement remedies such as private rights of
action.
(2) Require that the processing of student data under any
Federally-financed educational program be prohibited unless
there is a written agreement spelling out the purposes for the
processing, restricting the processing to the minimum amount of
data necessary for those purposes, restricting the processing
to permissible educational uses, mandating data security,
requiring data deletion at the end of the contract, and
providing for schools' audit and inspection rights with respect
to vendors.
(3) Require that States adopt an oversight mechanism for the
collection and use of student data by local and State
educational agencies. A Chief Privacy Officer in State
departments of education is essential to provide transparency
to the public, assistance for local school districts to meet
their privacy responsibilities, and oversight for compliance
with privacy requirements.
(4) Provide support to the Department of Education and to the
research community to address privacy in the context of
rapidly-evolving educational technologies, including support
for a clearing center to assist schools and vendors find
appropriate best practices for their needs.
Thank you again for the opportunity to participate in this hearing
and for your consideration of my testimony.
Mr. Meehan. Yes, you will have an opportunity to elaborate,
I think, on some of those in response to the questions, or to
open the door to some of those in responses to any questions
you may have.
The Chairman now recognizes Mr. MacCarthy.
Mr. MacCarthy, I am gonna ask that you push your button so
that we can pick up your voice.
Mr. MacCarthy. Now do you have it?
Mr. Meehan. I have it.
STATEMENT OF MARK MACCARTHY, VICE PRESIDENT, PUBLIC POLICY,
SOFTWARE AND INFORMATION INDUSTRY ASSOCIATION
Mr. MacCarthy. Excellent. Thank you. My name is Mark
MacCarthy and I am with Software and Information Industry
Association. On behalf of SIIA and our member companies--many
of whom are involved in providing educational services to
schools--I want to thank you for having me here to testify on
this important topic. I want to thank you for your thoughtful
opening statements on this topic.
Mr. Chairman, Ranking Members, the effective use of
educational technology and student information is essential for
improving student learning, for empowering parents and,
ultimately, for ensuring the competitiveness of the United
States in a global environment. Let me take a few minutes to
explain some of the uses of technology and student information,
and how it is transforming American education.
They are enabling multiple approaches to learning to
address each individual student's individual learning style,
their abilities, their pace, their interests. Data-powered
course-ware helps teachers deliver customized lessons to each
individual student. Predictive analytics are allowing students
and teachers to identify students at risk of failing in a
particular course or even of dropping out of school entirely.
Data-driven technology is empowering parents, allowing them to
access information about their children's educational progress
and communicating more effectively and actively with their
teachers.
Cloud computing is enhancing school capacity by providing
more data access, enhanced data management, powerful analytics,
and improved security. The scale of cloud computing enables
greater expertise and more investment in information security.
The list goes on but, in sum, educational technology is
allowing schools to identify students at risk, to personalize
learning, to improve communication with parents, to modify
their operations better and more efficiently, and to inform
their decision making.
Now, of course, we recognize that there are important
questions being asked about data privacy. I would like to
address three essential ways in which student data is being
protected. First is Federal law. Federal law establishes a
strong framework that restricts the use of student information
to educational purposes. FERPA requires that identifiable
information shared with service providers without parental
consent or without student consent, must be used solely for
institutional services and functions that would otherwise be
performed by school officials. It must be used only for
educational purposes.
Now, FERPA covers educational records. But educators and
service providers treat all identifiable student information
with the same high level of privacy protection. While FERPA is
40 years old, its regulations have been updated for the digital
age, including student privacy guidance for on-line services
released just this year. The Children's Online Privacy
Protection Act offers further protections for children under
the age of 13.
The bottom line is that if an outside party wants to use
student information for non-educational purposes, it is
required by law to get the consent of the parent or the student
to do so.
So that is the first level of protection, Federal law. The
second level is contracts. Student data is also protected by
contract. Service providers are bound by the contracts they
enter into with schools. Here, frankly, we owe Professor
Reidenberg a debt of gratitude, both the industry and the
educators, for drawing attention to the limitations on those
contracts and the need to work together to improve them.
The third level of protection is the efforts by SIIA and
other stakeholders to enhance student data protection. Service
providers are continuously reviewing and improving data
policies, procedures, and technologies, and are guided, in
part, by SIIA's recently-released best practices. The
Consortium for School Networking, representing school
technology officers, has released a tool kit for protecting
student privacy. We appreciate the recent leadership from
Representatives Polis and Messer in assembling stakeholders to
engage in collective efforts to improve student privacy.
While it makes sense for public policies to be reviewed, we
do not think that new Federal student privacy legislation is
necessary at this time. The current legal framework and
industry practices maintain local decision-making and
adequately protect student privacy. New legislation creates
substantial risks of harm to the innovative use of information
that is essential for improving education for all students, and
ensuring that U.S. economic strength in an increasingly global
competitive environment is maintained.
I would be happy to answer any questions you might have.
[The prepared statement of Mr. MacCarthy follows:]
Prepared Statement of Mark MacCarthy
June 25, 2014
On behalf of the Software & Information Industry Association (SIIA)
and our member high-tech companies, thank you for inviting me to
testify today. I am Mark MacCarthy, SIIA's vice president of public
policy. SIIA commends Chairman Meehan and Rokita, Ranking Members
Clarke and Loebsack and your respective committees for holding this
hearing to examine student privacy in the digital age.
SIIA is the principal trade association for the software and
digital content industry. Many of SIIA's 800 member high-tech companies
partner with schools and universities across the country to develop and
deliver learning software applications, digital content, web services
and related technologies and services that meet teaching, learning, and
enterprise management needs. All SIIA members depend on the Nation's
schools for a skilled, high-tech workforce.
Modern information technologies play an increasingly essential role
in our education system. SIIA agrees that the effective use of student
information to improve learning is concomitant with the obligation to
safeguard student data privacy and security. This will require a
continued and enhanced trust framework between the triad of
stakeholders--parents and schools; schools and service providers; and
service providers and parents.
My testimony today will address three questions:
What are some of the ways students, teachers, and schools
use technology and leverage data to improve education?
What are the current policies and evolving practices
protecting student privacy and data security?
Is there a need for new Federal student privacy legislation?
I. Use of Technology and Student Information in Schools
As we move from an industrial-age era model to a customized
education model, technology is increasingly mission-critical to making
certain all students receive a world-class education, and our Nation
competes in the global economy. International assessment results and
high-tech job openings demonstrate the challenge of ensuring students
are college- and career-ready, including with the STEM (science,
technology, engineering, and math) and other 21st Century skills needed
to succeed in this knowledge-based economy.
From adaptive learning software to class scheduling applications to
on-line learning, technologies are enhancing student access and
opportunity and enabling administrative operations. Many of these
technologies are based on the effective use of student information for
educational purposes. As such, technology and data systems are
increasingly essential to supporting students, families, and
educators--providing operational efficiencies, informing practice, and
personalizing student learning.
Some of the ways the use of educational technology and student
information can enable school operations and improve student learning
include:
1. Help Meet the Needs of All Students.--Technology enables
multiple approaches to learning to effectively address each
student's individual learning style, abilities, pace, and
interests. Through embedded assessment and adaptive content,
today's data-powered courseware helps teachers deliver lessons
and content in the modality, complexity, and representation to
meet every student's unique needs, rather than teaching to the
mean. Predictive analytics can also identify students at risk
of dropping out of school. Timely identification enables
schools to intervene early in the process.
2. Facilitate Communication and Collaboration.--Participation in a
variety of controlled virtual and learning communities with
peers and experts inspires students and teachers to discover,
explore, guide, and collaborate. Parents can access information
and curriculum, and communicate with teachers in more
convenient and powerful ways to support their children's
learning.
3. Manage the Education Enterprise.--Like businesses, schools are
harnessing technology to manage core organizational tasks from
accounting to human resources to scheduling. Through data
management and analysis tools, administrators can identify
performance gaps and effective practices, thus enabling more
informed decisions to operate the school more efficiently and
effectively.
The recent Obama White House report on data and privacy highlights
two complementary main benefits of data in education: Personalized
learning and research to enhance understanding about learning. It
reads, in part: ``Data from a student's experience . . . can be
precisely tracked, opening the door to understanding how students move
through a learning trajectory with greater fidelity, and at greater
scale . . . ''. The opportunity is to use this data-driven
understanding to customize student instruction and curriculum based on
each student's unique needs.
As outlined above, an essential part of the technology-enabled
changes to practices in our schools is the collection, use, and sharing
of student information for educational purposes. Our educational system
has long collected and used student data to operate and inform
educational practices, and has routinely done so by using third-party
service providers.
Today, new technologies like cloud computing are enhancing school
capacity in ways not otherwise possible by providing anytime/anywhere
data access, enhanced data management functionality, powerful data
analytics, and improved security. The scale of cloud computing enables
great expertise and investments in security, which includes predicting
and identifying against external threats such as hackers or malware and
putting in place the most sophisticated data security technologies. In
addition, cloud security guards against more traditional threats such
as fire or unlocked file cabinets whereby the technology provides a
protection not possible through traditional methods. These tools and
techniques allow educators to manage more data in more cost-effective,
secure, and sophisticated ways to inform instruction and enhance school
productivity.
We can think of these cloud data systems like a safety deposit
box--your valuables are in a bank, but only you have the key and decide
who gets access. For many data systems, the provider houses the data
and provides data tools, but access is controlled by education
administrators with the digital key.
The result of advanced data management and analysis tools is the
ability for school systems to better identify students at risk of
failure, identify the lessons that best meet each and every student's
unique needs, inform decision making, and enhance operations. The goal
is to translate data into actionable information so we can be smarter
as an educational system about how to meet the needs of each student
based on understanding of what is most effective with students like me.
We should want our students, families, and educators to have all the
relevant information, while making sure it is used appropriately for
educational purposes and that student data privacy is protected.
II. Current Framework of Student Privacy Practices and Protections
Schools and service providers have a shared responsibility to
safeguard the privacy and security of student information. One way they
do this is by limiting the collection and uses of student personal
information to legitimate educational purposes. They have policies and
procedures in place to prevent unauthorized use.
Federal law establishes a framework that restricts the collection
and use of student information to what is necessary to accomplish
legitimate educational purposes.
The Family Educational Rights and Privacy Act (FERPA) requires
that:
personally identifiable information shared with service
providers be limited to uses otherwise performed by the
school's own employees,
the provider be under direct control of the school, and
the information can only be used for educational purposes.
In addition, the Children's Online Privacy Protection Act (COPPA)
requires consent for child-directed on-line and mobile collectors of
personal information from children under the age of 13, both inside and
outside of schools, and prohibits the use of information for behavioral
advertising. COPPA requires the operator to provide the school with
full notice of its collection, use, and disclosure practices.
FERPA and COPPA require parental consent if the school shares
personal student information with third parties for non-educational
purposes. These laws also require parental consent if the operator
wants to use or disclose the information for its own commercial
purposes beyond those related to the provision of services to the
school.
In addition, the Protection of Pupil Rights Amendment (PPRA)
requires parental notice and opportunity to opt out of activities
involving the use of personal information collected from students for
marketing and advertising purposes unrelated to the educational purpose
for which it was collected.
The U.S. Department of Education has provided some examples of how
these rules work in practice to protect student privacy. In its
recently-released guidance on protecting student privacy while using
on-line educational services, the Department of Education advised that
a service provider such as a provider of email service or cafeteria
service is not permitted to use student information to target ads to
students because this use does not ``constitute a legitimate
educational interest.''
Service providers are also bound by contract and are subject to
significant penalties for unauthorized disclosure of personal student
information, including a ban on providing services for up to 5 years.
And there's a market incentive: If service providers do not live up to
their responsibilities, they will lose the confidence of their
customers.
In short, school service providers do not have an independent role
in the school system. They cannot just use personal student information
as they see fit. School service providers collect personal student
information only with the explicit approval of the schools and agencies
that they work for. They use this information only for the purpose
authorized by those educational institutions.
SIIA recognizes questions and concerns raised by some parents,
educators, and policy makers. SIIA agrees that the obligation to
safeguard student data privacy and security means that continued review
and enhancements are needed in the framework of our policies,
practices, and technologies.
