- eSchool News - https://www.eschoolnews.com -

3 myths about school data privacy in the cloud

privacy-cloud

Experts say privacy is possible if you take these critical steps

As schools and districts struggle to keep up with big data management and analysis, many are worried about how student data privacy will be affected once it’s in the cloud. However, experts say concerns should be less about nitty-gritty IT details and more about school staff investment.

Experts from government, law, and data organizations recently gave advice to schools and districts during a webinar presented by the Consortium for School Networking [1] (CoSN), “Is Privacy in the Cloud Possible?”

Panelists described how many concerns about privacy in the cloud are myths; in actuality, the real concerns for student privacy have little to do with shady contracts or online hackers: it’s the school staff that need some help.

Educators can follow the conversation on Twitter with the hashtag #eSNTopNews

(Next page: Myth #1)

Aimee Guidera, executive director of the Data Quality Campaign [2] (DQC) said it’s important for schools and districts to remember why data is being collected.

“It’s important to remember that we’re going through all of this to turn the data into actionable results,” she explained. “Data can help with transparency and accountability, improving system performance, and increase student achievement. It can also help scale best practices.”

[See “Major ed data report reveals states’ improvements.” [3]]

Guidera said that as states and districts move toward empowering stakeholders with actionable data, they are also increasing focus on safeguarding and privacy issues.

Yet, many states, districts, schools, and the public may have misconceptions or “myths that can be busted” about student data privacy in the cloud, said Guidera:

Myth #1: Third Party Providers (TPPs) can sell data or misappropriate the data for non-educational purposes.

According to Kathleen Styles, chief privacy officer for the U.S. Department of Education [4], the Family Educational Rights and Privacy Act [5] (FERPA) protects student data from TPP misappropriation.

FERPA, passed in 1974, gives parents and eligible students the right to access and seek to amend their children’s education records. It also protects personally identifiable information (PII) from education records from unauthorized disclosure, and requires written consent before sharing PII, unless an exception applies.

“FERPA covers education records directly related to a student and records maintained by an educational agency or institution or a party acting for the agency or institution. Many people are now asking if new types of data count as education records,” said Styles. “They’re wondering what happens to things like digital breadcrumbs.”

Styles explained how schools or local education agencies (LEAs) can use the School Official Exemption (SOE) to disclose education records to a TPP if the TPP:

“It’s important to remember that for schools and LEAs, TPPs must meet the criteria under [SOE],” said Styles. “However, state education agencies cannot use the [SOE]; therefore, they must designate TPPs as ‘authorized representatives’ under the Audit and Evaluation Exception.”

Specifically regarding cloud services, FERPA allows the use of cloud services, but the arrangement must meet the SOE requirements, noted Styles.

“Schools and districts own the data, regardless of the TPP, and are always responsible for it, even when shared” stressed Styles. “The IT provider must comply with both FERPA and the terms of the school or district contract. The provider never ‘owns’ the data, and can only act at the direction of the school or district.”

Another safeguard exists at the state level, said Styles, as SEAs are under the same FERPA requirements as TPPs if they provide centralized IT services, such as Student Information Systems, to LEAs in their state.

(Next page: It’s an all-staff effort)

Myth #2: Data privacy is a concern for just the IT department.

According to David Rubin, attorney for the Council of School Attorneys [6], one of the biggest challenges to protecting data privacy in the cloud is the lack of understanding by school boards and district superintendents.

“You start to talk to them about data privacy and cloud warehousing and you see their eyes glaze over. With so much jargon it’s easy to say ‘it’s a problem for IT,’ but everyone should be well-versed in data privacy,” explained Rubin. “That’s why it’s good to relate data privacy in the cloud to a symbol and use language they can understand.”

Rubin gave the example of describing the cloud as a physical warehouse in the city somewhere.

“Tell them to think of questions like ‘Is the building secure?’ ‘What boxes of files in the warehouse need to have their own special security?’ ‘What happens if the boxes are stolen? What measures are in place?’ ‘Does the warehouse itself comply with city ordinances?’ ‘Will the file boxes be mixed in with other files from other people?’ ‘What happens if there’s an emergency like flooding and the boxes need to be moved?’ ‘If the warehouse is just beyond the state line, do laws in that state comply to the laws in my state?’ All of these questions should be the same ones you consider when moving to the cloud.”

Another large concern for schools, noted Rubin, is when individual teachers, trying to help their students, start downloading ‘free’ apps on mobile devices—apps that could have teachers clicking away student privacy rights.

“Teachers are accepting terms of service that may be directly violating student privacy laws and that can’t happen,” said Rubin. “Teachers need to be made aware of this fact as they start incorporating mobile devices into the classroom.”

Jim Siegl, technology architect for Fairfax County Public Schools (FCPS), said that a recent update to the Children’s Online Privacy Protection Act [7](COPPA) in July 2013 extended to apps and expanded its definition of PII to include geolocation data, files that contain a child’s image or voice, and “persistent identifiers” (e.g. tracking cookies) that could be used to build a profile over time and across different websites or online services.

“COPPA does not apply to school districts that contract with websites to offer online programs solely for the benefit of their students and for no other commercial purpose,” explained Siegl. “Schools can inform parents of non-commercial use platforms through school AUPs [Acceptable Use Policies], and for commercial platforms they can send out consent forms.”

Siegl also mentioned that iTunes now has a “kid’s” category [8] to screen vendors and weed out behavioral advertising.

(Next page: Should all data be in the cloud?)

Myth #3: All data should be in the cloud.

One of the first things schools should do before moving data to the cloud, said Guidera, is to think of data like a house—one where housekeeping is needed.

“Store only the data you really need,” she said. “If you can’t explain to the community, parents, and stakeholders why you need the data for an action plan you shouldn’t be collecting it and putting it on the cloud.”

“Clean up your data gathering practices before moving to the cloud,” said Rubin. “The old data collecting practices from 10 years ago should be revisited. You should also have a mapping system so you can know what data you’re moving to the cloud in order to keep better track of it.”

Guidera also recommended that schools and districts should establish data governance that addresses how policies and practices are implemented and enforced; as well as build the capacity of all end users to protect the data.

“There’s this other huge myth that if data needs to be kept safe it will be restrictive—it doesn’t have to be. Keeping data safe doesn’t mean it should be near impossible to analyze and distribute to staff, families, and the community. There’s a healthy balance; and as schools move into the cloud it’s important to remember that,” concluded Guidera.