Rewriting the Social Contract to Safeguard Student Data Privacy

Rewriting the Social Contract to Safeguard Student Data Privacy

By
Shutterstock

The IT department is often seen as the obstacle to progress. Teachers prefer to start using tools they find on the Internet without first “running it by IT,” and educational technology companies often approach the IT department with dread.

And now “privacy” is one more reason for IT to say no.

Despite an unsettled regulatory environment, teachers and edtech companies can take some straightforward measures to encourage tech directors to allow a product onto the network. Without this collaboration, useful tools could be blocked and student access to valuable learning opportunities could be delayed or denied.

What a difference a year makes

Seven months ago, when EdSurge’s Mary Jo Madda talked to several educators at ISTE 2015 about the risks educational technology posed to student privacy, she did not encounter much concern. Even if she had asked district technology staff, she may have been met with similar shrugs at that time.

However, driven by reports of data breaches, worried parents, and recently enacted and pending legislation, privacy has quickly become the issue stressing Tech Directors out. At CETPA, the annual gathering of K-20 technology officials across California, privacy barely made the agenda in 2014. But it was the buzz of the following year’s gathering, which featured an unprecedented three-hour discussion of the legal and policy issues surrounding the use of technology in schools.

IT is responsible for privacy in a digital world

We all expect privacy for ourselves and for our families, irrespective of the law, and we expect that privacy to be maintained when our children are at school. In a digital world, most of that responsibility falls on IT.

Historically, IT has focused on preventing “hacking”—unauthorized access to the school district’s servers. Through a combination of technology and procedures, IT creates a multi-layered defense to prevent would-be intruders from gaining entry to the network and school district staff and students from going where they are not supposed to go. In this world, student data were created and stored inside the district’s physical network or within a small number of hosted enterprise applications, such as the student information system. IT had to prevent break-ins and ensure internal users behaved.

From the Tech Director’s perspective, the threat was finite.

Where teachers see learning opportunities, IT sees threats

The migration of most new edtech tools to the web has increased the threat exponentially.

Every web application used by someone within the school system can potentially leak student data on the Internet. Since the applications are not housed on the district’s servers, the Tech Director does not have direct control over where the data are stored, how the data are used, and how the data are protected. Because most edtech companies use cloud services themselves, the number of potential leaks from any single application is further multiplied. As a result, edtech applications pose a growing vulnerability to the school system’s data. Even if IT is successful at preventing intrusions to the district’s network and inappropriate use among students and district staff, student data are still badly exposed.

And should a data breach occur, the Tech Director will be held responsible. Families, the general public and the news media will not care about the details. Even if a third party application is ultimately identified as the source of the breach, dealing with the fallout still would be a time-consuming distraction.

Given this risk, Tech Directors could become increasingly nervous about allowing access to current and future edtech applications. Regardless of who eventually bears the legal liability or the monetary consequences, it is in everyone’s interests to help mitigate these concerns.

How teachers can help lessen the risks

The legal landscape is complex and becoming even more so with the passage of each new piece of legislation. Many people have heard of FERPA, CIPA and HIPAA, but COPPA, PPRA, SOPIPA and §49073.1 are less familiar.

In Cupertino Union School District in California, educators can help prevent unauthorized use of student data by submitting tools they want to use for approval. CUSD assesses each product against a privacy checklist. At CETPA 2015, Amy Wong, the district’s Director of Instructional Technology, described how the process, which was established partly in response to parental concerns, has raised awareness of the issues by guiding teachers, administrators, parents and vendors through this shifting legal maze. Paradoxically, she said, “that raised awareness has made parents increasingly wary about data privacy.” But despite the dedicated resources, Wong noted that “staying current with privacy policies that often get changed without notice and keeping up with new tools are constant challenges.”

But many school systems do not have the budget to approach what CUSD is doing.

How companies can help the Tech Director and themselves

Companies can take steps to help the Tech Director feel better about allowing district users to access their websites. They can also avoid the distress of seeing their contracts voided for non-compliance, a real legal consequence in California.

  1. Companies should make sure they comply with all the privacy statutes before they go to market; there are numerous resources available, including the Department of Education’s Privacy Technical Assistance Center, and Fagen, Friedman & Fulfrost’s Data Privacy Guidebook.
  2. Having completed the checklists, they should signal their compliance by signing the Student Privacy Pledge. Most companies post their Privacy Policy on their websites, but these tend to list what they will and won’t do with student data. It is difficult for the Tech Director to confirm whether the website is in compliance without a deep knowledge of the statutes and a careful examination of the statements. The Student Privacy Pledge is a reassuring green flag for the Tech Director.
  3. Companies should seek an external audit of their practices, including how they protect their own servers against intruders, from an organization such as iKeepSafe which issues the iKeepSafe Privacy Badge to companies that pass their assessments. The Tech Director needs to know that the vendor follows general practices included in the Student Privacy Pledge, and that it complies with specific state laws not included in the Pledge. The iKeepSafe Privacy Badge is another reassurance.

We’re in this together

Educators should look for these green flags on the websites they want to use and forestall any objections or delays from IT.

“The advent of technology and digital education in the classroom is requiring school districts to rewrite their social contract with students and parents,” said Mark Williams, an attorney with Fagen Friedman & Fulfrost. “Part of this rewriting involves the reshaping of privacy.”

It is in everyone’s interest to help rewrite this contract.

Gee Kin Chou is a consultant who helps technology companies design and market products and services for education and the former CTO of the Oakland Unified School District.

Stay up to date on edtech. Sign up to have top stories delivered weekly.

Who we are

EdSurge helps schools find, select and use the right technology to support all learners.
© 2011-2016 EdSurge Inc. All rights reserved. Every student succeeds.