Future of Data – Future of Policy

The Data Quality Campaign hosted an event on Friday last week entitled, Maximizing power of education data while protecting the privacy, security and confidentiality of student information

Panelists included:

  • Christopher Calabrese, legislative counsel for privacy-related issues in the American Civil Liberties Union’s Washington Legislative Office (WLO).
  • Robert Gellman, privacy and information policy consultant in Washington, D.C., specializing in health confidentiality policy, privacy and data protection, and Internet privacy.
  • Joel R. Reidenberg, Founding Academic Director of the Center on Law and Information Policy at Fordham Law School.
  • Gary West, Strategic Initiative Director for Information Systems and Research at the Council of Chief State School Officers (CCSSO).
  • Steve Winnick, practitioner of education law and policy with EducationCounsel LLC.

Resources for the panel include:

Supporting Data Use While Protecting the Privacy, Security and Confidentiality of Student Information: A Primer for State Policymakers

Using Data to Improve Education: A Legal Reference Guide to Protecting Student Privacy and Data Security

Aimee Guidera, Executive Director at the Data Quality Campaign, opened the panel with a discussion of why educational institutions are not using data to make informed decisions. She said that regardless of the fact that expectations are rising and resources are tight, it is important to have conversations about the responsibility of improving student achievement and outcomes while also improving structures that guarantee safety and protection.

With the passage of NCLB, data-gathering has been given a bad rap. Guidera pointed out that the introduction of accountability measures was a huge step for education, but it made using the data gathering process seem like a defense mechanism rather than using data to make informed decisions. She continued that data gathering is not effective when it is not used to guide conversations.

Guidera also said it was time to open the discussion of how policymakers can support and build capacity to use data to influence and inform decisions. This conversation would require that governance structures step out of their traditional silos and talk about how to link and share information with all people in a way that ensures privacy, maintains accuracy, requires safety, creates an environment of trust, and supports new technology structures.

Question to the panel: What are states doing to be proactively involved in starting these conversations?

Gary West discussed that k-12 education in the United States has always had information about students, but is one of the last nations to use that data to actually improve education systems. West feels that policymakers at a state level are moving away from a compliance-oriented structure of governance to a more service-oriented structure, which is a good step. He concluded that getting policymakers’ minds wrapped around an “all package deal,” including the service components with privacy being the coat, is important as these conversations move forward.

Christopher Calabrese began his remarks stating that reporting needs to be on the same level from all different schooling systems, and that data needs to be collected uniformly. Moving forward, it is important to make sure that students do not get lost because of balancing structural issues. Calabrese discussed the importance of looking at educational trends in data gathering and privacy, and cross tabulating them to better inform policies around civil liberties for kids. He continued that it is important to ask why data is being collected and what it is being collected for. He feels that most often information is gathered that is not critical to data collection, and to make sure data gathered is rid of personally identifiable information if possible. He also mentioned paying particular attention to FERPA rules when discussing privacy and security.

Robert Gellman discussed how state policymakers need to proactively look at fair information practices and how to include it in any particular context. He recognized that one size does not fit all, and that it is better to establish clear expectations and laws and rules that accommodate all these varying circumstances. He argued that it is just as important to write flexible policies that sustain what is fair and equitable for each set of circumstances.

Joel Reidenberg discussed over extensive data collection and non-compliance to certain standards. He said that according to a recent study, states were not adopting fair information practices, transparency in data gathering was atrocious, and states did not comply with the open record rule, demonstrating a lack of accountability to public.

Reidenberg continued that states should have enabling statutes for specific rules for sharing information or outsourcing practices, and should also be given the authority to choose how information is used. He recommended that states come up with internal accountability systems and establish rules and regulations as to who gets access to certain data. Once states address these concerns and protocols, they need to have trained experts on staff to address security issues and programs. He concluded that as information is becoming more readily available, it is important for states to be particularly sensitive to what needs to happen in order to prevent lawsuits.

Steve Winnick posed the argument that there needs to be balance between educational needs and privacy. He said that to an extent schools are failing at risk students. If data is needed to answer the question of why or what can be done to ensure this doesn’t happen, then data gathering needs to happen. He feels that at the federal level, the department and even state policymakers have interpreted FERPA as a way to trump data collection for analysis and implementation purposes. He concluded that states need to do a better job at responding to issues about what policies ought to be, using local connections to have those discussions.

