Dept of Ed: Parents, Not Minor Students, Must Consent to College Admissions Pre-Test Surveys and Data Sharing

By Amelia Vance, Sara Collins and Tyler Park

Ed Tech vendors that use student data to provide services in schools must navigate a complicated legal landscape, including intertwining state and federal laws, all of which are designed to protect student privacy. Newly-released technical assistance from the US Department of Education’s (USED) Privacy Technical Assistance Center (PTAC) explores student data use practices by state and local education agencies (SEAs and LEAs) that register students for college admissions examinations. School registration of students for these exams or the use of these exams as Title I assessments can raise questions about statutory compliance obligations.

A key finding in the PTAC guidance: optional surveys administered to students as part of the SAT and ACT exams can violate the Protection of Pupil Rights Amendment (PPRA), Family Education Rights and Privacy Act (FERPA), and Individuals with Disabilities Education Act (IDEA) if appropriate transparency, consent, and other privacy safeguards are not employed.

The guidance is not limited to administration of the SAT and ACT in particular; PTAC intends the guidance to inform LEA and SEA practices whenever schools register students for third-party examinations and surveys that collect protected information. Also, it is worth emphasizing that this technical assistance does not apply when students take the SAT or ACT independently.

Why is this happening now?

Originally, students signed up to take the ACT and/or SAT on their own to fulfill college admissions requirements for certain schools. In recent years, states have elected to make the ACT and/or SAT mandatory for high school students and have begun administering the test directly. This change occurred for two reasons. First, states and districts want to increase college access – by making the ACT/SAT free, it removes an economic barrier to entering college. Second, the ACT/SAT is now being used by some states as the high school english and math assessment required and authorized by Title I of the ESEA. In states where this shift occurred, information collected in conjunction with the administration of those tests becomes part of the student’s educational record, and therefore subject to legal obligations under FERPA.

The Issue

As part of an SAT or ACT test, students can fill out a presurvey that asks questions about various topics, including religious affiliation and parental income. Students currently “opt in” to taking the survey and having the information they enter into the survey shared with education-related third parties. The primary purpose of these surveys is to help colleges, universities, scholarship services, and recruiters identify students who may be of interest to their programs. However, it is not always clear that these surveys are voluntary; PTAC wrote in the technical assistance:

We have heard from teachers and students…that the voluntary nature of these pre-test surveys is not well understood, and that each of the questions requires a response, and the student must affirmatively indicate in response to multiple questions that the student does not wish to provide the information.

PPRA

The Protection of Pupil Rights Amendment (PPRA), passed in 1978, “seeks to ensure that schools and contractors obtain written parental consent before minor students are required to participate in any ED-funded survey, analysis, or evaluation that reveals” certain sensitive information – including religion and parental income, two categories of information included in the SAT and ACT pre-surveys. Under PPRA,

LEAs must also adopt policies to protect student privacy in the event of the administration or distribution of any survey containing questions that ask students to reveal information from one of the eight PPRA-protected areas and also provide notification to parents, at least annually, at the beginning of the school year, of the specific or approximate dates during the school year when such a survey is scheduled or expected to be scheduled and an opportunity for parents to opt their students out of participation in any such survey.

The technical assistance finds that, under PPRA, parents – or students if they are over 18 – must be notified and given the opportunity to opt-out of participation in the SAT and ACT pre-surveys by LEAs.

FERPA and IDEA

FERPA requires data protections around student personally identifiable information in education records.  FERPA limits what data can be disclosed, to whom, and determines when consent is required for disclosure. IDEA governs the rights of students with disabilities, requiring broader student data protections than FERPA. Under FERPA, re-disclosing information from student records can only occur with prior written parental consent or under a FERPA exception. Under IDEA Part B regulations, re-disclosures also cannot occur without written parental consent or an applicable exception.

Implications

The college admission exam technical assistance letter has a number of implications for stakeholders. Because the technical assistance and its implications are layered, more information and impressions will become apparent over the next few weeks. Here are some of our initial takeaways from the letter:

Contracts with Ed Tech Companies

Interestingly, the technical assistance says that “[c]ontracts between testing companies and SEA, LEAs, or schools for testing…should include provisions assuring that before [personally identifiable information] is disclosed nonconsensually, the testing companies (when acting on behalf of the SEA, LEA, or school) will comply with the privacy protections required by Federal law, specifically FERPA and IDEA.” It is unclear – but not unlikely – whether this requirement would apply to contracts between non-testing ed tech companies and SEAs, LEAs, or schools.

Specifically, the technical assistance “encourages SEAs and LEAs to consider the following when contracting with testing companies:

This appears to be the first time that PTAC or USED has articulated these best practices.

PPRA: A Bigger Issue Moving Forward?

