Gail Marshall
Safeguarding student data: When students are connected, they must be protected

From the White House to the playhouse, the nation is demanding safeguards for student data privacy like never before.

" "If we are going to be connected, we need to be protected," " quipped President Barack Obama in January 2015 as he championed federal legislation to protect students coast to coast against the sale and misuse of their personal information.

" "We're saying that data collected on students in the classroom should only be used for educational purposes — to teach our children, not to market to our children. We want to prevent companies from selling student data to third parties for purposes other than education. We want to prevent any kind of profiling that outs certain students at a disadvantage as they go through school.

" "And we believe that this won't just give parents more peace of mind. We're confident that it will make sure the tools we use in the classroom will actually support the breakthrough research and innovations that we need to keep unlocking new educational technologies." "

Today's high-profile privacy controversy gives a whole new meaning to the old-school comedy threat: " "This will go on your permanent record." " Back in the day, that meant the report about a suspension for smoking in the bathroom or getting an award for track would go into a file folder held in an obscure warehouse. It's doubtful any future employer would go digging into that archive.

Today, it's a different story. The most savvy education technology companies are scooping up as many as 10 million unique data points on each child, each day, according to a recent investigative report from Politico. That's more data than Netflix, Facebook or even Google collect.

" "Students are tracked as they play online games, watch videos, read books, take quizzes and run laps in physical education," " Politico reports. " "The monitoring continues as they work on assignments from home, with companies logging children's locations, homework schedules, web browsing habits and, of course, their academic progress." "

Ideally, this enables educators to delve into a child's learning process like never before and create personalized lessons designed especially for their strengths and interests.

However, tapping into a huge market for what has become known as " "Big Data" " — pejorative slang for commercializing private information about students with no connection to education — that data can then be sold to third parties and used for advertising or to otherwise exploit children.

The federal laws President Obama envisions, currently under discussion, are intended to bring a measure of consistency to a patchwork of state laws now in force across the country. Within the last year, dozens of states have enacted laws on student data privacy that offer protection for students but are creating chaos in the marketplace and the classroom. Schools are demanding guarantees and vendors are trying to stay compliant with national or international products.

Last fall, California Gov. Jerry Brown signed Senate Bill 1177 and Assembly Bill 1584, which strengthen student privacy protections and hold violators — companies and schools — accountable. These two statutes are serving as the model for the national Student Digital Privacy Act currently under construction.

Vendors respond to consensus

Within weeks after Gov. Brown's announcement, the educational service industry emerged with a plan to address the seismic tremor of mistrust shaking up the marketplace. Enter the nonprofit Future of Privacy Forum and the Software & Information Industry Association (SIIA), a privacy think tank partnering with an industry group, which crafted a well-received pledge from vendors to provide transparency and protections for their clients.

" "The pledge came about because we recognized there was not a clear understanding about what was happening, the practices that were appropriate and necessary to meet the expectations of families and the requirements of the law," " explains Mark Schneiderman, SIIA senior director of education policy. " "We wanted to create a clear, concise representation of that so there would be better understanding in the community. Overall, we've been pleased with the support for the pledge." "

A handful of companies, including ISTE corporate member Microsoft, signed on at the rollout. By the end of January, 105 companies had signed on, including some of the most familiar domestic and international players, like Google, Apple, Amplify, Class Dojo and Edmodo.

The signatories agree to:

  • Not sell student information.
  • Not behaviorally target advertising.
  • Use data for authorized education purposes only.
  • Not change privacy policies without notice and choice.
  • Enforce strict limits on data retention.
  • Support parental access to, and correction of errors in, their children's information.
  • Provide comprehensive security standards.
  • Be transparent about collection and use of data.

Still, state and federal governments' move to legislate boundaries was no surprise to vendors.

" "Technology presents incredible promise to transform education, personalize instruction and help children learn," " says Cameron Evans, chief technology officer, U.S. education, at Microsoft. " "Cloud services, in particular, offer benefits to help teachers and students be more efficient and more productive and to enable learning anytime and anywhere." "

However, the technology students and teachers enjoy and rely on so much — and cloud services — also open up serious questions around the use of student data. " "Parents, students and schools will not use technology that they do not trust," " Evans says, " "and technology companies must do a better job of protecting student privacy." "

Those concerns have led Microsoft to become one of the first companies to recognize the need to treat sensitive student data in the same way it treats other enterprise data, such as government, health or financial services data (Evans says it built Office 365 and Azure from the ground up to support its privacy commitments to education customers), so the answer to the advertising question is firm.

" "All companies that provide online services to schools must be prohibited from selling student data or using student data for advertising," " he says. In that vein, Microsoft is among the first dozen groups to step up and sign the corporate pledge SIIA and the Future of Privacy put together to protect student data. After all, " "parents, teachers and students who entrust technology companies with sensitive student data must believe they will do the right thing," " Evans says. " "We also support legislation implementing the pledge, and we call on others in the industry to join us in addressing these serious issues." "

The National Parent Teachers Association was among the first to show its appreciation for the pledge signed by vendors.

