Policy

​Protecting Student Data and Privacy, From Inside Cambridge Public Schools

By Heather French     Dec 13, 2016

​Protecting Student Data and Privacy, From Inside Cambridge Public Schools

In order to educate our students and prepare them for the world we live in, education must keep up with current and ever evolving technology. But not all educational technology is good, of high quality, or even worth a student’s time.

More importantly, not all educational technology is safe. New apps, websites and games come out every day and teachers are often excited and ready to try them. But how do they know if these new tools are secure for our students to use?

Most applications collect some form of data from users and when it comes to children, we must be cautious as to what happens with that information. As an instructional technology specialist for Cambridge Public Schools (CPSD), one of my many roles is to advise teachers on new technology tools and be a gatekeeper for student data.

We aim to set the standard for student data and privacy at Cambridge, which serves 6,961 students. Not only are we educating our students about how to be safe online, but we ensure that the information they share online is also safe. Cambridge was one of only seven school districts in the country to be awarded the Trusted Learning Environment seal from the Consortium of School Networking in association with the School Superintendents Association, the Association of School Business Officials International, and The Association for Supervision and Curriculum Development.

Our award is a recognition of the policies and procedures in place that ensure student data is always protected. But what does that actually mean for teachers and students? CPSD doesn’t expect every teacher to read the hundreds of pages of laws that affect educational technology on top of their already very full schedules. Whenever a teacher wants to use a new app or website that involves any student data, she or he must either check in with an instructional technology specialist (who is familiar with the various student privacy laws governing educational technology listed below) or check the CPSD website for approved applications.

If an application has not previously been approved, teachers can submit a request and the vendor will be sent the CPSD Student Data Privacy Agreement (PDF). Then the company that created or manages the app or website must agree to and sign a legally binding contract guaranteeing that they will not use student information for any reason. If they won’t, there are two options: The website or app will not be made available to CPSD teachers and students, or a parent release is created and sent home to inform parents and seek parental permission. It can be quite a process and can take days or months, but we know that student data is safe.

Cambridge has been lauded time and again for this process because it has proven to keep student data safe. But is there a better way? I was inspired by EdSurge’s interview with education technology lawyer Gretchen Shipley and her remark that “school districts should not have to be working so hard to make sure that what they’re buying is a safe product.”

Companies that want schools to use their technology should be proactive in addressing these concerns without needing to be approached by the legal team of a school district. For example, if a company took to heart all of the governing laws that apply to school use of educational technology and published how they are compliant, that would be a step in the right direction. But it still might not be enough. What if, in place of awarding a seal to districts, a nationally recognized organization like CoSN awarded applications, websites, or even companies a seal that proved that they are compliant?

To learn more about what work is currently being done in the space, I spoke to Steve Smith, Chief Information Officer for Cambridge Public Schools. Here is what I learned:

A lot of the issues with managing student privacy come from the fact that the biggest governing law (FERPA) was created in 1974 by President Gerald Ford. It has been amended nine times; the last in 2001. So school districts have had to interpret the law in different ways, as the technology landscape today looks very different than that of 2001. Causing further issues for companies that create educational technology is the fact that every state has a different set of laws governing student data.

Smith told me: “Although there does not seem to be a single ‘Privacy Seal of Approval’ likely to be launched in the near future, there are a number of privacy related projects that are having positive effects on the marketplace.” He showed me how The Student Data Privacy Consortium (SDPC) is leveraging the work of the Massachusetts Student Privacy Alliance to establish a statewide privacy alliances sharing model for student data privacy agreements. Basically, Cambridge is participating in maintaining a database that shares agreements for specific applications.

“These model agreements are increasingly being accepted by vendors as the contracts to establish common student data privacy clauses and expectations, thus reducing the burden of negotiating one-off contracts,” Smith said. Currently active in 10 states, the SDPC helps maintain a database of approved applications and share the agreements between the company and each district. These previously used, shared agreements provide an easier path for other districts to reach agreement in the future. This is one way that states are attempting to make the path easier to use for vendors and educators.

In addition, three other sources of privacy related information on vendors include: iKeepSafe which offers a privacy approval service aligned specifically to California state student privacy requirements, Common Sense Media is developing a privacy rating service to rate vendor & application privacy policies and terms of service, and the Future of Privacy Forum has sponsored the “Privacy Pledge”, which now has over 300 signatories. The Privacy Pledge is a list of legally enforceable commitments by companies to safeguard student information. All of these are steps in the right direction towards keeping student data safe while opening doors for teacher use of new technology.

“Although there is no single source of application approval for privacy across the country, the combination of these four projects provide a very powerful lense through which to evaluate products,” Smith added. “These organizations and initiatives are all working very closely together as partners to support each others work with the goal of influencing the market place to address privacy concerns in a more seamless manner that support rapid adoption of safe online tools.”

At a conference in Austin, Texas, last year I heard an attendee call an app “Cambridge Approved”, referring to the fact that Cambridge was using the app and implying that it must therefore be compliant with the laws listed above. I hope that someday there is a clear and easy path for companies to keep student data safe and to be transparent about exactly how that will happen. Technology is evolving at a very fast pace and to mostly wonderful results, but after my conversation with Smith I have renewed hope that it won’t leave education behind. 

Heather French is an Instructional Technology Specialist at Cambridge Public School District.

