On July 30, 2014, Sen. Edward J. Markey, D-Mass., made good on his earlier promise to beef up the Family Educational Rights and Privacy Act of 1974 (FERPA) to provide heightened protections for student educational records shared with private companies. Together with Sen. Orrin Hatch, R-Utah, Markey introduced the “Protecting Student Privacy Act” (S.2690), which would amend FERPA and require schools and school districts to implement various data security protections to safeguard the personally identifiable information (PII) contained in students’ education records, and ties receipt of federal education funding to compliance with the Act’s heightened security standards. Among the bill’s provisions, the Protecting Student Privacy Act:
  • Requires schools and school districts to protect students’ personally identifiable information (PII) contained in education records maintained by the institution;
  • Prohibits schools and school districts from using, releasing, or providing access to student PII in education records for advertising or marketing services or products;
  • Provides parents with a right to access their children’s PII and challenge, correct, or delete any inaccurate data in the education records held by private companies;
  • Mandates that outside parties such as private companies with whom students’ PII is shared have comprehensive information security policies and procedures in place to protect the PII in education records;
  • Restricts the amount of PII that schools and school districts can share with outside parties by promoting data minimization;
  • Requires disclosure of which outside parties have access to student information; and
  • Directs private companies to destroy students’ PII held by companies when the information is no longer needed for its specified purpose.
The Protecting Student Privacy Act only applies to student information contained in education records; the net result is that student data outside of education records either gathered by or shared with private companies inherently falls outside of the scope of the Act. Also, some critics have noted that the proposed legislation, though well-intended, contains provisions that already exist in current law, and is thus redundant and unnecessary.  For instance, the Children’s Online Privacy Protection Act (COPPA) and its implementing rule provide guidance and restrictions on when and under what circumstances schools can share student’s personal information with private entities. As of July 30, 2014, the bill was referred to the Committee on Health, Education, Labor and Pensions for consideration.