This post first appeared on Educating Modern Learners
As schools in the Northern Hemisphere are poised to kick off the new school year, they’re likely sending home a flurry of permission slips for parents and guardians to sign. Permissions for the student directory, permissions for field trips, permissions for sports and other after school activities, a photo release form, and increasingly perhaps, permissions (especially if the student is under 13 in the US) for Internet and technology usage.
The latter has become a particularly contentious issue in the last year or so, with some parents growing concerned about the amount of data that schools are collecting via the various ed-tech tools that students might use. Add to that too, the broad range of technologies being used by schools — systems that manage student reporting, special school functions, transportation and food services, and of course classroom usage. “Student data” now exists across many systems, in many software applications.
Parents concerns about their children's data and privacy are not entirely unwarranted. According to a study conducted last year by Fordham University on schools, data, and privacy,
“Cloud services are poorly understood, non-transparent, and weakly governed: only 25% of districts inform parents of their use of cloud services, 20% of districts fail to have policies governing the use of online services, and a sizeable plurality of districts have rampant gaps in their contract documentation, including missing privacy policies.”
The study also found that less than 10% of school districts negotiate contracts with technology vendors to prevent student data being shared or sold.
All this is complicated now that new education technologies are being marketed directly to teachers, sometimes bypassing any district procurement process. That means there often isn’t an opportunity for schools to negotiate what happens to student data. You click on “I agree” to the Terms of Service, and that’s it.
But there are steps that schools can take in order to do a better job protecting student privacy, and a strong first step is to improve the transparency over what data is being collected and why.
This isn’t simply a matter of following laws like FERPA (the Family Educational Rights and Privacy Act), COPPA (the Children’s Online Privacy Protection Act) or PPRA (the Protection of Pupil Rights Amendment) — although in the US at least, those do apply. These simply outline what schools must do; but there is more they could do (and that involves, for starters, involving students and not just grown-ups in the conversation).
What Should Schools Tell Parents and Students About Data?
Some questions school leaders must consider, and some suggestions for improving transparency around student privacy and student data:
- What data are you collecting about students?
Consider developing a “data inventory” that lists all the information you collect about students. (If nothing else, it will be a helpful exercise for schools to see the scope of what is being collected, let alone if this data is kept secure and/or private.)
- Why are you collecting this data?
For mandated reporting? To improve instruction? To administer services?
And consider: you can’t come up with a good reason why you’re collecting the data, perhaps ask if you should be.
- How is the data protected?
Where is the data stored? Locally? In the cloud? (And if it’s the latter, where are those servers located?)
What are the security practices and policies of your IT department? Of cloud-based services? What are your school’s policies governing access to student data?
Do researchers have access to student data? How is that disclosed?
What training do school teachers and staff have on data policies and protection? What training do students receive on data and privacy? (These questions are increasingly part of new digital literacies, it seems, that schools must help to facilitate.)
How long do you store data?
How is PII (personally identifiable information) protected? Do you de-identify data? When you display data in aggregate (say, to talk about student demographics) how do you make sure that the identity of students from “small cells” (or small groups) is not accidentally disclosed?
What is the procedure for handling a data breach?
- What data is shared? With whom? Why?
Schools contract with a wide range of third-party vendors for and products and services. Consider posting those contracts online. (The Fordham study on student privacy expressed particular concern that many schools were not able to provide signed contracts for the technologies they were using. Without these, the legal responsibilities of schools and vendors are unclear.)
Provide parents with a list of the educational software that teachers use in the classroom. Provide links to those apps' Terms of Service and Privacy Policies.
Put all this — contracts, lists of tools, Terms of Service — in one place on the school or district website. Make it is easy to locate. Use plain language — that is, avoid legal or technical jargon — to talk about data and privacy policies. (A good example of a site that helps clarify the legalese here is Terms of Service; Didn’t Read). Make sure the website is kept up-to-date throughout the school year particularly if and when teachers try new tools and if and when vendors change their terms.
Give parents a way to contact the school or district if they have questions or concerns.
Solicit feedback from the school community — that is, parents, administrators, staff, teachers, and students — about how best to handle data and privacy. Again, while there are certain legal requirements as to how schools handle student data, those should be seen as the minimum, not the maximum obligation for schools to fulfill.
Next Steps for Schools
Schools need not — and probably should not — be passive parties when it comes to data protection and the technologies they're adopting. While vendors typically do draw up the contracts for their products, schools must ensure that these are compliant with various privacy statutes, certainly. But they can advocate for more, and push vendors to take further steps to protect student privacy. They can also step up and do a better job in communicating with parents and students about data collection and usage.