Security | News

Fordham Study Finds Major Problems with Public School Use of Data in Cloud Computing

Schools are fairly clueless regarding the impact of their decisions on student privacy in adopting cloud services, according to a new study by Fordham Law School's Center on Law and Information Policy (CLIP). A report put together by six members of Fordham's School of Law stated that cloud Services are "poorly understood, non-transparent, and weakly governed" in the school districts where they've been adopted. Only a quarter of districts inform parents when cloud services are put in use, and a fifth of districts fail to have policies in place for the use of online services. Also, many have gaps in their contract documentation, including missing privacy policies. And no districts specifically prohibit the sale and marketing of children's information.

The goal of the study was to examine the use of cloud computing nationwide by public schools; assess how schools are addressing regulatory requirements and "generally accepted" privacy principles in their cloud service agreements; and to develop recommendations based on the findings to increase the protection of student privacy.

What the study, "Privacy and Cloud Computing in Public Schools," found was that as public schools adopt cloud-based services to fulfill educational objectives and exploit new online opportunities, they tend to transfer "increasing quantities" of student information to third-party providers without requisite privacy protections, such as strong data security measures or limitations on commercial data mining.

"School districts throughout the country are embracing the use of cloud computing services for important educational goals, but have not kept pace with appropriate safeguards for the personal data of school children," said Joel Reidenberg, a professor at Fordham Law School and the founding director of CLIP. He noted that vendors that aren't generally subject to federal privacy laws have put schools in a "precarious position" through their contract terms regarding how children's data is handled. "We believe there are critical actions that school districts and vendors must take to address the serious deficiencies in privacy protection."

The research team chose a national sample of school districts that included small, medium, and large systems from every geographic region of the country. The researchers used state open public record laws to request from each district all of its cloud service agreements, notices to parents, and computer use policies for teachers. They used those documents to examine whether the districts met privacy obligations under the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), the Children's Online Privacy Protection Act (COPPA), and other "norms of fair information practice." The study didn't report on individual district compliance and even where specific districts were cited, they were referenced by regional census zone, not by name. However, all of the districts whose records were scrutinized are listed in the report.

Among the other findings of the research:

  • Districts often relinquish control of student information to vendors when adopting a cloud service. Fewer than 25 percent of agreements specify the purpose for disclosures of student information, and fewer than seven percent of contracts restrict the sale or marketing of student information by vendors. Many agreements actually allow vendors to change the terms without notice. The stipulations of FERPA, however, generally require districts to have "direct control" of student information when disclosed to third-party service providers;
  • Most cloud service contracts don't mention anything about parental notice, consent, or access to student information, even though those are specifically regulated by FERPA, PPRA and COPPA. The researchers found that some services even require parents to activate accounts and in doing so consent to privacy policies that may contradict those in the district's agreement with the vendor; and
  • The cloud service agreements signed by school districts don't generally provide for data security and even allow vendors to "retain student information in perpetuity with alarming frequency."

In order to address "deficiencies" in privacy protection, the report provides a set of recommendations for school districts and vendors. To address problems of transparency, the researchers recommended that district Web sites include information about the existence and identity of cloud service providers and the privacy protections for student data and that districts provide notice to parents of the existence of these services and the types of student information being transferred to third parties.

To address data governance, the report's authors recommended that districts establish policies and implementation plans to be followed in the adoption of cloud services by teachers and staff. Those plans should include in-service training and mechanisms that will make the formal adoption process simple for teachers. Where schools are using advertiser-supported applications, districts need to be upfront about the adoption of these services. And they should create "data governance advisory councils" for developing policies and practices. Likewise, the software industry itself should create tools to help districts "vet privacy-safe services and technologies."

Larger districts and state departments of education should designate a "chief privacy officer" as well to provide advice and assistance, the report suggested.

In the area of contracting, the report advised districts to document all cloud service agreements, including maintaining "fully executed contracts complete with all appendices." Also, rather than passively signing contracts made available by vendors, districts need to become more proactive about demanding specific terms within their agreements. These include:

  • Specification of the purpose of the agreement and the authority to enter into the agreement;
  • Specification of the types of data transferred or collected;
  • The prohibition or limitation on redisclosure of student data;
  • The prohibition or limitation on the sale or marketing of student information without express parental consent;
  • The assurance that districts will have exclusive control over data access and mining;
  • The prohibition on new or conflicting privacy terms when parents are required to activate an account for their child;
  • The allocation of responsibilities for granting parental access and correction capabilities;
  • The specification of whether foreign storage and processing is allowed;
  • The specification of whether other government agencies (such as social service agencies) may have access;
  • The specification of data security and breach notification obligations;
  • The prohibition on unilateral modifications; and
  • The inclusion of a right for the district to audit/inspect vendors for compliance with contractual obligations.

Finally, the researchers recommended the creation of a "national research center and clearinghouse," to perform academic and policy research; bring together stakeholders; draft model contract clauses, privacy notices and consent forms; and create a repository for research, model contracts, and policies.

The Software & Information Industry Association (SIIA) issued a press release attempting to counter the damaging results contained in Fordham U's report. SIIA is a trade association for software and digital content companies.

"School service providers work with school districts to use student information to deliver technologies and services that are critical to student learning and to meeting a school's enterprise management needs. In their use of student information, they act exclusively for the schools or other educational authorities for whom they work," said Mark Schneiderman, SIIA's senior director of education policy. "As schools and providers work together to improve student learning, they are committed to a shared responsibility to protect the privacy and security of personal student information."

Schneiderman added that vendor commitment to student privacy is "enforced" by "strong" federal laws. "Contracts alone don't govern the use of student data. There exists an impressive network of strong federal protections and business practices that keep this data safe," he said. "School service providers know that if they do not protect student information entrusted to them, they will lose their customers and face legal repercussions."