Summary: (July 21, 2015) The Senate recently passed its Elementary and Secondary Education Act (ESEA) reauthorization bill, the Every Child Achieves Act. It includes an amendment calling for the formation of a commission to study how to update federal student privacy laws and regulations in light of contemporary technologies and related issues. Such an effort would likely impact student privacy requirements at the higher education level as well. So, even though the prospects for a final ESEA bill to take shape and become law are unclear, the possibility that a student privacy commission could emerge from it makes this year's ESEA reauthorization of greater than usual interest to higher education.
Colleges and universities are traditionally (and understandably) much more interested in the reauthorization of the Higher Education Act (HEA) than in the renewal of its K-12 analogue, the Elementary and Secondary Education Act (ESEA). Given that consideration of HEA reauthorization has been blocked by the need for Congress to first reauthorize ESEA, though, this month’s passage of ESEA bills in the House (the “Student Success Act”) and Senate (the “Every Child Achieves Act”) at least raises the possibility that HEA reauthorization might proceed later this summer. (The House and Senate will have to reconcile their separate bills into a single piece of legislation that can pass both houses of Congress and avoid a presidential veto; it’s far from certain that Congress can clear either of those hurdles.)
An amendment to the Senate ESEA bill, though, creates an additional point of interest for higher education, specifically in relation to student privacy. In passing the Every Child Achieves Act, the Senate approved an amendment from Senator Orrin Hatch (R-UT) calling for the formation of a commission to examine student data privacy issues in relation to existing laws and current data practices. While the amendment doesn’t specifically refer to the Family Educational Rights and Privacy Act (FERPA), any reexamination of federal student privacy requirements would necessarily involve FERPA. Likewise, while the amendment is clearly written with K-12 student data privacy in mind, revisiting FERPA in any substantive way would necessarily draw higher education’s attention since it governs the privacy of student educational records at colleges and universities as well.
It remains to be seen whether the Hatch amendment will survive the process of merging the House and Senate ESEA bills into one. For example, the chair of the House education committee has floated a discussion draft of a bill to revamp FERPA, so the House leadership could be inclined to address student privacy concerns via that potential legislation. The inclusion of the Hatch amendment in the Senate’s bill, however, means that the conversation will be on the table when a conference committee is convened to reconcile the House and Senate ESEA bills. And those interested in student data security and privacy will probably have more of an interest in ESEA reauthorization than they otherwise might.
For the full text of the Hatch amendment, please see below:
Amendment No. 2080
(Purpose: To establish a committee on student privacy policy)
At the end of title I, add the following:
SEC. 1018. STUDENT PRIVACY POLICY COMMITTEE.
(a) Establishment of a Committee on Student Privacy
Policy.--Not later than 60 days after the date of enactment
of this Act, there is established a committee to be known as
the ``Student Privacy Policy Committee'' (referred to in this
section as the ``Committee'').
(b) Membership.--
(1) Composition.--The Committee shall be composed of--
(A) 3 individuals appointed by the Secretary of Education;
(B) not less than 8 and not more than 13 individuals
appointed by the Comptroller General of the United States,
representing--
(i) experts in education data and student privacy;
(ii) educators and parents;
(iii) State and local government officials responsible for
managing student information;
(iv) education technology leaders in the State or a local
educational agency;
(v) experts with practical experience dealing with data
privacy management at the State or local level;
(vi) experts with a background in academia or research in
data privacy and education data; and
(vii) education technology providers and education data
storage providers; and
(C) 4 members appointed by--
(i) the majority leader of the Senate;
(ii) the minority leader of the Senate;
(iii) the Speaker of the House of Representatives; and
(iv) the minority leader of the House of Representatives.
(D) Chairperson.--The Committee shall select a Chairperson
from among its members.
(E) Vacancies.--Any vacancy in the Committee shall not
affect the powers of the Committee and shall be filled in the
same manner as an initial appointment described in
subparagraphs (A) through (C).
(c) Meetings.--The Committee shall hold, at the call of the
Chairperson, not less than 5 meetings before completing the
study required under subsection (e) and the report required
under subsection (f).
(d) Personnel Matters.--
(1) Compensation of members.--Each member of the Committee
shall serve without compensation in addition to any such
compensation received for the member's service as an officer
or employee of the United States, if applicable.
(2) Travel expenses.--The members of the Committee shall be
allowed travel expenses, including per diem in lieu of
subsistence, at rates authorized for employees of agencies
under subchapter 1 of chapter 57 of title 5, United States
Code, while away from their homes or regular places of
business in the performance of services for the Committee.
(e) Duties of the Committee.--
(1) Study.--The Committee shall conduct a study on the
effectiveness of Federal laws and enforcement mechanisms of--
(A) student privacy; and
(B) parental rights to student information.
(2) Recommendations.--Based on the findings of the study
under paragraph (1), the Committee shall develop
recommendations addressing issues of student privacy and
parental rights and how to improve and enforce Federal laws
regarding student privacy and parental rights, including
recommendations that--
(A) provide or update standard definitions, if needed, for
relevant terms related to student privacy, including--
(i) education record;
(ii) personally identifiable information;
(iii) aggregated, de-identified, or anonymized data;
(iv) third-party; and
(v) educational purpose;
(B) identify--
(i) which Federal laws should be updated; and
(ii) the appropriate Federal enforcement authority to
execute the laws identified in clause (i);
(C) address the sharing of data in an increasingly
technological world, including--
(i) evaluations of protections in place for student data
when it is used for research purposes;
(ii) establishing best practices for any entity that is
charged with handling, or that comes into contact with,
student education records;
(iii) ensuring that identifiable data cannot be used to
target students for advertising or marketing purposes; and
(iv) establishing best practices for data deletion and
minimization;
(D) discuss transparency and parental access to personal
student information by establishing best practices for--
(i) ensuring parental knowledge of any entity that stores
or accesses their student's information;
(ii) parents to amend, delete, or modify their student's
information; and
(iii) a central designee in a State or a political
subdivision of a State who can oversee transparency and serve
as a point of contact for interested parties;
(E) establish best practices for the local entities who
handle student privacy, which may include professional
development for those who come into contact with identifiable
data; and
(F) discuss how to improve coordination between Federal and
State laws.
(f) Report.--Not later than 270 days after the date of
enactment of this Act, the Committee shall prepare and submit
a report to the Secretary of Education and to Congress
containing the findings of the study under subsection (e)(1)
and the recommendations developed under subsection (e)(2).