By Peter Hanna, Legal Advisor on Privacy and Technology

Every day, we learn about new data breaches caused by inadequate security, faulty and exploitable systems, or intentional attempts to obtain sensitive data by malicious actors or hackers. Whether a case of negligence or malfeasance, there is one constant in these stories: sensitive information, often personal information, gets compromised. And when that information falls into the wrong hands or is misused, it can have profoundly damaging effects – especially on our young people.

Our laws give companies broad discretion to collect, use, and share personal information, including students’ personal data, in any number of ways. In many instances, people effectively must agree to that collection, use, and sharing of data in exchange for using a service they find valuable.
For example, Facebook gets our likes and photos, family and friend and job connections, and in exchange it provides users with the world’s largest social media platform. And the convenience of an Amazon Echo or Google Home Assistant comes at the cost of an always-on microphone in your home.
The bargain may not always be a fair one, as people rarely appreciate the full extent of what they are giving up for convenience - and the bargain also carries a lot of hidden risk. However, it is the bargain many adults accept (whether knowingly or unwittingly).
When we are talking about students’ personal privacy, however, the risk is far greater – not only to the students, but to society. Students today face an unprecedented array of threats to their personal privacy, and those threats will only increase without adequate laws to protect them. That is where I want to focus the conversation today: why do students face an even more significant threat to their privacy, and what should Illinois lawmakers do to address those threats?
So let’s start with what may be obvious to some – why do students face a greater and more dangerous threat to their personal privacy? Well, some of it has to do with the way students interact with technology. We all know that students have tended to be ahead of the technology curve – young people were among the first users of disruptive new social media platforms and apps like Twitter and Snapchat. This means there is often more student data being stored, processed, and transmitted to and from new and emerging platforms that may be more vulnerable to cyber-attacks, and may be more willing to share personal data with unknown partners.
Some of it also has to do with how new technology is being deployed in classrooms, rapidly and often with little or no explanation to students or teachers or parents as to what type of data is being collected and how it is being used or shared. Many classroom technologies now integrate video cameras, microphones, or other tools to gather information about students, and that data is often compiled and shared by schools with consultants or private corporations or other partners.
Schools are also just ill-equipped – if not simply under-resourced – to dedicate the time and energy needed to safeguard the student data they collect and to train education professionals on privacy and security. Many school data management and record systems have weak or nonexistent data security protocols. The result is one we have seen time and again: just a couple of years ago, for example, DC public schools posted education records of about 12,000 public school special needs students online. The information included “each student’s identification number, race, age, school, disabilities and any services he or she receives.”
Just last year, personal information of hundreds of Palo Alto High students was leaked and used to create a “rogue” website that allowed students to see their class rank and other information. Here's a bonus fact - one industry cybersecurity report found that of the 400 or so data incidents/breaches in the education sector in 2017, more than 80% were caused by external factors, and more than 70% of the incidents sought to uncover personal information (Verizon 2018 DBIR).
The bottom line is that schools are a very inviting target to both external and internal threats – easier access to valuable personal information that likely will be exploitable for an even longer time than the personal information of many adults.
The good news here is that the answer to the second question I posed – what lawmakers should do to protect students against the threats they face – is a lot easier than undoing the damage caused by a breach of student personal data. On behalf of the ACLU, I stand beside my colleagues here in calling for sensible legislation to protect students’ privacy. And that starts with the Student Information Transparency Act (“SITA”), an Amendment to HB 1295.
First, protecting students’ privacy – schools often lack privacy and cybersecurity experts, and that is why it is up to you – our lawmakers – to provide guidance and meaningful legislation here that circumscribes the boundaries of what schools can and cannot do when it comes to collecting and storing student information. SITA is a good start.
Second, at a minimum, parents need to be better informed when their children’s personal information is being collected or shared, and they need much greater visibility into what is happening with that data. Transparency is essential to empowering parents to make more informed decisions about their children’s data and future, and ensuring that parents and students can correct erroneous information – especially when even a simple error in a student record can affect the course of their entire life.
In addition to supporting this legislation, I urge you to consider the following: any law protecting student information should identify some minimum security guidelines for schools and also set out special data incident notification procedures to ensure that schools and parents can move quickly, together, to minimize any damage resulting from a breach of student personal data.

It’s critical to include strong, but reasonable, limitations on the sale, licensing, and transfer of student data, as well as putting in place mechanisms for enforcing student data protection laws. We need accountability, and without meaningful limitations on student data use/sale and a mechanism for enforcement, the threat to student personal privacy will only increase, while schools continue to lag far behind in protecting personal information.

We all care about protecting student personal data, and we all appreciate the immense risk to young people who have their personal information exposed before they even have a chance to earn a first paycheck. To minimize that risk, we need to strengthen our laws, provide privacy and security guidance to schools that are the stewards of so much sensitive student information, ensure that parents are aware and understand how their children’s data is collected, used, and shared, and impose reasonable limits on how our students’ data is commercialized in a society that increasingly prizes data as a natural resource to be exploited to the greatest extent possible.