[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
HOW EMERGING TECHNOLOGY AFFECTS
STUDENT PRIVACY
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON EARLY CHILDHOOD,
ELEMENTARY, AND SECONDARY EDUCATION
COMMITTEE ON EDUCATION
AND THE WORKFORCE
U.S. House of Representatives
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
HEARING HELD IN WASHINGTON, DC, FEBRUARY 12, 2015
__________
Serial No. 114-2
__________
Printed for the use of the Committee on Education and the Workforce
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web:
www.gpo.gov/fdsys/browse/
committee.action?chamber=house&committee=education
or
Committee address: http://edworkforce.house.gov
___________
U.S. GOVERNMENT PUBLISHING OFFICE
93-208 PDF WASHINGTON : 2016
_________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON EDUCATION AND THE WORKFORCE
JOHN KLINE, Minnesota, Chairman
Joe Wilson, South Carolina Robert C. ``Bobby'' Scott,
Virginia Foxx, North Carolina Virginia
Duncan Hunter, California Ranking Member
David P. Roe, Tennessee Ruben Hinojosa, Texas
Glenn Thompson, Pennsylvania Susan A. Davis, California
Tim Walberg, Michigan Raul M. Grijalva, Arizona
Matt Salmon, Arizona Joe Courtney, Connecticut
Brett Guthrie, Kentucky Marcia L. Fudge, Ohio
Todd Rokita, Indiana Jared Polis, Colorado
Lou Barletta, Pennsylvania Gregorio Kilili Camacho Sablan,
Joseph J. Heck, Nevada Northern Mariana Islands
Luke Messer, Indiana Frederica S. Wilson, Florida
Bradley Byrne, Alabama Suzanne Bonamici, Oregon
David Brat, Virginia Mark Pocan, Wisconsin
Buddy Carter, Georgia Mark Takano, California
Michael D. Bishop, Michigan Hakeem S. Jeffries, New York
Glenn Grothman, Wisconsin Katherine M. Clark, Massachusetts
Steve Russell, Oklahoma Alma S. Adams, North Carolina
Carlos Curbelo, Florida Mark DeSaulnier, California
Elise Stefanik, New York
Rick Allen, Georgia
Juliane Sullivan, Staff Director
Denise Forte, Minority Staff Director
--------
SUBCOMMITTEE ON EARLY CHILDHOOD, ELEMENTARY, AND SECONDARY EDUCATION
TODD ROKITA, Indiana, Chairman
Duncan Hunter, California Marcia L. Fudge, Ohio,
Glenn Thompson, Pennsylvania Ranking Minority Member
Dave Brat, Virginia Susan A. Davis, California
Buddy Carter, Georgia Raul M. Grijalva, Arizona
Michael D. Bishop, Michigan Gregorio Kilili Camacho Sablan,
Glenn Grothman, Wisconsin Northern Mariana Islands
Steve Russell, Oklahoma Suzanne Bonamici, Oregon
Carlos Curbelo, Florida Mark Takano, California
Katherine M. Clark, Massachusetts
C O N T E N T S
----------
Page
Hearing held on February 12, 2015................................ 1
Statement of Members:
Rokita, Hon. Todd, Chairman, Subcommittee On Early Childhood,
Elementary, and Secondary Education........................ 1
Prepared statement of.................................... 2
Fudge, Hon. Marcia, L., Ranking Member, Subcommittee On Early
Childhood, Elementary, and Secondary Education............. 3
Prepared statement of.................................... 4
Statement of Witnesses:
Sevier, Shannon, Vice President for Advocacy, National Parent
Teacher Association, San Antonio, TX....................... 06
Prepared statement of.................................... 08
Knox, Allyson, Director of Education Policy and Programs,
Microsoft, Washington, DC.................................. 10
Prepared statement of.................................... 12
Abshire, Sheryl, R., Chief Technology Officer, Calcasieu
Parish Public Schools, Lake Charles, LA,................... 20
Prepared statement of.................................... 22
Reindenberg, Joel, R., President, Stanley D. and Nikki
Waxberg chair and Professor of Law, Founding Academic
Director, Center on Law and Information Policy, Fordham Law
School, New York, NY....................................... 27
Prepared statement of.................................... 29
Additional Submissions:
Dreiband, Eric, Partner, Jones Day, Washington, DC:..........
Prepared statement of.................................... 66
HOW EMERGING TECHNOLOGY AFFECTS STUDENT
PRIVACY
----------
Thursday, February 12, 2015
House of Representatives,
Subcommittee on Early Childhood, Elementary,
and Secondary Education,
Committee on Education and the Workforce,
Washington, D.C.
----------
The subcommittee met, pursuant to call, at 11:15 a.m., in
Room 2175, Rayburn House Office Building, Hon. Todd Rokita
[chairman of the subcommittee] presiding.
Present: Representatives Rokita, Thompson, Carter, Bishop,
Grothman, Russell, Curbelo, Fudge, Davis, Bonamici, and Clark.
Also present: Representatives Kline, Messer, Scott, and
Polis.
Staff present: Lauren Aronson, Press Secretary; Janelle
Belland, Coalitions and Members Services Coordinator; Nancy
Locke, Chief Clerk; Daniel Murner, Deputy Press Secretary;
Krisann Pearce, General Counsel; Jenny Prescott, Legislative
Assistant; Mandy Schaumburg, Education Deputy Director and
Senior Counsel; Alissa Strawcutter, Deputy Clerk; Tylease Alli,
Minority Clerk/Intern and Fellow Coordinator; Austin Barbera,
Minority Staff Assistant; Jacque Chevalier, Minority Senior
Education Policy Advisor; Eamonn Collins, Minority Education
Policy Advisor; Denise Forte, Minority Staff Director; Melissa
Greenberg, Minority Labor Policy Associate; Christian Haines,
Minority Education Policy Counsel; Ashlyn Holeyfield, Minority
Education Policy Fellow; and Brian Kennedy, Minority General
Counsel.
Chairman Rokita. Well, good morning. And welcome to the
first hearing of the Subcommittee on Early Childhood,
Elementary, and Secondary Education in the 114th Congress.
I would like to thank our witnesses for joining us today.
We appreciate the opportunity to learn from you about how
emerging technology in the classroom affects student privacy.
And Ms. Fudge, before we begin, I want to take a moment to
congratulate you on being selected by your colleagues to be the
ranking member of this subcommittee. I anticipate that we are
gonna hear a lot from each other, work well together. And I
look forward to doing that with you.
Ms. Fudge. Thank you.
Chairman Rokita. Forty years ago, Congress enacted the
Family Educational Rights and Privacy Act, otherwise known
around these parts as FERPA. It was meant to safeguard
students' educational records and ensure parents had access to
their children's information. The law established the
circumstances under which the record could be shared, giving
parents the peace of mind that with few exceptions, that their
child's academic performance and other personally-identifiable
information would be under their kid's school's lock and key.
As a father of two young boys, I can appreciate why parents
may not have that same confidence today. Despite the advent of
computers, the internet, wifi, cloud services, et cetera, the
law has not been significantly updated since its introduction
in 1974. As a result, student privacy--the very information
FERPA was intended to protect--may be at risk.
As administrators, teachers, and students continue using
emerging technology to track everything from test results to
bookstore purchases, parents and students are vulnerable to the
inappropriate use of student data, often without their
knowledge or consent. New devices, platforms, programs, and
services have enabled educators to better understand the
behavioral and educational needs of each student and tailor
individual learning plans accordingly. I think that is amazing
progress.
They have assisted researchers in developing new solutions
to improve class room reduction, and they have provided
families with more educational options by facilitating distance
and blended learning opportunities. Technology organizations
and policymakers have taken steps to strengthen student privacy
protections. And that is appreciated. However, these efforts
have not addressed rules under which schools must operate as
the guardians of student data.
So unless Congress updates FERPA and clarifies what
information can be collected, how that information can be used,
and if that information can even be shared, student privacy
will not be properly protected. We welcome your thoughts on how
this committee can update FERPA for the 21st Century, improve
parental involvement, and hold bad actors accountable.
Modernizing student privacy protections without undermining
opportunities to improve student achievement is no small task,
as everyone here understands. But we owe it to our students and
parents to work together to find that proper balance. So I look
forward to hearing from you and from my colleagues on this
important issue.
And with that, I welcome and recognize our subcommittee's
ranking member, again, my colleague, Congresswoman Fudge, for
her opening remarks.
[The statement of Chairman Rokita follows:]
Prepared Statement of Hon. Todd Rokita, Chairman, Subcommittee on Early
Childhood, Elementary, and Secondary Education
Good morning, and welcome to the first hearing of the Subcommittee
on Early Childhood, Elementary, and Secondary Education in the 114th
Congress. I'd like to thank our witnesses for joining us today. We
appreciate the opportunity to learn from you about how emerging
technology in the classroom affects student privacy.
Ms. Fudge, before we begin, I want to take a moment to congratulate
you on being selected by your colleagues to serve as ranking member of
this subcommittee. I anticipate we will have many robust conversations
on key issues, and I am looking forward to working together on policies
that will help our children succeed in school and in life.
Forty years ago, Congress enacted the Family Educational Rights and
Privacy Act, or FERPA, to safeguard students' educational records and
ensure parents had access to their children's information. The law
established the circumstances under which the records could be shared,
giving parents the peace of mind that, with few exceptions, their
child's academic performance and other personally identifiable
information would be under the school's lock and key.
As a father of two young boys, I can appreciate why parents may not
have that same confidence today. Despite the advent of computers, the
Internet, Wi-Fi, and cloud services, the law has not been significantly
updated since its introduction in 1974. As a result, student privacy,
the very information FERPA was intended to protect, may be at risk.
As administrators, teachers, and students use emerging technology
to track everything from test results to bookstore purchases, parents
and students are vulnerable to the inappropriate use of student data -
often without their knowledge or consent.
New devices, platforms, programs, and services have enabled
educators to better understand the behavioral and educational needs of
each student and tailor individual learning plans accordingly. They
have assisted researchers in developing new solutions to improve
classroom instruction. And they have provided families with more
educational options by facilitating distance and blended learning
opportunities.
Technology organizations and policymakers have taken steps to
strengthen student privacy protections. However, these efforts have not
addressed rules under which schools must operate as the guardians of
student data. Unless Congress updates FERPA and clarifies what
information can be collected, how that information can be used, and if
that information can be shared, student privacy will not be properly
protected.