" "While technology is a powerful tool for teaching and learning, it is imperative that students' personal information is protected," " says Otha Thornton, the organization's president. " "National PTA applauds K-12 school service providers that have pledged to safeguard student data and privacy and effectively communicate with parents about how student information is used and protected. We look forward to even more support going forward." "

Of global concern

In a connected world, the use or distribution of data knows no boundaries, a fact that has led other countries to take a stand on student data privacy — some well in advance of the United States. The U.K. first addressed student data privacy concerns in 1998 with the Data Protection Act, which spells out specific, allowable uses for student data.

Under the act, schools must notify a specific government office, the Information Commissioner's Office (ICO), about why a particular school is holding student data, what data it holds, the source of the data, to whom the data is disclosed and to which countries the data may be transferred. Each school is considered a separate data user and must complete a notification annually.

In addition to safeguarding student data, the ICO informs individuals and organizations of their rights and responsibilities under the act.

Organizing for the future

Jim Siegl carries the title " "technology architect" " in the Department of Information Technology for Fairfax County Public Schools, the largest district in Virginia and 10th largest in America with about 187,000 students.

He began his career in Silicon Valley working in high tech, so privacy issues are nothing new to him. It has been an integral part of his job for more than a decade. When he worked in retail, he was known for refusing to put any product in the catalog that he had not tried out.

He brought those skills to his position at the school district, so he has been peppering vendors with questions about privacy guarantees from day one.

Siegl has become a popular go-to guy for districts to approach for advice in setting up their privacy protocols. He has written articles on the topic, and he's in demand as a workshop speaker.

With so many entities with an interest in student data privacy, where does a school district's responsibility lie?

" "I think most educators would probably agree," " he says, " "that assuring data privacy (and security and safety) are everyone's job, but defining roles is important. Lots of things that are everyone's job end up as no one's job. The role of the district is different from the role of a principal or classroom teacher." "

He ticks off four of the key areas where districts take the lead on school privacy: 

  • District and school board policies
  • Funding and contracting
  • Professional development
  • Transparency

Of those areas, Siegl suggests districts put a special emphasis on the " "transparency" " piece to take away the mysteries and misunderstandings. Employees, parents and students should first understand the who, what, why and how of the district's data management:

  • Why? What is the purpose of collecting this data? Talk to people about the value of data and how students and parents can benefit. Explain how everyone in education has been given the capacity to collect data through professional development, adequate technology and resources.
  • What? Disclose the online educational services the district is using.
  • How? Detail what the schools are doing to protect the data and what controls and choices they have. Outline how data is used, protected and shared.
  • Who? Provide a point of contact for everyone. Keep the channels open for asking questions and voicing concerns.

Parent permissions

Parental involvement and permission forms are a concern for most districts, and Siegl says this is highly individual. He cannot, however, dictate what the forms should say.

" "I wish I could give you an easy, pat answer," " he says, " "but this is a little like one teacher asking another teacher, 'What should be on the test?'" "

" "A form is a tool for facilitating a process, so the right form is the one that fits the school's process. I'd be crazy to suggest that a process from a district of one size, culture or management style would work for a district with a different one." "

In other words, there needs to be a standard process for deciding what tools you use to collect student data, and that process needs to be aligned with your school's goals, culture and capabilities.

That process " "needs buy-in from teachers and support from administrators," " he says. " "It needs training, and it needs to have the tools — like forms — that make the process consistent and efficient." "

Proper paperwork

He recommends districts have at least two basic forms: one to request a software review if the district does this at a school or district level, and also a form to collect parent permission, when applicable.

Parental consent is a tricky area, and Siegl suggests a best practice is to provide parents with information about how the data is collected and what it is used for. The U.S. Department of Education recommends including links to each vendor's privacy policy.

" "I think schools need to judge if that is sufficient," " says Siegl, including whether their parent population is likely to read and understand what they are being asked to consent to. " "There are not many schools that do a good job of this." "

An example of one that does is Canadian School District 43 in Coquitlam, British Columbia, a suburb of Vancouver.

On its website is a page called Cloud Tools, which includes an easy-to-navigate chart for parents. Here is the introduction:

This list below displays some of the cloud tools educators in our district may choose to use to enhance their teaching.

Note that student privacy and safety must supersede the ease of use and accessibility of any digital tools and therefore permission letters accompany each tool and must be completed by parents prior to their use.

If parents do not wish their child/children to create an account for a particular tool, safer alternatives are provided.

To request the addition of a tool to this list, click here to fill in an entry. (Login required.)

