Personally identifiable information—often abbreviated as PII—refers to any data or information about students collected by schools, districts, government agencies, or organizations and companies working with schools that might reveal the identity or personal information of specific students or that could allow someone to indirectly track down the identity or personal information of students.
Common forms of personally identifiable information include a student’s name, the names of parents or family members (including the maiden name of a student’s mother), a household address, a date or place of birth, social security numbers, student-identification numbers issued by schools or school systems, and digital files such as photographs, videos, or audio recordings, among other forms of information that may reveal a specific student’s identity. Given that both students and schools are increasingly using powerful technological devices that record and store personal data, personally identifiable information may also include biometric data (e.g., fingerprints or palm prints), geolocation data (e.g., real-time location data relayed by a smartphone), and metadata (i.e., “data about other data,” such as data about image size, resolution, color, or date of creation that are commonly embedded in digital photos).
In some cases, data may indirectly reveal the identities of specific students even when the data seemingly contains no personally identifiable information. For example, some small, rural schools have very small minority student populations—perhaps only one or two students of color in the entire school. If state or school records contain, say, test scores or proficiency levels for various racial subgroups, the identity of individual African American, Hispanic, or Asian students could be inadvertently revealed even though the data are otherwise “anonymous” (by looking at the data, those who are familiar with the school, or who know who the minority students are, may be able to deduce which students earned which test scores, for example). For this reason, states, districts, and schools may “mask” or suppress (i.e., not publicly report or share) certain data when subgroups are small enough to potentially connect otherwise anonymous data to specific students.
Personally identifiable information is also a legally defined concept used in federal and state regulations and reporting requirements. In the federal context, personally identifiable information is defined in three primary statutes: the Family Educational Rights and Privacy Act—commonly abbreviated as FERPA—a statute that was first passed in 1974 and updated several times since, the Children’s Online Privacy Protection Act—or COPPA—which applies to information collected online through websites and apps from kids under the age of 13, and the Protection of Pupil Rights Amendment of the Family Educational Rights and Privacy Act, which is intended to protect the privacy rights of students and parents.
Reform
In recent years, personally identifiable information has become a topic of discussion, as well as a school-reform tool, mainly due to the growing power of computers and data systems to collect, communicate, and potentially compromise personal information in ways that were formerly far more difficult or impossible. While a comprehensive overview of the topic is beyond the scope of this resource, the following examples illustrate two ways in which personally identifiable information intersects with efforts to improve education systems, schools, or teaching:
- Data quality: When dealing with large sets of complex data—for example, state education agencies collecting, analyzing, and publicly reporting the graduation, dropout, or attendance rates of all students enrolled in a state’s public schools—it can be extremely challenging to manage and maintain data quality in a state or district. One way to increase the reliability and accuracy of a data set is to use personally identifiable information to connect specific students with specific sets of information. For example, if students are assigned a unique identification number in a data system, that “unique student identifier” can be a more effective way to organize information in a database than, say, a date of birth, given that birth dates will inevitably be shared by many students. When multiple forms of personally identifiable information are used—first and last names, unique student identifiers, dates of birth, etc.—the reliability and accuracy of data in system can be improved significantly.
- Data-informed instruction: New learning technologies, online course platforms, and educational software systems have given educators access to an unprecedented amount of information about students that can be used to diagnose or monitor student learning needs and academic progress in ways that were formerly impossible. In some situations, educators can use this information to modify or personalize learning experiences and instructional strategies and potentially improve or accelerate learning progress. For example, online courses and learning systems are typically capable of collecting a large amount of information about users, ranging from student results on embedded assessments to data about keystrokes, clicking patterns, log-in and log-out times, or the amount of time that elapses between when a question is displayed and when it is answered. Educators may then analyze and use this information to improve instruction for students. In addition, online courses and other forms of educational software may use the data to provide adaptive learning experiences—i.e., the systems may automatically modify learning tasks or questions based on student answers and other information collected by the system.
Debate
While personally identifiable information can be recorded in both physical and digital documents, archives, and reports, the term as commonly used today is primarily associated with electronic and online information systems (particularly systems that share data among multiple organizations, government agencies, companies, or systems that may be accessed and used by for-profit businesses, marketers, and other entities for purposes unrelated to the education of students, including illegal purposes such as identity theft). Consequently, concerns about online security and student privacy frequently generate debate about personally identifiable information in education.
While debates about personally identifiable information are numerous, complex, and nuanced, most are focused on (1) what types of information should be collected for educational purposes and should be legal to collect, (2) how information is stored and secured, and (3) how information is being used by schools, government agencies, companies, and others. The following questions will help to illustrate the complexity of debates about personally identifiable information:
- What types of personal information are necessary to collect for educational purposes, and what types of information are not essential to the educational process? For example, is it necessary to know a student’s home address or social security number to administer a standardized test? If the information is not essential, should it be collected?
- Is the personal data collected about students adequately protected from unauthorized viewers? Has personal student information been sufficiently secured from hackers, theft, and potential misuse? And who has access to what types of student information—for example, can school administrators, teachers, and parents all access and view the same information?
- Should outside companies have access to personal student information, and what types of legal protections and security measures are in place to safeguard student data and protect against identity theft and other forms of misuse?
- Are parents and guardians aware of and informed about the types of personal information being collected about their children? Can parents or guardians view the information and verify whether it’s accurate? Have parents or guardians been given an opportunity to opt-out of data-sharing arrangements between schools and third parties? To what degree can parents and guardians determine how their child’s personal data are being used?
- Can personally identifiable information violate student confidentially and privacy? Can the information be used to discriminate against or embarrass students and families? If connected to specific students, personal information related to psychological disorders, physical health or disability, special-education status, sexual orientation, disciplinary actions, family income, and immigration or migrant status—among other types of information—could potentially be misused or mishandled in any number of ways by districts, schools, or outside entities.
While many privacy-related issues are addressed in the Family Educational Rights and Privacy Act, the Protection of Pupil Rights Amendment, and other federal and state laws and regulations, most experts agree that the sophistication and speed of technological advancements are outpacing the laws intended to regulate and secure the use of personally identifiable information in education. In addition, school administrators and educators may not have the technical or legal background and expertise required to negotiate the complexities of data collection, sharing, and security. As a result, many states and education agencies are establishing and enforcing policies related to the software systems being used by schools and the related agreements made with third-party vendors and software developers that could inadvertently expose or compromise personally identifiable information.
Concerns about the accidental or inappropriate release of personally identifiable information have given rise to critical news stories; protests and lobbying campaigns by student-rights and privacy groups (and counter campaigns by proponents of new learning technologies); and state legislation that either bans the collection of certain types of student data (such as a student’s biometric information, political interests, and religious affiliation) or prohibits certain types of data arrangements (such as storing student data in cloud-based applications owned and managed by third parties).
As educational technologies and data systems become more embedded in public education, debates about personally identifiable information will likely continue to evolve.
The Glossary of Education Reform by Great Schools Partnership is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.