ESSA’s State accountability systems are highly data-driven, drilling down to student subgroups. Thus, ESSA’s data requirements address student data privacy and intersect with other Federal laws, namely, FERPA. This article examines the data sets required by ESSA, regulatory requirements for handling student information, and principles of best practice with regard to educational data.
The upcoming school year, 2017-2018, marks a transition into implementation of the Every Student Succeeds Act (ESSA), the law that replaces No Child Left Behind (NCLB). Most States will submit their completed plans to the USDE for review and approval this fall, and the September 18th due date for submissions is just around the corner. ESSA gives States significant leeway in planning their accountability systems. ESSA’s flexible grant programs provide State and Local Educational Agencies (SEAs and LEAs) with funding streams that provide schools with comprehensive and targeted support and improvement strategies to “provide all children significant opportunity to receive a fair, equitable, and high-quality education, and to close educational achievement gaps.” (SEC. 1001. Title I Statement of Purpose, the Every Student Succeeds Act) Unlike NCLB, ESSA shifts authority over K-12 education to the States, yet States must also comply with rigorous Federal mandates for data collection and usage, from public-facing data dashboards produced by the States to Digital Learning programs that facilitate personalized learning experiences through the collection, analysis and use of student data.
Educational data provides States, districts, school leaders, teachers, parents and school partners with valuable information that can be used as feedback to improve upon the tools, strategies, programs, educational content and instructional practices that support student success. While information systems and data reporting create a culture of continuous improvement, strong data governance principles are essential to safeguard student privacy and identity. The health of student identity depends on strong data privacy policies and best practices at the State, district and local level, as everyone who uses student data is responsible for handling student information in a manner that is effective, legal, ethical and responsible.
Federal laws support the effective and ethical use of data in K-12 education, namely, the data-rich requirements of the Every Student Succeeds Act (ESSA) and the implications of student data usage under the Family Educational Rights and Privacy Act (FERPA).
ESSA: Data-Driven Accountability & Improvement
ESSA requires that States and districts produce and use high-quality data to inform decision-making leading to improved educational outcomes for all students at the State and local level. First of all, the USDE maintains that ESSA’s data collection and reporting requirements bring about accountability and transparency. State and district report cards offer to “parents and stakeholders the information they need to understand how schools are held accountable and how students, including each subgroup of students, are performing” (USDE, 2016). Secondly, data sets are useful in identifying students’ needs and persistent problems related to school performance in order to close achievement gaps, which is the primary purpose of ESSA, a civil rights law. The Federal government collects data from SEAs and LEAs, which collect students’ data from schools and school districts. Students’ data may also be shared with other agencies and third parties. Thus, the need for compliance with Federal regulations and security practices is paramount.
ESSA’s New Data Requirements
ESSA requires each State to describe a school’s level of performance “on each accountability indicator, from among three performance levels that are distinct, aligned to a State’s long-term goals, and clear and understandable to the public” (Section 200.18(a)(2)-(3)). But the new law mandates deeper data sets than NCLB reporting requirements. For example, school districts must now report their per-pupil spending of federal, state and local funds. This level of transparency enables stakeholders to determine whether the district or State investments are succeeding. States and districts must also cross-tabulate academic data, such as test scores and graduation rates, so that those conducting research can disaggregate data to certain student groups (e.g. female English language learners). Additionally, the new law requires data reporting to include three additional student subgroups: homeless students, students in foster care, and students in military families. This level of detail aids in developing interventions that target groups of students and facilitates a more holistic approach versus oversimplified information that does not adequately supply the facts and statistical data necessary to develop an effective improvement strategy.
Moreover, ESSA incorporates the concept of “evidence-based” into the legislation as a way of validating that the activities for which States, districts and schools seek to be funded by grant programs effectively improve educational outcomes and close achievement gaps. Data sets provide evidence that the program or activity is working, and digital learning programs may provide such metrics by collecting data on student performance throughout the instructional program for research purposes.
evidence-based – the rationale for an activity, strategy, or intervention that is based on high-quality research findings or positive evaluation that demonstrates that the activity, strategy or intervention system is likely to improve student outcomes or other relevant outcomes such as school conditions. (Section 8101(21) (A))
Online Data Dashboards
States may use Federal funds to construct data dashboards that report school quality to the public in a manner that is easy for parents and other stakeholders to understand. A data “dashboard” is one way for a State to report performance levels for schools and districts in a form that is accessible online. Online data reporting via public-facing report cards enables parents and other stakeholders to review the performance of their local school or district and to get involved in developing solutions for specific school and student needs. Dashboard software (web applications) works by pulling information from different databases and cloud-based sources.
