Policy
Ed Tech Must Embrace Stronger Student Privacy Laws
Our legal expert explains why districts (and vendors) would benefit from more robust protection of educational data.
During the last 50 years, the way that school records are created and stored has drastically changed. In the 1960s, student records were generally paper files created using a writing instrument or a typewriter, and they were stored in school administration offices or in a central district location. The 1970s saw the adoption of mainframe computer systems. During the 1980s, database management systems were deployed in K-12 schools. Then came the introduction of distributed applications and databases built on network operating systems and client/server architectures.
While each of these technologies created new privacy concerns, student data was generally stored on servers owned by school districts and located within their physical jurisdiction. This meant that access to student records was generally limited to teachers, school administrators, parents, legal guardians and others who had a legal right to access the information. Schools didn't have the technology to collect and archive every single student data point and all digital activity.
New Technology, New Privacy Concerns
During the last five years, schools have deployed new digital learning tools such as apps and cloud-based computing services that have the ability to track and store every single keystroke and activity performed on their platforms. Adoption of these technologies has raised significant questions about student privacy because vendors are storing personal student data on servers located outside of a district's physical jurisdiction.
Some vendor agreements state that student data may be processed and stored in any location around the world where the vendor or any of its agents maintains a facility. Being able to store data anywhere may offer price flexibility by enabling a provider to build its data servers in a low-cost area, but it may also enable some providers to process and archive personal student information in locations with weak student-privacy protections.
Any state where a student's e-mail or other digital data is processed may potentially claim jurisdiction if a legal claim arises. For example, if a Maryland school district contracts with a California-based provider and student e-mails are processed in servers located in Iowa and then stored in Georgia, multiple state laws may potentially govern access to the information. Since at least 47 states plus multiple U.S. territories have enacted data breach notification laws and each law is slightly different, some vendors may avoid processing and storing student data in states with more robust legal requirements.
Privacy Laws Lagging Behind Technology
The most comprehensive student privacy law is the federal Family Education Rights and Privacy Act (FERPA), which was enacted in 1974 when educational records were generally physically static and contained a limited number of data points about students. While technology has drastically changed during the last 40 years, FERPA has not been amended to account for these innovations.
Many electronic learning tools collect a tremendous amount of metadata about students, and some of this information may be highly sensitive. Since most of this information isn't inserted into an official school file, it isn't considered an educational record under FERPA and is therefore not protected. As Kathleen Styles, the U.S. Department of Education's chief privacy officer, has said, "I don't think it's necessarily an easy decision, what is and what is not the 'educational record.'... It's very contextual. A lot of metadata won't fit as an educational record." This admission by the person charged with protecting our students' privacy clearly demonstrates that more needs to be done to better protect the personal information of students.
5 Tips on How To Protect Student Data
1) Review all vendor agreements. Read and fully understand the terms of service and privacy policies of all third party-agreements that deal with student data. Contracts should not contain URL terms that may be unilaterally changed by the vendor. Agreements should not allow for student data to be used for non-educational purposes.
2) Educate the staff. All staff members who negotiate with vendors and/or procure new digital learning tools should have regular training on privacy best practices to help them fully understand the privacy implications of these technologies.
3) All digital learning tools must be approved. Every app and online digital learning tool must be pre-approved for classroom use. Teachers and schools should not be allowed to sign up for new technologies until they have been properly reviewed, because some services may put student privacy at risk.
4) Give parents a choice. Parents should have the opportunity to consent to or opt out of their children's using new digital learning tools. The most successful technology deployments make parents part of the decision-making process.
5) Understand relevant privacy laws. To avoid legal liability, it is essential that district leaders understand FERPA, COPPA and any pertinent state privacy laws. With all of the recent legislative activity, it is important to understand any new legal obligations that may be created.
Companies Using Student Data To Target Advertising
Some companies have taken advantage of FERPA's inadequacy and have provided schools free learning tools that also mine students' data for non-educational purposes. For example, Politico found last year that Khan Academy was using student data to deliver customized advertising. While Khan Academy subsequently strengthened its privacy policy, it still allows third parties such as YouTube and Google to insert cookies on students' computers to target ads.
Also last year, Google acknowledged that it was scanning student e-mails for advertising purposes. While the company later agreed to stop this practice, neither it nor Khan Academy was punished for their troubling student privacy practices — further demonstrating that the current legal framework to protect students' privacy is broken. These misuses of student information, combined with the now closed data-sharing program created by InBloom, have created tremendous anger among many parents and privacy advocates.
Government and Industry Response to Ed Tech Data Misuse
Weak privacy policies and non-educational use of student data have led state and federal lawmakers and President Obama to propose legislation to better protect students' information. According to the Data Quality Campaign, last year 36 states introduced 110 bills directly addressing student data privacy, and 21 of those states enacted 30 new laws. Congress has held multiple hearings on student privacy issues during the last year.
Industry response to student privacy concerns was at first lacking. However, after California enacted its groundbreaking Student Online Personal Information Protection Act (SOPIPA), a small group of school technology providers spearheaded the industry-backed Student Privacy Pledge, which generally follows SOPIPA's ban on using student data for non-educational purposes. While the pledge is a positive development and now has over 100 signatories, it doesn't replace stronger student privacy laws that hold vendors legally accountable for misusing personal student information.
Transparency, Accountability and the Future
Parents want to know who has access to their children's information. According to Rachael Strickland, co-founder of the advocacy group Student Privacy Matters, "Fundamentally, parents want three things: transparency, notification and consent. Before any student data are disclosed, parents must be told what data are collected, the purpose and use of the data, how the data will be secured, with whom the data will be shared and if/how the data will be repurposed. Once given this information, parents should be allowed to decide whether the value of the disclosure is worth the risk of data misuse and breach."
The best way to get parents to trust that their kids' data is secure is through required transparency and legal limits on how student information may be utilized. New federal legislation should be a floor and not a ceiling for student privacy protections. As a parent, I want my children to be able to use the latest and greatest digital learning tools. However, I need to know that their personal information and digital data emissions will not be used to discriminate against them when they apply to college or when they are interviewing for a new job.
While an industry-backed pledge is a good first step towards building trust with parents, more must be done. Some educational technology companies must strengthen their privacy policies and stop using student data for non-educational purposes. These same vendors must also cease opposing stronger student privacy laws (either directly or through trade associations).
Educational technology companies should embrace and advocate for stronger student privacy laws because this will signal to parents that their services can be trusted to protect children's personal information. Stronger student privacy laws are coming, and the sooner that the industry acknowledges and embraces privacy by design, the faster these technologies will be deployed. Without parental support, school districts will not spend the funds to build the infrastructure they need for new and innovative digital technologies.
In conclusion, more robust privacy protections will encourage parents to ask their school districts to use new digital learning tools that will help students compete in the 21st century. Supporting more comprehensive privacy protections for our children is not just right ethically, it is also the right business decision.