Administrator Magazine
Scholastic Administrator is a must-read resource for 240,000 of today's results-driven school leaders. Every issue features leadership for education executives, insight and analysis into what's next in education, and reporting on cutting-edge technologies in real life applications.

Protecting Privacy

Parsing what's allowable, and what's not, with student data.

In the summer of 2013, gravity finally caught up with ed tech.

The reportedly $8 billion PreK through eighth-grade industry ran up against a substantial roadblock when parents became concerned that school officials in Colorado, Louisiana, and New York had not adequately thought about the privacy implications of working with a company called inBloom.

InBloom, which was funded by the Bill & Melinda Gates Foundation and other organizations, proposed to provide cloud-based storage for school data, including information schools collected about their students. The idea was that it might not only improve the way such data was stored but also make it more easily available to ed-tech vendors, who, in turn, could create educational tools for schools, according to The New York Times.

But parents who asked about the restrictions in place to protect student data weren’t satisfied with the answers they received. They were alarmed, according to the Times, by the range of information inBloom had proposed to store. Several states that had signed up for the service backed out amid a backlash that some believe was stoked by the furor caused by the NSA revelations and reports about online security breaches.

More than 100 bills have since been introduced in states across the country to regulate the privacy of student data, 21 of which have been signed into law, according to Rachel Anderson, a policy and research associate at the Washington, D.C.–based Data Quality Campaign (DQC). In the past 20 years, this data has become the lifeblood of education.

“There has been a slow and steady march toward schools using, and now relying on, technology to do a lot of what we have historically done without technology,” says Doug Levin, executive director of the State Educational Technology Directors Association. “Every school has a website. Electronic communications happen with parents. Gradebooks are electronic. Attendance is electronic. And more and more instructional materials—traditional textbooks and other things—are being supple­mented with digital materials—or, in some cases, replaced by them.”

What has not kept pace with the development of technology in schools is districts’ understanding of their data-privacy obligations. “I think inBloom shined a light on school-district practice and the fact that schools are not experts in data-privacy issues,” Levin says. “The federal laws have not kept up. Districts try to do the best they can, but they are working without a good manual. You ask experts, ‘What does the law say?’ The answer is often, ‘Well, it depends.’ And that is a really hard answer to deal with for a school district.”

Fuzzy Legalities
Three federal laws have significant sway over how student data is handled by schools. The Family Educational Rights and Privacy Act (FERPA), passed in 1974, is the most important. The others are the Protection of Pupil Rights Amendment (1978) and the Children’s Online Privacy Protection Act (1998).

All three are dated, but experts say they provide a blueprint for approaching modern situations. FERPA charges districts with protecting personally identifiable information from students’ education records, known as PII, and specifically limits frameworks under which vendors can be given access to student data. One way vendors can gain access is by becoming contractual school officials, a framework under which they are prevented from using the data for any other reason than what was specified when they were hired.

Under that kind of relationship, “all of the protections of that student data that are governed by FERPA and apply to a state or a school district also apply to the vendor,” explains Kristin Yochum, the DQC’s director of federal policy. “The vendor then becomes legally responsible to do all of the same things with the data, which means they are not permitted to use it for marketing purposes. They’re not permitted to sell the data or to do anything with it other than the express purpose for which they were given it.”

The Department of Education’s Privacy Technical Assistance Center’s document Protecting Student Privacy While Using Online Educational Services states that a vendor that has become a contractual school official is considered to be “under the direct control of the school or district with regard to the use and maintenance of education records,” and the vendor can use those records “only for authorized purposes and may not re-disclose [PII] from education records to other parties (unless the provider has specific authorization from the school or district to do so and it is otherwise permitted by FERPA).”

But vendors are allowed to use what is called “metadata”: “information that provides meaning and context to other data being collected, for example, information about how long a particular student took to perform an online task has more meaning if the user knows the date and time when the student completed the activity, how many attempts the student made and how long the student’s mouse hovered over an item (potentially indicating indecision).”

The policy document goes on to explain that such metadata, stripped of all direct and indirect identifiers, might be used by a contracted online tutoring and teaching program to develop new personalized learning products and services.

