The Center for Democracy & Technology, along with the law firm BakerHostetler, developed a state-by-state compendium of privacy laws relating to the collection, use, and sharing of student data.
While the practice of collecting data about students is not new–schools have been gathering and reporting test scores, grades, retention records, and the like for years–the means by which student data is collected, the types of data collected, and the entities that ultimately have access to this data have expanded dramatically, the report explains.
In order to understand the laws on a state level, as well as in a regional and national context, let’s look at each state and regional individually, using the United States Census Bureau’s four statistical regions–the Northeast, Midwest, South, and West.
- Illinois–While Illinois offers a lengthy definition of educational record, it doesn’t offer a definition of student record. The state has a broad prohibition on releasing student records except in limited circumstances, including to parents, board of education employees who have a demonstrated need, pursuant to a court order, and to be in compliance with the Family Educational Rights and Privacy Act (FERPA). The report explains that [a] school may maintain indefinitely anonymous information from student temporary records for authorized research, statistical reporting or planning purposes, provided that no student or parent can be individually identified from the information maintained.” Additionally, according to the report, each school is required to have an “official records custodian,” who is responsible for “maintenance, care and security of all school student records, whether or not such records are in his personal custody or control.” The report also notes that the records custodian “shall take all reasonable measures to prevent unauthorized access to or dissemination of school student records. The Land of Lincoln only authorizes schools to maintain records of “anonymous information from student temporary records” and only for “authorized research, statistical reporting or planning purposes, provided that no student or parent can be individually identified from the information maintained.”
- Indiana–As with other states in the region and country, Indiana offers a definition of educational record, but not one for student data. The state requires schools to comply with FERPA and to only release data under limited circumstances. The state hasn’t codified data retention limits, security protocols, or de-identification or aggregation rules.
- Iowa–The Hawkeye State also only defines educational records in its statutes. Iowa also mandates that data be kept private unless required by law or court order to share data. It does, however, note that data can be shared with secondary education institutions upon the student’s request. The state also notes that statutes discussing data privacy shouldn’t be construed to prohibit a postsecondary education institution from disclosing to a parent or guardian information regarding a violation of a Federal, state, or local law, or institutional rule or policy governing the use or possession of alcohol or a controlled substance if the child is under 21 and the institution determines that the student committed a disciplinary violation with respect to the use or possession of alcohol or a controlled substance regardless of whether that information is contained in the student’s education records. The state does provide security protocols, but doesn’t have language on data retention or de-identification and aggregation.
- Kansas–The state provides definitions for both educational records and student data. Additionally, data is required to be kept confidential except under limited circumstances. The report also notes that when student data is transferred to another agency or to a service provider pursuant to a data-sharing agreement, “the student data shall be destroyed when no longer necessary for the purposes of the data-sharing agreement or upon expiration of the data-sharing agreement, whichever occurs first.” School boards are also required to design and implement security protocols with specific requirements, as well as de-identification and aggregation procedures.
- Michigan–Michigan provides strong definitions for both educational records and student data. The state also requires student data to be kept private except for limited circumstances. The statutes also note that official recruiting representatives of the armed forces of the United States or their service academies may receive pupil directory information, but shall use that information only to provide information to pupils concerning educational and career opportunities available in the armed forces or the service academies, and shall not release that information to a person who is not involved in recruiting for the armed forces or the service academies. The Great Lakes State hasn’t codified any security protocols or data minimization rules. However, the state does require schools to use data in aggregate for reporting purposes.
- Minnesota–Minnesota provides a brief definition for educational records and no definition for student data. It does, however, require student data to be kept private and subjects any entities that the government contracts with to follow the state’s data privacy laws. Minnesota requires schools to keep data for a long period of time. The report notes that any registered schools (private schools offering degree programs and out-of-state postsecondary educational institutions offering distance learning to students within Minnesota), shall maintain a permanent record for each student for 50 years from the last date of the student’s attendance. The state also lays out requirements for data security and de-identification and aggregation of data.
- Missouri–As with many states in the region, the state defines educational record, but not student data. Missouri also requires schools to keep data private, and when contracting with third parties the state must ensure that any contracts that govern databases, assessments, or instructional supports that include student or redacted data and are outsourced to private vendors include express provisions that safeguard privacy and security, including provisions that prohibit private vendors from selling student data or from using student data in furtherance of advertising, with penalties for noncompliance, except to a local service provider for the limited purpose authorized by the school or district whose access to student data, if any, is limited to “directory information” as that term is defined in the Federal regulations implementing FERPA. While the Show Me State doesn’t have any statutes on data minimization, it does have security protocols and aggregation requirements on the books.
- Nebraska–Nebraska also only defines educational record. The state does require records to be kept private, but it carves out an exception for state employees who are analyzing whether a Federal- or state-funded educational program is successful or working properly. While the Cornhusker State doesn’t have data security protocols codified, it does have regulations on data minimization, as well as de-identification and aggregation.
- North Dakota–The Peace Garden State does provide a brief definition of educational record, but skips one on student data. The state does have data minimization rules laid out, including when data must be disposed of. While North Dakota doesn’t have any rules codified regarding de-identification or aggregation of data, it does lay out specific security requirements, including the use of encryption technology and staff training.
- Ohio–The state provides definitions for both educational record and student data–both of which are lengthy and detailed. Additionally, while the state does require personalized data to be kept private, the report notes that the state doesn’t possess identifiable data in the first place. The statewide Education Management Information System (EMIS) is the Department of Education’s student data system. Data submitted to the statewide EMIS includes individual test, attendance, demographic, program, and course data. Such data are reported using a Statewide Student Identifier. The state also provides lengthy regulations, with specific rules and requirements, governing data minimization, security protocols, and de-identification and aggregation. The state also provides governance for third-party contracts that the board of education or schools may enter into.
- South Dakota–The state offers strong definitions for numerous words surrounding the issue of student data privacy. However, it does not offer regulations on data retention or de-identification requirements. The law does prevent the government from sharing student data with third parties and offers protocols regarding the securing of student data.
- Wisconsin–The state excludes notes or records maintained for personal use by a teacher or other person who is required to hold a certificate, license, or permit if such records and notes are not available to others; records necessary for, and available only to persons involved in, the psychological treatment of a pupil; and law enforcement unit records from its definition of educational record. Additionally, Wisconsin requires student records to be kept confidential with limited exceptions, including law enforcement, authorized public officials, parents of the pupil, or for limited purposes in an emergency. The state also has clear data retention policies, requiring that each school board adopt rules in writing specifying the content of pupil records and the time during which pupil records shall be maintained. According to the report, pupils’ progress records shall be maintained for at least five years after the pupil ceases to be enrolled in the school. Additionally, behavioral records shall only be maintained for one year after the pupil ceases to be enrolled in the school, unless the student requests records be maintained for longer. However, the Badger State doesn’t specify security protocols regarding student data or require the de-identification or aggregation of data.
Also in This Report:
Alabama, Arkansas, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, North Carolina, Oklahoma, South Carolina, Tennessee, Texas, Virginia, Washington, D.C., West Virginia
Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, Wyoming
Connecticut, Maine, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania, Rhode Island, Vermont