IT Best Practices

Evaluating the Privacy and Security of Ed Tech

7 Questions to Guide the Process

• By Bill Fitzgerald
• 04/14/16

When working with educational technology, responsible decision makers in schools recognize the need for solid security and privacy practice in software applications. However, defining an acceptable level of privacy protection, or an adequate level of security, can feel imprecise. While some of the loudest conversations about privacy and security try to reduce the issues to binary choice, the reality is often more nuanced.

As we navigate evaluating the privacy and security protections of educational software, the following questions and observations can help guide the process.

What is collected? 
The answer to this question can determine the level of review required for an application. For example, an online calculator application that doesn't require a login will generally be easier to review than student blogging software. When evaluating what data an application collects, it is also important to consider whether or not the data collected by the application is limited to just what the application needs to function. It is not uncommon to see more information collected than is needed by an application. If an application overcollects information, it's an indicator that the entire application will require a more thorough review.

From whom is this information collected? 
Educational data can be collected in a variety of ways. As an example, the information collected from a teacher as notes in a student information system is going to be different from information collected directly from a student. When only teachers have access to an application, this creates a different set of needs and concerns from when students and teachers — or teachers, students, and parents — all have accounts.

Who can access and use the information that is collected? 
When working with a vendor, it is essential to clarify who owns the data. When we are talking about digital assets, access and ability to use the data often make outright ownership superfluous. If a company claims no ownership rights over the data but asserts that they can use or potentially share the data with few restrictions, access to the data can be just as invasive to privacy as ownership.

Who can delete the information that is collected? 
The ease with which data can be deleted is a good sign of how much actual control a person has over information that he or she uses in an application. You can check for the deletion process in two places: first, by creating a sample account and reviewing the options within the application for deleting that account, and, second, by reviewing their terms and reading about if or how they describe their deletion process. Apps that don't allow accounts to be deleted should be able to define why they don't support this basic feature.

Beware of privacy settings. 
Multiple issues exist with privacy settings. The issues that often get the most attention focus on default settings that are too permissive, which can lead to oversharing. However, most privacy settings are better described as visibility settings. They control what can be seen by other users but not what is actually shared with the vendor. Even if an application has robust visibility settings, in most cases the vendor gets access to everything regardless. Any privacy needs should be balanced against the potential sensitivity of data collected within an application.

What protections are in place to safeguard information? 
Any application that stores student information will need to have adequate security protections to safeguard against unauthorized access. While a full information security review is outside the scope of this post, checking that the site requires encryption is easy to do: the web address should begin with "https://" — the final "s" indicates that the connection to the website is encrypted. Once you have logged in to the site, try to remove the "s" from the URL. You should be redirected back to the encrypted connection. 

Additionally, read the terms of service and privacy policies. Many vendors will describe how they protect data. While the vendor's declarations in their policies require us to take their assertions at face value, the level of specificity used when describing security practices can help give a sense of how vendors view information security. Those interested in learning more about security reviews should consult our recently released Information Security Primer.

How long is data retained? 
Ideally, data will be deleted as soon as it is no longer required to provide the service to the client. Over time, retaining data that is no longer used creates a risk of unauthorized access — via a breach or via human error. While some vendors might have valid reasons for retaining user data, asking about data deletion practices can help create a clearer picture of how a vendor manages data over time. Additionally, many vendors describe their data retention practices in their terms of service or privacy policies.

When evaluating software, we need to consider a range of factors. However, the ultimate decision about whether or not an application is a good fit for a specific group of learners must prioritize learner's needs — and these decisions are highly contextualized. While the desire to make privacy and security "simple" is understandable, the reality is that these choices — like many choices in education — require an accurate understanding of the subject, paired with an accurate understanding of the learning community.