Stakeholders are responding to recent questions and concerns:
Service providers continuously review and improve data
policies, procedures, and technologies.
SIIA has released industry ``Best Practices for the
Safeguarding of Student Information Privacy and Security for
Providers of School Services'' that address educational
purpose, transparency, school authorization, data security, and
data breach notification (http://bit.ly/SIIAstudentPrivacyBP).
The Federal Government recently updated regulations and
guidance for FERPA and COPPA specific to on-line educational
services.
The Consortium for School Networking (CoSN), representing
school CTOs, recently released a toolkit for protecting
privacy, ``Considerations When Choosing an Online Service
Provider for your School System.''
School districts are instituting supplemental agreements
with their vendors that further specify restrictive data use,
security, and confidentiality terms.
School districts and non-profits are developing criteria for
the review of apps, websites, and cloud-based software, and
sharing the criteria and review results.
These policies and agreements enhance a framework of laws and
practices that has been highly effective through the years in
safeguarding student privacy and data security.
III. The Need for Federal Student Privacy Legislation
SIIA and our member companies agree with the need to review and
improve public policies as needed. However, we do not think that new
Federal legislation is needed at this time. The current legal framework
and industry practices adequately protect student privacy. Moreover,
new legislation creates substantial risks of harm to the innovative use
of information that is essential to improving education for all
students and ensuring U.S. economic strength in an increasingly
competitive global environment. These risks include:
New legislative requirements would not provide local
communities and school officials with sufficient flexibility,
and Government actions intended to create a privacy and
security floor would instead unintentionally create a digital
learning ceiling.
Policies that are overly restrictive or make impractical
requirements would have a chilling effect on schools and
service providers that would stifle the emergence of
personalized learning environments and the effective use of
predictive analytics to improve student learning.
SIIA agrees with the Obama administration's May 2014 report on data
and privacy, which called for ``Responsible Educational Innovation in
the Digital Age,'' including that ``Students and their families need
robust protection against current and emerging harms, but they also
deserve access to the learning advancements enabled by technology that
promise to empower all students to reach their full potential.''
Similarly, the Aspen Institute Task Force on Learning and the
Internet's recent report, ``Learner at the Center of a Networked
World,'' cautions that ``Approaches to providing safety online that are
defensive and fear-based are often ineffective and can have the
unintended consequence of significantly restricting learning
opportunities for young people.'' SIIA agrees with the Aspen Institute
that technology ``can be part of the solution by helping create trusted
environments.''
SIIA recently issued ``Policy Guidelines for Building a Student
Privacy Trust Framework''
(http://bit.ly/SIIAStudentPrivacyPolicyGuidelines) that I ask be
included in the record of the hearing.
Finally, while this hearing is focused on student data privacy, I
would be remiss without encouraging the committees to provide
additional leadership, regulatory innovation, and investment needed to
support the Nation's educational system in updating its teacher skills,
infrastructure, and practices for the digital age.
I would be happy to answer any questions you might have.
Mr. Meehan. Thank you, Mr. MacCarthy.
The Chairman now recognizes Ms. Popp for your opening
comments.
STATEMENT OF JOYCE POPP, CHIEF INFORMATION OFFICER, IDAHO STATE
DEPARTMENT OF EDUCATION
Ms. Popp. Thank you, Chairman, Ranking Members, and
committee Members for allowing me time to address you on the
important issue of student data privacy. In education, all
teachers should have access to meaningful data to support their
instructional practices. We will continue our efforts, with the
understanding the student-level data must be respected and
protected, while also acknowledging that student information is
a vital resource for teachers and school staff in their
educational planning.
In Idaho, we have been working diligently to find the
proper balance of strong data security policies while also
supporting the stakeholders. Data stewardship has been a
talking point for quite some time, teaching and encouraging
school district leaders to adopt equally as strong data
collecting and management policies. I have been with the Idaho
State Department of Education for 5 years. My background is
largely in the private sector, working in senior management for
several Fortune 500 companies, dealing with information systems
and information technology areas where infrastructure,
e-commerce, data systems, and data security was a key focal
point.
Data usage and security of information in the private
sector is of the utmost importance, just as it is in the
educational world. Through this experience, I have a working
knowledge of data systems, and how essential it is to protect
student-level data and ensure student data privacy. We live in
a world where cyber threats and a chance to breach data systems
are preventive, and we must make every effort to protect this
data, but also to be vigilant in our data use efforts. As we
all understand, however, students' data security is not the
same as data privacy.
Idaho collects student-level data for reporting purposes,
while also supporting State and Federal programs. We do not
want to be collecting data for data's sake. However, we want to
be collecting only data that is clearly needed to improve
educational outcomes for the students of Idaho. We collect data
at the student level, as all data must be repeatable,
defensible, and auditable. All of the data elements that have
been and are currently being collected in Idaho have been published
through our public website. We are constantly auditing and
evaluating the data we collect and how we collect it to ensure
that technology best practices are employed.
Through this, we have improved our efforts in supporting
teachers and school administrators with quality, timely data.
For years, school districts and State agencies have diligently
followed the guidelines of the Family Educational Rights and
Privacy Act, which provides guidance on disclosure of
personally-identifiable information from educational records.
Educational stakeholders and their elected officials in Idaho
continue their efforts to work together in order to ensure
student data is protected. This is evidenced by the crafting of
our Senate Bill 1372 during the 2014 legislative session, a
student data privacy bill.
The intent of Senate Bill 1372, known as the Student Data
Accessibility, Transparency, and Accountability Act of 2014, is
to ensure that student information is safeguarded and privacy
is honored, respected, and protected, while also acknowledging
that student information is a vital resource for teachers and
school staff in their educational planning. The bill also
includes language addressing a monetary penalty if anyone fails
to protect the data and a breach of student-level data occurs
or it is released without proper authorization.
Policies have also been adopted to ensure that any
contractors or vendors who receive student-level data for
specific purposes do not use the data outside of the specified
use that is clearly called out in the contracts. All contracts,
in addition to data use, are required to have specific data
destruction and proof of data destruction dates. In a review of
a prior contractual agreement made with vendors that were up
for renewal, Idaho became aware of verbiage that stated vendors
owned the data that it was provided. This verbiage is no longer
allowed in any of the Idaho State Department of Education
contracts.
Awareness is a key component to the adoption of this new
law, and the district personnel have been notified and made
aware of their responsibilities. The bill also calls for the
Idaho State Board of Education to develop a model policy for
school districts and public charter schools that will govern
data collection, access, security, and use of such data. The
model policy will be available this summer. We employ
cybersecurity experts to constantly monitor and review
processes and procedures, including the types of hardware and
software programs purchased and deployed within our data
center.
Data privacy, however, is not as easily addressed. It is
everyone's responsibility. To close, Idaho has and will
continue to take the proper steps in implementing data security
and policies to protect the student-level data. It is our
responsibility to continually strive to adapt to the
constantly-changing world of technology and cyber threats.
Adequate is not enough when dealing with student data privacy.
We will continue to better our systems and policies to ensure
that student data privacy is not just a hope in Idaho, but it
is a reality.
Chairman, Ranking Members and committee Members, thank you
again for this opportunity.
[The prepared statement of Ms. Popp follows:]
Prepared Statement of Joyce Popp
June 25, 2014
Thank you Chairmen, Ranking Members, and committees Members for
allowing me time to address you on the important issue of student data
privacy. It is truly an honor to have this opportunity to discuss
Idaho's practices around collecting and protecting student data. In
education, all teachers should have access to meaningful data to
support their instructional practices; data that is collected is now
available to all educators, both administration and teachers in Idaho
to support them in making data driven decisions to impact student
achievement. We will continue our efforts with the understanding that
student-level data must be respected and protected while also
acknowledging that student information is a vital resource for teachers
and school staff in their educational planning. In Idaho, we have been
working diligently to find the proper balance of strong data security
policy while also supporting stakeholders. Data stewardship has been a
talking point within the Idaho State Department of Education for quite
some time, teaching and encouraging school district leaders to adopt
equally as strong data collecting and management policies. This process
must not only happen at the State level, but also at the school
district and down to the individual teacher level.
I have been with the Idaho State Department of Education for 5
years and in the capacity of Chief Information Officer for the past
several years. My background is largely in the private sector, working
in Senior Management for several Fortune 500 companies, dealing in the
Information Systems and Information Technology area where
infrastructure, eCommerce, data systems, and data security was a key
focal point. Data usage and security of information in the private
sector is of the utmost importance just as it is in the education
world. Through this experience I have a working knowledge of data
systems and how essential it is to protect student-level data and
ensure student data privacy. All companies in the private sector secure
their customers' data and likewise, State and local educational
institutions must make the same or greater efforts to protect student
data. We live in a world where cyber threats and attempts to breach
data systems are prevalent, and we must make every effort to protect
this data but also to be vigilant in our data use efforts. As we all
understand however, data security is not the same as data privacy.
Idaho collects student-level data for reporting purposes while also
supporting State and Federal programs. We do not want to be collecting
data for data's sake, however we want to be collecting only data that is
clearly needed to improve educational outcomes for the students of
Idaho. Currently, the State of Idaho collects attendance data for each
day or portion of a day a student is in class as this is used for
funding purposes and program participation; yet the State does not
collect a specific reason for an absence as this is currently not a
data element necessary for program or funding calculations. We collect
data at the student level as all data must be repeatable, defensible,
and auditable. All of the data elements that have been, and that are
currently being collected have been published on the public website and
made available for district personnel and patrons. Along with this
information our department publishes why we collect this data, down to
each individual data element. Over the past 4 years we have been
receiving data from our school districts via secure measures. We are
constantly auditing and evaluating the data we collect, and how we
collect it to ensure that technology best practices are employed.
Through this refinement process, we have improved our efforts in
supporting teachers and school administrators with quality, timely
data. Also in this process, we worked with our Idaho legislators and
other stakeholders to create a piece of legislation that ensures that
our educational institutions not only have the policies and protocols
to ensure data security but also data privacy. Included in the
legislation, individuals are held accountable for improper handling and
use of student-level data.
For years, school districts and State agencies have diligently
followed the guidelines of the Family Educational Rights and Privacy
Act (FERPA) which provides guidance on disclosure of Personally
Identifiable Information (PII) from educational records. Not only has
Idaho followed these guidelines, but we have taken a conservative
approach in the interpretation of FERPA to safeguard student-level
data. Educational stakeholders and their elected officials in Idaho
continue their efforts to work together in order to ensure student data
is protected. This is evident by the crafting of Senate Bill 1372
during the 2014 legislative session, a student data privacy bill. Idaho
utilized information and recommendations put out by the Privacy
Technical Assistance Center (PTAC) through the U.S. Department of
Education. As stated within the Data Governance and Stewardship
document provided by PTAC, ``successful data management requires a
proactive approach to addressing stakeholders' needs for high-quality
data, while protecting the privacy of individual respondents.''
The intent of Senate Bill 1372, known as the Student Data
Accessibility, Transparency, and Accountability Act of 2014, is to
ensure that student information is safeguarded and that privacy is
honored, respected, and protected while also acknowledging that student
information is a vital resource for teachers and school staff in their
educational planning. This bill also provides specific definitions and
guidelines authorizing access to student data systems and to individual
student data, hence our continued focus on data stewardship. The bill
also includes language addressing a penalty not to exceed $50,000 if
anyone within the agencies, districts, or public charters fails to
protect the data and a breach of student level data occurs or is
released without proper authorization. In addition to addressing use,
protection and breaches of data, each public school district or charter
school is required to adopt data protection and privacy policies and
guidelines. Awareness is a key component to the adoption of this new
law, and district personnel have been notified and made aware of this
responsibility. Presentations are being conducted around the State to
emphasize the details and importance of the new law.
We are also aware that not all school districts have the capacity
to write data security policy; in knowing this, the bill also calls for
the Idaho State Board of Education to develop a model policy for school
districts and public charter schools that will govern data collection,
access, security, and use of such data. The Idaho State Board of
Education is currently working on the model policy and will have it
available for all school districts and public charters this summer.