The chart provides five components: the name of the tool and a link to its description, a link to terms of use, a link to the parent permission letter and an alternate tools suggestion.

For example: " "Animoto: automatically produces beautifully orchestra-ted, completely unique video pieces from your photos, video clips, and music." " The alternatives are Windows Movie Maker, PowerPoint, PhotoStory and iMovie.

Districts also have concerns about remaining compliant with early privacy protection laws such as the Family Educational Rights and Privacy Act of 1974 (FERPA), the Children's Online Privacy Protection Act of 1998 (COPPA) and the lesser known Protection of Pupil Rights Amendment (PPRA), which requires parental notice and opt-out for collection of data from students in seven " "sensitive" " categories and requires notice and opt-out for data collected for advertising purposes.

Siegl characterizes these laws as " "a complicated and confusing bare minimum for protecting students." "

He suggests going to the Consortium for School Networking (COSN) toolkit for a good flowchart of what is required and expected. He also finds the Federal Trade Commission website's frequently asked questions area helpful, as well as the Department of Education guidelines from February 2014.

Teachers applaud legislation

Randi Weingarten, president of the American Federation of Teachers, had a positive reaction to what she sees as President Obama's call to protect students' and teachers' privacy rights.

" "Students and their personal information are not for sale," " she said shortly after Obama's comments. " "Make no mistake about it — integrating technology into our children's classrooms should not be a marketing or advertising opportunity for tech companies." "

" "Parents and educators know the importance of incorporating technology into education, especially as a tool that helps ready our children for good jobs in the 21st century economy. However, parents and educators reject profit-driven strategies that target kids with advertisements, misuse information, collect unnecessary personal data or in any way undermine the goals of providing a high-quality education and the right to privacy." "

According to Weingarten, her organization urges Congress to pass legislation that " "better protects our children's and teachers' privacy, avoids loopholes disguised as 'educational uses' and supports parents' rights." "

Education technologist and former ISTE Board Member Kathy Schrock of Eastham, Massachusetts, has given presentations to teachers all over the world. Her website is Kathy Schrock's Guide to Everything. Her best advice to teachers is to read the terms of service and to learn and pay attention to COPPA.

" "If use of the site does not violate the age restrictions, I have had success asking parents for explicit permission for their child's use of the site." "

Parents: Give schools a pop quiz

For parents and teachers, privacy responsibility means " "back to school night" " may never be simple again.

Marsali S. Hancock is president and CEO of the Internet Keep Safe Coalition. She is an expert who consults with districts on safety and privacy issues. She also is the mother of six children, ages 16 to 29. She is very well informed, but she quickly dispels the notion that she would expect a dossier from every teacher on everything.

" "You cannot be a helicopter parent for six children," " she says.

She recommends that districts have a point person prepared to address questions and provide the school privacy policy to parents. She advises parents to ask who has access to the students' data and why and how they use that data.

The ISTE position, as cited by Hilary Goldmann, ISTE senior director of government relations, reflects the organization's global awareness of the issue, as well as a sense of balance for the risks and benefits of digital tools and information. It also includes a statement of support for the educational agencies and institutions being held responsible for security and privacy:

As nations wrestle with balancing laws to protect citizens' privacy against keeping access to tools and information open, student data privacy is becoming an area of global interest. In the United States, the Family Educational Rights and Privacy Act (FERPA), a bill that was enacted in 1974, governs student protections," " she said. " "FERPA governs the rights of parents regarding student education records (for students under age 18).

" "FERPA's 2008 regulatory update permitted educational agencies and institutions to outsource certain services and functions to outside parties but continued to hold educational agencies and institutions responsible for ensuring that these outside parties do not maintain, use or disclose education records in any manner beyond what they are told by the agency or institution. With the advances in digital learning tools and online resources, many policymakers and school personnel believe it is time to review the existing FERPA regulations to ensure they adequately protect students in the digital age.

Here's where ISTE stands:

  • ISTE is steadfast in its support for protecting student privacy and that school networks are secure globally.
  • ISTE supports U.S. and global policies that balance the benefits of personalized learning and data-driven decision making with the priority to protect student information.
  • ISTE supports U.S. and global policies that educate school personnel about the legal requirements for protecting student privacy, precautions they must take and ways to strengthen school networks.

In a nod to the significance of the topic, ISTE 2015 will feature several sessions on student data privacy. Topics include " "Big Data: Information Privacy in a Media Saturated World," " and " "Protecting Student Privacy in Digital Tools for Learning." "

In children's best interest
After all the pledges, reviews, contracts and speeches, the issue is about learning and teaching and doing what is in the children's best interest. That is true in the White House and your house.

" "Michelle and I are like parents everywhere," " President Obama said in January. " "We want to make sure that our children are being smart and safe online. That's a responsibility of ours as parents. But we need partners." "
Like