The Health of Student Identity

The Every Student Succeeds Act (ESSA) increases the demand for more robust data reporting at the State and local level as part of Statewide accountability measures that aim to address the need for school improvement and to close student achievement gaps. Modern data reporting systems are crucial to carrying out the requirements of the new law in the upcoming 2017-2018 school year. To fulfill ESSA requirements, States have implemented data dashboards that report school and district performance and other information, such as demographic data, for transparency and accountability purposes. Meanwhile, schools and school districts are implementing streamlined solutions that provide access to student data from a myriad of systems such as online educational services, government agencies and other establishments, like healthcare. These systems centralize data access; everything in one place.

See also ESSA Update – Federal Feedback and Funding Levels

Educational Data all in One Place

Efficient student information management systems enable schools and school districts to stay organized, track student progress and make data-driven decisions. These platforms provide educators with useful information for classroom management, instructional planning and personalized learning. Platforms and services vary in terms of capabilities, yet common features include data reporting, cloud-based or local storage and custom configurations. Typically, Student Information Systems (SIS) are web-based software applications used to manage educational records. Administrators, teachers, parents, students and other school staff access to student information from a single dashboard. Digital dashboards may even be funded by Federal grants through subcontracts with the State.

Educational Records



Educational records include students’ personally identifiable information (PII) such as names, addresses, data of birth, and even more sensitive information such as Social Security Numbers and health records. Educational records typically consist of names of parents or guardians, contact information of parents/guardians and emergency contacts, home addresses, demographic data, family background, financial aid records, discipline records, Individualized Education Plans (IEP), academic history and performance, assessment data, health information, medical records and more.

Before the emergence of technologies that streamlined data access and reporting, information was siloed and scattered across multiple systems. Now, student data management solutions often integrate with Learning Management Systems (LMS), online assessment programs, digital curriculum, and other online services and software applications. Data management systems even integrate with other government agencies and institutions to isolate persistent problems and to better address student needs such as students in foster care or students with certain health issues.

Schools and school districts collect, store and use significant quantities of data on each student for daily tasks. Real-time reporting of student data tracks student growth, empowers teachers, and keeps parents informed as to their children’s performance in school. All of the convenience of uniting sources of information into a single point of access has its benefits, yet all the data is stored in one place represents a jackpot of sensitive PII, educational records, health information and more.

Legal Implications of Educational Data Breach

The healthcare system is an example of the legal implications of a data breach. For example, a hacker accesses the medical records of a hospital exposing the data belonging to thousands of patients. The hospital would then have a legal right to file against the contractor, yet the patients would also have the right to hold the hospital liable for the exposure.

Educational data systems are not immune to a breach. A proactive mindset is that unauthorized access is not a question of if but when a data breach will occur. This mindset activates vigilance and continued improvement of policies, practices and preventative measures to safeguard student data by patching holes in procedures and addressing vulnerabilities in systems; actions on the part of contracted vendors as well as educational leaders who negotiate contracts and oversee school policies. States, districts and school leaders may have a legal right to file against services, yet parents and students may hold the school or district liable for data exposure if found in non-compliance with Federal and State laws governing student data privacy and security. State Departments, districts and schools can mitigate liability by heedfully forming contracts with vendors and by adopting identity management solutions. Additionally, contractors may also reduce risk by incorporating better compliance solutions.

The Realities of Student Data Exposure

Unauthorized access, whether by mishap or the active pursuit of a black-hat, could expose student information to exploitation and potentially lead to identity theft thus damaging the health of student identity. In fact, the aftermath may continue years beyond the initial breach occurred. Such is the case in the one county when a former student, who had attended school in the area, stumbled upon stolen data online. Out of boredom, he entered his personal information in a Web search and came across a website offering for sale the names, birthdays and Social Security Numbers of nearly 20,000 people. As he perused the list of stolen information online, he came across some of the names of his former classmates. In response, he alerted the school district. The FBI got involved, the school district issued a press release and notified students of the breach. The former student supposed that the breach was possibly connected to the unauthorized payday loan of $1,300 that was taken out in his name. (Bauer-Wolf, 2016)

A more recent example occurred earlier this year, in April of 2017, when a “White Hat” security researcher—a person who identifies weaknesses in systems and alerts owners to remedy security issues—came across student records that one contracted company had mistakenly configured for public access on a cloud-based server. The data breach exposed information of 1.3 million people including students in an entire school district. The accidental disclosure included students’ names, addresses, birth dates, some Social Security Numbers, assessment scores including State tests and English Language proficiency exams, as well as parents’ names. Fortunately, the log files showed that only the security researcher accessed the exposed files. The contracted vendor quickly remedied the configuration, and the school district promptly contacted the U.S. Department of Education’s Privacy and Technical Assistance Center for guidance and informed parents of the breach (Kadvany, 2017).

