A Starting Point for Ensuring Student Online Privacy
Our society is struggling with issues regarding individual privacy. Heated debates are occurring on topics that range from whether the government should be allowed to conduct mass surveillance of citizens to the information that companies should be allowed to collect based on one's computer activity -- and what they should be allowed to do with it. There are also concerns about the security of personal data in general -- consider the data breach at Target last year.
And as the federal government calls for states to develop longitudinal tracking systems of students that often use third-party vendors, and as the use of education technologies that have data tracking abilities grows for both instructional and information-storing purposes, the privacy debate is starting to permeate the education community -- as well it should, given how vulnerable children are to privacy issues and questions as to whether schools, districts and states are properly monitoring these issues (or have the capacity to do so). Look no further than the collapse of inBloom to see the real impact that student privacy concerns have on the education sector.
A Complicated Issue
A January 2014 survey of registered voters released by Common Sense Media found that 90 percent of respondents are either very or somewhat concerned with how private companies with non-educational interests are able to access and use students' personal information. Yet a majority know not very much (32 percent) or nothing at all (30 percent) about how schools currently collect, use, store and destroy student data, including information such as Social Security numbers, grades, and behavior and attendance records.
So how should educators address the public's concerns? Very carefully, in part because this is an emerging issue in which many educators are not well-versed.
Even finding a starting place in the conversation about student privacy can be overwhelming. Different types of education technologies collect different types of data and use that data for different purposes. And there are many different types of risks associated with student data. It is easy to see a privacy risk in considering how districts store personal information from students' school records. But many of the mobile apps used in education store and use student data, as do many of the computer programs used to personalize learning by targeting a student's individual skill level and interests.
Data in the Cloud, a legal and policy guide for school boards recently released by the National School Boards Association (NSBA), notes the possibility (among others) of:
- Data breach caused by faulty configuration, patching, and updates, or software viruses or exploits
- Data loss by users who, knowingly or not, expose information by sharing or sending it
- Collection and aggregation of personally identifiable data and metadata for potential use in advertising and sale to third parties
Compounding the situation is that the government -- at the state, federal and local levels -- is turning its eye to student privacy, and so laws and regulations in the area might be changing soon. In a June 2014 webinar on state digital learning legislation, a National Council of State Legislatures representative said that they were still tracking 108 bills related to data security and privacy in 35 states, with more than 20 bills enacted to date.
There are also a number of federal laws that relate to student privacy. One is the 40-year-old Family Educational Rights and Privacy Act (FERPA), which has undergone regulatory changes in recent years that some claim have weakened it. There are also concerns that FERPA doesn't meet the challenges of the digital age, and in May two U.S. Senators released a draft of a bill that would amend it.
Best Practices in Maintaining Student Privacy
Two recent documents -- NSBA's Data in the Cloud and the U.S. Department of Education's Protecting Student Privacy While Using Online Educational Services -- offer good introductions to issues of student privacy in the cloud-computing era. Both also provide practical tips to help protect student privacy. While these tips are geared towards the district level, it is vital that all educators -- teachers, principals, school counselors and others -- understand the implications. These tips include:
- Identifying a district-wide Chief Privacy Officer (CPO) or a group of individuals with district-wide responsibility for privacy
- Becoming aware of which online education services are currently being used -- and to what extent student data is used and protected within those services -- by conducting a district-wide audit
- Consistently, clearly and regularly communicating with students, parents and the community about privacy rights and district policies and practices with regard to student data privacy (one resource is What Every Parent Should Be Asking about Education Data, a brief from the National PTA and the Data Quality Campaign that educators can use to identify some of parents' biggest concerns with privacy)
- Developing policies and procedures to evaluate and approve proposed online educational services, using a written contract or legal agreement when possible -- and exercising caution when forced to choose between accepting a provider's terms of service (TOS) or not using a consumer app
- Training staff to ensure consistent implementation of the district's policies and procedures regarding student privacy
- Maintaining awareness of relevant federal, state, tribal or local laws
Another resource to help district-level educators maintain student privacy is iKeepSafe's Digital Compliance and Student Privacy: A Roadmap for School Systems.
A Note Regarding Classroom Teachers
These guidelines can be read as limiting an individual teacher's choice of educational applications. To quote Data in the Cloud, "Individual classroom teachers should not make unilateral decisions regarding the implementation of online services." And the Department of Education suggests limiting the authority to accept TOS and developing policies outlining when individual teachers may download and use "Click-Wrap" software.
But districts that have adopted strong privacy policies should also have procedures in place to allow teachers to suggest apps or other online educational services that they would like to use (or have students use). While the process may slow down the introduction of the app into the learning environment, it will hopefully provide peace of mind to teachers, who will know the app has been properly vetted with regard to student privacy.