I have made a concerted effort to provide awareness meetings to all
staff within the Idaho State Department of Education. In these meetings
I discuss the intent of Senate Bill 1372, and the level of
accountability, roles, and liabilities that State employees will be
required to adopt as well as our obligation to educate our districts
and schools of their responsibilities. Divisions within the agency
handle different types of data; however an example that has been used
is Child Nutrition Programs. The United States Department of
Agriculture (USDA) requires a specific ``need to know'' basis to access
free and reduced price meal eligibility information. Under the rule of
the USDA, State agencies, districts, and public charters must ensure
that data systems, records, and other means of accessing a student's
eligibility status are limited. The ``need to know'' thought process is
being adopted by the Idaho State Department of Education for all
employees who handle or might have access to student-level data.
As Idaho has many rural and even remote school districts, we also
take into consideration the population size whenever aggregating data.
We have methods to mask small cell size and ensure that data is not
personally identifiable even when aggregated.
Along with this thought process is also gaining the knowledge of
proper transfer of student-level data. For example, we have adopted
policies for data governance that prohibit student-level data being
passed by email. Employees and districts have received training on
encryption and other methods of data privacy and security. Sensitive
information is more properly transferred using password and data
encryption, through a Secure File Transfer Protocol (SFTP), again on a
``need to know'' basis. Policies have also been adopted to ensure that
any contractors or vendors who receive student-level data for specific
purposes do not use the data outside of the specified use clearly
called out in the contract. All contracts, in addition to data use, are
required to have specific data destruction and proof of data
destruction dates. In a review of prior contractual agreements made
with vendors that were up for renewal, Idaho became aware of verbiage
which stated the vendor ``owned'' the data it was provided. This
verbiage is no longer allowed on Idaho State Department of Education
contracts and as previously stated we require proof of destruction and
the associated dates of the destruction.
The Idaho State Department of Education receives many public
records requests and researcher requests to supply student-level data.
Idaho has put together policies which provide the ability to decline
all such requests for student-level data. To the individual making the
public records request, only aggregate data will be made available.
This means data collected or reported at the group, cohort, or
institutional level only and will not include any Personally
Identifiable Information once again taking into consideration small
cell sizes within the aggregate data.
Idaho Department of Education has hired cybersecurity experts to
constantly monitor and review processes and procedures, including the
types of hardware and software programs purchased and deployed within
our data center. Data privacy however is not as easily addressed, as it
is everyone's responsibility.
To close, Idaho has and will continue to take the proper steps in
implementing data security and policies to protect student-level data.
It is our responsibility to continually strive to adapt to the
constantly-changing world of technology and cyber threats; adequate is
not enough when dealing with student data privacy. We will continue to
better our systems and policies to ensure that student data privacy is
not a hope in the State of Idaho, but a reality.
Chairmen, Ranking Members, and committees Members, again thank you
for this opportunity and I would stand for any questions you may have.
Mr. Meehan. Thank you, Ms. Popp.
The Chairman now recognizes Mr. Murray for your opening
comments.
STATEMENT OF THOMAS C. MURRAY, STATE AND DISTRICT DIGITAL
LEARNING POLICY AND ADVOCACY DIRECTOR, ALLIANCE FOR EXCELLENT
EDUCATION
Mr. Murray. Thank you, Mr. Chairman. I began this morning
with a call from a school principal asking if I was nervous to
testify in front of Congress. I said, ``Sir, when you have
stood in front of a thousand middle school students that are
completely hormonal, that is pressure.''
Thank you for having me.
Chairman Meehan, Chairman Rokita and Ranking Member Clarke,
Ranking Member Loebsack and Members of the subcommittees, it is
an honor to testify before you today. My goal is to illustrate
how student data can be used effectively to strengthen student
achievement and personalize the learning for each individual
student, while simultaneously maintaining high levels of
student privacy. Although I am now a State and district digital
learning director at the Alliance for Excellent Education, I
come to you first and foremost as an educator.
I have spent my life serving children, first as an
elementary and middle school classroom teacher, then as a
middle school assistant principal, an elementary principal and,
most recently, as the director of technology and cyber
education in the Quakertown Community School District, located
in Bucks County, Pennsylvania. In each of these roles, I have
balanced the use of data and its tie to student achievement,
while ensuring privacy on a daily basis. Although I could share
countless stories of how data-driven decision making has
forever changed the lives of students, I will take a moment to
just give one example.
I knew Susan, whose name has been changed for protection,
as a fourth grader. Susan had struggled tremendously in her
previous school and never had much support at home. Dad left
early, and Mom struggled to get by. It was evident that at home
her education was never a priority. Having bounced from school
to school, she had little consistency and rarely had the home
support needed to be successful, always playing catch-up, with
skills sometimes years behind. Life was dealing her a tough
hand.
During her first few weeks in my classroom, we were able to
collect a tremendous amount of data on levels of performance.
For example, we looked at the various aspects of her reading,
from fluency to comprehension. We found that Susan struggled
with accurate and fluent word recognition, and often originates
with the weaknesses in recognizing patterns of speech. It was
through data collection and analysis that we were able to come
to the conclusion of her exact reading needs. Based on Susan's
specific needs, we were able to develop a personalized plan for
success.
For example, we utilized a multifaceted approach that was
digital in nature. These various software programs were
overseen by, and used in connection with, dynamic instruction
from her well-trained teacher. Over time, her achievement was
tracked and personalized, her plan modified. Year-over-year,
her performance steadily improved and she was ultimately able
to cross the stage at graduation not only receiving, but truly
earning, her high school diploma.
As an educator who has witnessed a myriad of stories just
like Susan's, I know that her success is attributed to the
data-driven personalized education that she received. There are
countless students like Susan sitting in virtually every one of
our Nation's classrooms. It is critical that we understand the
Nation's context for today's hearing. In many ways, the
effective use of data is not just an educational strategy, it
is an economic strategy.
By 2018, two-thirds of the Nation's jobs will require at
least some post-secondary education, and estimates indicate
that the Nation will be 3 million college degrees short because
too few students graduate from high school on time and prepared
for post-secondary education.
Our students need and deserve an effective, world-class
education to be competitive in a global economy. In the 21st
Century, that means using data and technology effectively in
the classroom. Just like doctors evaluate your medical history,
current condition, and records from other physicians to
diagnose, care, and treat patients, teachers and administrators
need access to data in order to best personalize the learning
for each student. Today, the alliance released a paper that I
have submitted for the record describing how this is happening
across the country.
In Quakertown, I was able to witness first-hand the power
of data, and saw our graduation rates increase 10 percentage
points over a 2-year period. Data is used at all levels to
support student success. Teachers collect and analyze data on a
regular basis to inform their instruction, whether it is data
on reading comprehension, fluency, or math facts, teachers
collect, organize, and analyze data in order to personalize
instruction for each student. At the building level, I use this
information as a principal to analyze trends in curriculum,
strengths and weaknesses in our academic program, and teacher
effectiveness.
Tracking this data at the building level allowed me to
properly allocate resources and modify schedules, from reading
specialists and special ed support to a systemic response to
intervention model. At the district level, our leadership team
would analyze district-wide trends to make sure--make decisions
about curriculum renewal, standardized assessments, professional
learning, budgets, and more.
As the director of technology in Quakertown, it was my
team's job to oversee the security of such data. Like other
districts, we utilized the necessary firewall, security
certificates, and other limitations of access to ensure that
only those people with the need to know had the needed
information.
For instance, only two people in the district would have
access to the student information: Me, and the data specialist
who would work alongside the Pennsylvania State reporting
system. Teachers were only able to see information that was
legally permissible for students who they taught, and they each
signed a confidentiality agreement each year. We ensured
compliance with CIPA as well as FERPA. For example, we utilized
128-byte encryption for instances of data transfer outside our
own firewall, the same level of security used in on-line
banking.
Educators across this country demonstrate every day that
they know how to use this data responsibly. I offer several
recommendations in my written testimony and, in closing, would
like to highlight two of them. First, educators need support in
how to effectively use data to improve instruction, while
protecting sensitive student data. Funds from Title II of the
Elementary and Secondary Education Act should be utilized for
this purpose.
My second recommendation is a simple request for caution as
you explore policy in this area. Privacy concerns are real. At
the same time, education in the 21st Century must take
advantage of all that technology has to offer. This precise
sentiment was expressed yesterday in a bipartisan op-ed by two
of your colleagues on the committee, Representatives Polis and
Messer, in which they eloquently stated security and privacy
are critical, yet manageable, concerns.
We must not dismiss the power of using data to improve
classroom instruction. Simply develop best practices to ensure
that data is used responsibly. We must not let fear of data
prevent us from realizing the promise of technology. The
Nation's students, their parents, and our economy deserve
nothing less.
Thank you for the opportunity to share a school and
district perspective on this important matter.
[The prepared statement of Mr. Murray follows:]
Prepared Statement of Thomas C. Murray
June 25, 2014
introduction
Chairman Meehan, Chairman Rokita, Ranking Member Clarke, Ranking
Member Loebsack, and Members of the U.S. House of Representatives
Subcommittee on Cybersecurity, Infrastructure Protection, and Security
Technologies and the Subcommittee on Early Childhood, Elementary, and
Secondary Education: It is an honor to testify before you today to
discuss the critical role that the effective and safe use of data can
play in supporting success among America's students.
My goal today is to illustrate how student data can be used
effectively to strengthen student achievement and personalize the
learning for each individual student while simultaneously maintaining
high levels of student privacy.
Today, I come to you first and foremost as an educator. I've spent
my life serving children, first as an elementary and middle school
classroom teacher, then as a middle school assistant principal, an
elementary principal, and most recently as the director of technology
and cyber education in the rural Quakertown Community School District
located in upper Bucks County, Pennsylvania. In each of these roles, I
balanced the use of data and its tie to student achievement, while
ensuring privacy on a daily basis.
I am now pleased to serve as the State and district digital
learning director at the Alliance for Excellent Education. The Alliance
is a Washington, DC-based National policy and advocacy organization
dedicated to ensuring that all students, particularly those
traditionally underserved, graduate from high school ready for success
in college, work, and citizenship. The Alliance focuses on America's 6
million most-at-risk secondary school students--those in the lowest
achievement quartile--who are most likely to leave school without a
diploma or to graduate unprepared for a productive future. The
Alliance's mission is to promote high school transformation to make it
possible for every child to graduate prepared for success in life.
A chief part of the Alliance's mission is using technology and
digital learning to provide innovative and effective ways to ensure
that all students--especially those most at risk and disadvantaged--
graduate from high school prepared for success.
The Alliance held the first National Digital Learning Day in 2012,
an annual celebration with participation from more than 26,000 teachers
and millions of students from every State in the Nation. In 2013, the
Alliance announced Project 24, a new effort to assist school districts
in developing a plan to use technology and high-quality digital
learning, including the collection of proper and secure student
learning data, to help drive new twenty-first-century student-centered
instruction models leading to improved college and career readiness for
all students. Currently, 1,300 school districts are participating in
some way.
Although I could stand before you and share countless stories of
how data-driven decision making--both in the classroom by teachers and
at the district level by school administrators--has forever changed the
lives of students, I'll take a moment to give just one example.
I knew Susan (name has been changed for protection) as a fourth
grader. When I met her she was 9. Susan had struggled tremendously in
her previous school and never had much support at home. Having bounced
from school to school, she had little consistency and rarely had the
home support needed to be successful. Life was dealing her a tough
hand.
During her first few weeks in my classroom, we were able to collect
a tremendous amount of data on her levels of performance. For example,
we looked at the various aspects of her reading, from fluency to
comprehension, etc. Based on Susan's exact needs, and due to the large
amounts of data we were able to collect, we were able to develop a
personalized plan to meet her needs. Over time, I watched as these
interventions, implemented based on data-driven decisions, helped to
build her confidence, and ultimately her academic skill level. As Susan
moved through other data-based, personalized instructional
environments, she was able to close the achievement gap, and ultimately
cross the stage at graduation, receiving her high school diploma. As an
educator who has witnessed myriad stories like Susan's, it is without a
shadow of a doubt that I know that her success is attributed to her
teachers and schools being able to utilize a vast amount of real-time
data to develop personalized instruction to meet her needs. There are
countless students just like Susan, sitting in virtually every one of
our Nation's classrooms.
need for education reform
In order for the United States to sustain its position as the
world's leading economic power, its system of education must be rapidly
and dramatically improved. By 2018, two-thirds of the Nation's jobs
will require at least some post-secondary education, and estimates
indicate that the Nation will be 3 million college degrees short.\1\
Approximately 30 percent of African American and Hispanic students do
not graduate on time, if at all,\2\ and 20 percent of students who do
make it to college need at least one remedial course,\3\ meaning that
they are paying college prices for the high school education they
should have already received.
