Maryland privacy council tackles substandard student data protections

The council's work is a reaction to a recent audit finding that Social Security numbers of students and teachers had not been properly secured.
woman looking at data
(Getty Images)

Just three months after an audit of the Maryland Education Department’s data-storage practices found it was placing the personal information of 1.4 million students and 233,000 teachers at risk, a statewide council of Maryland education officials are trying to change the state’s data-privacy laws. 

Maryland’s new Student Data Privacy Council met for the first time on Thursday to study the state’s Student Data Privacy Act of 2015 and to identify best practices that other states have started using over the last five years. The idea is for the council to recommend changes to the state’s data-privacy strategy through a report submitted to Gov. Larry Hogan by December 2020. The state has long struggled to maintain effective data privacy protections and received a D+ grade from the Parent Coalition for Student Privacy in 2018. 

The council is chaired by Carol Williamson, deputy state superintendent for the Maryland Office of Teaching and Learning, and includes two state congressional representatives, as well as a handful of data-privacy experts and state Education Department administrators.

The council will meet monthly to offer fixes to the state’s privacy act, which has proved untenable after an audit revealed that personally identifiable information of teachers and students, including names and Social Security numbers, had been stored in an unencrypted format. The audit also found that the education department failed to implement data-loss prevention software or confirm that its third-party vendors were using proper data-security practices themselves. The audit also found the education agency had inadequate malware protection and sometimes relied on old, vulnerable servers.


Though the data-encryption issue was addressed within weeks of the audit’s release in July, council members are still calling for the state to further prepare for any future threats to its data. But at the council’s first meeting, Sean Cottrell, a student privacy law expert with the U.S. Department of Education told WBAL-TV that it should postpone any specific prescriptions.

“We don’t know what technology is going to be in a classroom next year, so how can we legislate that today? It’s best to revisit and see how have those uses changed,” Cottrell said.

Latest Podcasts