Ohio student-data privacy laws rated weak
Education officials: Study doesn’t reflect work being done.
— A report COLUMBUS that rates states on how well their laws protect the privacy of student data ranks Ohio’s efforts among the weakest.
Ohio finished in 40th place with a D-minus, and the only states that scored lower were those the report listed as not having approved any laws in the past six years.
But the Ohio Department of Education and groups helping school districts safeguard the sensitive student data they collect say the report doesn’t illustrate all the work being done across the state. That includes the state recently joining the Student Data Privacy Consortium, a group that shares free resources and strategies about how to secure data such as student grades, disciplinary actions, medical conditions and contact information.
The study itself has drawn criticism from some outside privacy experts. They say the measurements used in the report — released last month by the Parent Coalition for Student Privacy and the Network for Public Education, advocacy groups based in Colorado and New York, respectively — don’t provide a full picture of protections in many states.
“Technology moves really quickly, and the legislation is almost always behind what technology can offer,” said Larry Fruth of New Albany, a former technology director for the Ohio Department of Education and co-founder of the Student Data Privacy Consortium, which includes 8,400 member districts in several countries.
The group, based in Washington, D.C., teaches educators how to negotiate contracts with technology vendors, detect scams and unsecured apps, and prevent common “user errors,” such as misplacing a flash drive or sending an email to the wrong person.
Sara Clark, general counsel for the Ohio School Boards Association, agreed, saying that “school districts aren’t waiting for legislation to tell them how to guide their work in this area. It’s very much on the front burner already.”
The association regularly hosts cyber-law workshops for educators, she said.
But the report’s primary author, Rachael Stickland, said it intentionally focused only on student-data privacy laws to help parents and lawmakers understand how the state’s laws compare with others and to lobby for change. It’s a complicated but increasingly important topic, Stickland said.
The FBI warned the public in September about the risk of cyber threats in schools due to the increase in education technology and personalized, online learning opportunities, both of which collect data. Examples described hackers using data to shame, bully or threaten students and publicize their personal information.
The new student-data report analyzes 99 laws approved since 2013, ranking criteria on a weighted scale. The criteria included transparency, parent and student rights, enforcement and penalties for violations, and limits on commercial use of data. No state received an A. More than half received aDorF.
The focus of the report in Ohio is House Bill 487, a 2014 law that established guidelines for the state’s education management information system, or “EMIS.”
The law doesn’t mandate implementation by the state or school districts, which Stickland said is a concern. “Very few of these laws have any sort of teeth to enforce them,” she said.
Ohio has long-standing student protections not mentioned in the report, said Dan Minnich, spokesman for the Ohio Department of Education. For example, data sets that districts report to the state use an identification number, not a student’s name. Extra protections prohibit the release of public records called “directory information,” such as students’ names, grade levels and birthdays, for profit-making activities, and require training for anyone collecting data on students with disabilities.
Those rules go beyond the federal Family Educational Rights and Privacy Act, the 1974 federal law that protects student education records, Minnich said.