---------------------------------------------------------------------------
\1\ A. Carnevale, N. Smith, J. Strohl, Help Wanted: Projections of
Jobs and Education Requirements Through 2018 (Washington, DC:
Georgetown University Center on Education and the Workforce, 2010).
\2\ R. Stillwell and J. Sabel, Public High School Four-Year On-Time
Graduation Rates and Event Dropout Rates: School Years 2010-11 and
2011-12 (First Look) (NCES 2014-391) (Washington, DC: U.S. Department
of Education, National Center for Education Statistics, 2014).
\3\ D. Sparks and N. Malkus, Statistics in Brief: First-Year
Undergraduate Remedial Coursetaking: 1999-2000, 2003-04, 2007-08 (NCES
2013-013) (Washington, DC: U.S. Department of Education, National
Center for Education Statistics, 2013),
http://nces.ed.gov/pubs2013/2013013.pdf (accessed February 11, 2014).
---------------------------------------------------------------------------
This poor preparation is taking place at a time when the economic
demand for a highly educated workforce has never been greater. Over the
past 40 years, the percentage of jobs requiring post-secondary
education has doubled (from 28 percent to 59 percent).\4\ The demands
of the knowledge-driven economy are far outpacing the production of
students who are prepared for the workforce. To respond to this rapidly
rising demand for a higher-skilled workforce, every State has raised
its academic standards to require that every student graduate from high
school ready for college and a career.
---------------------------------------------------------------------------
\4\ A. Carnevale et al., Help Wanted.
---------------------------------------------------------------------------
While States are working to strengthen education in order to meet
the demand for a highly-educated workforce, the Nation's demographics
are rapidly changing. Students of color make up more than half of the
K-12 population in 12 States and comprise between 40 and 50 percent of
the student population in an additional 10 States.\5\ The Nation's
fastest-growing student populations are those that the traditional
education system is least equipped to serve.
---------------------------------------------------------------------------
\5\ W. DeBaun, Inseparable Imperatives: Equity in Education and
the Future of the American Economy (Washington, DC: Alliance for
Excellent Education, 2012).
---------------------------------------------------------------------------
This seismic tremor in education means that the Nation must provide
a higher-quality educational experience to more students than it ever
has before. Only the effective use of data and technology supporting
teachers will accomplish this major objective.
effective use of data is critical to education reform
Data can be a powerful tool for personalizing learning for each
student and increasing achievement in the highest-need schools. Just
like doctors evaluate your medical history, current condition, and
records from other physicians to diagnose, care, and treat patients,
teachers and administrators need access to data in order to best
personalize learning for each student, for they too are assessing,
diagnosing, and treating the various needs of our Nation's students.
Today, the Alliance released a paper--Capacity Enablers and
Barriers for Learning Analytics: Implications for Policy and Practice--
that describes how learning analytics initiatives are helping States
and districts move from being data collectors to data analyzers.\6\ The
full paper is included in my complete testimony submitted for the
record. Learning analytics applies techniques from science, sociology,
psychology, and statistics to analyze student information. It enables
the effective use of data to improve instruction in meaningful ways,
such as those that adapt instructional content, intervene with at-risk
students, and provide feedback.
---------------------------------------------------------------------------
\6\ M.A. Wolf, R. Jones, R. Wise, Capacity Enablers and Barriers
for Learning Analytics: Implications for Policy and Practice
(Washington, DC: Alliance for Excellent Education, 2014).
---------------------------------------------------------------------------
When student data is collected properly and used effectively, it
can be an integral part of personalizing instruction to improve
learning. Data can guide digital learning to target instruction. It can
provide real-time feedback on student progress that allows teachers to
tailor instruction, resources, and time.
Throughout my time in Quakertown, I was able to witness this first-
hand. As the district implemented a personalized approach to
instruction, with decisions predicated on data-driven decision making,
we were able to create an environment where student learning and growth
was at the forefront. Through this technology-infused, data-driven
environment, we saw high school graduation rates increase 10 percentage
points over a 2-year period. Upon my recent departure from the
district, we had more students taking rigorous courses than ever
before, the State standardized test scores were the highest they've
ever been, and results on tests such as the SAT showed significant
growth over time.
Our Nation, schools, and leaders must be careful not to let fear of
data thwart progress toward the best learning strategies for all
students. At the same time, teachers, principals, and district and
State leaders must be mindful and purposeful about the appropriate
collection and use of data. Overly restricting data because of the
fears of some will be devastating to modern, innovative teaching
practices. There must be support for policies that effectively address
privacy, safety, and security concerns related to digital learning and
other ways that data is stored including antiquated paper file storage.
In doing so, it is important to differentiate between real and
perceived threats so that we can take advantage of the real potential
to improve learning outcomes for students through the proper use of
data.
Pulling from my 14 years of school district service, I'd like to
share a few examples of how the use of data transforms and personalizes
instruction for students and how school districts use data to
systemically plan and problem solve to meet the needs of their student
population.
Having been a classroom teacher for 6 years, and supervising
classrooms for 5 years as a principal thereafter, data played and
continues to play a vital role in the daily instructional process.
Teachers collect and analyze data on a regular basis to inform their
instruction. Whether it's specific data regarding reading levels,
comprehension, fluency, math facts, or information surrounding a
specific academic standard, teachers collect, organize, and analyze
data in order to personalize instruction for each student. Without such
collection, teachers would lose the ability to pinpoint the exact needs
of each child and would lose the ability to treat each need with
precision. Best practices indicate that meeting each student where they
are will push them to their highest levels of achievement. But this is
only feasible through personalized learning and instruction, which can
only occur when up-to-date data is readily available so that teachers
can make real-time instructional decisions, allowing them to put their
students' needs at the heart of teaching and learning.
At the building level--and as both a middle school and elementary
principal--this data was used to analyze grade levels, trends in
curriculum, strengths and weaknesses in our academic program, and
grade level and teacher effectiveness. Tracking this data on a large
scale at the building level allowed me to properly allocate resources,
from reading specialists and special education support, to a systemic
response to intervention model. On a weekly basis, Quakertown's teachers
and specialists would meet in data teams to discuss every child and
what we could do better or differently to meet their individual needs--
both for those needing additional support and those who needed high
levels of enrichment. We would then use this information to design
schedules for support and intervention for all students, both at the
classroom and building levels.
As I moved to Quakertown's district office, the ability to collect,
analyze, and dissect student data on a large scale was even more
important. At the highest levels, our leadership team would analyze
district-wide trends, which allowed us to identify and plan for needs
moving forward. These areas of need would help us formulate district
goals, and over the long term, strategic plans. Without objective
academic data on the large scale, the ability to make district-wide
decisions about curriculum renewal, standardized assessments,
professional learning, budget, etc. would be jeopardized.
As it relates to special education, very specific achievement data
would be used to build an Individualized Education Program (IEP) for
each child, as required under the Individuals with Disabilities
Education Act. These goals would then be measured throughout the course
of each year and revised on a year-over-year basis to chart growth and
achievement and ensure that our Nation's students with disabilities
receive both what they need and deserve.
As both a principal and cabinet-level member at the district
office, part of my role was to ensure high-quality teaching in the
classroom, which was monitored through the teacher supervision process.
As such, supervisors had access to student data and were able to
longitudinally track performance of teacher effectiveness over time. In
order to prepare students for their tomorrow, there must be high-
quality teachers in the classroom today; and being able to objectively
assess effectiveness, over time, is imperative.
As the director of technology at Quakertown, it was my team's job
to oversee the security of such data, including data stored in our data
warehouse and student information system. Like other districts, we
utilized the necessary firewalls, security certificates, and
limitations on access to ensure that only those people with a need to
know had the needed information. For instance, only two people in the
district would have access to all student information: me and the data
specialist who would work on the district's Pennsylvania State
Reporting System. Teachers were only able to see information that was
legally permissible for students who they taught, and principals and
specialists would be granted access to their building-level data. This
information was treated with the highest levels of security and
accountability, even going as far as having every staff member sign a
confidentiality agreement, every year, which clearly delineates the
expectations of how they were to handle the student data to which they
had access.
On the educational technology front, the Quakertown district would
partner with various companies on tools and resources from on-line
registration, ranging from our student information system and gradebook
to various assessment and testing tools. For each company, we'd work to
ensure compliance with the Family Educational Rights and Privacy Act
(FERPA), and with instances of data transfer--such as that of on-line
registration--there was a 128-bit encryption in place, the same level
of security used in on-line banking. When it came to various web tools,
we'd work to ensure compliance with the Children's Internet Protection
Act, paying special attention and giving extra precautions to those
students under 13 years of age. It was the district's legal obligation
to ensure that the highest levels of security for this data were in
place, and something that was always at the top of our priority list.
other examples of success
In my role at the Alliance, I have seen States and districts across
the country using data effectively. In Kentucky, for example, K-12 and
post-secondary data is linked in order to provide feedback reports to
high schools on matters such as college readiness and ACT scores. This
data can be used to reduce the large number of students who need
remediation when they leave high school. In Oregon, professional
development on instructional strategies is paired with technical
training so that educators can use data regularly to improve
instruction.
A particularly powerful example of the effective use of data comes
from Chicago Public Schools (CPS), the Nation's third-largest school
district. In 2007, CPS initiated a reform to utilize data in order to
prevent students from dropping out. Evidence shows that students who
end their 9th-grade year on track to graduation are almost 4 times more
likely to graduate from high school than those who are off-track.
Therefore, CPS promoted the use of data to monitor students'
performance, help teachers intervene before students fell too far
behind, and implement a variety of interventions to address the
specific needs facing students as identified by the data. At the center
of this effort were monthly data reports given to each high school that
allowed educators to respond when students were heading in the wrong
direction.
As a result of this effort to effectively use data to keep students
in school, the percentage of 9th-grade students who are on-track to
graduation has risen 25 points, from 57 to 82 percent, and graduation
rates have increased 13 percentage points.\7\
---------------------------------------------------------------------------
\7\ M. Roderick, T. Kelley-Kemple, D. Johnson, and N. Beechum,
Preventable Failure: Improvements in Long-Term Outcomes When High
Schools Focused on Ninth Grade Year: Research Summary (Chicago:
University of Chicago Consortium on Chicago School Research, 2014),
https://ccsr.uchicago.edu/sites/default/files/publications/On-Track%20Validation%20RS.pdf
(accessed June 23, 2014).
---------------------------------------------------------------------------
recommendations
Whether in rural Quakertown, or urban Chicago, the power of data to
improve student achievement is real. Data can and must be used
responsibly, and educators across the country demonstrate every day
that they are able to effectively use student data while maintaining
student privacy. On behalf of the Alliance for Excellent Education, I
offer recommendations for your consideration in order to improve the
ability of our Nation's teachers and schools to use data to strengthen
student achievement.
(1) Professional development.--Educators need support in how to
effectively use data to improve instruction while protecting
sensitive student data. Funds from Title II of the Elementary
and Secondary Education Act should be utilized for this
purpose.
(2) Early warning indicator and intervention systems.--Schools and
districts across the country are implementing early warning
indicator and intervention systems in order to identify
struggling students and provide support that is tailored to
their individual needs. There are many ways in which Federal
policy can support the implementation of early warning
indicator and intervention systems, including requiring them as
a component of the Federal School Improvement Grant program.
(3) Data transparency.--Parents and the public must know what data
is being used to support students, and they must be given
access to this information.
It is imperative that the public, and parents in
particular, know what student data is being collected and
why. States and school districts should each provide
readily and publicly accessible information on the types of
individual student data they maintain and how it is
collected and used, who has access to protected data, and
what safeguards are in place to protect it. School
districts must ensure that their individual schools are
meeting the district requirements.