We welcome your thoughts on how this committee can update FERPA for
the 21st century, improve parental involvement, and hold bad actors
accountable. Modernizing student privacy protections without
undermining opportunities to improve student achievement is no small
task, but we owe it to students and parents to work together to find
the proper balance. I look forward to hearing from you and from my
colleagues on this important issue.
With that, I will now recognize the ranking member, Congresswoman
Fudge, for her opening remarks.
______
Ms. Fudge. Thank you very much, Mr. Chairman. And I thank
all of you for being here today. Look forward to hearing your
testimony.
I certainly want to recognize the ranking member of the
full committee who has joined us, Representative Scott, from
Virginia.
And I want to say to the chairman, indeed I do hope that we
can have some very productive meetings and discussions. This is
a very timely topic. I thank you for calling this hearing.
I do though find it unfortunate that it is our first
hearing after we had a 10-hour mark up yesterday on ESEA. And
with that, to you, more than ever before, technology does play
an essential role in educating our nation's children, enhancing
learning and empowering educators with more and better
information to meet the individual needs of their students.
Gone are the days when education was supported by
flashcards and workbooks. Today's students use electronic
tablets and smartphone apps, online study tools, and various
other technological resources to aid them in their studies.
Teachers have the ability to extend learning beyond the
classroom using online learning platforms to share multimedia
resources and engage parents in their children's learning.
New educational technology generates information that can
be instrumental in improving a student's learning experience.
The data from these tools allow teachers to more accurately
assess student progress and provide interventions to ensure
children are learning.
Data can also assist schools in making district strategy
and curriculum decisions. Many states now use longitudinal data
systems to link student achievement data from pre-K through
grade 12, or even through entrance into the workforce, enabling
district and state leaders to make informed, data-driven policy
decisions.
While the use of technology in education continues to
expand, we must take the necessary steps to protect the privacy
and the data of students and their families. The Family
Educational Rights and Privacy Act was enacted 40 years ago to
address concerns about privacy in a time of paper student
records. Innovative new educational technology tools capture
large amounts of student data. And many districts now contract
with private vendors to use online, cloud-based storage for
students. I see some of those very vendors here today.
Congress must ensure student data is being used only for
defined educational purposes and cannot be sold or used for
private companies' financial gain. Parents should know who has
access to student data and how it is being used and protected.
And teachers and school leaders need to understand how to
properly protect student information while taking advantage of
the powerful digital learning tools at their disposal.
As we examine FERPA, we need to balance privacy and
innovation. Students, teachers, and parents need to feel
comfortable that student data is protected. At the same time,
we need to be careful not to limit the advancement of new
educational technologies, restrain educators' ability to
accurately assess student learning, or stifle research and
development of effective instruction tools.
I look forward to hearing from our witnesses. Mr. Chairman,
I yield back.
Prepared Statement of Hon. Marcia L. Fudge, Ranking Member,
Subcommittee on Early Childhood, Elementary, and Secondary Education
More than ever before, technology plays an essential role in
educating our nation's children, enhancing learning and empowering
educators with better information to meet the individual needs of their
students.
Gone are the days when education was supported by flashcards and
workbooks. Today's students use electronic tablets and smartphone apps,
online study tools, and various other technological resources to aid
them in their studies. Teachers have the ability to extend learning
beyond the classroom, using online learning platforms to share
multimedia resources and engage parents in their children's learning.
New educational technology generates information that can be
instrumental in improving a student's learning experience. The data
from these tools allow teachers to more accurately assess student
progress and provide interventions to ensure children are learning.
Data can also assist schools in making district strategy and
curriculum decisions. Many states now use longitudinal data systems to
link student achievement data from pre-k through grade 12, or even
through entrance into the workforce, enabling district and state
leaders to make informed, data-driven policy decisions.
While the use of technology in education continues to expand, we
must take the necessary steps to protect the privacy and the data of
students and their families.
The Family Educational Rights and Privacy Act (FERPA) was enacted
40 years ago to address concerns about privacy in a time of paper
student records. Innovative new educational technology tools capture
large amounts of student data and many districts now contract with
private vendors to use online cloud-based storage for student data.
Congress must ensure student data, is being used only for defined
educational purposes, and cannot be sold or used for private companies'
financial gain. Parents should know who has access to student data and
how it is being used and protected. And teachers and school leaders
need to understand how to properly protect student information while
taking advantage of the powerful digital learning tools at their
disposal.
As we examine FEPRA, we need to balance privacy and innovation.
Students, teachers, and parents need to feel confident that student
data is protected. At the same time, we need to be careful not to limit
the advancement of new educational technologies, restrain educators'
ability to accurately access student learning, or stifle research and
development of effective instructional tools.
I look forward to hearing from our witnesses. Thank you.
______
Chairman Rokita. Thank the gentlelady. Pursuant to
Committee Rule 7(c), all members will be permitted to submit
written statements to be included in the permanent hearing
record. And without objection, the hearing record will remain
open for 14 days to allow such statements and other extraneous
material referenced during the hearing to be submitted for the
official hearing record.
It is now my pleasure to introduce our distinguished
witnesses for today. First we have Shannon Sevier. All right.
Not off to a good start. Sevier. Shannon Sevier--thank you--has
been a PTA member for 14 years. As vice president for advocacy,
she needs advocacy efforts for the national PTA positions at
federal, state, and local levels. Welcome.
Next, we have Allyson Knox, who is the director of
education policy and programs at Microsoft. In her 10 years at
Microsoft, she has focused on stem, computer science, education
and technology, and student privacy issues. Welcome to you, as
well.
Next, we have Sheryl Abshire, who is the chief technology
officer for the Calcasieu Parish Public Schools in Lake
Charles, Louisiana. For over 40 years, Dr. Abshire has worked
as a chief technology officer, school principal, K through 5
teacher, a library media specialist, classroom teacher, and
university professor. She was the first teacher inducted into
the National Teacher's Hall of Fame. Thank you for being here.
Next, we have Joel Reidenberg. He is the Stanely D. and
Nikki Waxberg Chair in law and professor of law at Fordham
University, where he directs the center on law and information
policy. Reidenberg publishes regularly on both information
privacy and on information technology law and policy. Mr.
Reidenberg, welcome back. I understand this is at least your
third time testifying.
Mr. Reidenberg. Thank you.
Chairman Rokita. I will now, in conformance with our rules,
ask our witnesses to stand and raise your right hand.
[Witnesses sworn.]
Let the record reflect that the witnesses answered in the
affirmative.
And before I recognize each of you to provide your
testimony, let me briefly explain our lighting system. You will
each have 5 minutes to present your testimony. During the first
4 minutes of that, the light will be green. The last minute it
will be yellow. And then if it turns red, I will be forced to
use the gavel, which we have never had to do. At all. Ever. So
I am sure it won't happen today.
So with that being said and understood, Ms. Sevier, you are
recognized for 5 minutes.
TESTIMONY OF MS. SHANNON SEVIER, VICE PRESIDENT FOR ADVOCACY,
NATIONAL PARENT TEACHER ASSOCIATION, SAN ANTONIO, TEXAS
Ms. Sevier. National PTA thanks Chairman Rokita and Ranking
Member Fudge for the opportunity to submit testimony to the
Committee on Education and the Workforce. On behalf of the
National Parent Teacher Association, I express my appreciation
for holding a hearing to discuss emerging technology and
student data privacy.
My name is Shannon Sevier, vice president of advocacy for
the National PTA, past European PTA president, and proud mother
to Ryley, MacKenzie, Meraleigh, Ryan, and Hanna.
Founded in 1897, PTA is the oldest and largest volunteer
child advocacy association in the United States. For more than
118 years, we have worked side by side with policymakers at
every level to improve the lives of our nation's children. With
more than 4 million members and 22,000 local units in every
U.S. state, D.C., Puerto Rico, the Virgin Islands, and Europe,
PTA continues to be a powerful voice by advocating for federal
policies to improve educational equity and opportunity for all
children.
With access to so many families, PTA also recognizes our
responsibility to our membership to approach changes in
education policy through engagement and outreach and to
recognize that true advocacy is achieved through stakeholder
consensus and collaboration. National PTA has long been a vocal
advocate of keeping kids safe; safe at school, safe at home,
and same online.
The National PTA's position statement on technology safety
clearly states National PTA opposes the practice of collecting,
compiling, selling, or using children's personal information
without giving parents notification or choice with respect to
whether and how their children's personal information is
collected and used.
The National PTA takes student data privacy seriously and
believes we should strive to guarantee the effective use of
students' information, while keeping that information
protected. While student data management has changed, parents'
and students' expectation of privacy has not. And as such,
National PTA has made safeguarding student data a key pillar of
our overall policy agenda.
The Administration has also called attention to this issue,
announcing its support of what it calls the Student Digital
Privacy Act, which would build upon the basic language of
record management release and review offered by the Family
Educational Rights and Privacy Act, or FERPA. This law was
written in 1974 with the intent to protect the privacy of
student educational records and includes a parental consent
provision.
Over the past 40 years, however, the concept of privacy has
evolved from the right of direct control to an individual's
right to control the information they have entrusted to others.
This wrinkle in control requires subsequent change to student
data privacy policy.
Entities collecting educational data should seek to provide
value back to the people on whom data are being collected. Our
children's data, our children's privacy, should not be treated
as a product or commodity. Until now, the collection and use of
student data could not be feasibly used to target advertising
or mass profiles by third party vendors. The use of student
data for other than educational purposes was not contemplated
on a large commercial scale. FERPA provisions must be updated
to address the privacy concerns presented through such use.
In addition, we are seeing this data collected and stored
in a different fashion heretofore not addressed by FERPA. State
by state, we see the construction of longitudinal data systems
that hold hundreds or even thousands of pieces of data related
to individual students. Typically, demographic, enrollment,
curriculum choice, test performance, and grade information. The
extent to which this information constitutes a student's legal
educational record is unclear, as are the policies for
protecting student data through cloud-based computing.
Current policy also begs the questions, who owns the data
and who is responsible for the management of the data? Has the
data been selected ethically with full consent and
notification? And what constitutes sufficient notice in the
case of breaches or unauthorized releases of data?
Parents, as their child's first educator, play a unique
role in education reform. Whether big or small, reform will be
unsustainable without the buy-in of these key stakeholders.
