Report: Collection of Ed Data Useful but Challenging

Non-profit RAND Corp. has weighed in on the collection of data through education technology and found it to be both useful and troubling. In a newly published perspective, "Privacy and Interoperability Challenges Could Limit the Benefits of Education Technology," researchers Katharina Ley best and John Pane first laid out the numerous advantages of ed tech and the use of the data it generates for numerous stakeholders:

  • For students who can take online courses, ed tech provides "access to resources, facilities, or teaching staff for specialty subjects";
  • For teachers and parents, the shift to digital education with "trackable metrics" allows for more efficient "lesson planning, progress tracking, and educational cooperation and communication among the school, home and other places of learning";
  • For those producing school materials, including developers, digital resources offer new ways to engage with students and instructors, and the data generated can help them "improve and tailor" their offerings; and
  • Researchers and policymakers can use ed tech data to gain insights on "what works in education."

At the same time, however, the report explained, the burgeoning collection of data in education poses "infrastructure challenges" related to creation and storage that reduce the usefulness of data and presents "data privacy implications" that haven't been resolved, even with the current crop of regulations.

The report offered a quick recap of the data standardization structures that already exist for education, including the School Interoperability Framework developed by the Access 4 Learning Community; the U.S. Department of Education's Common Education Data Standards (CEDS); and Ed-Fi, sponsored by the Michael & Susan Dell Foundation. All of these — and others — are intended to provide greater utility and interoperability for the data that's collected so that it can be shared among the various constituents that want access to it for their own purposes.

The advantages offered by common data architecture and data elements only exist, however, if the data can be shared, as the report noted. That requires data users to agree on "what types of data are collected and stored," as well as how it "should be centralized, aggregated, shared or integrated with other information." And everybody using the data and the people whose data is being used must also reach consensus on how the information should be protected. In other words, the researchers wrote, "The data systems developed and populated by technology vendors, school systems, and researchers must be accessible to those who need them while also keeping private data safe from misuse."

Here's where the perspective shined, by exploring the main challenges of keeping ed tech data private. First up, a discussion of why data privacy matters in the broader context of our digital lives. "This question of how to balance data usability and privacy underlies one of the most lively contemporary policy discussions," the authors asserted.

Then the report became specific, with examinations of relevant regulations, including the Federal Trade Commission's five principles of Fair Information Practice. As a proactive measure against future regulation, the rest of the report examined the FTC principles as they might fit ed tech data usage and offered guidance for achieving the various goals.

The "Notice/Awareness" or transparency principle states that consumers or users of a system that collects data about them must be made aware of the fact that data collection is occurring. Right now, FERPA requires notice be given to students and their families when the data collected is shared with third parties. If that were expanded to encompass collection of any data about the student, the use of ed tech, the researchers pointed out, would be "taxing." The advice here is to make communications about ed tech usage "concise, easy to understand, and consolidated to cover in a coherent manner" all of the tech in use. After reading the communications, parents and students should be able to understand what the risks are.

The "Choice/Consent " principle encourages ed tech users to give users a choice about whether or not their data is collected and to affirm in the positive that it's OK to do so (or not). This stipulation presents a "significant hurdle," the authors wrote: It's hard to determine whether "informed consent" has be granted; it may be hard for students to opt out "because it would limit their ability to participate in the class"; and opting out can disrupt instruction. The burden rests with the developers. The report advised developers to consult with privacy experts as they create their tech, set up their data storage systems, and write their consent disclosures; and ed tech purchasers were told to "hold vendors accountable for robust privacy practices and clear disclosure of data collection."

The "Access/Participation" or information review and correction principle requires that people whose data is being collected have some way to see it, review it and edit it. How to do that without jeopardizing data security "is a potentially complex and expensive undertaking," the report warned. And how could revisions be made to the data "without undermining" its use in grading and scoring? When the data is maintained by the vendor, schools and districts need to take a strong hand in working with them to facilitate "user-friendly" access; when it's kept by the school system itself, the same rules apply.

The "Integrity/Security" or information protection principle says that data needs to be accurate and secure and "protected by access controls, encryption and safe storage." For example, while anonymizing data is one way to protect individual users, that doesn't always work because de-identifying data in one place can make it tougher "to link the data across sources" or add new data over time. While acknowledging how hard it is for any organization to protect the data, best practice still applies, the researchers emphasized. That includes keeping up with new types of data encryption practices and mandating continuous training among school employees. Also, vendor agreements need to spell out the appropriate response when a data breach occurs.

The "Enforcement/Redress" or accountability principle gives people whose data has been collected a way to file a complaint if the data has been misused. This one lies on the shoulders of policymakers and educators, the first to support laws that protect users' rights to file complaints and the second to make sure user agreements incorporate the right.

In their conclusion, the researchers urged decisionmakers to use the principles discussed in the report as a starting point for "building consensus on the right balance between privacy and the collection and use of student data." Being proactive, the report said, would help schools, ed tech vendors and others that have an interest in the outcome prepare to "more effectively communicate regarding the responsible future use of education technology."

The perspective is openly available on the RAND website.