See also ESSA’s Data Privacy Requirements (below) for more information on the disclosure of student information.
State report cards must include:
- Detailed description of the State accountability system
- Schools in need of support and improvement as identified by State methodology
- Student participation rates in assessments
- Assessment scores disaggregated by subgroup
- The number and percentages of students taking alternative assessments
- English language learner proficiency rates
- Student performance on academic indicators
- High school graduation rates
- College and career readiness (i.e. postsecondary enrollment, SAT/ACT scores, etc.)
- Performance level on statewide non-academic indicators (i.e. social-emotional learning,
- Per-pupil expenditures of federal, state, and local funds, including actual personnel costs
- Teacher qualifications including emergency or provisional credential status
- Results from the National Assessment of Educational Progress
- Data consistent with the Civil Rights Data Collection survey
Adapted from: http://www.ascd.org/ASCD/pdf/siteASCD/policy/ESSA-Accountability-FAQ_May112016.pdf
State Data Dashboards
The examples of State Data Dashboards reflect the components of the State plan. These online report cards must include the data sets required by ESSA.
Note: Information collected, included or disseminated in report cards must be collected and disseminated in a manner that protects individual privacy, consistent with section 444 of the General Education Provisions Act, a.k.a. the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. 1232g), as well as Section 1111(h)(1)(i)(1) of ESSA.
Visit www.isafeventures.com to learn more about legal mandates and safeguarding student data.
Ohio State Department Data Dashboard (Sample)
Source: http://reportcard.education.ohio.gov/Pages/District-Report.aspx?DistrictIRN=048934%5C
New York State Department of Education Data Dashboard
Source: https://data.nysed.gov/
ESSA’s Data Privacy Requirements
Public-facing report cards present large quantities of data by collecting student data from a variety of sources. Thus, ESSA addresses student data privacy, yet to fully protect student information, States must have a process in place to reduce the risk of disclosing students’ personally identifiable information (PII). According to the U.S. Department of Education Privacy Technical Assistance Center (PTAC), this process is referred to as disclosure avoidance: efforts to de-identify data in order to reduce the risk of unauthorized or accidental access to, release, transfer, or other communication of PII from educational records. De-identification is a necessary consideration throughout, from selecting digital learning programs used in the classroom to online assessments and State report cards.
Title I: Statewide Accountability & Reporting
The purpose of Title I is to ensure that all students have access to an effective and equitable education, and to close achievement gaps. State accountability systems and report cards utilize deeper data sets, which allow for informed decision-making and provide transparency. Student data collection and online publication call for State and local compliance with privacy requirements.
Title I, Part A, SEC. 1111 (i) (2) (N) (iii) outlines the general privacy requirements for all of Section 1111. “Information collected or disseminated under this section… shall be collected and disseminated in a manner that protects the privacy of individuals consistent with … the ‘Family Educational Rights and Privacy Act of 1974’ and this Act.” “Disaggregation under this section shall not be required if such disaggregation will reveal personally identifiable information about any student, teacher, principal, or other school leader.”
Title I, Part A, SEC. 1111 (b) (2) (B) (xi) includes a requirement for the State to report disaggregated results based on a number of demographic subgroups, but the results must not “reveal personally identifiable information about an individual student.”
Title II: Student Data Privacy Training for Teachers & School Leaders
High quality student data presents the potential for increasing student achievement. However, district administrators, school leaders, teachers and other relevant personnel must be trained to handle data effectively and ethically. The purpose of Title II is to provide SEAs and LEAs with funds to enhance the quality and effectiveness of teachers, principals and other school leaders in order to improve educational outcomes.
Title II Part A of ESSA provides funds to support training for districts and schools in data privacy.
ESSA Definition: digital learning – The term ‘digital learning’ means any instructional practice that effectively uses technology to strengthen a student’s learning experience and encompasses a wide spectrum of tools and practices.
Digital Learning tools and practices, as outlined by ESSA include:
- interactive learning resources, digital learning content (which may include openly licensed content), software, or simulations, that engage students in academic content
- access to online databases and other primary source documents
- the use of data and information to personalize learning and provide targeted supplementary instruction
- online and computer-based assessments
- learning environments that allow for rich collaboration and communication (which may include student collaboration with content experts and peers)
- hybrid or blended learning, which occurs under direct instructor supervision at a school or other location away from home and, at least in part, through online delivery of instruction with some element of student control over time, place, path, or pace
- access to online course opportunities for students in rural or remote areas.