National PTA remains committed to engaging parents, to
guaranteeing students have safe and secure access to technology
in the classroom, and committed to supporting policies that
ensure responsible management of student records, digital or
otherwise.
National PTA commends the committee for holding this
hearing and highlighted the need for sound federal policy that
balances the promise of educational technologies with student
data, privacy, and security.
Thank you.
[The testS NOT AVAILABLE IN TIFF FORMAT]
Rokita. Thank you for your testimony.
Ms. Knox, you are recognized for 5 minutes.
TESTOMONY OF MS. ALLYSON KNOX, DIRECTOR OF EDUCATION POLICY AND
PROGRAMS, MICROSOFT, WASHINGTON, D.C.
Ms. Knox. Thank you, Chairman Rokita, Ranking Member Fudge,
and members of the subcommittee for inviting me to testify
today. My name is Allyson Knox. For 10 years I worked in the
fields of education, workforce development, and economic
development at the local, regional, and state levels in
Michigan. I have worked at Microsoft for 10 years, and
currently serve as the director of education policy. I am
pleased to be here today to discuss this important issue of
student privacy.
Microsoft believes students must be protected. Student data
belongs to students and their parents. And students are not
commodities to be monetized through advertising. Over the past
year, revelations of government surveillance, highly-publicized
data breaches, and other stories of personal data being used
inappropriately have dominated the media. Microsoft, a provider
of education technology, continues to balance education
objectives, as well as privacy and safety expectations.
For many years, schools have been increasing the use of
technology in the classroom because it transforms education. It
enables personalized instruction, and it helps students learn.
Schools that use cloud-based services rather than maintaining
and updating their own on-site servers, they save money and can
access the latest technology. Cloud computing allows teachers
and students to access their documents and communications, such
as email, anywhere from almost any device, enabling learning
any time and anywhere.
We have seen great changes on the technology side. But the
primary federal law focused on protecting student privacy, the
Family Educational Rights and Privacy Act, or FERPA passed in
1974 has not kept pace with these changes.
Think back to a classroom in 1974. I think we can all
remember student data being collected and stored in an old-
fashioned way on paper forms sent home with kids and stored in
school filing cabinets.
The world of information storage and sharing has certainly
changed. In almost all schools, information about a student is
stored digitally, and it can be accessed through the school's
internet or the open internet. The data is portable and often
not deleted when the student graduates from high school.
There are obvious difficulties with the law that is 4
decades old. And there are three areas to consider. First, it
is questionable whether FERPA covers email stored in a cloud.
As a result, some interpretations are that FERPA applies to
cloud-based email for faculty, but not for students, and that
FERPA doesn't apply to most third-party online courses. FERPA
would benefit from an update to reflect these new types of
technologies.
Second, FERPA was written to apply only to educational
institutions. It should be updated to prohibit third parties
from using data for targeted advertising or for building
profiles to advertise to students after they leave school.
And third, FERPA's primary sanction is the denial of
federal funds to school. This all-or-nothing enforcement
penalty is so draconian that it has never been used. As a
result, FERPA provides no real incentive for technology
providers to improve data privacy practices. The time has come
to do the difficult work of revising this law to bring it to
the 21st Century.
And in the absence of federal action to update FERPA,
states have taken this issue into their own hands. This year,
already over 100 student privacy bills have been introduced in
32 states. It is becoming more and more difficult to interpret
and comply with the patchwork of federal and state laws on this
issue, even for a company of our size.
Microsoft and other technology companies have also moved
forward on their own to set a higher standard for protecting
student data. Last October, Microsoft was one of the 14
original signatories of a detailed and voluntary industry
pledge, led by Representatives Messer and Polis, about how to
protect student privacy. Today, the pledge has over 100
signatories.
Under the student privacy pledge, school service providers
promised to not sell student information, not target advertise
to students, use data for authorized education purposes only;
and there are 5 other points, but I am running out of time. The
pledge has been influential and beneficial, but Microsoft
believes that signing it is only part of what must be done to
help inform schools and parents on how to protect student data.
It is for this reason that Microsoft has worked closely with
key lawmakers and national education associations to help
inform and educate stakeholders about the student privacy
issue.
Again, I thank you for this opportunity to come before you
today to discuss these important issues, and I look forward to
answering any questions.
[The testimony of Ms. Knox follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Rokita. Thank you for your testimony.
Dr. Abshire, you are recognized for 5 minutes.
TESTIMONY OF DR. SHERYL R. ABSHIRE, CHIEF TECHNOLOGY OFFICER,
CALCASIEU PARISH PUBLIC SCHOOLS, LAKE CHARLES, LOUISIANA
Ms. Abshire. Yes, sir. Thank you, Chairman Rokita, Ranking
Member Fudge, and members of the subcommittee for inviting me
to testify about technology's impact on student privacy and
confidentiality.
For over 40 years, I have served the Louisiana Public
Schools as a teacher, school librarian, principal, and
technology leader. I now serve as the chief technology officer
of the Calcasieu Parish schools in Lake Charles, Louisiana. And
I am also a member of the Consortium for School Networking,
CoSN, the national professional organization for school tech
leaders.
I appreciate this opportunity to discuss how our district
uses technology to support teaching and learning and to share
our strategy for balancing effective technology and data use
with strong student data privacy protections.
Technology and data use plays a central role in our
district's strategy for supporting teaching and learning, as
well as in improving the system's planning, evaluation, and
continual improvement. Equipped with the right technology,
high-quality professional development, and appropriate data,
our teachers tailor individualized instruction, engage
students, and deliver rich digital resources. Our district also
equips parent and guardians with the data they need to monitor,
understand, and support their children's educational progress.
Using technology to provide the right people with the right
data at the right time is critical to effective decision making
at the classroom, school district, and state levels. We believe
robust data sharing, however, must be complemented by well-
designed strategies and practices to protect student privacy
and ensure confidentiality.
Our district has taken an aggressive and comprehensive
approach to assuring student privacy. We have created extensive
data-sharing training materials, and all employees in the
district have participated in training sessions. Upon
completion of this required training every year, each district
employee signs a statement of assurances. This process is based
on CoSN's protecting privacy in a connected learning toolkit
that we produced in partnership with the Harvard Law School.
And the best part, it is free to all school districts.
The Calcasieu Parish Public Schools strongly emphasize both
appropriate technology and secure and safe data use, including
using this data to develop a greater understanding of student
needs, and then tailoring instruction delivery of resources to
help them succeed. Over the past 3 years, our district has
developed a leading edge data warehouse and data dashboard to
provide our teachers and school leaders with timely, targeted
information; the information they need to support improving
learning.
Based on my experience in the Calcasieu Parish Schools, I
urge Congress to proceed very cautiously with new federal
privacy requirements. We want to ensure that any contemplated
legislation doesn't impede this type of powerful instructional
data use.
We also work with all of our vendor partners that use any
student data as part of learning or assessment. We require them
to certify their compliance with our data usage policy. And our
state law reasonably addresses data sharing with vendors and
requires them to sign contracts specifying the limited purposes
for which the student information can be used.
Our district believes that our teachers and school leaders
and parents must be equipped with the right technology and the
knowledge about how to use the student data and protect--to use
it with fidelity to implement best practices. We provide this
regularly-targeted professional development designed to equip
our educators and school leaders with this knowledge they need
to use to, most importantly, improve student outcomes, and
including training them with privacy and security practices.
However, additional federal investments in technology and
student-focused privacy professional development, including the
Enhancing Education Through Technology program is urgently
needed. I would encourage Congress to support the President's
fiscal year 2016 request. Unfortunately, for school districts,
this program hasn't been funded since 2011.
Our district also prioritizes communicating with
stakeholders to convey the value of this data in teaching,
learning, and decision making. All of this information is made
readily available to parents and the entire community on our
district web page. Transparency builds trust with our
communities. And that is why I hope Congress will consider
strategies that encourage districts to promote data use
transparency, including describing the who, what, where, and
when of their technology practices.
Protecting student data is not a one-time event. Educators'
data needs are evolving. Security threats are constantly
changing, and professional development need are ongoing. I hope
Congress would encourage districts to implement security
practices that meet the mature technical, physical, and
administrative standards.
While federal state and privacy policy is critically
important, there is no doubt in my mind that school districts
and schools must lead these efforts to protect student data
privacy. And any effort by Congress to update laws to protect
students, FERPA and COPPA, should support, not burden school
district and state data use to improve instruction and decision
making.
Appropriate data sharing must be served to strengthen the
potential of technology to transform and improve education. I
urge Congress, please do not overreach as you address this
important issue. But instead, take a thoughtful, balanced
approach focused on supporting schools and district leaders.
I thank the members of the Committee for this opportunity
to share a realistic view of the issue from the perspective of
a school district that is engaged in this work. And I am happy
to answer any questions.
[The testimony of Dr. Abshire follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Rokita. Thank you, Dr. Abshire. Appreciate it.
Mr. Reidenberg, you are recognized for 5 minutes.
TESTIMONY OF MR. JOEL R. REIDENBERG, STANLEY D. AND NIKKI
WAXBERG CHAIR AND PROFESSOR OF LAW, FOUNDING ACADEMIC DIRECTOR,
CENTER ON LAW AND INFORMATION POLICY, FORDHAM LAW SCHOOL, NEW
YORK, NEW YORK
Mr. Reidenberg. Thank you, Mr. Chairman. And good morning.
Good morning, Ranking Member, and distinguished remembers of
the committee. I very much appreciate the opportunity to
testify today.
I studied and written on privacy technology for over 25
years. And I focused the last 5 or 6 years on student privacy
issues, including several national studies that have been
presented previously to this subcommittee. On a personal level,
I served on a school board for 5 years. So it is an issue that
is actually quite close to my heart.
I am testifying today though on my own behalf, I am not
representing any organization with which I am affiliated. I
have submitted a longer witness statement, but I am just gonna
summarize that during the 5 minutes.
Educational technologies and the use of data today is
transforming American education. We see tremendous
opportunities to improve education. And at the same time, we
see the scope of data collection has now become massive. And
our privacy laws simply aren't working to protect children's
privacy when that information is coming from schools.
We have three statutes in our federal privacy law; FERPA,
the Protection of Pupil Rights Amendment from the 1970s, and
COPPA. The Pupil Rights Amendment Act and COPPA are really
addressing very narrow issues. One focuses on surveys in
schools. The other focuses on directly collecting data from
children.