The Family Educational Rights and Privacy Act, or FERPA,
currently gives parents and eligible students aged 18 or
older access to their education records. Following the
example set in health care through the Health Insurance
Portability and Accountability Act, or HIPAA, access should
be expanded so that data is also available for parents and
eligible students in an electronic and cost-efficient
format. School districts should explore creating encrypted
and password-protected websites to make this information
readily accessible to parents and eligible students in a
safe and protected manner while protecting it from exposure
to unauthorized individuals.
(4) Data protection.--Strong policies and plans are vital in data
collection to safeguard privacy. States, districts, and schools
must have a data protection infrastructure to ensure that
personally identifiable student data is protected. States
should designate a chief privacy officer who is responsible and
held accountable for the implementation of sound privacy
policy. Duties would include monitoring data collection
practices, ensuring compliance with Federal and State laws,
overseeing a data security compliance plan and emergency data
breach response plan, and tracking the latest technological
improvements and best practices in data collection and privacy.
Districts should designate a single point of contact who
focuses on privacy issues. Some districts may consider
exploring whether they should designate a district chief
privacy officer depending on their size, individual needs, and
cost feasibility of implementation.
(5) Policy for learning in the 21st Century.--Privacy protection
policies must be updated and modernized to ensure student
privacy is protected. Simultaneously, legislative bodies must
be cautious to avoid creating policies that hinder learning.
Education in the 21st Century must take advantage of all that
technology has to offer, recognizing that learning takes place
in and outside of the classroom. To this end, the bipartisan
Aspen Institute Task Force on Learning and the Internet
recently issued the report Learning at the Center of a
Networked World, which offers recommendations for policymakers
at all levels for consideration and action.\8\
---------------------------------------------------------------------------
\8\ Aspen Institute Task Force on Learning and the Internet,
Learning at the Center of a Networked World (Washington, DC: Author,
2014), http://aspeninstitute.fsmdev.com/documents/AspenReportFinalPagesRev.pdf
(accessed June 23, 2014).
---------------------------------------------------------------------------
conclusion
There is a difference between rhetoric and reality. Privacy
concerns are real, and school leaders and policy makers must continue
to deal with these very real concerns systemically and transparently.
At the same time, it is imperative that this policy debate serves as a
mechanism for spurring innovation, rather than stifling it. The U.S.
Congress and State legislative bodies should explore modernizing
privacy protection through proactive laws that encourage data use while
protecting it to better reflect today's world, thus avoiding sudden
reactionary policies that create unnecessary and undue constraints on
learning. The Nation's students, their parents, and its economy deserve
nothing less.
Mr. Meehan. Thank you, Mr. Murray. I thank all of our
panelists for their opening comments. And before I recognize
myself for questions, I would like to ask unanimous consent to
enter in the record the Fordham Law School report on privacy
and cloud computing in public schools, authored by Mr. Joel
Reidenberg.
Mr. Meehan. Without objection, so ordered.*
---------------------------------------------------------------------------
* The information has been retained in committee files.
---------------------------------------------------------------------------
Mr. Meehan. I now recognize myself for opening questions.
Mr. Reidenberg, let me begin with you. I think we all
appreciate the points so eloquently made by Mr. Murray in his
commentary about the opportunities for individualized education
that can now be realized by virtue of technology. Nobody wants
to try to inhibit that personalized development. But I brought
with me here the perspective of us dealing with issues like the
NSA, and simple concern on the part of American people because
the Government was aware of who you called, what telephone
number was called by another telephone number.
As I began to look at this issue, I appreciated that the
courts themselves have determined things like homework
assignments or other kinds of in-class work which is now
available for exactly that personalized information. Every
keystroke may be being recorded. So you are learning a vast
amount about that student's analysis and ability to deal with
an issue. But we are also gathering that forever. The concern
is that that information, you are seeing 95 percent of it. Or
big percentages of it are no longer being held within the
school itself, oftentimes going off somewhere in the cloud and
becoming the property of third-party vendors.
This is where the rubber meets the road for me, in my
concern about this issue. How much not just private
information, but like a health care record. There is some
party--third-party vendor, I don't even know who it is--they
know a lot more about my child than I know. Worse yet, is there
the possibility that information lives otherwise? So a point
that was made by one of the panelists that identifies a
learning disability or difficulty that somebody may have.
Suppose that information continues and gets purchased or sold
by the very same company that many want to hire somebody some
day.
So where are the gaps and where are the limitations on the
utilization of this very personal, private information that
gets moved into a public sector ownership? Then how do we
contain it so that it doesn't get abused?
Mr. Reidenberg. Mr. Chairman, I think you have put your
finger on the precise problem that we are facing today. It
isn't just the parents who don't know where the information is,
it is also the schools. In our research, the irony of that 95
percent statistic, we know that the school that reported they
didn't outsource to the cloud actually does. We learned that
after we completed the students. So if we take the school
districts that responded, it turns out it is, in fact, 100
percent, not 95. We found, in asking school districts what they
were doing in calls to school districts, it was very difficult
to find anyone on the staff who even knew what kinds of
outsourcing arrangements they had.
When we look at how FERPA applies to this, FERPA is a
funding statute. FERPA conditions the receipt of Federal funds
by educational agencies to those agencies adhering--it is
essentially confidentiality. It exempts out, though, a
substantial amount of information, directory information, which
includes a student's age, height, weight. It is exempted, it is
not covered by the confidentiality unless the families opt out.
So it is a very complex statute. But it was designed
essentially as a hook on Federal financing.
It doesn't apply directly to any of these third parties.
The third parties can get data from school districts under, in
this context, the school official exception, which is an
exception essentially written into the statute by the
Department of Education. It is not spelled out, in fact, in the
statute. It is not challengeable. The court challenges to
recent Department of Education regulations were thrown out on
standing issues. Families who feel that they have been
aggrieved have no remedies because the Supreme Court has ruled
there are no private rights of action in the context of FERPA.
The Department of Education, in the 40-year history, has
never issued any sanction to a school district for violating
FERPA. So if you look at the statute itself, even for what it
covers it has some shortcomings that are quite significant. But
in this context, what is so hard is that the kinds of
outsourcing that take place are so complex that it is very
difficult, as you pointed out in your question--it is very
difficult to figure out exactly what is going on with this use
of information and where to put the control.
I don't think it is the vendors' own data in a true
property sense. What we find is, it is transferred pursuant to
some sort of contract. That contract can spell out what the
vendors' usage rights are. We don't see those contracts
actually spelling out that the district truly controls the
data, their kids' data. There are school districts all across
the country, so there could be multiple different forms of
contracts all across the country.
Mr. Meehan. Well, you touched an awful lot.
My time has expired. I know we will get into it. Mr.
MacCarthy, I will ask it, I hope, in the context if we do not
get a chance for you to speak to some of those very same
issues, then I will come back to you and ask you some of those
questions. But I think my colleagues will get to a lot of that
as we move forward.
So at this point in time, I turn it over to Ranking Member
for her questioning. Thank you.
Ms. Clarke. Thank you, Mr. Chairman. I thank our panelists
for lending their expertise to this very important subject
matter today.
One of the issues that sort of dawned on me as I heard you
discuss this was just the level of complexity and the myriad of
circumstances under which data breaches actually occur. There
are a whole host of bad actors out there seizing opportunities
to assume identities through identity theft. It just begs the
question as to whether you have observed sort-of systemic
protocols that are in place for reporting data breaches. Most
companies, you know, they are looking to assert their brand as
the best brand. It is somewhat, you know, scary for them and
their bottom line to have to admit any vulnerability within
their systems, the systems that they are trying to sell that
they have multiple customers for.
Have any of you raised that question or encountered the
type of protocols that would alert the users from the school
systems themselves to be actual subjects of the usage of data
breaches? I would be interested in that.
Mr. Reidenberg. We found that almost no contracts required
vendors to tell the school districts if there has been a
breach. The State breach notification laws might apply, but
there is a wide variety of the scope of those breach notification
rules. We found that notifications of parents of the existence
of these third-party on-line services being used by the school
districts was quite rare. So we saw no indication of any
district informing its parents that there had been a breach.
Ms. Clarke. Parents trust schools to safeguard their
children's confidential and sensitive data. Can you tell us how
education officials should be seeking ways to protect students'
personal identifiable information? What are the contractual
pressures that exist when school systems hire, or use tools
from, for-profit companies to manage their students' data?
Mr. Reidenberg. So there are a variety of basic security
practices that the school districts certainly need to be
engaging in. If they are transferring data it has to be
encrypted. They should be minimizing the identifying data. They
shouldn't be using Social Security numbers, for example, that
some districts around the country still do. Their contracts
need to have stringent security requirements on their outside
vendors. That is nonexistent right now. We saw an appalling
number of districts that--vendor contracts that did not include
obligations to secure the data.
It is not to say that the vendors are treating the data
with abandon. We don't know. What we do know is that there is
no legal protection that is being imposed on the vendors
through the contracts.
Ms. Clarke. The other element of vulnerability within
systems is the age of the system. I would wonder whether, in
your experience--particularly in school districts that are not
as wealthy--whether the systems they are using to transmit
data, you know, have reached their shelf life, if you will, in
terms of vulnerabilities. What challenge that can place.
Mr. Reidenberg. I think that is quite likely. I mean, the
kinds of school districts, the sizes of the school districts
across the country will range from the large cities that may
have a million students in the district to places that have
300. The district that has 300 students in it, if it is using a
well-designed cloud service that is gonna be more secure than
the district's own IT system, most likely. So there is an
advantage to using professional hosting services that a
district couldn't do. The downside is, if that hosting service
is now hosting data on 20 million students it becomes a honey
pot for cyber attackers.
Ms. Clarke. Very well.
Mr. Chairman, I yield back the balance of my time. Thank
you.
Mr. Meehan. I thank the Ranking Member.
The Chairman now turns to the Chairman of the Education
Committee, Mr. Rokita.
Mr. Rokita. I thank the Chairman. I also thank the Ranking
Members. Excellent testimony from everyone. I have really
learned a lot, and will continue to learn as this issue goes
forward.
Ms. Popp, I would like to start with you. I am always
encouraged, as a former State-wide elected official, when we
have solutions that come from the States. Now that is how this
was set up, and I am particularly pleased with your testimony.
To make sure I understood it right, are you saying that the
1372, or whatever number it was, prescribes contractual terms
that have to be used when districts contract? Or by virtue of
the statute alone, it is saying what is prohibited and what is
allowed under district's usual procedures?
Ms. Popp. Thank you, Chairman. Senate Bill 13----
Mr. Meehan. Ms. Popp, I am gonna ask if you speak into the
microphone and make sure that you push the button.
Ms. Popp. Yes, the red button is on.
Mr. Meehan. Okay, great. Thanks.
Ms. Popp. Thank you. Senate Bill 1372 was very clearly
outlined what data and how data can be collected. It also
addresses the fact that there is a monetary penalty for any
breaches. It does not get into some of the very specifics on
some of the policies that the Department of Education, however,
has adopted. One of the things being the contractual component.
It does, in the Senate bill, address some of the information on
contracts with third-party vendors, such as testing the
agencies and student information. It actually calls out those
two particular vendors directly in the Senate bill.
Mr. Rokita. Thank you very much.
Mr. MacCarthy, what do you think of Idaho's approach? What
would your members think?
Mr. MacCarthy. Thank you for your question, Mr. Chairman.
We like the approach.
Mr. Rokita. Good.
Mr. MacCarthy. I think it sets up the proper sort of
framework for the inclusion of the appropriate issues within
school contracts. As many of you have heard in previous
testimony, transparency is a key element. We need to tell
parents what information is being collected by the school and
school vendors, what is done with it, who it is transferred to,
who it is shared with, what the data security requirements are,
what the data breach notification requirements are. That
information should all be provided to parents, and model
policies at the State level that--make sure that those issues
are covered in contracts are something that the industry would
support. They are part of the SIAA best practices that we put
out in February of this year. So we would encourage that level
of involvement by State and local and school districts.
Mr. Rokita. Thank you.
Mr. Reidenberg, what do you think of Idaho's approach?
Mr. Reidenberg. I think it is very encouraging. I think it
is very encouraging, Mr. Chairman. I also think it is extremely
positive that the Department--I know Department of Education is
spelling out what the contracting practices need to be for the
districts. I do think that, though, that kind of approach needs
to be seen on a Nation-wide basis and that it is not just the
students of Idaho that deserve the kinds of protections that
Idaho is enacting.
