“Big Data” for Educational Institutions: A Framework for Addressing Privacy Compliance and Legal Considerations

Educational institutions at all levels have begun to realize that they hold a treasure trove of student-related information, that if analyzed using “Big Data” techniques, could yield valuable insights to further their educational missions.  Educational institutions hold a broad variety of student-related information that may be analyzed, including grades, financial information, health information, location-related information (both on and off campus), email, online and offline behavioral data and more.  Those advocating for the use of advanced analytics in this context hope that Big Data will result in enhanced student performance, improve the educational experience, yield student financial aid options and allocation, provide additional marketing opportunities and revenue for the school, allow for more effective teaching techniques, and lead to a more efficient and impactful allocation of school resources.

Of course, as one can imagine, Big Data projects using student-related information can implicate significant privacy issues.  Schools are regulated under the Family Educational Rights and Privacy Acts Statute, and depending on a school's specific activities may be subject to GLB and HIPAA.  In addition, many educational institutions  have internal policy and public-facing privacy policies that apply to, and may limit, the collection, use and disclosure of student personal information.  The impact of applicable privacy laws and existing privacy-related policies should be taken into account well before engaging in a Big Data project.  We have looked at Big Data privacy issues generally before, and the following is a framework for analyzing high level legal considerations and action items for educational institutions considering Big Data projects involving student-related information.

Big Data Privacy Legal Analysis Framework for Educational Institutions

The following considerations, analysis and actions may be appropriate for educational institutions considering Big Data projects involving student-related information:

  • Data Element and Flow Analysis.  Analyze and understand the source and nature of the data elements that will be disclosed/analyzed as part of the Big Data project.  Different types of data elements implicate different compliance and privacy concerns.  The source of the data may indicate the compliance regimes and policies that apply to particular data elements, and how particular data elements may be used and disclosed.  In addition, after gaining a detailed understanding of the data elements at issue, educational institutions may choose to not use certain data elements or modify their use and disclosure of personal data in order to minimize compliance and privacy concerns.
  • FERPA Compliance.  Establish a FERPA basis for disclosure of student personally identifiable information.  Even if an educational institution does not have student consent a separate legal basis may exist with respect to FERPA that allows for the use and disclosure of student information, usually subject to specific limitations.
  • Compliance with other Privacy Laws.  If applicable, establish a basis for disclosure of student personally identifiable information with respect to other relevant privacy laws, including without limitation, Gramm-Leach-Bliley and HIPAA.
  • Policy Review and Analysis.  Review and analyze existing privacy policies (and similar) of the educational institution related to the data elements that will be disclosed/analyzed as part of the Big Data project in order to determine whether any limitations have been communicated concerning the disclosure and use of personally identifiable information.
  • Policy Updating and Development.  Develop additional privacy notices and/or revise old privacy notices to establish a basis for disclosure and use of personally identifiable information for the project (and future Big Data projects).
  • De-Identification Strategies and Considerations.  Develop strategies concerning de-identification of personally identifiable information, including without limitation, strategies related to the methodology for de-identification, addressing the risk of re-identification, internal versus external de-identification (via a third party), and bifurcating de-identification and data analysis.
  • Student Relations and Legal Risk.  Consider student and parent reaction to the Big Data project and how to best communicate with stakeholders to ensure buy-in and decrease legal risk.  This is a public relations function, but it can impact the chances of regulatory scrutiny or litigation.  Educational institutions should strive to make communications clear, consistent and unified with respect to all channels and policies.
  • Third Party Big Data Analytics Providers.  If third party vendors are to be used for de-identification and/or analysis, draft and negotiate substantive service agreements and data sharing agreements, including terms establishing a FERPA basis for disclosure of personally identifiable information, limitations on use of personally identifiable information, security requirements, security breach obligations and indemnification and liability provisions related to handling and use of personally identifiable information.

The list is not exhaustive and additional considerations and analysis is necessary to address the specific compliance and legal issues and risk associated with such projects.  Each Big Data project will typically present its own set of privacy concerns and legal wrinkles, and analysis of the specific circumstances is necessary in each case.   Overall, in the coming months and years, most educational institutions and school administrators should expect to deal with Big Data and advanced analytics, as well as the privacy, compliance and public relations issues associated with it.   InfoLawGroup will be tracking these issues and writing about them here, so stay tuned.