A key issue at the hearing was a Fordham University study authored by witness Joel Reidenberg that found that a majority (95 percent) of school districts outsource some form of student data, and that only 7 percent of school districts had specific provisions in their vendor contracts that required third parties to keep student data secure and prohibited the sale or use of the data except for educational purposes. Reidenberg called for Congress to update privacy laws such as the Family Educational Rights and Privacy Act (FERPA) to apply to third-party vendors (currently the law only applies to educational institutions).
Mark McCarthy, Vice President of the Software & Information Industry Association, pushed back against Mr. Reidenberg’s assertions, and noted that the study found no actual evidence that student data was being abused by third parties, only that the school district contracts did not contain security provisions. McCarthy pointed out that under FERPA and the Children’s Online Privacy Protection Act (COPPA), student data is prohibited from being used or sold for non-educational purposes, and that if a third party wished to do so, they must obtain the parents’ permission. McCarthy told lawmakers that updates to existing law were unnecessary, especially given the recent FERPA guidance issued by the Department of Education. The other two witnesses. Chief Information Officer for the Idaho Department of Education Joyce Popp and State and District Digital Learning Director for the Alliance for Excellent Education Thomas Murray provided district-or administrator-level examples of what schools are doing currently to protect student data, and the beneficial nature of such data for educational purposes.
Homeland Security Subcommittee Chairman Pat Meehan (R-PA) asked several questions about the scope for potential misuse or sale of student data by third parties. Mr. Reidenberg explained that FERPA only covers certain types of data and cannot be used to prevent the misuse or sale of all types data. He also clarified (as Mr. McCarthy did) that his study found no evidence of abuse, only a lack of security-specific language or provisions in school contracts.
Homeland Security Subcommittee Ranking Member Yvette Clark (D-NY) asked a pointed question about what requirements should be placed on for-profit third-party vendors. Mr. Reidenberg answered that there are a variety of requirements such as data protection, breach notification, prohibition of sale to other parties, etc. that should be, but often are not, included in vendor contracts.
Education Subcommittee Chairman Todd Rokita (R-IN) asked several questions about the state of Idaho’s approach to student data privacy (based on witness Joyce Popp’s testimony), and indicated he believed that a state-by-state approach to privacy regulation was the most sensible.
Education Subcommittee Ranking Member Dave Loebsack (D-IA) asked what should be done to improve states’ and school districts’ contracting processes. Mr. Murray stated that there should, at a minimum, be annual contract reviews, annual audits of who has access to student data, and that a set of “best practices” should be developed and shared among states/districts.