The Federal Government is funding, in the last couple of
years, anywhere between--it is probably between $500 million
and a billion dollars to the States to encourage and be
developing these kinds of information systems. I think we need
to see approaches like that more systemically deployed across
the country.
Mr. Rokita. Do you think Mr. Murray has a good idea when he
says Title II funds ought to be used in this area? Title II
funds----
Mr. Reidenberg. I am sorry.
Mr. Rokita [continuing]. As your PRAP in those kinds of
things. In fact, the Student Success Act that our whole
committee passed and that sits on Mr. Reid's desk right now--
block grants, a lot of Title II funds to the State so that they
could use these funds in the best way they see fit. Wouldn't
you say States should be able to use Federal money to help
protect, or enforce, issues in this area?
Mr. Reidenberg. Well, I think--I mean, I think that if the
Federal Government is going to be financing these kinds of
programs at the State level that require the generation and
collection of lots of student information, then there ought to
be a commensurate requirement that the States address privacy
as part of their infrastructure development. When the teacher
said I am not very familiar with Title II, to the extent that
it is involving, say, teacher training programs, that is a key
part----
Mr. Rokita. Sir, I am afraid my time has run out. Two short
questions--two short remaining questions, yes or no. Do you
know of any legal malpractice cases occurring in the United
States that involve attorneys for school districts or schools
in this area for their lack of preparing a contract correctly
or anything like that?
Mr. Reidenberg. I am not aware of any.
Mr. Rokita. Are you aware of any school district in this
country that doesn't have legal counsel?
Mr. Reidenberg. Yes.
Mr. Rokita. What percentage of the total would you think
that is?
Mr. Reidenberg. That, I couldn't tell you. I mean, we saw
school districts, the smaller school districts seemed to be
winging it when they come to these sorts of contracts.
Mr. Rokita. Mr. Chairman, I thank you for the time.
Mr. Meehan. I thank the Chairman.
I now recognize the Ranking Member, Mr. Loebsack, for his
questions.
Mr. Loebsack. Thank you, Mr. Chairman. Before I begin my
questions, I would request unanimous consent to submit two
written statements if I might. One from my colleague, our
colleague, Representative Jared Polis and another from Aimee
Guidera. She is the executive of Data Quality Campaign.
Mr. Meehan. Without objection, so ordered.*
---------------------------------------------------------------------------
* The testimony of Hon. Polis has been previously included.
---------------------------------------------------------------------------
[The information follows:]
Statement of Aimee Rogstad Guidera, Executive Director, Data Quality
Campaign
June 25, 2014
Thank you for the opportunity to offer written testimony today on
such an important topic for all of us in this country. The
conversations parents, educators, and others are having in communities
around the Nation about the use of data in education and the critical
need to ensure the safeguarding of student data are important ones, and
they will lead to solutions that assure all of us student data are
being used safely by those we entrust with the responsibility of using
them to improve student achievement. This conversation about data
privacy and security is not unique to education: As a society, we are
dealing with the unprecedented need to adapt to the increasing role of
data in helping us make better-informed decisions and attain better
services and outcomes in every aspect of our lives. Integral to this is
a need to also discuss how we safeguard data and protect our personal
privacy.
The Data Quality Campaign, a nonpartisan, nonprofit advocacy
organization, works with policymakers and other stakeholders to
highlight the power of effective data use at all levels to support
families and educators in their efforts to improve student achievement.
This hearing provides an excellent public forum for having these
vital discussions about the value, use, and protection of data. Thank
you for allowing the Data Quality Campaign to submit written testimony.
using data effectively can improve education decision making and
outcomes
Like every other sector focused on getting better results,
education is using data in new and game-changing ways. We are using
data to inform decision making in education and improve outcomes to the
level that every parent expects, every child deserves, and the future
health and well-being of this Nation requires. Because of the
investment the Federal, State, and local governments have made in
increasing the quality, availability and use of education data,
teachers and parents have better access to information that helps them
tailor learning to the needs of each student in real time, and more
students are walking across the graduation stage prepared for post-
secondary education and the workforce. At the same time, Americans are
raising legitimate questions about how we safeguard data while using
them for this important purpose.
Empowered with the right data, teachers can better track their
students' progress and tailor teaching to each child's needs, and
parents can have a more substantive, timely account of how their kids
are doing.
When education stakeholders are using data to inform their judgment
at all levels, student achievement grows. States' efforts to support
the effective use of data have yielded many positive developments.
Parents, educators, and policymakers in Kentucky can now review high
school feedback reports to get a richer picture of how well-prepared
graduates from a specific high school are for college-level work, and
then make changes in policy and practice to better align high school
course-taking and graduation requirements with post-secondary
expectations. Data coaches in Delaware can help teachers pinpoint what
interventions students need most. And an early warning system in
Massachusetts gives educators information that, when acted upon in a
timely manner, can mean the difference between a student graduating or
dropping out.
To fully leverage data to inform decisions and improve outcomes,
its collection and uses must be aligned to the needs of teachers,
parents, students, and policymakers. Equally important, the privacy,
security, and confidentiality of the data must be safeguarded. People
will not use data that they do not find useful and trustworthy. There
can be no effective data use without building trust that the data will
help and that it will be kept safe and secure.
All of us in education must do more to make sure that we are
transparent--especially with parents about what data are collected, who
has access to them, how they are used, and what policies and practices
are in place to protect privacy and keep the data secure.
all education data require protection
Part of the rising concerns around the security and privacy of
education data stems from the need to better clarify how current laws
apply to the different types of data collected; this includes if and
when data may be used for commercial purposes and what limits are placed on
access to students' Personally Identifiable Information.
The Family Educational Rights and Privacy Act (FERPA) defines the
types of data that are collected in an education record (Authority: 20
U.S.C. 1232g[a][4]) as those that are ``maintained by an educational
agency or institution or by a party acting for the agency or
institution.'' This includes both the information traditionally
collected by an education agency like grades, test scores, gender, age,
and attendance, as well as information collected by a third-party
service provider which has been contracted by the education agency to
provide explicit educational services.
Privacy and legal experts continue to debate whether or not data
that is collected and maintained by third-party software providers, and
not on behalf of an education agency is governed by FERPA. These third-
party solutions provide learning apps and other technology and web-
based services to inform and improve student learning. The data
collected directly from a user (generally a student or parent) through
these services are collected and maintained by the company providing
the service and not at the request of an educational agency.
Some of these services not governed under FERPA (for children 13
and under), however, are covered in the latest guide for businesses,
parents, and small entities regarding the Children's On-line Privacy
Protection Act (COPPA) released by the Federal Trade Commission this
spring.
Because these data are collected for different purposes and involve
different parties, it is necessary to create policies addressing
specific concerns and ensure that data are used and maintained in a
secure and effective manner. The concerns currently being raised by
parents and other education stakeholders are legitimate and must be
addressed in policy and practice to build understanding of their
purpose and trust in their protection.
state actions to safeguard student data
In response to these tremendous opportunities and advancements in
the uses of data, many States and education agencies are also thinking
about the governance and privacy responsibilities associated with data
use. To support these efforts, Education Counsel released Key Elements
for Strengthening State Laws and Policies Pertaining to Student Data
Use, Privacy, and Security: Guidance for State Policymakers. The
report, which highlights relevant Federal laws, State practices, and
emerging best practices, serves as a helpful guide for policymakers at
the Federal, State, and local levels seeking to ensure policies include
foundational elements:
1. Statement of the purposes of the State's privacy policies,
including an acknowledgment of the educational value of data
and the importance of privacy and security safeguards.
2. Selection of a State leader and advisory board responsible for
ensuring appropriate privacy and security protections,
including for developing and implementing policies and for
providing guidance and sharing best practices with schools and
districts.
3. Establishment of a public data inventory and an understandable
description of the specific data elements included in the
inventory.
4. Strategies for promoting transparency and public knowledge about
data use, storage, retention, destruction, and protections.
5. Development of State-wide policies for governing Personally
Identifiable Information.
6. Establishment of a State-wide data security plan to address
administrative, physical, and technical safeguards.
Since January 2014, 36 State legislatures have introduced 108 bills
directed at ensuring the privacy, security, and confidentiality of
education data. Many of these States recognize that FERPA is a strong
foundation for student privacy, but that they should tailor additional
laws to address the specific concerns of their citizens.
Several States have passed legislation this session to proactively
and publicly ensure that education data are used effectively and
ethically. Colorado's recently passed H.B. 1294 provides definitions of
key data terms and describes permissible uses of education data. The
law also requires the provision of supports needed to ensure the
privacy and transparency of the State's education data use, including a
public data inventory, data privacy training for Department staff,
breach notification processes, and contracting guidelines for working
with service providers. In addition to describing when data can be
shared and calling for new privacy and security policies, West Virginia
H.B. 4316 delineates State, district, and school responsibilities in
creating and maintaining a student data inventory; the law also
provides for a data governance officer and describes his or her
responsibilities.
Some new State laws seek to establish stronger mechanisms for
determining how student data will be used through the creation of data
governance bodies with decision making or investigatory authority.
Indiana's H.B. 1003 establishes the Indiana Network of Knowledge (INK),
a group charged with data governance and making the State's data
transparent and accessible to the public. Maine L.D. 1194 creates a
Joint Standing Committee on Judiciary to study student privacy
(especially with regard to social media and cloud computing services),
concerns of parents about on-line education data service providers
using data to build student profiles or target on-line advertising, and
how other States address student privacy with social media and cloud
computing services. South Carolina H.B. 3893 describes permissible
State data collections and calls for security and access rules, but it
also provides for the implementation of a Data Governance Committee to
make decisions about data disclosures.
While most of the student data privacy bills introduced this
session have focused on the student data collected by districts, some
bills have begun to address data collected through the use of on-line
programs and services, such as content programs and classroom apps,
which fall into the category of data collected by service providers. A
currently active bill in California (S.B. 1177) is one of the few bills
which seek to explicitly govern data collected through education
technology providers. The bill would prohibit on-line K-12 service
providers from selling student data or from using, sharing, or
disclosing certain types of student data for any purpose other than the
contracted purpose or for ``maintaining, developing, and improving the
integrity and effectiveness of the site, service, or application.''
Other bills, such as Idaho S.B. 1372, Massachusetts H.B. 331, and
Tennessee H.B. 1549/S.B. 1835, prohibit the collection or use of
student data for commercial purposes. The Tennessee bills, which have
been signed into law, also prohibit the collection of student data for
product development.
conclusion
While the above examples highlight the work that States and others
have done to protect the privacy and security of education data and
promote data being used effectively to improve student achievement, it
is important to note that this is only part of the work the field must
undertake to address the concerns around education data collected by
service providers. This hearing and others like it at the Federal and
State levels will raise awareness of the need to address public
concerns about the use of data in education.
It is important for privacy and legal experts to continue to debate
the solutions as we continue to gather information. Equally important,
Congress should continue to lead these discussions among all
stakeholders to review existing laws including how they apply to the
use of continuously changing technology to collect data and determine
what gaps may exist and if necessary, how they should be addressed
through new laws. Efforts like the one led by Congressmen Jared Polis
(D, CO-2) and Luke Messer (R, IN-6) to encourage leaders in the
education service provider field to develop standards of conduct are a
promising start, and can lead to further conversations.
In addition to clarifying how existing law protects data and how it
can be strengthened, there are many actions that the sector must
prioritize: Building the understanding of the need for every school,
district, State, and vendor to prioritize the safeguarding of education
data; increasing capacity of the field through training around data
security and privacy; increasing tailored communications around the
value, use, and protection of data with parents and citizens; adapting
emerging best practices from other sectors; and creating standards of
conduct for the field to use.
It is important that these conversations, like this Congressional
hearing, are not just about the ``risks'' of using data in education.
We must all help the American public better understand the promising
uses of this data to improve the performance of our schools and to
ensure that every child in this country graduates prepared for success
in post-secondary education and the workforce.
Mr. Loebsack. Thank you, Mr. Chairman. Thank you. This is
an exciting time in education, there is no question. Students
and teachers really have never before had so much information
at their fingertips. You know, we can all recognize clearly
that, through the internet, students have access to a world of
multimedia educational resources. With the use of data,
teachers and school leaders today have a clearer sense, I
think, of individual strengths and needs of each of their
students.