So the main privacy legislation that addresses student
information is FERPA. And FERPA desperately needs to be updated
for the 21st Century. We have heard--you know, 40 years ago
when it was enacted, data was kept--the records were kept in
file cabinets. It worked then, but schools had no computers and
the internet wasn't anyone's dream in the school systems in
those days.
There are really three areas that I think we need to
address in modernizing FERPA. The first is that the coverage of
FERPA is outdated. FERPA governs educational records. Well,
today, student and educational records are narrowly defined.
Today, the kind of information will range from grades to
metadata about reading habits. Much of the data that comes from
learning tools is outside the scope of FERPA.
FERPA is a financing statute. It applies to institutions
receiving federal funds, and only those institutions. That
means the vendor community--those supplying many of these
services--have no direct statutory obligations. Schools have
them. But schools are often in a very difficult position to be
able to work--deal with--contract with the vendors.
We have so many schools across the country that don't have
legal council, don't have sufficient technology expertise to
even know what they are looking at when they see a vendor
agreement.
The privacy pledge that we heard about this morning is a
tremendous initiative, but it is not a substitute for strong
legal protections. And then FERPA misses very important
elements. FERPA saying nothing about data security, saying
nothing about breach notification, has nothing on the
transparency of how vendors might be using and sharing
information. So these are elements the coverage of FERPA just
doesn't match what is going on today.
The approach--the secondary, the approach of FERPA itself,
is outdated. FERPA's focus was on confidentiality and parental
access. Today, the critical issues are about permissible
educational uses of student data. What is the use; right? We
have other statutes, like the Fair Credit Reporting Act, is a
permissible purpose statute. That works in the modern world.
FERPA doesn't. FERPA needs to look toward that model, identify
what are truly educational uses. Those are fine. Everything
else is prohibited wthout parental consent.
Data mining, homework assignments, teacher interactions,
all of these things today, are they appropriate uses for the
students' data? As a parent, a former board member, I don't
think our children should be required to subsidize private
commercial gain to get an education through their information
being monitored and used.
Lastly, the third area is enforcement and remedies. FERPA
is essentially unenforceable. The one existing remedy is a
nuclear option. It has never been used by the department of
education. It is total withdrawal of federal funds.
The victims have no redress. If you or your family's
information is compromised, there is no redress under FERPA.
FERPA needs to have graduated sanctions, fines, various
abilities to enforce through the Department of Education. I
think the State's attorney general ought to have enforcement
authority. We see that again in the consumer credit reporting
area. And I think it would be very important to have private
enforcement options so that families have redress.
It would be helpful for Congress, I think, to encourage the
States to have chief privacy officers in their state
departments of education to assist the local schools. Because
it is very difficult for local school to understand how to
navigate this territory.
So my conclusion is that Congress can no longer wait. If we
want the innovation that educational technologies and data uses
offer us, if we want that to be accepted by schools and
parents, Congress has to update FERPA so that it matches what
will be happening in the school communities. Otherwise, parents
will not have trust, and there will be a constant struggle
between the communities and the schools and the educators and
national education policy.
Thank you.
[The testimony of Mr. Reidenberg follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Rokita. Thank you for your testimony.
The way this usually works is the subcommittee chairman
usually asks out with asking his questions. But I find out that
my life goes smoother when I defer to the full committee
chairman when he is in the room.
Sir, thank you for your leadership. You are recognized for
5 minutes.
Mr. Kline. Yes, that won't work. Okay. Thank you, Mr.
Chairman. This is a good hearing. Thanks for yielding to me to
ask a question. I really want to thank the witnesses. You are
an excellent panel. Years of expertise.
When we look at data and data privacy in the large, we as
Americans ought to be concerned. We have seen spectacular
reaches, big retail firms where all of their customers'
information was made available to whoever was doing the
hacking. Because these cyber attacks are not just a matter of
rhetoric, they are a matter of fact. And so whenever you have
data that is compiled, today, we have to be somewhat concerned
that data will be made available. So as we look at this, we
need to keep that in mind.
And I am also concerned that when we are dealing with
technology--we, the Congress--we, the government. But we, the
Congress, particularly--there is a great danger that we will be
trundling along here years behind. In the House we move slowly.
In the Senate they hardly move at all. And so it is a little
troubling that we could be developing policy that by the time
it is enacted is already outdated.
So I could probably start anywhere, but I am going to go to
Ms. Knox to--I would like for you to get at the issue of the
amount of technology that there is in the classrooms. It is not
a simple question of the paper file drawer now being on a flash
drive somewhere. There is all kinds of stuff. We have got
hardware, software, apps, tablets, kids with cell--we have all
kinds of things going on there.
So can you help us understand some common principles or
ideas that we should be looking at when we are trying to update
FERPA that will not get in the way of supporting technology in
the classroom, but which can provide some privacy and something
that won't be outdated tomorrow or in a week or something like
that? Just give it your best shot.
Ms. Knox. Sure, sure. I think starting with a commitment to
trust is important. I know that at our company, we have
principles and policies in place about establishing trust with
customers. So starting with a commitment is always important.
And then, you know, knowing what it is you believe. For
example, in our company, we believe that people own their own
data; right? So the student and the parent--the student's data
belongs to them. So being clear on those pieces sort of guide,
then, action and belief.
So then how does that translate? At least, again, where I
work, that translates into making sure that privacy is in the
design of any product that we put on the product. So if we
design a product, there is always a privacy expert with the
product developer. That means you are baking it in to who it is
and what it is you are going.
And then, you know, wherever we go, we try to be extremely
transparent about the data. So I know that the question has to
do with schools and there are all these different devices and
how do you make sure that data stays secure. The cloud, you
know, unites them, right, brings them all together. And it is a
service of--in a remote data center, basically--and educating
and becoming clear and being very transparent. Whoever that
third-party provider is needs to articulate in the clearest
terms how that data flows in and out, who has--if anyone have
access.
And we have an entire center called the trust center. We
have a trustworthy computing initiative. This morning I
actually watched a couple of videos of some software engineers
who took me on a virtual tour of our data centers. And I could
see physical, you know, protections. I could see software
protections. I could see a blue team and a red team identifying
good and bad use. I mean, being transparent helps inform, but
it also decreases fear. Because we believe data is critical in
the age of 21st Century education, just like everybody else
does.
And then two other points is, you know, in general, always
committing, putting something in place where improvement
continues. So whatever the law ends up doing--you know,
whatever direction it goes in, there should be a piece in there
that says we will constantly improve our practices based on the
times and the opportunities that come available.
We do that at the company, as well. So that is, again, part
of the way that we approach our work, the way that we, you
know, commit to it, believe in it, act on it, create products.
And I think that can be translated into the way that society
sort of behaves when designing laws for students and their
privacy.
Mr. Kline. Thank you. I see my time is expired, Mr.
Chairman. Thank you.
Chairman Rokita. Gentleman's time is expired. And I see
that this subcommittee's ranking member believes in a similar
philosophy as I do. So Ranking Member Scott, you are recognized
for 5 minutes.
Mr. Scott. Nice try. Thank you. And I want to thank all of
our panelists. They have provided really good information. Let
me just ask some general questions.
When you talk about personal data, is there anything in the
discussion that will hurt us in trying to find growth models or
trends, demographic trends, that in general we could use for
educational purposes? Is there anything that--nonpersonal
information, non-personally-identifiable information, is that
at risk if--in any of our discussion? In other words, boys do
better than girls in some areas, some pedagogy works better
with some groups other than others. Are we gonna lose our
ability to evaluate along those lines?
Mr. Reidenberg. Yes, can I respond, Congressman? I don't
think so. Because if the focus of FERPA is looking at using
data appropriately for educational uses, that is going to be a
very important educational use to understand how individual
children learn, how cohorts of children learn, and how to
deliver the most effective educational programs for them.
Mr. Scott. I just wanted to make sure that is not at risk.
Mr. Reidenberg, you indicated the problem with sanctions.
We have got a problem with classified information. If a
reporter gets classified information illegally, meaning
somebody illegally has classified information, gives it to a
reporter, there is apparently no prohibition against the
reporter just sticking it in the newspaper.
What about republication of data and other kinds of
breaches? You alluded to the fact that we need the graduated
sanctions so there will be some sanction. If there is a breach,
would there be any prohibition against the rebroadcast or
republication of the data? Is that part of FERPA?
Mr. Reidenberg. You are talking about, say--take an
example. Nashville, Tennessee a number of years ago had all of
the information on all of the cities' students and their
families openly available on the internet. A case like that, if
you are talking about a newspaper publishing information from
it, well, the First Amendment rights would address what the
scope of the newspaper's authority to do that.
But if you are talking about a third-party organization
taking all that data and then using it for various commercial
purposes, I think that would be wrong and should be
interdicted.
Mr. Scott. One of the questions is what is an educational
record. Is homework, grades on quizes, exams, final grades,
disciplinary records, financial records, are all those
educational data that needs to be protected? Computer use, if
you are using the library computer?
Mr. Reidenberg. Those I do not believe are currently
covered by the definition in FERPA. The Supreme Court has
interpreted the educational record specification quite
narrowly. So homework assignments, for example, would generally
not be. A family's financial status; so if the child is on a
reduced lunch program, for example, that is not going to be
considered necessarily part of the educational record. How a
child uses an app in school, the metadata generated from that
app will be outside the scope of protection from FERPA.
And I think it should be. I think when you are dealing with
data that is gathered about, by, or for kids in school, we
should be treating that as custodians of our children's
privacy, and we should be very careful with how that
information gets used.
Mr. Scott. So stuff like that is not now covered, but
should be covered?
Mr. Reidenberg. I believe that is correct.
Mr. Scott. And part of the discussion is how long should
the information be held? Somebody has graduated from high
school, should the high school still have their stuff on some
computer that somebody can get to?
Mr. Reidenberg. I think it is going to depend on what the
purpose is for the high school archiving it. Should the high
school, for example, or the high school's vendor be storing the
seventh grade home work assignment that Johnny or Sally wrote
when they are 35 years old? I think the answer to that is
probably no.
Mr. Scott. Let me ask you just another quick question. How
do the marketers get this information? I mean, I think we would
all agree you shouldn't be marketing people. How do they get
the information to begin with?
