EWA Tip Sheet: Covering Student Data Privacy

Covering student data and privacy issues can be a daunting task for even a seasoned education reporter. 

Schools collect vast amounts of information from students, and many districts are using more tech tools than ever before following the COVID-19 pandemic. 

Online test-proctoring software, messaging platforms and even apps that monitor what sites students are accessing all collect and share data with school officials. 

But many students, parents and community members don’t know much about what data is being collected, how it is protected and who has access to it.

Journalists sometimes even might not realize what role student data or privacy plays in a story, said Ben Herold, a reporter for Education Week, at this year’s 2023 SXSW EDU Conference & Festival.

As he started covering technology’s role in education, he realized that “technology and data privacy are really kind of a part of everything,” Herold said.

“I think there’s a tendency to think of [student data privacy] as a standalone story,” he said. “Like ‘this weekend, I’m doing my data privacy story and I’ll go back to curriculum or staffing or whatever else it may be,’ but actually data privacy and technology are embedded throughout the beat.” 

Civil rights advocates are concerned that organizations are using flawed data sets that discriminate against certain student populations.

Experienced reporters recently gathered to share some pressing issues around student data privacy and how they are covering them during an Education Writers Association workshop at the 2023 SXSW EDU Conference & Festival in Austin, Texas. 

Let’s take a look:

Participants Featured in This Workshop:

• Pia Ceres, senior web producer, WIRED
• Ben Herold, reporter, Education Week
• Tawnell Hobbs, investigative reporter, The Wall Street Journal
• Arijit Sen, computational journalist, The Dallas Morning News

The State of Student Data Privacy: Top-Level Takeaways

• It’s a civil rights issue: There is a longstanding relationship between “racism, science and especially Black male communities,” Clarence Okoh, senior policy counsel at the Center for Law and Social Policy, said during another EWA session at SXSW EDU in March, and that includes education technology. Surveillance tools in schools are already being used by law enforcement agencies as part of “predictive policing programs,” such as the one in Pasco County, Florida, and are disproportionately affecting vulnerable student populations. 
• Who has access to student data is murky. Many school districts contract with vendors like software companies that might even tailor their products to the needs of the district. The Family Educational Rights and Privacy Act (FERPA), a federal law that protects who has access to student data, is unclear and so vendors are often granted access to otherwise protected information. 
• Privacy = safety: As states like Texas and Florida crack down on what schools are required to disclose to parents or other agencies, such as whether a child uses different pronouns at school or is receiving gender-affirming treatment, privacy shouldn’t be given up in the name of safety, said Elizabeth Laird, director of the Center for Democracy & Technology during another EWA session at SXSW EDU. “The more we understand the harms that can happen when students’ privacy is violated, the more we can understand this is also about safety.” 
• Cyberattacks: Schools and districts are especially vulnerable to hackers and ransomware attacks, which leave student data at risk. The Wall Street Journal’s Tawnell Hobbs said districts often aren’t spending much on beefing up cybersecurity and student data. Young students’ identities are “gold” for hackers, she added. 

The Legal Landscape: Laws to Know

• The Family Educational Rights and Privacy Act (FERPA): Gives parents the right to access their children’s education records and some control over what “personally identifiable” information is released. Districts still must surrender information if subpoenaed though and can release private information to third-party vendors designated as school officials.
  

• The Children’s Online Privacy Protection Act (COPPA): Passed in 1998, the law focuses on private companies, protecting the personal information of children under the age of 13. It requires parental consent to collect and store data from kids. Enforced by the Federal Trade Commission, companies can face hefty fines for violating the act.
• California’s Age-Appropriate Design Code: Though there is some political appetite at the federal level to address children’s online safety, often enforcement falls to the states. This California code, which goes into effect in July 2024, places new legal obligations on companies with respect to online products and services that are “likely to be accessed by children” under the age of 18.
• TikTok bans: Congress also recently banned TikTok from most U.S. government-issued devices, and more than half of all states have banned the app from state-owned devices, including at public universities. Policies around the app are likely to continue to evolve as the company faces mounting pressure from lawmakers.

Tips From the Pros

• Ben Herold: Leverage public records. Obtain contracts and agreements with vendors. Build strong source relationships to help you figure out what to ask for through a FOIA request or what to look for in thousands of pages of documents. 
• Tawnell Hobbs: “Don’t stay too long on the dark web.” Hobbs said getting on the dark web took her reporting on hackers and hacked school systems to the next level, but she cautions that not every reporter or every newsroom has the resources to safely access the dark web. Reporters need strong support from their newsroom and IT departments to make it work. She tells reporters to be sure to protect their own identities and mental health online. 
• Pia Ceres: “Find the grassroots movement, who the vocal parents are, who are the parents less engaged and [find out] why.” Grassroots parent movements are often the ones raising awareness and concerns about these technologies. Sometimes, these concerns even unite parents across partisan lines.
• Ari Sen: Use databases like GovSpend.com to see how much school districts or universities are spending on surveillance tools and compare what institutions say the tool is used for and what they are actually using it for. Often, tools claiming to improve safety show “little evidence of lives saved” – worse, it’s up to reporters to find examples of lives made worse.

Student Data Privacy Story Ideas

• What ed tech tools or services do schools in your district use?
• Do schools in your district monitor students’ social media use?
• How are schools in your district surveilling students?
• How much is your district spending on tools like Bark, Gaggle, Securly, etc.?
• What student information do third-party vendors, like other government agencies or private companies, in your community have access to?
• Do parents know what information is being collected about their child? What are their rights?
• How much does your district spend on cybersecurity or IT services?
• How do schools in your district protect student data? How is the information stored? Who has access to it?
• Has your district ever experienced a security breach? What plans does your district have in place to protect student information in the event a breach happens?