I want to step back just a moment from sort-of what we have
been talking about up to this point. We all recognize, you
know, what the problem is, potentially, out there and we have
got to do something about it. But if I could ask Mr. Murray
just to sort-of give us a sense--you already did a little bit.
But, you know, because I am concerned about throwing the baby
out with the bath water, if you will. But what can be done
today with data to support student learning that couldn't be
done 20 years ago, for example?
Mr. Murray. Sure, and that is a great question. I
appreciate you asking that. The classroom has changed
dramatically in the past 20 years. When I think back 20 years
ago, I think back to a one-size-fits-all approach. All students
were reading the same thing. If you were high up, you helped
the kids that were struggling. If you were struggling, you kind
of tried to get by. Teachers might offer students--and they
may, at the end of a quarter, say your child earned a B because
the average was an 86 percent because here is the average of
everything that your kid did over the marking period.
Fast forward 20 years and look at a parent conference. When
I am a parent, and I can hear very specific standards or very
specific information about what my child needs--not just that
it is an 86 percent overall--and get that very specific
concrete information there is incredible opportunity in
communication and transparency for parents, based on what their
child needs. Parents are incredible stakeholders in this
process. They--we, as school districts, need to be transparent
and need to be able to share very specific information on
student growth.
Let me give you another example. Much of our data is
available on-line to our students through very secure parent
portals that they create their own user name and passwords for.
So no longer is it, at the end of a marking period, you get a
report card and, as a parent, you only get to see that four
times a year. Our parents from where I came from, they got a
daily report card. They could log in to a secure system, see
attendance rates, see quizzes, see anything that was up-to-date
at a point in time, at that moment in time.
What does that do? That helps our children be successful.
In a classroom--one last example--if I am a teacher with access
to real-time data I can make decisions on the fly in the
classroom. It is no longer about planning a one-size-fits-all
lesson. It is about looking at data through the use of
technology inside the classroom to make decisions on the fly
for my kids. A quick example of that would be I am giving a
lesson, I am able to electronically receive feedback exactly
for every child, every answer, every time, no longer just the
kid in the back of the classroom with his hand up. Make
decisions as a teacher, on the fly, as what to do next right
there in the classroom. Twenty years ago, that was not
feasible.
Mr. Loebsack. Thank you, Mr. Murray. By the way, your
comment about facing a thousand middle school students? That is
a lot worse than facing us.
[Laughter.]
Mr. Loebsack. As somebody who is out of the college level
for 24 years, my wife taught second grade. I understand where
you are coming from. Given your teaching background and your
administrative background, I think you have kind-of a unique
perspective on all this. You mentioned some recommendations,
couple recommendations. Practically speaking, we have to try to
figure out a balance, if you will, between effectively using
data to improve instruction, and ensuring the privacy
protections that we are all concerned about. Can you elaborate
not only on the two, but maybe some others that you have in
mind?
Mr. Murray. Sure, absolutely. To me, it is not an either/
or. It is not privacy or data use and data analytics. It is an
and/and. We need to use the data, use the analytics to drive
the instruction in the classroom, and hold it to the highest
levels of accountability. So another example that I would give
would be related to the professional learning. This goes back
to the question that we were talking about a few minutes ago:
How do we keep this safe? No. 1, we need to make sure we have
educated teachers in the classroom, based on what can they do,
what can they share, what is their responsibility.
In Quakertown, where I was, they signed a confidentiality
agreement every year of what they would do and be able to
share. Second, we need to take a look at our contracts. I am
okay saying that, as the person that did that for the last
number of years--was the contractual person. I would sit with
our district solicitor and review that contract. We would not
engage with a large-scale data area that was not FERPA-
compliant for us. That was not highly secure with 128-byte
encryption. Our student privacy and security was absolutely
paramount in what we do.
We also went through State audits. Every year, I would sit
with a State auditor and they would ask who has information
about your data, what companies are you partnering with, what
security measures do you have in place, who has access and how
do you know it is safe? They would give feedback on a yearly
basis. So at the State level, that leadership was also
imperative.
Mr. Loebsack. Thank you, Mr. Murray.
Thank you, Mr. Chairman.
Mr. Meehan. I thank the Member.
The Chairman now recognizes the gentleman from Tennessee,
Mr. Roe.
Mr. Roe. I thank the Chairman for having this hearing. Mr.
Murray, I think Susan was successful because of great teachers
like you. I think I would love to have my children, my three,
had you in the classroom. You are very enthusiastic and bring a
lot of horsepower to the classroom, I think. I think it is a
tribute to you, not necessarily data. You know, we cured polio
and put a man on the moon without big data. It is great
teachers, I think, like you that have helped make this.
Certainly data is important. I think it is critical to find
out where you are not doing well and to improve that and use
it. I think the concern we have, as you can hear from all the
committee Members and from the panel is, basically, privacy. I
think no one right now in this country, after the NSA
revelations, believes anything is private. I mean, I am here,
sitting in Congress. I served on the Veterans Affairs
Committee, the Education Committee. I had no idea they were
doing that.
I had no earthly idea the data mining that was going on.
Look, we data mine all the time. This is my Harris Teeter card.
Every time I go in there they know exactly what I am buying at
the Harris Teeter. So data is being mined on us all of the
time. The question is, how secure and who should have it and
who should care whether a kid blinks and how big they are. I
mean, the concern is how is this data being used? If it is used
like you are using it, it is very constructive. There is no
question about it.
But the worrisome part about me is--as Mr. Reidenberg
points out is that many school systems don't have the ability
to contract to get these very tight and to be sure that this
data is being used in a proper way. My question is: How can it
be improperly used? What should we be fearful of when this data
is out there in the cloud? Yes, sir.
Mr. Reidenberg. My answer would be that the data should be
used strictly for educational benefits for particular children.
And begin to define, what do we mean by legitimate educational
uses? That is the way I would define it. I would define it
quite narrowly. I am very concerned. I sat on a school board in
my local community in New Jersey for 5 years.
Mr. Roe. My condolences.
Mr. Reidenberg. Accepted. One of the issues that we, as a
board faced, dealt with commercial--you know, advertising on
the school board, in the stadium at the school. These big data
programs with educational data are bringing that issue into the
classroom. It is no longer just on the sports fields. I come
down on the side of saying that that is not appropriate for
public education. That public education, we should be using
this data for the specific educational benefits of the
individual children about whom the data relates. To me, that is
an important public policy debate we need to have in this
country.
Mr. Roe. I had no idea personally, as a parent of three
children that all went to public schools, that this data was
being shared with anybody. I had no idea that it would be out
there for other folks to use. I think it is important that
parents know that this data--I think that is absolutely
critical.
Mr. Reidenberg. Look at the case, for example--there is a
bankruptcy proceeding, ConnectEDU is the company that is in
bankruptcy right now. They hold data on 20 million children.
One of the products that they offered was a K-12 early warning
label for children. So it is not clear from the advertising.
Does that mean they are labeling third-graders as not college
material? They are in bankruptcy. That data can be sold off
to the highest bidder unless the trustee in bankruptcy decides
to impose some restrictions on it.
The company, its main products are college counseling. So
it means they are holding data on family finances because of--
students were going to need student loans. The range of data
they are gonna hold on those kids is quite striking.
Mr. Roe. Well, can that be used to--as Harris Teeter would
do? Next thing I know, I am gonna get some coupons in the mail
with what I am--is that being used to market? Is that data out
there to market--whether it is loans or whatever it may be?
Mr. Reidenberg. It is not--well, the simple answer is
probably yes, but it is complicated. Because at least this
particular company says that students have to designate that
they want their data, say, going to a prospective college. But
once the prospective college gets that information there isn't
a further restriction on the college then selling it to a list
broker or it bleeding out in other ways.
Mr. Roe. Yes, I think the concern you have is when you
change internet service providers, you know, as I did 3 or 4
years ago. All of a sudden now--I won't mention the spam I get
on here, but they obviously sold that information out and now I
am getting e-mails from everybody in the world.
So I think that is a concern about how you can use it like
Mr. Murray, no question it is beneficial. I think the concern
is that it is not, or might not be, used like that.
Mr. Reidenberg. We found that only 7 percent of the
contracts had specific prohibitions on sale and marketing.
Other contracts, and it ranged between 15 and 20 percent of the
contracts, failed to restrict secondary disclosure. So some of
them that restrict to secondary disclosure could encapsulate,
essentially, restriction on selling it off for marketing
purposes. But for explicitly, clearly saying you can't use this
for marketing it is only 7 percent. You still had enormous
percentages weren't even restricting any other secondary use.
Mr. Roe. Okay, Mr. Chairman, thanks for your indulgence.
Yield back.
Mr. Meehan. I thank the gentleman.
The Chairman now recognizes Ms. Bonamici.
Ms. Bonamici. Thank you very much. Thank you, Chairman
Meehan, Chairman Rokita, Ranking Member Clarke and Loebsack,
for allowing me to participate in this fascinating discussion.
This is actually an issue that comes up quite often in the
district I am honored to represent out in Oregon. There have
been a lot of conversations about this issue, and I really
appreciate the expertise of the witnesses.
I want to follow up on the point about the opportunities. I
don't think anyone would disagree that there are so many
opportunities out there with technology. Mr. Murray, what you
describe I have witnessed in schools in the district I
represent. The use of technology to further instruction and to
improve instruction, there is a lot of potential there. I don't
think anyone would disagree with that. The concern is about
finding the balance to make sure that that data remains
adequately protected. Mr. Roe, I appreciate your sharing your
little story about your Harris Teeter card.
I think the difference is that you are using that with your
knowledge that they are keeping that information. You don't
have to swipe that card. You were making that choice. I think
that is very different for students when, often times, the
parents do not understand, they do not have that same knowledge
that you have about what is happening with the card that you
are swiping. I have to say that whenever we are legislating
around technology we have to make sure that the technology is
always developing faster than policy. Policy takes a long time;
technology is developing quickly.
So we have to make sure, in legislation, that we do not
inhibit the positive uses but that we do the--what it takes to
make the data protected. So I want to follow up. Mr.
Reidenberg, you just mentioned you--the question I was gonna
ask. About fewer than 7 percent of contracts between school
systems and on-line service providers explicitly prohibit the
sale of marketing of student information. So does that mean
that the other 93 percent of contractors are selling student
data? Do we have any sense of the scope of the problem?
For example, a student in my district. What are the--what
is the likelihood that there is marketing going on if they are
not in that 7 percent that has that prohibition?
Mr. Reidenberg. I want to come back to the 7 percent again.
The 7 percent are contracts that have specific restrictions on
sale of marketing. We have other--so, for example, hosting
contracts. Only 50--53 percent of the hosting contracts had any
limitation on redisclosure. So that means almost half of the
hosting contracts have no contractual restriction from the host
service doing whatever they want with the data.
We don't have any evidence on practice, actual practices. I
think that would be almost impossible to come by right now.
There is really not a clear mechanism. I am sure we can all point
to companies that will say they don't do that. I would welcome
those companies presenting audit--you know, auditing, having
third-party audits like they audit their financials to actually
let the public know what, in fact, they are doing with school
data. But there is really--other than that, there is no way to
actually know systemically what the practices are in the
industry.
Ms. Bonamici. Thank you. Mr. MacCarthy, I respect the work
of your organization very much. Appreciate your testimony. You
did say that you do not believe that there is any new
legislation required. I know that we have had this conversation
about FERPA and the other existing legislation. But, Mr.
Reidenberg, you said that the Department of Education has never
denied Federal education funds to a school system for a
violation. So I wonder, are the meaningful protections there?
Ms. Popp, thank you for talking about what Idaho is doing.
But it sounds like we are gonna have to have something that has
a mechanism to ensure that the school systems and the vendors
are actually complying. So I want to ask Mr. MacCarthy, you
state that service providers already face penalties for
inappropriately disclosing information, including, for example,
a 5-year ban on providing services. Has a provider ever
received that penalty?