These situations are a reminder of the realities of educational data breach; data that is becoming more accessible in a centralized location. Student data privacy and personal information security must remain as a top priority among State and Local Educational leaders as well as educators, parents and students–particularly when schools are adopting more technologies and when student data is taking a more central role in improving educational outcomes and closing achievement gaps as is the purpose of ESSA.

See also Educational Data & Federal Policy

Data Access Control
Administrators, school staff and contracted parties carry out various daily tasks based on their roles and responsibilities. One way to prevent unauthorized access is to configure dashboards and platforms to provide specific data sets to school employees, and only those data sets that serve a “legitimate educational interest.” State audits have found access controls in school districts to be lacking, giving school staff access to more student information than is necessary to do their jobs. If school personnel can log in to their SIS dashboard and view information from students that are not assigned to them in that academic year, or access information that does not relate to their roles and responsibilities, the security configurations of the system are most likely not in compliance with the Family Educational Right to Privacy Act (FERPA). Although schools and districts may improve upon policies, tightened student data privacy policy is only as effective as student data management practices.
Legitimate Educational Interest: Information in a student record is legitimate when a school official needs access to specific data “in order to fulfill his or her professional responsibility.”

One way to remain in compliance with FERPA is to configure the SIS dashboards and platforms to provide specific data sets to school employees, and only those data sets that serve a legitimate educational interest.

Educational Leadership in Privacy Practices

Schools and school districts that carefully form contracts with vendors are taking steps to protect student data privacy and security. Additionally, school and district leaders guide educators in the right direction by providing a list approved of FERPA compliant software, services and sites --especially when combined with an evaluation and approval system for non-contracted sites, services and software programs. However, according to EdWeek Market Brief, nearly half (46%) of teachers surveyed say that they do not need approval from an administrator, such as a superintendent or a curriculum director, to use a promising educational technology tool in their classroom (Yettick, 2016). Innovative educators actively seek ways to leverage the power of modern technology to enhance the learning experience, yet without background knowledge and training to select digital tools for teaching and learning, educators may inadvertently incorporate a website, mobile app or software that does not follow best practice in protecting student data. This may put the school or district at risk of legal liability as well as compromise student privacy. Thus, educator training on how to evaluate technologies and platforms for FERPA compliance and other student data privacy regulations is equally as important as providing teachers with a pre-approved list and an establishing approval process for all sites, services and software incorporated into the classroom. Along these same lines, parent and family engagement is necessary to ensure best practice: clear communication with parent and families and obtaining Verified Parental Consent are integral aspects to include in teacher training and educational technology policies and procedures—for teachers as well as administrators.



Engaging Parents and Families

At the school level, educational technology enables principals and teachers to collect and analyze student data inclusive of online services, software and mobile apps, databases, cloud storage, digital curriculum, and more. In fact, every electronic device or software application connected to the Internet is capable of collecting or providing access to student data; devices that students use at home as well as at school. Although school leaders and educators can use student data to improve educational outcomes and close achievement gaps, policies and practices must be in place to ensure that student data is secured and only used for legitimate educational purposes. This includes involving parents in the conversation about student data privacy policies and practices, answering their questions and addressing their concerns over the privacy and security of their child’s information. In this manner, school and district leaders can ensure compliance with Federal law and establish an ecosystem of trust.

Technology platforms that engage parents and families keep them informed of their child’s progress and performance, involving them in school activities and initiatives. As educational technology becomes a more integral part of every child’s learning experience, parents need to be made aware of the technologies that their children use for school purpose and the ways that their child’s data will be handled. Background information on the technologies implemented by the school and in the classroom gives parents an understanding of the tools that their children use for learning purposes as well as student data usage.