Source: (20 USC 7112)
ESSA & E-Rate
The modernization of the Federal Communications Commission’s E-rate program has also significantly increased funding for building a technology infrastructure to support digital learning. However, E-Rate mandates pertain to the Children’s Internet Protection Act (CIPA), which includes firewalls to protect students from inappropriate online content and contacts and requires educational agencies to verify implementation of an e-Safety program that addresses specific topics. CIPA does not provide regulations on student data privacy. However, any use of Federal education funds must comply with applicable privacy laws and the specific program requirements of each funding source.
Source: https://tech.ed.gov/files/2017/01/2017.1.18-Tech-Federal-Funds-Final-V4.pdf
See also Regulatory Landscape: The Youth Market and Privacy Regulations
FERPA: Safeguarding Student Data
At the school level, educational technology enables principals and teachers to collect and analyze student data inclusive of online services, software and mobile apps, databases, cloud storage, digital curriculum, and more. In fact, every electronic device or software application connected to the Internet is capable of collecting or providing access to student data. Although school leaders and educators can use student data to improve educational outcomes and close achievement gaps, policies and practices must be in place to ensure that student data is secured and only used for legitimate educational purposes.
The Privacy Technical Assistance Center defines FERPA as:
“…a federal law that protects the privacy of student education records and gives parents and eligible students certain rights with respect to education records, including under certain circumstances rights of inspection and review and generally, the right to consent to the disclosure of these records.”
(34 CFR Part 99, Subpart B, 34 CFR § 99.30)
According to FERPA law, before a State or local education agency or institution discloses personally identifiable information (PII) from student educational records, a parent or guardian must provide signed and dated Verifiable Parental Consent unless the disclosure meets one of the permissible exceptions to FERPA’s written consent requirement. PII refers to a student’s name or identification number that can be used to distinguish or trace an individual’s identity either directly or indirectly by linking with other information.
20 U.S.C. §§ 1232g (b) (1-3), (b) (5-7), (h), (i), and (j); 34 CFR §§ 99.30(a) and 99.31
FERPA Basics
The Family Educational Rights and Privacy Act (FERPA) was enacted back in 1974. The law prohibits schools and school districts from disclosing personally identifiable information (PII) in student educational records without Verified Parental Consent (VPC). As educational technology adoption increased, the USDE clarified the definition of “school officials” in 2008 to include third-party vendors such as online services, database management companies, or digital curriculum providers. Third-party vendors offer services that educators view as beneficial in facilitating communication with parents and families, enhancing the quality of educational programs, providing student services and support, and offering secure data storage. As “school officials,” third parties have access to sensitive student information, jeopardizing its confidentiality and security. Moreover, without regulation, companies might use educational data for commercial purposes or create dossiers using student information. Thus, in 2014, Congress passed a bill to update FERPA, clarifying that third parties are prohibited from using student information for marketing and advertisement. Moreover, States have since strengthened data privacy laws to safeguard student information.
Third Party Services
Operators of websites, online services, web-based applications and mobile applications must comply with State and federal law whether or not they contract with schools. Schools and school districts must have direct control over the ways that student data will be accessed and handled. Districts and contractors that do not ensure that best practices are followed may find themselves in hot water, in violation not only of FERPA but of other statutory compliance mandates as well, including the Protection of Pupil Rights Amendment (PPRA), which deals with sensitive issues and requires school districts to notify parents if their PII will be used for marketing purposes, and the Children’s Online Privacy Protection Act (COPPA), which requires companies to obtain Verified Parental Consent prior to collecting, using or disclosing PII from children under the age of 13. Note that educators may use websites, apps and other online services for which a contract with the district has not been made. Refer to the best practices below.
Best Practices
The transition to ESSA necessitates that States and districts not only update their technologies to fulfill federal requirements around data reporting, but also update policies and practices to address such changes. Below are some best practices for States, district and school leaders, and educators.