Mr. MacCarthy. They haven't been penalized in that way. The
thrust of my testimony, and maybe an opportunity to talk in
more detail about this later, is that the framework set out by
FERPA and that is accepted by the industry and educators
throughout the country is that student information should be
used solely and exclusively for educational purposes. For the
benefit of the student to improve educational products and
services. That is the fundamental thrust of the legal and
contractual framework that exists right now in this country.
If we need to work for improving the contracts or to
improve it through best practices, we are happy to step forward
and to do that. But I want to reassure this committee that it
is not the Wild West out there. There is not a lot of concern
among educators and people directly involved in the business of
educating children that a lot of information is being used for
marketing purposes. I want you to pay attention to the comment
that Professor Reidenberg just made. He has no evidence that
this is actually happening.
His evidence is that the contracts don't prohibit it. It is
against Federal law to take student information and to use it
for non-educational marketing purposes----
Ms. Bonamici. I think my--I see my time has expired. I do
see we have some work to do in, perhaps, defining educational
purposes. Thank you.
I yield back the balance of my time.
Mr. Murray. Mr. Chairman, do you mind if I say something
quickly on that topic?
Mr. Meehan. I thank the gentlelady. No, you may finish, Mr.
Murray, if you have a comment on that.
Mr. Murray. Sure. I would also urge caution here. Because
the information that we are collecting, that we are using with
third parties is very rarely comprehensive in terms of what we
are transferring. I can think of three cases. Student
information system, medical information and, for instance,
something like an on-line registration. Which are all highly
encrypted. When I had signed a contract saying we will not sell
and not be able to. A lot of this free stuff that are out
there, most cases we are giving generic user names and
passwords.
There is not actually anybody in even my district that
could figure out who the child is on any of this free software
or any of those free apps. Their user name might have been
classroom 32, student 1. You can't do anything with that data.
I do think we need to look at contracts and how important that
is. But school districts are adamant that they are very careful
with the information. This is not, I would agree, the Wild,
Wild West in that sense that teachers and districts use very
much caution in terms of anything related to student data
anywhere, with the exception of the student information system
where we must have it, which is highly secure, highly
encrypted.
Mr. Meehan. Thank you. Thank you, Mr. Murray.
I am just gonna recognize myself for some closing
questions. Because I promised that I would get back to Mr.
MacCarthy and give him a chance to address some of this issue
if he believes he didn't have an opportunity.
I am--I ask you, and appreciate that there are checks and
balances on some aspects of this thing. But I am concerned, as
well, as was identified when you said there is no need for
future legislation. The limits, because there are places in
which there are always smart people that find ways around the
structure.
So when you have, perhaps, a vendor that has information,
the question is where--what is it--a source of that
information. What capacities do you have to rein in that
vendor? Because FERPA protects your right of action against the
school district, so to speak. So I look at--the question I ask
is, a lot of teachers are using these perhaps outside the scope
of, you know, the direction of the traditional things, or
getting a lesson plan or something. The students are signing,
and then that kind of private information isn't necessarily an
educational record.
But the third-party vendor now owns that information. If
you want to bring a right of action to say, hey, don't use it
inappropriately, under FERPA the only thing we can do is punish
the school district. So where is the--how do you address that
issue? But I also appreciate what are the checks and balances
that you are seeing that are working, that are controlling
abuses of this kind of process?
Mr. MacCarthy. So first point is that vendors, providers of
services to school, are covered by FERPA. The statute that
creates the school official exception reads, ``A contractor is
subject to the requirements of FERPA's nondisclosure rules. A
contractor that violates the FERPA rules is subject to
suspension of its provision of services for up to 5 years.'' So
the legal framework is there.
Mr. Meehan. But didn't the Supreme Court itself say that
homework assignments aren't subjected to that? Couldn't there--
what is more intimate than the ability of some third party to
understand the calculations that my child is making on the very
math programs they are working on that third-party vendor's
software?
Mr. MacCarthy. Educators and school providers are not
looking for ways to circumvent the protections of FERPA. What
they are looking to do is to provide good service to students
and to teachers and to schools. They treat the Personally
Identifiable Information they get from schools and from
students as if it deserved and should receive the fullest
possible privacy protection.
Mr. Meehan. Mr. MacCarthy, that is a--I believe what you
are saying, but that is a sweeping comment. Because we are
talking about third-party vendors, and the fact is there is an
awful lot of very responsible third-party vendors who
completely share the same objectives. In fact, have invested
in--you know, the Gates Foundation and others have invested in
the best ways to teach. We don't want to stifle that. But we
also know that there are third-party vendors out there who are
looking at finding consumer information, any access they can
get to something that helps them.
So what is the protection against when my child is swiping
his card to see what he eats to make sure that he doesn't get
free--you know, free things from Coca-Cola?
Mr. MacCarthy. On that particular point, FERPA recently
issued some guidance. They said explicitly that a service
provider such as a cafeteria provider or an e-mail provider is
prohibited by Federal law from providing targeted advertising
to the students based on the information it collects as part of
its school service. It is currently illegal to do that, and the
Department of Education just released that advice in February
of this year.
Mr. Meehan. Mr. Reidenberg, do you have any comment with
regard to whether there are other--to that information, or
whether there are other gaps in the system?
Mr. Reidenberg. Yes. I think--I mean, a whole host. To that
specific point, it is guidance, it is not regulation. The
Department did not go through an Administrative Procedure Act
regulatory process. It is wrong on the law. I think that the
gaps are astounding. Twenty-five percent of the--these kinds of
services are offered at a premium to the school; 25 percent of
the contracts we saw. That means they are monetizing the data
somehow. That monetization is not going to be coming from
educational benefits targeted to particular children.
We have seen this with Google Apps for Education. They
represented they weren't data mining e-mail, student e-mail.
Turns out they were. That came out in a lawsuit. I think right
now we are at a point where we need to modernize FERPA and we
need to modernize it. There are a series of steps that have to
take place for--has to apply to all student information. It has
to mandate notice to parents, public disclosure, of these
arrangements that just don't exist right now. What the
educational uses are.
I can give you further points, I think. That school
districts have to have written contracts with specific
prohibitions. I disagree quite strongly with the statement Mr.
MacCarthy just made about the applicability of FERPA to
vendors. I don't think that is what the statute says. If he and
I can each disagree on something like that, I think that may
suggest it is time for Congress to take a look at what the
statute means. States need to have chief privacy officers.
There are a lot of districts out there that don't have the
resources to address these issues and these problems.
They need guidance, they need it desperately. There need to
be remedies. Right now, there are no remedies. We have a long
tradition in this country that we sort out some of these
problems through private actions. Well, today we have no
mechanism for that. If any of the--if an irresponsible vendor
out there does something grossly inappropriate with student
information there is no remedy. The parents, the families, they
have no remedy whatsoever----
Mr. Meehan. Okay. Well, I thank you, Mr. Reidenberg.
I just wanted to ask one thing. Ms. Popp, you have worked
very diligently as a system, a State system, to look at the
square of this issue and try to--have you built in protections
against the kinds of things Mr. Reidenberg is pointing out, or
are those gaps still there?
Ms. Popp. From Idaho's perspective, I believe we have
worked very diligently to build in the safeguards. I think
awareness is absolutely the key, and training and working with
the school districts, to Mr. Reidenberg's point. In Idaho, we
have many rural and remote districts. They may not have the
resources. I think this is one time that the State can step in
at a State level and help them understand what they need to
have in place and the safeguards. All school districts within
the State of Idaho have school boards, and those school boards
do have representation from their own legal counsel for the
most part.
There may be one or two that does not. However, again,
doing the diligent training on what a good contract looks like,
helping them understand the protections of the data and, to Mr.
Murray's point, putting in the technology protections of the
encryption any time data is transferred is key to making this
work.
Mr. Meehan. Well, I thank you. I think one panelist has one
more question.
Mr. Rokita.
Mr. Rokita. Thank you. This will be pretty quick. In fact,
let the record reflect that of my 5 minutes, 3 has been used
already. So with that, let me just again thank the witnesses.
Appreciate even more Idaho's approach. State by State, this is
still, I think, the way to go for this. Lacking a
Constitutional basis otherwise. There may be one, but that is
for another hearing on another day.
We have talked about FERPA a lot. But you, Mr. MacCarthy,
mentioned some other pieces of legislation, some acts. The
Children's Online Privacy Protection Act, correct? You said
that requires parents' permission before the use of data. But
you also said that it only applies to children up to the age of
13. Can you reconcile the two, or what?
Mr. MacCarthy. You stated it accurately. It is designed to
protect children in the on-line context.
Mr. Rokita. So after 14.
Mr. MacCarthy. After 14 it does not apply.
Mr. Rokita. After 13. Okay, I just wanted to clear that up.
So it is not a--it is not a total solution either, is it?
Mr. MacCarthy. It protects children. Its aim is to protect
children. Teenagers are out from under its coverage. The
remaining protections of FERPA, the FERPA protection,
contractual protection is the best practices. Those still stay
in place. COPPA's aimed at children 13 and under.
Mr. Rokita. Okay, thank you. While it is acknowledged, and
certainly came out in the testimony today, that FERPA does not
recognize a private right of action, there still is a common
law contractual breach right of action. Yes or no, Mr.
Reidenberg?
Mr. Reidenberg. Only with respect to the school district.
If the provision is in the contract between the district and
the vendor, the district would be able to enforce the contract.
The victim child and family, at best, would be a third-party
beneficiary and would very likely have great difficulty
bringing any sort of action. Again, that is assuming the
contract includes a protection--an underlying protection in the
first place.
Mr. Rokita [continuing]. Which goes to my earlier question.
It may be a legal malpractice case, but that is a stretch, too.
Mr. MacCarthy. Mr. Chairman, just to be clear. One of the
reasons to work with Joel and with other people to make sure
that the contracts contain the appropriate provisions is
precisely to create this extra enforcement mechanism. We are
all looking forward to that.
Mr. Rokita. But you are not for private right of action.
Mr. MacCarthy. I don't think a private right of action
would be appropriate. But I do think the ability for the
schools to go into court and enforce against vendors who do the
wrong thing using contractual violations would be a good thing.
Mr. Rokita. How would you measure damages?
Mr. MacCarthy. I don't have a good answer for that.
Mr. Rokita. See, that is a problem, too. Unless you have
some statutory damages built in, like Idaho did, right? Which
you support.
Mr. MacCarthy. That would be a step in the right direction
at the State level.
Mr. Rokita. You being Mr. MacCarthy for the purposes of the
record. Ten more seconds.
Mr. Reidenberg. Mr. Chairman, I was just going to say for a
school district to enforce a contract, as a former school board
member if I am facing an instance where there is some sort of
breach that takes place, and I have to decide to devote $50,000
to $100,000 of taxpayer money to litigate that, that is gonna
be a hard decision for local school boards to be making. So
again, if it is total reliance on the school board protecting
their children's privacy it may be a very difficult thing to do
where the harm is particularized to just a couple families.
Mr. Rokita. Mr. Chairman, thank you again for your
leadership with this hearing.
I yield back.
Mr. Murray. Mr. Chairman, can I respectfully--one more--one
last comment?
Mr. Meehan. Go ahead, Mr. Murray.
Mr. Murray. I heard today a lot about vendors. I have heard
today a lot about third parties. Privacy is absolutely real. My
encouragement is to hold the expectation high for all of them
to build in safeguards at the State level, like Ms. Popp
eloquently shared. School districts need to be transparent, and
transparent with their families in what they are collecting and
what they are doing with that data. But what we cannot have
happen is that we cannot stifle the incredible innovation that
is going on with personalized learning and the awesome teachers
we have in our Nation.
Thank you.
Mr. Meehan. Well, thank you, Mr. Murray. You got the last
word, and a good one it was. But I think the last word on what
was a very invigorating presentation by the panel.
I want to thank my colleagues for their very genuine
interest in this particular issue. I want to thank you, the
panelists, who I know are continuing to work out there in the
field for your work. We will monitor your continuing work. I
thank you for the efforts that you all put, as well, into the
education of our next generation of children.
The Members of the committee may have some additional
questions for the witnesses. If, in fact, they do go we would
ask that you would do your best to be responsive in writing. I
thank you again for all of your testimony. Without objection,
the subcommittee stands adjourned.
[Whereupon, at 12:41 p.m., the subcommittees were
adjourned.]