Some names have been changed to protect student privacy.

On Dec. 28, 2024, national education data software company PowerSchool reported a data breach in its system. The company attributed the breach to one of its customer-support portals but declined to explain the specific depth of the hack or how many people it affected. 

Though not all PowerSchool clientele were affected, the leak likely reached a significant number of students, leading NBC cybersecurity reporter Kevin Collier to speculate that “The hack of a company that helps schools track tens of millions of students appears to be the largest breach of American children’s personal information to date, school officials and cybersecurity experts say.”

Though MCPS student data was not included in the breach — MCPS only subscribes to a limited version of the PowerSchool application — the breach is bringing new attention to student data security and the way in which that data ought to be accessed. 

Entrepreneur Greg Porter founded PowerSchool in 1997. The company was soon acquired by PeopleAdmin, which develops assessment and analytics software for schools, including Performance Matters — MCPS’ main hub for student data.

The information collected by Performance Matters ranges from student attendance to standardized test scores. When counties become PowerSchool clients, they feed information to the program through front-facing systems like Synergy for daily records and grades and Canvas or Blackboard for assignments. Among other data, teachers may then access students’ previous grades, attendance history and disciplinary records with few restrictions. A student’s AP, SAT, PSAT, ACT and state standardized test scores are also generally available to teachers, though some school systems like MCPS only grant the student’s current teachers access, while administrators and department heads generally have access to the entire student population.

Compared to other data collection online, the variety of student data and its open access among staff mark a uniquely large, private data set with great consequences if exploited. Advocacy groups have taken on the task of securing standards for these systems. In 2014, nonprofits The Future of Privacy Forum and The Software & Information Industry Association co-developed the legally enforceable “Student Privacy Pledge” and began encouraging education data companies to sign it. Companies that sign adhere to ethical and responsible practices that insulate student data.

In a statement regarding data privacy concerns, PowerSchool announced on its website in 2023 that it had signed the Pledge. In the wake of the breach, its website pledges greater security without consistently committing to internal data privacy, such as measures that would keep school data separate. While it’s unclear whether PowerSchool pools national or state-wide aggregated data, the potential of aggregated sensitive data at a company level remains concerning to users, as the company is a private, for-profit organization.

The Family Educational Rights and Privacy Act, passed in 1974, remains a focal point in the movement to protect student privacy. FERPA outlines caveats for “organizations conducting studies for, or on behalf of, the school for the purposes of administering predictive tests, administering student aid programs, or improving instruction.” 

Jim Siegl is a senior technologist with the Future of Privacy Forum. FERPA has a role to play in policy regarding students’ individual privacy, Siegl said, and each year, it updates its regulations for what constitutes a “legitimate interest” that opens data to collecting and sharing among school staff.

“It’s usually based on if you have a need to know or access the information to do your job,” Sieghal said. “In practice, your teachers would have access, possibly your guidance counselor, your principal, your assistant principal — people that need to access information to support you in education. The janitor doesn’t need to have access. Probably the school resource officer doesn’t need to have access. The teacher that you had last year doesn’t necessarily need to have access.”

Common Performance Matters permissions grant access to students’ test scores for all of their current teachers, even when the scores have no relation to the teacher’s department. Critics allege that through such wide access, teachers may form unwarranted impressions regarding the students’ academic performance and conduct. 

Research shows that, in school, first impressions are crucial. A 2021 international study concluded that students deemed likable by their teachers will score on average 10% higher compared to similar performances from other students. Instructionally, if a teacher has preconceived notions about a student’s behavior, they may adjust curricula or academic expectations for them. Access to unnecessary, potentially bias-creating data could heavily influence a teacher’s understanding of their student and ultimately affect the student’s performance. 

Whitman junior Eva said she believes access to student data hurts students with records that may bias teachers against them.

“Last year I didn’t really go to school much; my attendance was awful,” Eva said. “Now I’m definitely going a lot more. If my new teachers were looking at my attendance, they would think, ‘This one is going to be a bad student.’ They would already have that preconception.”

For advocates, data surrounding performance indicators can help both school administrators and teachers in their work to improve their students’ academic success. Data can locate student weaknesses, allowing for teachers to tailor instruction to certain areas.

Social studies teacher Andrew Sonnabend works here at Whitman, where administrators encourage the use of data to gain insight into student achievement. 

“There is value in my ability to pull up a student’s grade in all of their classes at any given point to see if it’s a holistic issue or if it is something about my class,” Sonnabend said. “There’s tons of value in that. You know, it takes a village, and we as teachers are a village.”

The data available to teachers and administrators isn’t always quantitative. Data regarding past experiences with bullying or social struggles can assist an instructor in determining a seating chart or group activities, advocates say. Privacy concerns are also specific to the attitudes of the teachers and the way in which they use the data. 

“Is it harmful that I have access to all this information? Not for me, not for the student, not for privacy concerns,” Sonnabend said. “I don’t think that’s the issue. I think the issue is the use of this data to determine whether or not we’re successful as a school.”

Many solutions to student privacy concerns require a large-scale shift away from the reliance on quantitative data. Some demand more anonymity of data and the removal of data deemed unnecessary to teachers’ instruction. The level of impact that data has on a teacher can vary from person to person and teacher to teacher. Because of its multifaceted nature, the ongoing debate regarding student privacy is difficult to resolve but an important discussion as data privacy becomes an increasingly relevant worldwide issue.

Representatives from PowerSchool, the parent company of Performance Matters, declined to comment.