But even that document acknowledges limits. For example, under the question “What does FERPA require if PII from students’ education records is disclosed to a provider?” the answer begins as follows: “It depends. Because of the diversity and variety of online educational services, there is no universal answer to this question.”

Other situations, such as free online services that require signing so-called “clickwrap” agreements, seem more problematic since, simply by agreeing to them out of habit, teachers may bypass school policy. Thus the document recommends that “free online educational services go through the same (or a similar) approval process as paid educational services.”

Turning to Best Practices
That districts have not yet established consistent methods for assuring student privacy reflects the rapidly growing reliance on educational technology, says Lenny Schad, chief information technology officer for the Houston Independent School District. “This is a growing pain,” he says. “Before, we had a few systems we were sending data to. Now we have kids logging on to blogs and wikis and all over the Internet on Web 2.0 tools. And those tools are capturing student data in some form or fashion, and those that are free are mined by whoever and however many they allow. That’s what we need to get our arms around.”

Indeed, Schad himself was surprised to read a newspaper account of a Google executive admitting that his company scanned the e-mails of those using Google Docs and promptly withdrew his district’s use of the program. “It was a surprising moment,” Schad says. Six weeks after that admission, Google announced that it would stop scanning student e-mails for any reasons related to advertising.

Part of the issue is the wide variety of ways in which districts use ed tech and the Internet itself. “We have school systems out there that don’t do any Web filtering,” Schad says. “And then you have the other school systems that are very conservative. As a vendor, how do you play in that market? That’s why it’s so important that the industry comes up with baseline standards that should be in place no matter the framework. And then the vendor communities can respond to a single standard.”

One step in that direction might be the Protecting Privacy in Connected Learning Toolkit issued in March by CoSN, a step-by-step guide for educators that takes them through the decision-making process involved in signing up an online service provider or providing notification and obtaining parental consent. “School system leaders want to act in the best interests of the students and families they serve,” the kit declares. “But applying laws that could not have foreseen profound technological advances is difficult at best. Coupled with the growing realization of the value of data for both educational and commercial purposes, school leaders can sometimes find themselves at odds with the very service providers they have come to depend on for valuable educational tools.”

“CoSN is trying to move away from just legal compliance and toward normative best practices,” says Dalia Topelson, a clinical instructor and lecturer at the Cyberlaw Clinic at Harvard’s Berkman Center for Internet and Society

To that end, another goal of the toolkit is to “dispel some of the fear,” Topelson says. “If I’m a principal, I’ve got all these marketing meetings with vendors. They seem cool. I’m nervous. I know about this inBloom thing. And so what do I do?”

Further Steps
Experts say districts can take several fundamental steps to navigate this issue. One is often overlooked: ensuring that their own systems and their vendors’ systems are physically secure.

“In every privacy conversation I’ve been a part of in the past year, the issue of security comes up and someone is always quick to say that it’s a different issue,” says Bob Moore, founder and chief consultant of RJM Strategies, who works regularly with schools, education organizations, and other groups as a strategist and adviser. “One of the major reasons behind security is to protect the data. If you’re not securing your networks and servers, then you’re not doing what you need to do to protect the privacy of student data. The perfect example is Target. Target was a security breach that became a privacy issue.”

Another fundamental suggestion is even more straightforward: transparency between districts and parents and between districts and companies. “I tell business clients to just be transparent with schools about this issue,” Moore says. “Tell them what you’re collecting and why you’re collecting and how it benefits them. If we can approach this with common sense and actually talk to each other, I think this fervor of distrust doesn’t have to exist.”

Indeed, the national PTA is promoting a similar conversation from the parents’ side: a list of questions, developed in cooperation with the DQC. “It’s important that parents go to their schools and ask, ‘What kind of data are you collecting? What is this used for? How are you maintaining privacy?’” says Lee Ann Kendrick, a PTA regional advocacy specialist. “And once parents do that, they realize the sky really isn’t falling. They come back with a much better understanding of what’s going on and how they can help.”    

BTS 2014

Help | Privacy Policy




(Separate multiple email addresses with commas)

Check this box to send yourself a copy of the email.


Scholastic respects your privacy. We do not retain or distribute lists of email addresses.