Conclusion

The panel discussed what transparency of information and data gathering could mean for the future of privacy. They argued that breaches are going to happen, and that privacy and abuse of the data will certainly be a risk. Clearly, the more information someone has, the more they need to be cautious. Moving forward, it is important to address and justify the need for data collection. Most agreed that it is important to ask, “Is it worth the privacy risk?”

The panel concluded that parents and the community ought to be able to weigh in and understand how these data will be used. They said involving external stakeholders is important to the overall governance and policy structure. It is equally important to understand how data gathering and sharing impacts families and communities. The panel cautioned against creating a large amorphous mass of data – one overall national database system– due to several security breaches and other potential vulnerabilities.

Personal Takeaways: People are using FERPA as an excuse to prevent action. By thinking FERPA is a scare tactic, it is creating conversations of what CAN’T happen and preventing conversations of what CAN happen. While some feel that less data would be better, if it means not losing kids to the system, states should take the risk anyway. By paying more attention to fair information practices, data use and collection can get better.

SECOND PANEL

  • Kathy Gosa, Kansas State Department of Education (KSDE).
  • Donald Houde, former President of the Houde Consulting Group and Chief Information and Technical Officer for the Arizona Department of Education.
  • Alice Seagren, Commissioner of the Minnesota Department of Education (MDE) in July 2004.
  • Kathleen Styles, Chief Privacy Officer for the U.S. Department of Education.

The discussion opened with remarks on what individual states are doing to ensure privacy and security during the data gathering process, and provided recommendations for federal policymakers.

Donald Houde discussed policy implications of protecting the privacy of both children and educators. While the discussion for privacy exists, it is important to talk about talking how and what the state needs to do to operationalize appropriate and effective security programs. He suggests that states need to recognize that more security will mean more investment and more commitment from state employees. There is also a need for guidance from the federal government on how to best protect confidentiality and privacy.

Kathy Gosa said that the purpose of data collection is to get it into the hands of the people who can make and influence decisions. She remarked that this conversation is not new to states, since they have been working on this for many years. With national attention, she hopes that this will help states get what they need.

Alice Seagren said that in order to prepare for the future of education, information must to be readily available. Seagren feels that there needs to be more concentration on how states best develop privacy tactics, and that these ideas need to come and from everyone including policy people, parents, business, educators, etc.

Federal Recommendations

  • Recognize that there is not one size fits all in terms of governance. There should not be one security mandate or detail for all states to abide by. States should be able to determine their own standards.
  • Provide information for missing pieces as states build their system and security infrastructure.
  • Take these conversations and provide best practices, feedback, recommendations and standards that are not mandated. Houde argues that barriers are created when something is mandated. He suggests that even if it is a good mandate, it is harder for people to think about and implement. He also suggests that the federal government needs to develop a certain amount of trust, and providing federal recommendations of security measures and privacy creates a sense of “you can trust us and here is why.”

State Suggestions

  • Understand privacy laws and how it affects data collection.
  • Analyze security capacity.
  • Establish governance structure.
  • Establish data elements for collection purposes.
  • Determine data ownership and who is accountable for decisions around this data.
  • Separate stewardship amongst agency members. Decide who is responsible for what, and create project governance to account for risks, lack of control, abuse of data information, etc.
  • Consider having a data request review board.
  • Develop a clear escalation process for issues.
  • Consider assigning primary investigative advocates, i.e. a translator to understand what is needed for researchers.
  • Partner with people who understand data sets.
  • Use reasonable methods when creating security programs in order to avoid exploitation and compromise. When looking at security programs have implementation, review, and audit systems in place.
  • Define training and access and how it should be handled on both district and state levels.
  • Create a process for the ethical uses of data.
  • Make information available for other states where needed.
  • Look at reasons and responsible ways to share data.
  • Always use risk/reward evaluation. What is the risk? What is the reward? Always refer to how this affects the child, or how this affects the current education program.

Challenges

Access to cross-state information: The panel agrees that if the data will advance education in some way, the information needs to be disseminated in an appropriate way. However, there is not a need to build a huge database. While there is a need to track students across the lines, it is important to be careful in how this is accomplished.

Personal Takeaways: Kathleen Styles intends to establish a privacy department specific to addressing student privacy and data-sharing, proposing changes to FERPA to include stronger enforcement of student safety, and allowing research, audits, and evaluation of publicly funded schools that benefit students.