Mr. Reidenberg. If you ask me the question in a couple of
months, I should be able to give you a specific answer. We are
in the midst of doing a study right now in my research center
that is trying to understand the circulation of the student
information in the commercial student marketplace. And I don't
have an answer for you at this point.
Ms. Knox. So your question is how does student data end up
in the hands of marketing people. If the students are using
certain cloud infrastructures and it is held by a third party
and that third party's contract terms aren't clear, it is
possible for them to trend through the data that flows. So
emails, forms that the school district is completing. I am sure
Dr. Abshire may have some specific examples of maybe
situations.
But when it is flowing through the data center, it is
possible to, you know, take a peek at it and find trends and
put it kind of on the market to other businesses who want to
advertise to those students. And then certain targeted ads then
would flow back to the students. And when again they are
emailing, low and behold, what they were talking about maybe in
an email 6 months ago, there is an advertisement for it.
So this idea of trust and understanding where the data is
flowing and committing to not using data for noneducational
purposes becomes critically important in this information.
Chairman Rokita. Thank you very much. The gentleman's time
is expired.
I now recognize myself for 5 minutes. And in the first 20
seconds give Dr. Abshire a chance to respond to that last
question, if she would like.
Ms. Abshire. I guess I would just comment that the comment
around trust I think is critically important. Also, the comment
I would make is about how we at the district level should
anonymize data. If you think about all that we collect about
children--there was some earlier comment about large-scale
demographic data. That data coming out of a school district
usually is and should be anonymized so that it is reported in a
way that it is not PII, it is not personally identifiable
information. It indicates trends. It allows researchers and
states to look at those trends and make solid educational
decisions.
The other piece is the use of role-based data. In other
words, depending what your role is in the school district or an
organization, that limits your access to certain pieces of
information. We have been very successful with that, and we are
working on that in the--
Chairman Rokita. And does that work in a cloud situation?
Ms. Abshire. Absolutely.
Chairman Rokita. Okay.
Ms. Abshire. The pending and the agreements that are in
place with our providers allow for that data to be--
Chairman Rokita. And who writes your agreements? Who writes
your agreements? You have outside counsel?
Ms. Abshire. We work on that with counsel in the district
and with our state department. Yes, sir.
Chairman Rokita. Okay. Thank you. Very interested in all
your testimony. So many questions, so little time.
I am going to start with Ms. Knox. You rightly praised the
pledge that you signed. And now we have 100 other signatories
to it. Good stuff. Where is the enforcement mechanism in the
pledge?
Ms. Knox. I know--
Chairman Rokita. Assuming it was codified.
Ms. Knox. Right. Oh, assuming--well, the existing penalty
would be, you know, misleading. And if you actually do
different activities than you said you would do in the pledge,
then the FTC can fine you.
Chairman Rokita. Okay. And then you also mentioned that
FERPA, you mentioned correctly, does not include third parties.
Ms. Knox. Right.
Chairman Rokita. Should it?
Ms. Knox. Yes.
Chairman Rokita. Thank you. Mr. Reidenberg, same question.
You mentioned the same thing.
Mr. Reidenberg. Yes. I Think FERPA should absolutely apply
to all participants in this space, which would include the
third-party vendors. I--
Chairman Rokita. Can you give some more specificity of what
that would look like in an updated FERPA--
Mr. Reidenberg. Sure.
Chairman Rokita.--environment?
Mr. Reidenberg. What FERPA should--what I think FERPA
should be doing is specifying the kinds of uses that are
permitted for student information. And uses that don't fall
within that category would require consent. And that
requirement of only using for admissible purposes would apply
whether it is the school, whether it is a data analytics firm,
whether it is some other cloud service provider offering
services to the school.
Chairman Rokita. So as long as there is some contractual
relationship between the government jurisdiction or school
element and the service provider, that would extend FERPA?
Mr. Reidenberg. It would--there would always be that
contractual arrangement where the school is using third-party
services.
Chairman Rokita. Right. Ms. Knox, you wanted to add
something?
Ms. Knox. Just really quickly, one of the things I really
liked about Dr. Abshire's written and what you mentioned in
your oral is she talked about not overburdening schools with
more regulation. And I can't agree more. And I think that was
part of the brilliance of the Student Privacy Pledge. And I
just want to thank Representative Polis for his leadership
there. The idea of industry standing up and raising our hand
and taking a pledge and saying these are the kinds of things we
think we should be doing and we will do them when it comes to
students, I think it is important, and I think it does help
with schools.
Chairman Rokita. I thank you. But the question was on
FERPA; right?
Ms. Knox. Right. But I think it could translate right into
FERPA. I mean, not word for word. But the same principles.
There could be a new piece of FERPA that developed that looks
at third party or business--
Chairman Rokita. Absolutely. Absolutely. Thank you.
And with the time remaining at 1 minute, Ms. Sevier, what
do you think about what has been said so far? Do you have
comment to add?
Ms. Sevier. I do. It sounds like we are all speaking on
behalf of student privacy. And I just wanted to bring up the
parent engagement aspect. If parents are not able to review
digital records and if digital records are not included in the
definition of a child's educational record, then that kind of
relegates the parents to being a bystander in the process, and
not a participant. And I think we need parents as participants.
We need them involved.
Chairman Rokita. Absolutely. They are the first guardians
of all this. Literally.
Ms. Sevier. Yes. We need them to be involved. If a digital
profile is going to guide my children's opportunities, whether
they graduate, whether they are eligible for services, I want
to review that. I want to be involved. I want know how those
determinations were made. And right now, unless I am in her
school district, I don't necessarily have that opportunity.
Chairman Rokita. Thank you all again.
Ranking Member Fudge, you are recognized for 5 minutes.
Ms. Fudge. Thank you very much, Mr. Chairman. And again,
thank you all for your testimony.
Let me start with you, Dr. Abshire. You have kind of been
talking around it. But can you just give me some specifics
about what you believe we can do or how FERPA can be modified
to reflect the change in technological climate, while still
ensuring that children's data is protected?
I mean, I understand, you know, that you don't want us to
put more onerous restrictions. And I understand that too. But
my priority is children. And so if--you know, maybe it is a
little much and we can work on it. But how can we protect these
children? What do we need to do with FERPA?
Ms. Abshire. Well, thank you, Congressman Fudge. I
appreciate that question.
I think the comments of my colleagues here at the table
this morning have kind of encompassed that; that the revisions
do need to be made with an eye towards a balanced approach. I
would come down strongly on the side of ensuring parental
engagement and involvement. In our district it is called
``informed consent.'' Our parents are allowed to consent and
opt in and out on different pieces of data around their
children's educational records.
So they know that when they give informed consent, that
student data around discipline, student data around a
children's progress on formative and summative assessment
results are gonna be used within the district with privacy with
the educational experts that need access to make good decisions
about that child's educational progress.
They also know that it is gonna be sent to the state to be
able to assimilate that information and look at how our
district performs against other peer groups in the state and on
national levels. They also know that information will be
anonymized for certain requests and it will not leave the
district. It will not go out into the cloud and be available
for potential data breaches.
So I think the strongest piece that I can bring to the
table around that issue, Congresswoman, is the piece of
informed consent; that it is, I think as Chairman Rokita said,
the parents are the first guardians. And the culture of a
community in Louisiana--
Ms. Fudge. I don't want to cut you off, but I have got some
other questions I must ask, so--
Ms. Abshire. I am sorry--
Ms. Fudge. So parental consent. Ms. Knox, what has
Microsoft actually done to protect the data?
Ms. Knox. Well, great for us we have some lead amazing
products. And I feel lucky that I get to go out into classrooms
and talk to actual teachers who use them. Office 365 being in
the classroom. And these are specifically designed so that
students don't receive any unwanted advertisement. And so
they--a teacher can--as one teacher told me, no more in my
classroom can anybody come back from doing their homework and
say their dog ate their home work. Because everything is now
stored in the cloud. And there is more productivity. Kids are
really engaged. This office 365 product has really inspired him
to do new things with technology; collect data, do analytics on
which equation he is teaching about, you know, students
struggled with the most at night and didn't struggle as much on
this equation, so he changes his teaching strategy.
So all these things are great. But at the same time, we
need to make sure that they are--that the student is protected
and they are safe. And that is what these products do. It is
possible to strike the balance that Dr. Abshire keeps talking
about.
Ms. Fudge. Thank you very much.
Dr. Abshire, can you give me an example of how your
district uses this data dashboard to effect curriculum
decisions and to provide interventions for struggling students?
Ms. Abshire. Yes, Congresswoman. Thank you.
Teachers regularly meet in our district in what we call
PLCs, professional learning communities. And those communities
are focused on looking at how students are performing. And in
the past it was a set of folders. It was stacks of information
that people could not cross tabulate the data and, again, look
for trends and look for specificity in what skills and
standards are students not able to make.
Now in our direct, our teachers sit in conference rooms
with the fourth grade team or a group of math teachers at the
high school level and pull on a computer screen all the trends
for the students in their classrooms, drilling down to a
specific skill that don't know. So they are able to pull out
students into groups, reteach that specific skill, and allow
other students to move on.
What that data warehouse for us has created is efficiencies
in learning and efficiencies in teaching.
Ms. Fudge. Thank you very much, thank you very, very much.
I yield back, Mr. Chairman.
Chairman Rokita. Thank the gentlelady.
I would now like to recognize a new member of the committee
and subcommittee who has served on school boards in Florida.
Mr. Curbelo, you are recognized for 5 minutes.
Mr. Curbelo. Thank you, Mr. Chairman, for this opportunity
to discuss what is a topic that is increasingly on the minds of
parents and students and teachers.
I wanted to delve further into the issue with penalties
related to FERPA violations. Mr. Reidenberg mentioned that we
should perhaps consider developing a graduated penalty system.
Could you go into that, expound what would something like that
look like and how could it be most effective?
Mr. Reidenberg. Thank you. I think my reference to
graduated penalties, what I have in mind, are range of levels
of fine depending on egregiousness of violation. So you would
not want to see a school district or a state subject to
crippling penalties for what are small technical violations.
On the other hand, we need to have some mechanism to insure
that FERPA is, in fact, effectively enforced in local schools
across the country. I think--so on the one hand, those are the
publically-assessed fines. I think it is important that
families have an ability to get redress if their information is
compromised and their student's privacy rights are violated and
they are harmed. Right now, we have no mechanism for that in
FERPA. It is one of the few areas in American privacy law where
we have no way of addressing redress.
