States and schools are signing over private data from millions of students to companies and researchers who hope to glean secrets of the human mind.

Nine states have sent dossiers on students —including names, Social Security numbers, hobbies, addresses, test scores, attendance, career goals, and attitudes about school —to a public-private database, according to Reuters. Standardized tests are beginning to incorporate psychological and behavioral assessment. Every state is also building databases to collect and share such information among agencies and companies, and the U.S. Department of Education has recently reinterpreted federal privacy laws so that schools and governments don’t have to tell parents their kids’ information has been shared.

Promises of researchers’ and governments’ good intentions are not enough to justify this, especially when tax dollars are involved and government entities are helping invade students’ privacy without parents’ or even school officials’ knowledge.

Very few U.S. citizens want to see their government even slightly imitate that of China, which keeps dossiers on all citizens’ performance and attitudes. These records influence work, political, and school opportunities. Because “everything they do will be recorded for the rest of their life … the dossier discourages any ‘errant’ behavior,” says Chinese professor Ouyang Huhua. This is not to say big databases equal communist oppression. But we do things differently in the United States because we trust our citizenry and we believe in self-rule.

Any researcher or organization wanting to plumb data – perhaps to help kids learn more, faster – can do so without trampling individual rights. First, the historic and accepted practice with student records has been to keep them anonymous when shared outside of schools. Researchers and government accountability gurus don’t need to know that Sally Smith failed Algebra I, even if her parents and teachers do. Researchers do not need personally identifiable information such as names, Social Security numbers, and addresses. They just need to know, for example, whether lots of students are failing Algebra I. Schools and states should check these privacy firewalls.

Second, students and their guardians should have full access to their own records, with the ability to correct false information. They also should be informed of and able to opt out of all data-sharing involving their records. Schools need parent consent to give children so much as an aspirin. They should get consent to share a student’s psychological evaluations or test performances.

Third, agencies should be required to explain exactly how they will keep the sensitive information in their hands from being hacked or exposed. The more people and organizations have access, and the bigger a treasure trove these databases become, the more likely security breaches become. Hundreds of thousands of people were put at risk of identity theft in 2012 because of security breaches in government databases, including one affecting three-quarters of South Carolinians. And child identity theft is often not discovered until adulthood, which makes youngsters’ records even more attractive to thieves.

Because the U.S. Department of Education has unilaterally knocked down federal privacy protections, lawmakers need to rebuild that wall. Alabama, Georgia, Oklahoma, New York and Oregon are a few states considering such legislation. They should act swiftly, and so should others.