Five basic questions to address for parents refer to who, what, why, where and how of student data usage:

  • Who has access to my child’s data?
  • What type of data is being collected from my child by the school and by the service?
  • Why is this information being collected?
  • Where is this information stored?
  • How is this information being used?
Parental Concerns over Privacy and Security

Parents are becoming more aware of the significant amount of data that schools collect and retain on each student. As a result, concerns over the privacy and security student data is also rising as information on child performance in school is taken beyond the classroom and school file cabinets into Statewide databases and cloud-based storage systems of contracted service providers. Educational data are also stored and shared across Federally-funded Longitudinal Data Systems that retain information on individual students for numerous years—even connecting with postsecondary systems.According to the most recent Future of Privacy Forum parent survey, “Beyond One Classroom,” the majority of parents have security and privacy concerns, primarily that:

  • Their child’s electronic education record could be hacked or stolen (84%);
  • An electronic education record could be used against their child by a college or an employer (68%).

(Future of Privacy Forum, 2016)

Parental Rights to Child Privacy

The primary Federal law governing student privacy is the Family Educational Rights and Privacy Act (FERPA), which controls disclosure of a student’s education record. FERPA grants parents certain rights regarding personally identifiable information (PII) derived from education records. The central idea as that parents consent to the use of their child’s data. FERPA maintains that, before a school releases “directory information,” the school must give parents a chance to opt-out. The law also gives parents the right to make corrections to the information. Often this “opt-out” is a one-time e-mail, letter, or section in the student handbook distributed at the beginning of the school year. But providing parents the chance to opt their child out of directory information is not enough.

When forming contracts with vendors, school administrators must pay close attention to the terms and conditions of student data access and use, restricting and controlling third party access to student data.

Of particular concern is that schools use third-parties service providers for everyday operations from the classroom to the district administration. FERPA allows “school officials” to access to students’ personally identifiable information (PII) if they have “legitimate educational interest” in that information. Under Federal student privacy law, administrators, teachers and employees of a school or school district qualify as a school official. Student data privacy advocates describe the FERPA definition of “school official” as a loophole that exposes student data to privacy risks, for according to the FERPA update in 2014, contracted vendors may qualify as a “school official” and, therefore, are allowed access to student data as an acting agent of a school or school district. When the law was written in 1974, third parties referred to photography services and yearbook publishers, but in the 21st century, third party contracts also consist of Internet service providers, online educational programs, SIS services and platforms, and database back-up centers—to name a few. Given the broad interpretation of these terms, a clear definition of “school official” and “legitimate educational interest” is essential to ensure that students and families are granted their rights under FERPA. The key takeaway here is that when forming contracts with vendors, school administrators must pay close attention to the terms and conditions of student data access and use, restricting and controlling third party access to student data.
School Official – In a K-12 school district, the term “school official” applies to administrators, teachers, school counselors, health staff, school clerk, committee members, disciplinary personnel and individuals to which the school has outsource student services.
Student Data Privacy Solutions

Leaders in districts and schools, as well as educators, can exercise best practice by engaging parents and families regarding the technologies that students will use inside and outside of the classroom for educational purposes. Clear communication with parents and Verified Parental Consent are key. Platforms such as i-SAFE Direct VPC gives administrators and educators the tools to clearly communicate with parents on the websites, mobile apps and online programs that their child is using on a daily basis—not just the one-time list posted on the school website, or a one-time chance to “opt-out” at the beginning of the school year. Moreover, parents can take control of their child’s data privacy through solutions like MyOk which covers commercial and educational online services.

Leaders in districts and schools, as well as educators, can exercise best practice by engaging parents and families regarding the technologies that students will use inside and outside of the classroom for educational purposes. Clear communication with parents and Verified Parental Consent are key.

Child identity theft is a reality, and an educational data breach is not a matter of if, but of when. Schools, districts and State Departments can go beyond the minimum of FERPA compliance to ensure the health of student identity through integrating solutions such as those offered by i-SAFE Direct that binds the identity of parent and child. As K-12 education in the United States continues to incorporate data-driven platforms and services--from mobile apps used in the classroom to district data dashboards to Integrated Data Systems--proactive protection of student data privacy is imperative. Likewise, educational technology providers can provide the K-12 market with platforms and services that exceeds regulatory requirements of COPPA and FERPA thus mitigating legal liability and ensuring the health of student identity in years to come.

Ready to take your school or district beyond compliance? Contact us to request a quote.

Is your company interested in partnering with us? Contact us by submitting this form.

About i-SAFE Ventures

i-SAFE Ventures is a hybrid organization (non-profit and for-profit LLC) focused on helping educational and commercial organizations comply with statutory regulations safeguarding child privacy. We offer a suite of technology services and solutions which enable identity management, and age-appropriate e-safety instructional programming, which meets and exceeds regulatory requirements. We are on the cutting-edge of technology and education. Learn more at