- Annually review data privacy policies to ensure compliance with relevant laws
- Update privacy policies to address weaknesses in processes, practices and procedures
- Maintain technology safeguards for statewide data systems and data collection processes
- Clearly communicate best practice in data breach notification and response policies and procedures for schools and districts
- Ensure student data access is restricted to legitimate educational purposes and to carefully designated “school officials”
- Reduce risk through disclosure avoidance
- Guide schools and school districts in best practice regarding collection, storage, security and removal of student data
- Provide districts with a robust identity management solution that safeguards student identity
- Communicate the student data privacy policy to all stakeholders in easy to understand language including communication with teachers and parents
- Clearly specify in the district policy the type of student information that is collected, how the data is used, to whom the data is disclosed, and how data will be disposed of
- Review and regularly update data breach response procedures
- Establish policies and procedures for evaluating and approving of proposed online educational services
- Effectively train district staff in the legal requirements and specific policies and practices to responsibly, ethically and effectively handle student data
- Educate staff about online educational services (i.e. web-based tools, apps, etc.) and how to determine that programs are FERPA compliant, and to follow State laws and district guidelines
- Ensure that third party vendors are prohibited from disclosing student PII without VPC, and that the contract specifically addresses the allowable and disallowable uses of student information
- Ensure that the Terms of Service with contracted vendors follow all regulatory compliance mandates that govern data access, data security and disposal of student data
- Practice transparency by posting policies formed with contracted service providers on district and school websites in a language that is easy for parents and other stakeholders to understand
- Provide a list of district-approved technologies and online services
- Publicly list all online educational services, mobile apps and software applications used within the school district
- Require and obtain Verified Parental Consent for educational technology hardware, systems and online educational services (i.e. website, software applications, mobile apps)
- Address questions and concerns from parents and/or guardians regarding district data privacy policies and the privacy and security of technologies and online services adopted within the school district
- Be well-acquainted with Federal, State and district regulations concerning student data privacy such as FERPA
- Ensure that third party vendors' privacy policies and security information are clearly communicated to all stakeholders, including parents
- Clearly communicate with teachers and parents regarding the school’s collection and use of student data
- Train educators on how to determine whether online educational services, apps and platforms are in compliance with Federal, State and district requirements including FERPA
- Inform educators, other relevant school staff and parents of data breach response procedures
- Establish a policy and process for evaluating and approving the introduction of technologies and online services (e.g. websites, application software, mobile apps, etc.) into the classroom
- Present educators with a list of pre-approved online service providers, websites, apps and other educational technologies
- Train teachers to communicate with parents and obtain Verified Parental Consent prior to implementing online educational services, websites, apps or other educational technologies
- Address parents' questions and concerns over student data privacy and practices of online educational services
- Provide options for students whose parents choose to opt-out of using a particular service
- Get familiar with regulatory compliance mandates governing student data privacy such as FERPA
- Ensure that technologies are in compliance with student data privacy laws (FERPA), and follow State laws and district guidelines for incorporating online services and technologies into the classroom
- Provide parents with a list of all of the technologies and services that students will use as part of their learning experience including privacy policies and security information
- Communicate with parents prior to incorporating new technologies, software, websites, apps or other online services
- Address parents' questions regarding student data usage, privacy policies and security
- Obtain Verified Parental Consent for all technologies and services used in the classroom
About i-SAFE Ventures
i-SAFE Ventures is a hybrid organization (non-profit and for-profit LLC) focused on helping educational and commercial organizations comply with statutory regulations safeguarding child privacy. We offer a suite of technology services and solutions which enable identity management, and age-appropriate e-safety instructional programming, which meets and exceeds regulatory requirements. We are on the cutting-edge of technology and education. Learn more at isafeventures.com
References:
https://ed.gov/policy/elsec/leg/essa/essaaccountstplans1129.pdf
https://data.nysed.gov/
https://ferpasherpa.org/schneiderman1/
https://isafedirect.com/vpcservices
https://nassp.org/who-we-are/board-of-directors/position-statements/student-data-privacy?SSO=true
http://ptac.ed.gov/sites/default/files/LEA%20Transparency%20Best%20Practices%20final.pdf
http://reportcard.education.ohio.gov/Pages/District-Report.aspx?DistrictIRN=048934%5C
https://studentprivacy.ed.gov/content/disclosure-avoidance
https://tech.ed.gov/files/2017/01/2017.1.18-Tech-Federal-Funds-Final-V4.pdf
http://www.ascd.org/ASCD/pdf/siteASCD/policy/ESSA-Accountability-FAQ_May112016.pdf
https://www.fcc.gov/consumers/guides/childrens-internet-protection-act
https://www.gpo.gov/fdsys/pkg/BILLS-114s1177enr/pdf/BILLS-114s1177enr.pdf
http://www.isafeventures.com/2015/08/04/coppa/
http://www.isafeventures.com/2015/08/05/ferpa/
http://www.isafeventures.com/2015/08/05/ppra/
https://www.isafeventures.com/2017/05/05/essa-essentials/
https://www.law.cornell.edu/cfr/text/34/99.31
http://www.ncsl.org/research/education/student-data-privacy.aspx