Instead of locking student data in the principal’s office, more school districts are moving it to cloud providers.
By sharing data with private companies, schools can improve student learning using data analysis tools. But on the flip side, privacy advocates worry that student data is not safe in the hands of schools or the third parties they contract with.
“Across the board, students unfortunately don’t have the level of protection they need,” said Khaliah Barnes, director of the Electronic Privacy Information Center’s Student Privacy Project.
Voices of concern seem to be getting louder. A lawsuit filed in California accused Google of violating anti-wiretapping laws by scanning student email, a practice the company has since abandoned. At least 32 states have taken up student data privacy legislation this session. And policymakers throughout the nation gathered in Washington, D.C., for a School Privacy Summit earlier this year that addressed this matter. The issue of student data privacy has indeed sparked a national conversation.
In the last 20 years, student data has moved from paper to digital, and now to the cloud. And its quick adoption in school districts has left the law in the dust, said Sonja Trainor, director of the Council of School Attorneys at the National School Boards Association (NSBA).
“There’s been so much movement and innovation in using data, and it’s happened so quickly, that I think many schools are right now just taking a moment to look at it comprehensively,” she said.
Part of that evaluation process involves looking at existing contracts with third-party vendors, taking ownership of student data decisions and reviewing guidelines that a number of organizations have created. The U.S. Education Department, Consortium of School Networking, NSBA, Common Sense Media and Electronic Privacy Information Center, to name a few, have all released guidance on how to safeguard student information.
Common Sense Media recommends three overarching principles for schools and policymakers to consider:
Students’ personal information should be used only for educational purposes.
Students’ personal information and online activity should not be used to target advertising to students or families.
Education technology providers in schools should have appropriate data security policies in place.
“The idea is to make sure that the technology, the information and their data is used appropriately to improve learning, without having to worry that it’s not secure or safe or that all kinds of third parties are looking at it,” said Joni Lupovitz, vice president of policy for Common Sense Media.
One of the questions around student data privacy is whether existing legislation — including the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act — adequately protects student data. Trainor and Lupovitz agree that both pieces of legislation have gaps and don’t cover all the issues that technology raises.
But more legislation isn’t necessarily the answer. Instead, joint guidance from the U.S. Department of Education and the Federal Trade Commission might help provide clearer direction, Trainor said. Many of the questions that the Education Department tried to address in its guidance this year started with the words “it depends.” That demonstrates how complex FERPA really is and how much more work there is to be done, Lupovitz said.
“FERPA’s very complicated — there are all kinds of exceptions and requirements — and it really requires schools to have bulletproof contracts with their vendors,” she said. “What we’ve seen so far is in practice, that’s not always the case.”
Keith Bockwoldt has been reviewing his school district’s contracts with companies including Google. He’s also looked at guidance from several organizations to make sure he’s doing everything he can to protect students’ data.
As the director of technology services at Township High School District 214 in Arlington Heights, Ill., Bockwoldt is comfortable with his current Google contract and doesn’t have a problem with anything the company is doing.
“I look at Google as a company that is helping education, but I think people are at the micro level really digging into any little thing that Google may be doing to misperceive it as bad or collecting student information, and I don’t believe that’s the case at all,” said Bockwoldt, who was an NSBA 20 to Watch honoree in 2013.
Google’s competition begs to differ. Microsoft has been rather outspoken about the importance of ensuring that companies are not using student data for anything other than educational purposes. And the company has called out Google and Apple in particular for their data practices.
“Our view is simple: Kids are not products,” said Cameron Evans, chief technology officer of U.S. Education for Microsoft. “They’re there to be educated, and they shouldn’t have to compromise in order to get great education and great technologies at the same time.”
He said schools can have technology and privacy without compromising. In fact, more third parties will be collecting student data because schools can use it to inform instruction and give students more ownership of their learning.
When it comes to technology, school district leaders shouldn’t throw out tools and applications because of privacy considerations, but they should be willing to talk openly about the issues, according to Pete Just, CTO at the Metropolitan School District of Wayne Township in Indianapolis.
“I’m glad to see greater awareness of this, but I sure hope we don’t torpedo the good ship of education because of some alarmist viewpoints as opposed to a balanced point of view,” said Just, who also serves on the Consortium of School Networking’s Board of Directors.
For Just, striking that balance means creating an environment where technology and privacy work in tandem to maximize student learning.
As for third-party applications, many people just click “OK” without actually reading the terms of service that spell out what the company can do with their data. And that can be dangerous, Just said. Schools should understand what they’re agreeing to before making a decision.
They also must take more responsibility for setting the conditions of contracts with third parties. “We need to have, as districts, a little more stake in the game with these providers, creating data standards agreements that we have with providers, and basically demanding on our terms what they can and cannot do with the data,” Bockwoldt said.
Some of the questions districts need to address include: How long do you store data? What’s the protocol when a breach occurs? What security procedures are in place?
Schools should be especially wary of free or “freemium” services, whose value often comes at the expense of student privacy. The bottom line for Barnes is that if districts don’t think the data will be secure in a third party’s hands, they shouldn’t entrust it to them.
Barnes also recommends that schools be transparent about which third parties have access to student data and what they are doing with it. Publishing this information on the district’s website gives parents and students a clear understanding of what’s happening with their data.
At Kent School District in Washington state, technology staff members have their work cut out as they make agreements with third-party providers. The district has data standards that are required to be in each agreement, and the IT staff members teach the companies they talk with how to incorporate privacy into their practices.
“I’m appalled at the way some will say, ‘Just send us an Excel file with your kids’ information as an email attachment.’ We have actually done a lot of education of our vendors,” said Greg Whiteman, director of technology integration for Kent School District, which won the 2014 Team Award from the Consortium of School Networking for its education technology leadership.
Along with sharing data with vendors, Kent School District also works out how to share data with its counterparts in King County. Seven districts including Kent won a 2012 Race to the Top grant to raise student achievement together. When a student moves between school districts, they must be able to share information about the services they provided to help the student succeed and any special needs that should be addressed immediately.
“Everyone’s not out to make a dime off this data. We do need it to move between districts and third parties,” said Stosh Morency, executive director of IT at Kent School District.
“What we all want is a safe place where our kids go to school,” Lupovitz said. “They can use technology to really learn and thrive, it can be very engaging, and they don’t have to worry about who’s watching them, but kids can just be kids, and learn and explore.”