Mr. Curbelo. Now, I also heard a conversation about
expanding FERPA to cover third-party vendors--
Mr. Reidenberg. Yes.
Mr. Curbelo.--for example, how ould those groups be
penalized? Same way?
Mr. Reidenberg. Same way. Same way. If FERPA is authorizing
use for a defined educational purpose and the third-party
vendor does something else; something else being using it for
advising purposes, using it to profile a student to skew search
results or to deliver content that is unrelated to the
educational purpose for which the data was gathered. In an
instance like that, the third-party vendor should be subject to
a fine.
Mr. Curbelo. And a question for Ms. Sevier.
It is obvious that these types of breaches occur every day.
Obviously, most of them do not rise to the level where they
would get attention from the media. But how much do parents
know about these beaches? Do you get the sense that schools are
open and transparent about data breaches, or is there a lot
that parents and even we don't even know?
Ms. Sevier. That is an interesting question. And I think
that there are layers of misunderstanding, depending on how
involved the parent is in the landscape. But I also think that
the reason that question is most interesting is because the way
that the law is written right now, there is release of
information that is not considered a breach. Does that make
sense? And I think that is really the focus of revising FERPA
and kind of shoring up those areas; really looking at the
digital information that is being collected and stored,
informing parents not just how it is being collected and stored
and who is using it, but how it is legitimately being applied
within the school, and then allowing them to review that.
And I would say that dialogue at that level is not
happening, but that we are taking first steps with partners,
like Microsoft, to get information out to parents so that they
play more of an active role in shaping policy, at least at the
district level.
Mr. Curbelo. Thank you.
Ms. Knox, I think you wanted to weigh in?
Ms. Knox. Just in terms of the confusion that parents may
find. We hosted last month--or in December--approximately 30
state PTA leaders in our office. And we conducted a 2-day
training on student privacy. Everything from personalized
learning to what is cloud computing to--I mean, I can't--what
is data-driven instruction.
But one of the most interesting moments, I think, for all
of us was none of the adults had actually experienced
personalized learning. And so they had never--I mean, those
were words and terms. And so once they felt the power of oh, my
gosh, I get to move on quicker based on the data because I am
actually learning quicker than this person, but this person
might come and help me, they got really excited once they
experienced it.
But then they also thought where is all this data going?
And then breaking down the cloud and how that works. And it was
just a fascinating--I don't know if you want to mention--or
comment. But it was good.
Mr. Curbelo. Please.
Ms. Sevier. It was fascinating. And it enabled our state
leaders to go back to their states and kind of mimic that same
behavior with their constituents so they were informed
advocates around the issue. And it decreased the amount of
hyperbole. And I think it makes us better decision makers.
Mr. Curbelo. Thank you all very much.
Thank you, Mr. Chairman. My time is expired.
Chairman Rokita. Thank the gentleman.
Ms. Bonamici, you are recognized for 5 minutes.
Ms. Bonamici. Thank you very much, Chairman Rokita and
Ranking Member Fudge, for holding this very important hearing.
Thank you to the witnesses. This is an important issue. And
I hear a lot from many constituents in Oregon who are as
concerned as I am about the gaps in protection.
There is always a problem in legislating around technology.
Because as was recognized earlier, the technology changes much
faster than policy changes. And trying to find that right
balance to make sure that we aren't inhibiting innovation and
the beneficial uses of technology while still finding
protections is a critical balance. But it is past time for us
to address that issue.
I want to talk with you, Professor Reidenberg, and say
thank you for your excellent recommendations on the changes
that are needed to update FERPA. When I think back to--I think
you said in your testimony it was 1974. Things were a little
different in 1974. And we have come a long way. But the law
needs to definitely be updated.
You talked about an analogy to the Fair Credit Reporting
Act, permissible purposes provisions, when you talked about
educational use. But what about remedies? You said in your
written testimony that right now, the denial of education funds
by the Department of Education is the remedy.
But what happens, say for example, if a family finds out
that there is erroneous information in a database about their
student? What can they do? Is there way for them--analogous to
the correction of errors provision in the Fair Credit Reporting
Act, is there a way for them to correct erroneous information?
Mr. Reidenberg. Yes. FERPA gives the parents the right to
access and request the school district make changes to data
that is incorrect. If a school district does not do that, the
parent has no recourse.
The second thing is that doesn't apply to all of the third
parties holding that data. So all the educational app providers
that are profiling individual children to serve them content or
games or learning tools, the parents don't have a legal right
to access what those profiles are. And to suggest that the
profile really doesn't adequately or accurately describe the
child, there is no mechanism for the parent to have it changed.
Ms. Bonamici. An important issue to address.
And I want to follow up on Chairman Rokita's questioning
about the Student Privacy Pledge, which I applaud. That is a
great first step. However, I am concerned also about the
voluntary nature of it; that it is something that doesn't have
adequate enforcement if there is a problem. And again, being
voluntary.
So I am also concerned about the issue of conflict. When
schools are essentially acting in loco parentis, they are,
playing the parent role, in fact, when our students are in
their schools. So are schools really equipped to be a go-
between in this kind of issue where parents and vendors and
school district may have conflicts? How can schools adapt to
serve that role?
Mr. Reidenberg. So if I could address the pledge first, and
then the second portion. I mean, I think the pledge is a
terrific initiative. I think there are very serious questions
about its enforceability; whether if a company signs up for it
and does not adhere to it but then presents Dr. Abshire with a
contract that is inconsistent with the pledge, and she has had
her legal counsel review it, I think it is going to be very
hard to claim it is a deceptive practice on behalf of the
vendor.
So I think that relying on unfair and deceptive practices
as an enforcement tool I think may be difficult. It also means
the FTC is the principal enforcer for that. And their staff is
simply not equipped to go after that many organizations that
might not be following. It is great that there are 100 leading
companies that are standing up, but there are thousands and
thousands of companies across the country doing these sorts of
practices.
Ms. Bonamici. And as you know, the FTC doesn't represent
individuals to begin with. So it would have to be a widespread
practice.
Dr. Abshire, did you want to weigh in on this?
Ms. Abshire. Just a quick addition. I think we should make
no mistake about the fact that schools are painfully aware of
this issue today. None of us is--can ignore, I think as
Congressman Kline mentioned, the data breaches that have
happened with public information and different companies and
people's credit cards.
So we are all aware of this. And at the heart of our role
as school district officials, principals, and superintendents
and school boards, is the interest of the child. I think the
chairman said it quite eloquently. Our role is to educate,
protect, and take care of our nation's children.
And so in this area of privacy and security, we have not
ignored this. Every meeting I go to around the country there
are conversations about this. I am gonna be in California in a
couple of weeks speaking to district CTOs from around the
country about this issue. And if we find an issue, I don't know
of an educational agency that would say we will not correct the
record, that we will not do the right thing by the child; and
that if a contract is violated, we have easy recourse. We quit
doing business with them.
Ms. Bonamici. My time is expired. I yield back. Thank you,
Mr. Chairman.
Chairman Rokita. I thank the gentlelady. And I would like
to recognize another new member of the subcommittee and
committee. Glad to have him, as well.
Mr. Carter, from Georgia. 5 minutes.
Mr. Carter. Thank you, Mr. Chairman.
And thank you y'all for being here. We appreciate what you
do. Nothing more important than our children, and especially
their education.
Let me ask you, when we are talking about this information,
are we talking about specific information to a specific child?
Or are we just talking about general information? Are we
talking about, you know, at this school, 40 percent finished in
this percentile?
Ms. Knox. I mean, the way I think about the answer to that
question is there is data that is collected in a classroom,
right, that informs instruction. Then there is about classroom.
Then there is data at the school level. Then there is data at
the county level. And then it goes to the state.
And so you are right; there is all these different layers
and there are policies that sort of try to blend together and
weave together. I keep looking over at Dr. Abshire because she
lives this. And so the answer to your question is it is like a
fabric or a quilt that needs to kind of work all in the same
direction. But there are many different buckets of data at play
in the education system.
Mr. Carter. Are you more concerned with the--I suspect that
you are more concerned with the personal data on the specific
student than you are about the general data.
Ms. Knox. I mean, from my point of view, the personal data,
why--I am very concerned. I don't want to see kids get viruses
that penetrate their system. I don't want them to be--you know,
to have data loss or have their passwords exposed. I don't want
to have their data sold for inappropriate or un-educational
purposes. All those types of things more on the micro or the
personal level. But then data can being aggregated and there
can--people can look for trends. And then there can be some
unwanted advertising that is targeted towards the student or
groups of students based on clicks and searches and ways they
interact with the technology.
There are lots of ways for data to inform the technology
that has been used. And sort of what does the company decide to
do with the data that they are collecting? Is it for the
purpose of improving the business, or is it actually to be
monetized and sold and be making money off the whole process?
Mr. Carter. Dr. Abshire, when your school system gives the
information to a company, do you sell it? Do you get a price?
Do you get paid for it?
Ms. Abshire. Well, we don't give information about a
student to a company. That data--we have been working on this
for a little while. Let me say that. And as we look at PII,
personally identifiable information, we have begun to ferret
out systems where in earlier contracts and earlier provisions,
we used a lot of PII. And we are anonymizing that data now by
using student IDs.
Information is power in this new technology, economy, and
educational arena. And if we know that this information has the
potential, as Ms. Knox said, to be misused or to be exploited
in some way, then it is our responsibility as--it is the
responsibility at the school district level to be able to
restrict that PII in such ways that these children cannot be
identified.
Only within our own discreet systems with the educator or
the researcher or the evaluator that needs to use it in a
direct line of correlation between that child and their
educational records.
So as I said before, this is evolving. It is not an easy
issue. Because obviously, the use of technology and information
systems in schools is evolving. And it is complex. But it is
our opportunity, I think, as a community of policymakers, of
parents, of companies, and educators to look at this in a
comprehensive way that holistically evaluates what are we
doing, what should we be doing, what should happen if we don't
do what we are supposed to be doing. And then look at ways that
we can support the use of data to inform instruction.
Because I think as all the panelists said, the powerful
learning opportunities that this technology provides to
advance, remediate, enrich children's learning in ways that
didn't happen 40 years ago when I started is the way we would
transform schools and create competitive educational
environments so our kids can compete within those safeguards.
Does that help?
Mr. Carter. That helps. One last question.
