Skip to main content

Remember the school-days admonition that something might end up on your "permanent record"?

A Fordham Law School study found that state educational databases across the country have severely inadequate privacy protections for the nation's school children. The study, prepared by the Center on Law and Information Policy, reports that at least 32% of states warehouse children's social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children's educational records. Almost all states with known programs collect family wealth indicators.

According to the study, most states use third party vendors for at least part of their data collecting and reporting needs. Some states outsource the data processing without any restrictions on use or confidentiality for children's information. The Fordham study therefore recommended that states which outsource data processing have comprehensive agreements explicitly addressing the privacy obligations of the third party vendors. Furthermore, access to the information and the disclosure of personal data may occur for decades and follow children well into their adult lives. More than 80% of states fail to have data-retention policies and may retain the information indefinitely. Thus, the study recommended that states should limit data collection to necessary information and should have specific data retention policies and procedures.

The Fordham report also recommended that data at the state level be made anonymous, that the collection of information by the state be minimized and specifically tied to an articulated audit or evaluation purpose, and that states should have a Chief Privacy Officer in the department of education who monitors the privacy protections of educational record databases and who publicly reports privacy impact assessments.

Study Website:

Subscribe To Viewpoints


Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.