Policy

​Protecting Student Data and Privacy, From Inside Cambridge Public Schools

By Heather French     Dec 13, 2016

​Protecting Student Data and Privacy, From Inside Cambridge Public Schools

In order to educate our students and prepare them for the world we live in, education must keep up with current and ever evolving technology. But not all educational technology is good, of high quality, or even worth a student’s time.

More importantly, not all educational technology is safe. New apps, websites and games come out every day and teachers are often excited and ready to try them. But how do they know if these new tools are secure for our students to use?

Most applications collect some form of data from users and when it comes to children, we must be cautious as to what happens with that information. As an instructional technology specialist for Cambridge Public Schools (CPSD), one of my many roles is to advise teachers on new technology tools and be a gatekeeper for student data.

We aim to set the standard for student data and privacy at Cambridge, which serves 6,961 students. Not only are we educating our students about how to be safe online, but we ensure that the information they share online is also safe. Cambridge was one of only seven school districts in the country to be awarded the Trusted Learning Environment seal from the Consortium of School Networking in association with the School Superintendents Association, the Association of School Business Officials International, and The Association for Supervision and Curriculum Development.

Our award is a recognition of the policies and procedures in place that ensure student data is always protected. But what does that actually mean for teachers and students? CPSD doesn’t expect every teacher to read the hundreds of pages of laws that affect educational technology on top of their already very full schedules. Whenever a teacher wants to use a new app or website that involves any student data, she or he must either check in with an instructional technology specialist (who is familiar with the various student privacy laws governing educational technology listed below) or check the CPSD website for approved applications.

If an application has not previously been approved, teachers can submit a request and the vendor will be sent the CPSD Student Data Privacy Agreement (PDF). Then the company that created or manages the app or website must agree to and sign a legally binding contract guaranteeing that they will not use student information for any reason. If they won’t, there are two options: The website or app will not be made available to CPSD teachers and students, or a parent release is created and sent home to inform parents and seek parental permission. It can be quite a process and can take days or months, but we know that student data is safe.

Cambridge has been lauded time and again for this process because it has proven to keep student data safe. But is there a better way? I was inspired by EdSurge’s interview with education technology lawyer Gretchen Shipley and her remark that “school districts should not have to be working so hard to make sure that what they’re buying is a safe product.”

Companies that want schools to use their technology should be proactive in addressing these concerns without needing to be approached by the legal team of a school district. For example, if a company took to heart all of the governing laws that apply to school use of educational technology and published how they are compliant, that would be a step in the right direction. But it still might not be enough. What if, in place of awarding a seal to districts, a nationally recognized organization like CoSN awarded applications, websites, or even companies a seal that proved that they are compliant?

To learn more about what work is currently being done in the space, I spoke to Steve Smith, Chief Information Officer for Cambridge Public Schools. Here is what I learned:

A lot of the issues with managing student privacy come from the fact that the biggest governing law (FERPA) was created in 1974 by President Gerald Ford. It has been amended nine times; the last in 2001. So school districts have had to interpret the law in different ways, as the technology landscape today looks very different than that of 2001. Causing further issues for companies that create educational technology is the fact that every state has a different set of laws governing student data.

Smith told me: “Although there does not seem to be a single ‘Privacy Seal of Approval’ likely to be launched in the near future, there are a number of privacy related projects that are having positive effects on the marketplace.” He showed me how The Student Data Privacy Consortium (SDPC) is leveraging the work of the Massachusetts Student Privacy Alliance to establish a statewide privacy alliances sharing model for student data privacy agreements. Basically, Cambridge is participating in maintaining a database that shares agreements for specific applications.

“These model agreements are increasingly being accepted by vendors as the contracts to establish common student data privacy clauses and expectations, thus reducing the burden of negotiating one-off contracts,” Smith said. Currently active in 10 states, the SDPC helps maintain a database of approved applications and share the agreements between the company and each district. These previously used, shared agreements provide an easier path for other districts to reach agreement in the future. This is one way that states are attempting to make the path easier to use for vendors and educators.

In addition, three other sources of privacy related information on vendors include: iKeepSafe which offers a privacy approval service aligned specifically to California state student privacy requirements, Common Sense Media is developing a privacy rating service to rate vendor & application privacy policies and terms of service, and the Future of Privacy Forum has sponsored the “Privacy Pledge”, which now has over 300 signatories. The Privacy Pledge is a list of legally enforceable commitments by companies to safeguard student information. All of these are steps in the right direction towards keeping student data safe while opening doors for teacher use of new technology.

“Although there is no single source of application approval for privacy across the country, the combination of these four projects provide a very powerful lense through which to evaluate products,” Smith added. “These organizations and initiatives are all working very closely together as partners to support each others work with the goal of influencing the market place to address privacy concerns in a more seamless manner that support rapid adoption of safe online tools.”

At a conference in Austin, Texas, last year I heard an attendee call an app “Cambridge Approved”, referring to the fact that Cambridge was using the app and implying that it must therefore be compliant with the laws listed above. I hope that someday there is a clear and easy path for companies to keep student data safe and to be transparent about exactly how that will happen. Technology is evolving at a very fast pace and to mostly wonderful results, but after my conversation with Smith I have renewed hope that it won’t leave education behind. 

Heather French is an Instructional Technology Specialist at Cambridge Public School District.

Next In Policy

Next in Policy

STAY UP TO DATE ON EDTECH
News, research, and opportunities - sent weekly.
STAY UP TO DATE ON EDTECH
News, research, and opportunities - sent weekly.