#Schoolprivacyzone: emerging best practices for a contentious issue

Advocacy group Common Sense Media held a summit in Washington, DC on Monday as part of a national campaign on the highly contested topic of student data privacy.

The results of Common Sense Media's January survey show most parents concerned about student privacy.

A recent study by Fordham University Law School found that as schools and districts adopt cloud computing services, they are transferring student information to third-party providers, often leaving it open to data mining and commercial purposes such as reselling and ad targeting. These services may be in violation of federal law. These agreements allow vendors to do whatever they want with student demographic records and other personal information. Of the districts studied, fewer than 25% of the agreements between districts and vendors specified the purpose for disclosures of student information, and fewer than 7% restricted the sale or marketing of student information by vendors in any way. And that is to say nothing of the risk of hacking or other security breaches.

There are a number of attempts in the works to establish better guidelines for the $8 billion educational software industry. The Software & Information Industry Association, a trade group, yesterday announced a list of best practices for agreements between software groups and schools:

That data should be used only for educational purposes, that its use should be fully disclosed and transparent and full consent obtained from families, that all reasonable security procedures should be followed and schools be notified in case of actual data breaches.

Even as the industry is taking baby steps to govern itself, lawmakers are converging on a solution with more teeth. California State Senator Darrell Steinberg just introduced a bill in that state enforcing some of these same principles: educational purposes only, encryption and deletion of data. Massachusetts Senator Ed Markey plans to do the same at the federal level.

At the Common Sense Media event, according to the lively discussion on Twitter, industry representatives like Cameron Evans of Microsoft and Joel Klein of Amplify argued that a rush to legislate might cause more problems than it solves. Best practices for data privacy and security continue to evolve as the technology does. The large-scale use of cloud computing and web-based data storage itself dates back only to the mid-2000s. It is difficult for the law to catch up. Also, while contracts may specify “educational purposes only,” the nature of the beast in ed-tech is that a large source of educational innovation is coming from for-profit startups whose involvement with the day-to-day experience of teachers and students is becoming increasingly intimate, if not intrusive. In practice the line between educational and commercial purposes may be somewhat blurry. As Katherine Varker, Associate General Counsel, McGraw-Hill Education, asked at the summit: ‘Where does targeted advertising end and personalized learning begin?’

 


POSTED BY Anya Kamenetz ON February 25, 2014

Comments & Trackbacks (1)

Ron Kleinman

A very insightful post! The key line:

“Of the districts studied, fewer than 25% of the agreements between districts and vendors specified the purpose for disclosures of student information, and fewer than 7% restricted the sale or marketing of student information by vendors in any way. And that is to say nothing of the risk of hacking or other security breaches.”

That’s the problem … if the contract is flawed, there can be no Data Privacy. Period. But there are more threatening issues than these lurking in the typical contract.

Consider the following clauses from the current public Data Privacy policy of a major cloud service vendor in the educational space:

“If we sell, divest or transfer the business or a portion of our business, your information may be transferred, provided that the new provider has agreed to data privacy standards no less stringent than our own. We may also transfer your personal information – under the same conditions – in the course of mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of our business.”

What the above makes very clear is that all sensitive student data entrusted to this cloud service provider will be treated as a corporate asset when the company is sold (and by implication, was treated as a corporate asset from the moment the student data was first acquired)!

Note that under this policy it is the vendor that gets to decide whether the new owner has “adequate” data privacy standards in place – and NOT the District. This means the vendor is actually the entity that “owns” the student data, rather than the District, because ownership of the data means deciding who it will be shared with, and:

* No district will be notified when the cloud servers containing its student data have been sold to / acquired by a new, unapproved entity

* No district is given the option to “scrub” their data from the cloud disks before it passes into new hands

At this point in time, the vendor with that public Data Privacy Policy is already storing all the Student Data from more than 15,000 schools in the US on their cloud servers (!). And by their stated policies, they have the right to decide who to sell that data to (and presumably, those buyers can in turn sell it to whoever they want).

What does data privacy mean for the Districts that have turned over their sensitive student data to a cloud vendor with this type of Data Privacy Policy clause? What does it mean for the parents of the students in that district?

The data privacy barn door is open and many of the horses are already gone …
