Background: Family Educational Rights and Privacy Act (FERPA). This federal law protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when the student reaches the age of 18 or attends a school beyond the high school level.

Under FERPA schools generally must have written consent from the parent or student, when the right has transferred, in order to release any personally identifiable information from a student's education record. However, there are exceptions to this consent requirement.

A federal regulation defines personally identifiable information as including, but is not limited to, the following:

the student's name;
the name of the student's parent or other family members;
the address of the student or student's family;
a personal identifier, such as the student's social security number, student number, or biometric record;
other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;
other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

A federal regulation defines biometric record, as used in the definition of personally identifiable information, as a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting.

FERPA does not apply to student data that has been aggregated and therefore no longer contains personally identifiable information.

Washington Law. Current law provides that the confidentiality of personally identifiable student data must be safeguarded consistent with the requirements of FERPA and applicable state laws. It also states that any agency or organization that is authorized by the Office of Superintendent of Public Instruction (OSPI) to access student-level data must adhere to all federal and state laws protecting student data and safeguarding the confidentiality and privacy of student records.

Current law provides that the board of directors of each school district must establish a procedure for granting parents' or guardians' requests for access to the education records of their child.

K–12 Data Governance Group. In 2009 the K–12 Data Governance group was established within OSPI to develop policies, protocols, and definitions for collecting data from school districts.

Summary of Bill: Biometric Data. The following entities and people are prohibited from collecting, retaining, or using in any manner, student biometric information:

the Superintendent of Public Instruction, or any employee or contractor of OSPI;
an educational service district board of directors, employee, or contractor; and
a school district board of directors, employee, or contractor.

Biometric information includes, but is not limited to, a fingerprint or hand scan, a retina or iris scan, a voice print, or a facial geometry scan of a student.

Parent or Guardian Access to Personally Identifiable Data. OSPI must grant parents and legal guardians access to any student record that is a record of a child of the parent or a child in the care of the legal guardian, including records that contain personally identifiable data, unless the student is age 18 or older.

The board of directors of each school district must establish a procedure for granting parents' or guardians' requests for access to the education records of their child that provides the following:

records must be provided electronically, if practicable;
no fees are charged for the inspection of records; and
if the records are provided in a non-electronic format, then the school district may impose a reasonable charge to cover the actual costs directly incident to the copying.

Third Party Disclosure of Personally Identifiable Data. OSPI and the board of directors of school districts must not disclose personally identifiable student-level data to any other third party unless the disclosure is necessary to meet a legitimate need for the data to support the individual's professional role.

Protecting Personally Identifiable Data. All public agencies or organizations and private contractors or vendors that are authorized by OSPI or the board of directors of a school district to access data must adhere to all federal and state laws protecting student data and safeguarding the confidentiality and privacy of student records. These public and private entities must ensure the following if they receive personally identifiable student-level data:

All personally identifiable student data must be used solely for the purpose for which the disclosure was specifically intended;
No personally identifiable student-level data may be used for marketing, commercial, or advertising purposes;
All personally identifiable student-level data, including backup copies, must be destroyed when the data is no longer needed, or upon agreement or contract termination, or project completion;
Parents and legal guardians must be granted access to any student record that is a record of a child of the parent or a child in the care of the legal guardian;
A record must be kept of any requests for access to the personally identifiable student-level data; and
No personally identifiable student-level data may be disclosed to any other individual or entity without the prior written consent of the parent, legal guardian, or student if the student is over the age of 18.

School districts are not precluded from collecting and distributing aggregate data about students or student-level data without personally identifiable information.

Data Security Plan. The K–12 Data Governance Group must develop a detailed data security plan and procedures to govern the use and maintenance of data systems, including ensuring the use of appropriate administrative, physical, and technical safeguards for electronic and physical personally identifiable student-level data at the state level.

The group must develop a model plan for school districts to use to safeguard personally identifiable student-level data at the school district level.

Staff Summary of Public Testimony: PRO: In society, mass amounts of data are collected. Data is often used for good, but it can be misused. The government needs to be cautious about the data that it collects from students. Students do not have a choice to attend school, so the data that is collected from them needs to be protected. Currently our state relies heavily on federal law for student privacy. This bill covers a gap in state law. Biometric information can be used in many ways that we do not yet understand. It is improper to collect this data since it is not known how it will be used. De-identified information should be protected in the bill. The bill should state that data can only be used for educational purposes. The bill should strengthen encryption requirements. Online service providers that have contracts with schools want to make sure that this bill would not inhibit certain tasks such as getting addresses for transportation purposes and sending work home to students.

OTHER: There is no definition for personally identifiable information in Washington law. Adding a definition would strengthen the bill. Newspapers often run stories about student achievement, and reporters want to make sure that information regarding achievement and recognition still could be shared with them. Certain bill language may unintentionally restrict use of data with contractors and researchers, which helps with school accountability. Operationalizing the detailed data security plan required by this bill will cost money. OSPI has a budget request for hiring a privacy records officer, which could help with implementing the plan.