Are there any physical characteristics including in this
information? You know, male, female, gender--
Mr. Reidenberg. Yes. It will be in the metadata. It will be
in some of the specific characteristics the child signs up for.
An app in school that has an avatar and they are supposed to
choose their sex, it will be predictable based on certain
patterns that a child engages in school. So the third party can
identify those characteristics, even if the child hasn't given
the name.
I think it is important though, just giving an ID rather
than a student's name is not satisfactory today, given the
state of computer science. The computer scientists are able to
show you can reverse engineer identity. If you give me several
characteristics about an individual that are purportedly
anonymized, I can reverse engineer who that child is.
And we see today that in our research we found
approximately 25 percent of the school contracts in--I think it
was in the classroom function area--were not paid with by cash;
they were paid with using their students' privacy. They were
giving the vendors information in exchange for the services.
Chairman Rokita. Gentleman's time is expired.
Mr. Carter. Thank you all again.
Chairman Rokita. Thank the gentlemen.
Now I would like to recognize another new remember to the
committee, very much welcomed as well. Mr. Russell, you are
recognized for 5 minutes.
Mr. Russell. Thank you, Mr. Chairman.
And thank you, panel, for being here today.
FERPA was changed under the leadership of Secretary Duncan,
allowing anyone that has even a mild interest in education to
see personal records. Would you support the elimination of
access by third-party vendors? And that is for whoever would
like to take that on.
Mr. Reidenberg. I am happy to jump in and say no. I mean,
third-party vendors serve an important and useful function for
the schools. And our schools today would not be able to develop
and enhance their educational programs if they couldn't use
third-party vendors. So if you cut off access to the
information, the schools would have tremendous difficulty
delivering education and improving the outcomes for their kids.
But that is not to say what those vendors do has to be careful
and closely circumscribed.
Mr. Russell. Okay. As a follow on to that, you know, Mr.
Reidenberg, you have correctly pointed out in your previous
comments about these unique identifiers that are attached that
never go away. They are attached to personal level student
data. It follows the data no matter where it goes. So
disaggregated data is really a myth. So how do you protect
that?
And then you are also willing to give it to third-party
vendors, because it is all for the children. Well what about
the Fourth Amendment of the Constitution of the United States
that says we have a right to privacy of our papers? What do we
do with that? And I would like to hear someone from the panel
address those issues.
Ms. Knox. I mean, from the company--from Microsoft's point
of view, we can operate as a third-party vendor. But our belief
system, what we adhere to, our principles and policies, is your
data that we are gonna put in a data center offsite, you own
that data. We don't own that data, and we will not access it.
And so we have that in our contract. And that is, I think, a
way of addressing and--well, addressing the issue, but
increasing trust among all these stakeholders who could access
the function--
Mr. Russell. Well, and to that point--and I agree with
that. But take the Federal government, for example. They are
asking for data from states to fill out such initiatives as the
prevention and intervention programs for at-risk youth. They
provide grants for the SLDS, the longitudinal data system. Do
you think that data from the National Assessment Educational--
you know, NAP, do you think that would provide the very things
that they are asking for with less specificity on individual
students? Why does the Federal government need to drill down to
that level?
Ms. Knox. I think there are lots of ways probably to
respond to that question. My big--my general response about the
NAPE and the data that is collected, as a general education
system as a country, we are trying to constantly improve it. So
we are collecting, you know, aggregated data to make good,
informed decisions so that we can improve our systems.
Mr. Reidenberg. Congressman, there is a well-known
principle in data privacy which is called ``data
minimization.'' And I think the question you are asking is
really going to that point; what is the minimum level of data
necessary to make the decision that we are seeking? And I think
with--and we have done some research on the SLDSs. And I think
there are many questions about the scope and extensiveness.
In fact, it was approximately 4 or 5 years ago I testified
before this subcommittee on a study that we did. And the
example that I used came from the state of Louisiana. I was
just telling Mr. Abshire this before the testimony. Louisiana
requires its school districts to report whether children curse
in school. And it seems to--because when you look at the
disciplinary codes, one of the codes is using--the child is
disciplined for using profane language.
And you have to ask the question, is that level of detail
necessary? I think in many cases, we will increasingly conclude
no.
Mr. Russell. Well, and I appreciates that. And my last
question, I mean, if FERPA no longer protects personal student
data and we can give no assurances that we can't reverse
engineer and find privacy factors, and yet we are still willing
to give it to third parties, what makes any of you on the panel
believe that the Federal government has a right to do that
instead of states?
Local schools, local communities owned by their school
boards, their parents, their teachers. Sure, we all accept
that.
What gives the Federal government this right that none of
you today by your statements, you realize that there are ways
around all of this and it can be breached. So why should the--
Mr. Russell.--federal government--
Chairman Rokita. The gentleman's time is expired. So we
will have to get those answers perhaps from the witnesses in
writing.
Mr. Russell. That would be great if I could. Thank you, Mr.
Chairman.
Chairman Rokita. Thank the gentleman.
Next, another new member of the subcommittee and committee.
Mr. Grothman from Wisconsin, you are recognized for 5 minutes.
Mr. Grothman. Thanks much. I have been concerned about this
issue for a long time. And the more the government collects
data of any sort--you know, we have seen every agency.
Eventually, it is going to get out somewhere. And this is
supposed to be confidential data. So it is a scary thing.
But Mr. Reidenberg just said something kind of shocking.
And I want you to repeat for me, because I almost fainted, so I
didn't hear the whole thing.
The percentage of vendors who are getting, apparently
partly in compensation for what they are doing, are sending out
data? Could you elaborate on that a little bit?
Mr. Reidenberg. Yes. The school districts that are getting
a service for which they are not paying cash. So the
quintessential example is Google apps for education. The school
districts aren't paying for it with cash. But what is Google
getting? Google is getting the personal information of all of
the district's children.
Mr. Grothman. Can you give me an example of that
information they are getting?
Mr. Reidenberg. Home work assignments, communications
between teachers and students, presentations that kids are
working on in school, if they are working from school, the
search items that are being used.
Mr. Grothman. So in other words, if Google wants to sell a
product and my niece is working on something on who knows what,
they are gonna know what she has chosen for her, whatever,
middle school project or something?
Mr. Reidenberg. Yes. But Google has now said that they
won't use that data to market or advertise to the children.
They haven't said whether they would not use that data to
develop the product, to create the content for the product.
Mr. Grothman. What else would they be doing with it?
Mr. Reidenberg. That is a very good question. It is
nontransparent. One of the difficulties is what the vendors do,
how they are using this information, it is not transparent. It
is not stated often in the contracts. If you look at the
contracts that school districts have with their vendors--and we
have done that. We have analyzed those contracts--it is very
difficult to figure out exactly what they are doing.
Mr. Grothman. And so these people, in addition to the
garden variety government employees--well, Ms. Sevier, do you
want to--
Ms. Sevier. Thank you. The situation that you bring up is
interesting to me. Because with this relationship that Google
has with the district--and this goes even to some online apps
that are used in a classroom--parents and students do have an
expectation of privacy, but they don't always realize when they
are opting out of it.
And so part of engagement and information-sharing would be
to educate teachers, administrators, parents and students, when
they are opting out of privacy; for them to understand that by
participating in something--by using Google or one of those
platforms, that they are giving their information up--
Mr. Grothman. I am gonna--
Chairman Rokita. Five minutes is--
Mr. Grothman. Okay. Well, we will--I have got a broader
question.
Ms. Abshire. Just very quickly. Back to our earlier
comments. This information, this concept of transparency and
trust; that within our communities, it is school districts'
responsibilities and states' responsibilities to inform and
educate parents so they can make informed decisions. We cannot
do this in isolation. I don't think we can do it with
legislation, with policy, or with practice. It has got to be a
partnership between companies, school districts, parents, and
students so that they are informed when they make these
decisions and we can use that power of technology.
I fear a world where we can not use the technology to
transform learning. But I also fear a world where our students'
privacy is jeopardized. But I think we can balance that. And I
hope that we will. Because I think that the potential is
transformative.
Mr. Grothman. Well, I am 59 years old. I grew up without
all this stuff, and I don't feel like I missed anything. But be
that as it may, maybe I did. Maybe I would be so much better
off if they had a big data bank to peruse.
Mr. Reidenberg, one quick question. By the time I am--let's
say I go graduate school, so we got all this stuff. Or like I
did, I went to law school. And this stuff was in place from the
time I was 3 years old in day care to 25 years old in law
school. What all--could you give us like a 1-minute summary of
all the stuff that would be in one place that somebody could
fine out about me? You know, that we all have to have, the
program has to be of?
Mr. Reidenberg. Well, probably the easiest way to do that
in a minute is just think George Orwell and take it to the Nth
degree, and that is probably what would be available. I mean,
we are in an environment of ubiquitous surveillance,
essentially. So the data from all sorts of devices can be
captured and synthesized in enormous number of places.
And as we see emerging between what children do in the
classroom, what they do at home outside the classroom, I think
we are gonna see a lot of pressure to have data from each of
these places; what is done in the privacy of the home with what
is done in school being merged together. And it will just be an
extraordinarily-rich data set of your life.
Chairman Rokita. Gentleman's time is expired. Thank the
gentleman.
And I am also pleased to see that we have members from off
the subcommittee interested in this issue. I would like to
recognize the gentleman from Colorado for 5 minutes.
Mr. Polis. Thank you, Mr. Chairman. And I appreciate the
opportunity to join the subcommittee today.
I think it was very valuable the way that Ms. Bonamici has
sort of framed this issue and why this has strong democratic
and republican agreement about, you know, parental rights and
privacy issues. It is really--as we know, schools function with
a certain degree of ability to in loco parentis operate in lieu
of the parents.
And the question is when it comes to kids' personal
information, do the schools and the government own it and can
they sell it? And the answer should be without the parent's
consent, no, they don't have that ability.
But because of the advent of interactive technology, there
are oftentimes students interacting directly with third-party
vendors and there is not the teacher or administrator there.
And therefore, policies and laws are needed to ensure that
schools, in fact, are not selling personal information, whether
there is monetary compensation or in kind, software
composition, effectively selling information that isn't really
theirs because the parents of the minor did not give them the
permission to do that.
I want to go to Ms. Knox. And recognizing that we can learn
from state efforts, notably SOPIPA in California that protects
student privacy. And this is fundamentally a demand driven by
parents across the country. Certainly, in my own state of
Colorado.