This is the most extensive technical assistance released on PPRA in almost forty years. It is possible that this indicates that USED has a heightened interest in providing guidance regarding PPRA, and that further guidance may be forthcoming. This is not only interesting because of the issues that PPRA’s survey restrictions raise, but also because PPRA has many little-known but significant restrictions and requirements:

Parents must be annually notified about these policies, and also notified whenever there is a survey that includes questions on a restricted topic or when student personal information will be “collected from students for the purpose of marketing or for selling that information (or otherwise providing that information to others for that purpose).”

Many schools are unaware of the full scope of PPRA, and additional guidance and technical assistance around the law would likely be beneficial. In this technical assistance, PTAC recommends that LEAs:

Significant Guidance

The technical assistance – designated as “significant guidance” – issued by PTAC demonstrates that the stakes are high for companies offering college admission testing to students and the schools that rely on them. Although financial penalties are rare, USED has other enforcement options if a school acts in a way that is inconsistent with the law, such as imposing a five-year ban on data transfers from an offending ed tech provider to the LEA or SEA where they violated FERPA. Highlighting to LEAs, SEAs, college admission test vendors, and other ed tech companies what is and is not consistent with FERPA, IDEA, and PPRA can not only increase compliance with those laws, but ensure all stakeholders understand how to better protect student data.

 

FPF Testifies Before Congress on Promoting and Protecting Student Privacy

For Immediate Release:

May 17, 2018

Contact: Erika Ross, Communications Associate, Education Privacy Project

[email protected]

FPF Testifies Before Congress on Promoting and Protecting Student Privacy

Washington, D.C– Today, Future of Privacy Forum’s (FPF) Amelia Vance, Director of the Education Privacy Project, will deliver testimony in a hearing before the House Committee on Education and the Workforce, “Protecting Privacy, Promoting Data Security: Exploring How Schools and States Keep Data Safe.” In her prepared testimony, Vance will comment on how states, districts and ed tech companies can work together in ensuring student privacy.

Vance will discuss the value of technology and data when it is used and implemented properly, and discuss innovative practices that help schools, states, and companies protect student privacy. She will also address the challenges and opportunities that stakeholders face when supporting appropriate use of educational technologies while safeguarding privacy.

Also testifying at the hearing are David Couch, K-12 CIO and Associate Commissioner of the Kentucky Office of Education Technology; Catherine Lhamon, Attorney and Former Assistant Secretary for Civil Rights at the U.S. Department of Education; and Dr. Gary Lilly, Superintendent of Bristol Tennessee City Schools.

Vance previously spoke on student privacy at the December 2017 workshop on student privacy and ed tech, hosted by the FTC and the U.S. Department of Education.  

FPF is a non-profit organization focused on consumer privacy issues. FPF primarily equips and convenes key stakeholders to find actionable solutions to the privacy concerns raised by the speed of technological development. FPF’s Education Privacy Project works to ensure student privacy while supporting technology use and innovation in education that can help students succeed. Among other initiatives, FPF maintains the education privacy resource center website, FERPA|Sherpa, and co-founded the Student Privacy Pledge.

A full version of Vance’s testimony is available here.

 

FPF Comments on CA Public Utilities Commission Autonomous Vehicle Passenger Service Proceeding

Last week, the Future of Privacy Forum filed written comments in response to the California Public Utilities Commission’s proposed decision authorizing pilot programs for passenger service in Autonomous Vehicles. The CPUC is a consumer protection agency that oversees, among other topics, provision of passenger service in the state. The proposed decision called for a number of criteria to be met by companies seeking to operate AV passenger service, including reporting of communications between passengers and remote operators of driverless AVs, as well as aggregated operations data. Opening comments by other parties called for even more data to be collected, including GPS information for pick-ups and drop-offs.

FPF filed comments focusing on three main topics: 1) Because the Commission cannot ensure that data will not be made public, it should minimize data collection and incorporate privacy safeguards; 2) Communication between passengers and remote operators could contain sensitive information, and the disclosure contemplated by the Commission could create serious privacy risks; and 3) Other opening comments’ requests for additional service data raise additional, significant privacy and security concerns. Some of these points echo our prior letter to the New York Taxi and Limousine Commission regarding privacy risks of sensitive geolocation and other consumer data).

Read the full comment here.

 

FPF Comments on Minnesota Student Privacy Bill HF 1507

Yesterday, the Future of Privacy Forum submitted written comments to members of the Minnesota House of Representatives in response to the pending student privacy bill, the Student Data Privacy Act (HF 1507). FPF expressed concerns about the proposed language of the bill, which would create conflicting requirements for schools and education technology companies, and likely cause unintended consequences for Minnesota schools and students. The primary concerns were:

Read the full letter here.