Just a Click Away

Looking to Europe as Model for Data Privacy

By Dan Florell

p. 36

Volume 47 Issue 1

NASP Members: Log in to download this article

By Dan Florell

At the end of May, there was a flurry of e-mails that arrived in people's inboxes regarding updates to privacy policies sent out by most major Internet service providers. These Internet services included Facebook, LinkedIn, Google, Pearson, Zoom, MailChimp, and a host of others. It seemed odd to have so many companies updating their privacy policies all at once.

Of course, this was not coincidence, but rather it was a response to a new European Union data privacy law that went into effect on May 25, 2018. The General Data Protection Regulation (GDPR) gives people in Europe more control over how companies collect, store, or process large amounts of information. It allows people to delete their data, receive copies of their data, or correct an error in the data. Companies have to comply with these requests within a set period of time. In addition, the GDPR lets people object to specific ways companies are using their data and requires notification within 72 hours once a data breach has been detected. All of these requirements are backed up by fines that are large enough that they will make even the biggest companies pay attention.

GDPR is a law that has been a long time coming, particularly with the Facebook data-sharing scandal that came to light this past spring. Cambridge Analytica obtained 87 million Facebook users’ data to assist its efforts to influence the 2016 presidential election. While Facebook got caught with its hand in the cookie jar, it not the only one mining personal data.

The use of personally identifiable data has been an ongoing concern for school psychologists. This concern accelerated as more school districts began using cloud services to store all student data and assessment companies required cloud scoring of their instruments. While the GDPR has the force of law only in Europe, it does influence the practice of companies in the United States. The caveat is that the privacy policies of these companies in the United States is based on their goodwill: They can decide to not follow it if they so choose.

However, I believe that the GDPR will have a great influence on the data protection policies adopted in the United States. Already Californians will be voting on a data privacy law (California Consumer Personal Information Disclosure and Sale Initiative) that has protections similar to those in the GDPR.

The United States has some data protection laws that I have written about previously. The Family Education Rights to Privacy Act is still the preeminent law regarding school records and data privacy, but it has been showing its age at 44 years old (and the Protection of Pupil Rights Amendment is 40 years old, though it was revised in the 2001 No Child Left Behind Act). The Children's Online Privacy Protection Act was passed in 1998 and protects children under the age of 13 from having online services collect personal information. Healthcare related laws such as HIPAA and HITECH are good guides for those working in the school but do not apply directly. This is all to say that we do not have an updated comprehensive law that protects student personal data that will make third party providers behave in a responsible manner. If you are curious about the GDPR, this link is a good guide: tion-gdpr-1-0.pdf

The result is that school psychologists need to take the lead in finding out what data these third party providers are collecting and whether it compromises student data, particularly for those students with disabilities. We have had a positive impact on companies changing their policies due to advocacy efforts that are reflected in the ideals set out by the GDPR. Several test publishing companies have made it easier to delete data and protect the data that is stored from being used for research.

As the school year begins, school psychologists need to continue their efforts to protect student privacy and confidentiality by reviewing the referral and evaluation processes at their schools. Each component of the process should be looked at, and components that leave student data at the most risk should be revised. This review should occur every year and over time, school psychologists will be able to have a high degree of confidence that student's data is being protected.

Dan Florell, PhD, NCSP, an assistant professor in the school psychology program at Eastern Kentucky University and a contributing editor for Communiqué