Could you elaborate on how some of those innovative
policies can be taken to the federal level, building upon the
pledge which 100 companies, including yours, have already
signed?
Ms. Knox. Sure. Sure. And I would be remiss not to also
thank Representative Messer for your leadership on the Student
Privacy Pledge. So thank you for that. I know you joined a
little after Mr. Polis or Representative Polis.
The state bill. So the California bill was very
constructive. We found it constructive for the larger
conversation. I think the data that came out of 2014 where
there were 106 student privacy bills introduced, I think 28 of
them had to do specifically with protecting student privacy.
And I think it came from, like, there were 32 different states.
The numbers are even, you know, at that level and getting
higher as we speak.
What is interesting is that there is such a different kind
of mix of the state bills. So some of them are looking at
governance. You know, how--we should have a security officer or
a CIO or a student privacy leader at the state level, you know,
setting up governance systems, versus sort of this idea of how
companies should behave in relation to student privacy, and
especially third-party vendors.
So I think the Student Privacy Pledge has really helped
specify and clarify and bring the industry together to commit
to the eight specific objectives of the pledge. And we have
been able to say okay, we would like to take these commitments
and make sure that the other state bills that are moving right
now, we want to make sure that they kind of work in conjunction
with each other.
Mr. Polis. And I want to go to Professor Reidenberg.
I think one of the dangers, absent the types of controls
that parents want to see so that their own kid's information
isn't sold without their permission, the danger seems to be
that parents understandably--and this has occurred in districts
in my state--rebelled the other way, where they effectively
throw vendors out of schools that could otherwise be helpful at
providing an individualized education, if only the legitimate
concerns were addressed.
So I am wondering if you can address how we can harvest the
great potential and power of educational technology and
individualized education to boost student learning, while at
the same time ensure that the concerns of parents are met.
Mr. Reidenberg. I think that is exactly the challenge.
Because the concerns parents have arise from the lack of trust,
I think in part from a lack of transparency as to the sharing
arrangements that are taking place and what the companies are
doing. In the absence of effective privacy protection for their
children's information, parents will oppose the technology. We
have seen this. We saw this, for example, with the collapse of
the InBloom platform. There were lots of things that coalesced
in enbloom to cause its collapse. But one of the major reasons
was the way InBloom dealt with privacy or didn't deal with
privacy.
The other thing that I think is important to recognize,
parental consent, we have to be very careful when we talk about
engagement and giving parents the authority to consent and then
everything is fine. The reason I say we have to be very careful
is we have to be sure we are not dealing with forced consent.
You can't put a parent in the position that they have to waive
their child's privacy for their child to be able to engage in
school.
As a parent, we experienced this several years ago. We had
to sign up for the parent portal for our local school. And in
signing up for the portal, you have to click I accept. And
essentially, we had to accept waiving our child's privacy
rights for my child to be able to get his homework assignments.
So we have to be very careful about. That it is important to
have parents engaged. Parents have to have rights to consent.
But we can't be putting parents in the position where their
choice is their kids gets an education or they have privacy,
they can't have both.
Chairman Rokita. Gentleman's time is expired. I thank the
gentleman.
Also pleased to recognize Mr. Messer, from Indiana, another
welcome member of the full committee, for 5 minutes.
Mr. Messer. I thank the Chairman and the Ranking Member for
their leadership on this important issue. Certainly thank the
panelists as well for being here today an issue that I think a
lot of parents are concerned about and yet don't they don't
know a lot about either; that we are trying to wade our way
through the issue.
You know, several testimonies have mentioned that the
Student Privacy Pledge--thank you, Ms. Knox--and actually, Ms.
Sevier and the PTA and the parent organizations that were part
of our efforts to pull that together--obviously, we don't have
a law today. So to have at least 100 industry leaders step
forward and make clear that we ought to do some simple things,
like not sell student information, not behaviorally target
advertising, use data for authorized educational purposes only,
and all the rest of the pats of the pledge.
You remember from our meetings together before, I have
believed all along that the pledge alone wouldn't be enough,
and that we ought to look at other ways that we can legally
protect parents' rights to protect their child's privacy.
Yesterday in the ESEA bill we had an amendment that dealt
with that. I think amending FERPA is part of that, as well. And
looking at what other additional protections that we are seeing
at the states could we could supply up here, like Mr. Polis and
I are working on. Maybe a federal version. Not exactly the
same, but a bill that would mirror the HPPA law that you know
of in California.
I wanted to maybe start with Ms. Abshire and expound on the
testimony at the end of the last questions. You know, it is
important here that we protect student privacy. But it is also
important that we make--ensure that any new laws intended to
create student privacy don't create--that are intended to
create a student privacy floor do not also create a digital
learning ceiling.
And could you expound on that a little bit, reference--how
do we find that spot in policy where we are protecting students
and their privacy concerns, but still getting the remarkable
educational benefits that come from having this kind of
aggregated data?
Ms. Abshire. Well, I think it is a partnership
conversation. I think that there is deep experience in the
field with my colleagues and school superintendents and school
board members that are grappling with this every day at the
district level, with organizations such as CoSN and ISTI that
represent the types of leaders that also toil with these ideas.
In our work, we are not absent that thinking every day that
contracts that we sign, systems we put in place, don't hold
great responsibility for those of us that are in the
educational system. So it is a constant thought on our mind.
And the news and the media and the new tools that are emerging
constantly bring that to the forefront of our thinking. Because
we know what we have to do to make sure that our children are
safe in a world that in many ways is unexpected from day-to-day
as to what will happen.
But I think at the heart of this is the conversation--deep,
abiding conversations that we as school leaders and
policymakers have with the people that we entrust this
information to, which are our providers. I do commend Microsoft
and other people for coming to the forefront and putting it
together. And certainly, people that have worked at the state
and the national level on this. But it is not gonna be an easy
conversation.
Mr. Messer. Sure.
Ms. Abshire. And that is why I am so thrilled that this is
happening today. Because we have got to probe at this and look
at what the technology is doing in terms of securing privacy
but enabling learning. So I think it is an ongoing
conversation. I don't think we have the answers in our hands
today. But I think they are emerging. And I think this panel
today helped give you some insight.
And I know the conversations will continue. And we
appreciate you talking to practitioners and to companies and to
parents to know that we are all thinking about the same thing.
No one is ignoring this important issue in elevating learning.
Mr. Messer. Yes. Thank you very much. You know, I would
just say again thank the Chairman for today's hearing. Thank
the witnesses for your remarkable testimony.
There are incredible benefits to student learning that come
from this data. But as you heard from the testimony today,
parents are worried about protecting their children first.
Ms. Sevier, you want to finish?
Ms. Sevier. Thank you. I would. If you went to the street
and you pulled ten parents and you asked them well, how do you
feel about biometric data and should it be collected on your
student? Depending on the article that they just read that
morning, they might just say they are thinking of that grilled
cheese sandwich and no, you can't scan my child's eyes so that
they can move through the lunch line. But maybe you have got
other parents that are thinking about their child that is in
speech therapy, and that biometric data is being used to
accelerate their learning. And so it is all about conversations
and information, definitely.
Mr. Messer. Great point. Thank you.
Chairman Rokita. Gentleman's time is expired. I thank the
gentleman.
And the ranking member is recognized for closing.
Ms. Fudge. Thank you, Mr. Chair.
And again, I thank all of you for being here. Very
insightful. Very educational. We have learned a great deal
today, and certainly will take parts of the discussion to try
to determine how we best can serve students, as well as to make
sure that their educational experiences are what they can be in
this age of technology. Thank you all. And thank you, Mr.
Chairman.
Chairman Rokita. I thank the gentlelady. As always happens
with these kinds of hearings, we learn a lot. I especially. So
I want to thank each one of you for your testimony today.
Something perhaps not exactly orthodox. I am going to--
because this is so important, I want to just say a few things
and then I want to yield each of you 30 seconds--and it will
just be 30 seconds--to make my closing for me, to say what you
think we need to take away from today, what is most important
for us as we go back and we look at updating FERPA, overhauling
it for the 21st Century so that it has the appropriate
enforcement mechanism; so that it has that right kind of
balance, so that third parties can be brought into this in a
meaningful way so that, again, we can do what we all said we
wanted to do and was first on our mind, and that is protect our
kids, that they can have a lifelong successful learning.
So with that, Ms. Sevier, for 30 seconds, what should we
take away from today?
Ms. Sevier. The takeaway for today is to consider parents
as partners in education, and not bystanders; to always support
outreach and information; to consider not just who has the data
and how it is being stored, but how it is being used in
schools. Grilled cheese, speech therapy. And whether or not
parents have a right to review that information. Because I can
give content. But if it is a one-time thing, I am still a
bystander.
Chairman Rokita. Thank you.
Ms. Knox?
Ms. Knox. It is very possible to strike a great balance
between harnessing the power of personalized learning, while
also safeguarding our students' data. Ask more from companies.
There is no question that they need to be transparent,
articulate clear contracts; that they need to make sure that
they have comprehensive data security systems; and that they
commit to not using data for noneducational advertising
practices.
Chairman Rokita. And FERPA, if I understand your testimony
is a primary vehicle for doing that?
Ms. Knox. We would like it to be part of it. Yes.
Chairman Rokita. Okay. Thank you.
Dr. Abshire.
Ms. Abshire. Yes, sir. Please be careful in your
consideration of what changes in this law and how they will
filter down and affect the business of school districts
educating students. While we are painfully aware of the issues
around student privacy and PII, I am also painfully aware that
it is a very difficult and complicated process to manage
student learning and to be wise stewards of all of this
information. And so in terms of burden, we often talk about
that, seek out professionals in the field, practitioners that
will have to implement what you decide to do around this.
Chairman Rokita. Thank you appreciate it.
Mr. Reidenberg.
Mr. Reidenberg. Three quick things. Without modernizing
FERPA, innovation is going to be opposed and will stall. It is
just not going to work. I think Congress--message I would like
to give is Congress needs to protect all student information,
not just things that were considered educational records in
1974.
And lastly, the privacy protections have to apply to all of
the participants in the educational environment, which means
the schools, the vendors, the parents. The entire educational
community set of actors have to be covered by these
protections.
Chairman Rokita. Thank you. There being no further business
for the subcommittee, it stands adjourned.
[Additional submission by Mr. Dreiband follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
[Whereupon, at 12:54 p.m., the subcommittee was adjourned.]
[all]