A Senate bill, introduced by two Democratic senators, addressing student and family digital privacy moved to the Education committee earlier this month. While not exactly a bipartisan initiative, one of the ten senators introducing the bill included Tracy Pennycuick, a Republican representing parts of Berks and Montgomery counties. Originally introduced last year, the bill is co-sponsored by Democratic Senators Amanda Cappelletti, representing parts of Delaware and Montgomery counties and John Kane, representing parts of Chester and Delaware counties.

The memo said that schools are increasingly using technology and cloud-computing services for academic and administrative functions.

“Through the thoughtful use of technology, schools can enhance student learning and improve school operations. However, the private educational technology companies that provide these tools can collect massive amounts of sensitive data about students, including, for example, health records, disciplinary records, financial status, and online activity.”

The memo referenced a review of thirty-one Pennsylvania school systems and found that only eleven had documented procedures for ensuring that software companies did not violate student privacy. None of the schools or districts were named in the memo.

The senators acknowledged that most schools make efforts to protect student data, but the task is complicated and often expensive. “Particularly given the use of third-party educational technology tools, it is not feasible to expect every school district to implement complicated security and safety plans.”

According to the memo, Pennsylvania is not the first state to propose such legislation. “The federal Family Educational Rights and Privacy Act (FERPA) offers some protections, but several states have enacted laws to strengthen enforcement, close gaps in federal law, and support educational entities in their efforts to keep data safe.”

The bill is intended to increase privacy for students and their families. “Our bill strengthens protections for students using education services technology in various ways, based on the approach in other states and feedback from a wide range of online privacy and education technology experts in Pennsylvania. Our legislation prohibits educational technology providers from selling student data, using information to advertise to students, or creating student profiles for noneducational purposes.”

Additionally, the legislation proposes support for school districts. “We provide support for educational entities by establishing a data security officer within the Department of Education, directing the Department to publicize model policies and contracts, and providing for the use of an online technology platform to safely maintain student data.”

If passed, the Secretary of Education will designate a chief data security officer within sixty days, and they will be required to submit an annual report on the protection of student data, including a description of all data collected, the findings from the department’s review of best practices, and recommendations for improvements.

School districts will be required to report any data breaches to the department within five days, including the number of students affected, the status of the compromise, and the steps being taken to fix and prevent the problem.

The bill comes on the heels of a data breach by a software company that some local districts in the region use for screening visitors. Raptor Technologies is an “integrated school safety software that enables schools to prevent, prepare, respond and recover from any emergency.”

Wired magazine reported earlier this month on the data breach that was not initiated by a hack. According to Wired, 5,300 school districts in the United States use Raptor, and while a higher number of schools outside the country use the software, the majority of the data breach was from US school districts. 

A security researcher discovered that 800 gigabytes of files were accidentally leaked to the public. “The highly sensitive cache of documents included evacuation plans, with maps showing the routes students should take and where they should gather during emergencies; details of students who pose a threat on campus; medical records; court documents relating to restraining orders and family abuse; and the names and ID numbers of staff, students, and their parents or guardians.”

Beth Ann Rosica resides in West Chester, has a Ph.D. in Education, and has dedicated her career to advocating on behalf of at-risk children and families. She covers education issues for Broad + Liberty. Contact her at barosica@broadandliberty.com.