No. 4 on our list of key ed-tech trends for the new school year is the need for K-12 leaders to navigate a data privacy minefield
[Editor’s note: This is the second in a series of stories examining five key ed-tech developments to watch for the 2014-15 school year. Our countdown continues tomorrow with No. 3.]
After the high-profile demise this past spring of inBloom, a controversial nonprofit organization that aimed to build a national, cloud-based student data system to improve education, school leaders face a puzzle: How can they balance the privacy concerns of stakeholders with the need to collect and analyze information about their students?
Amid an onslaught of criticism from parents and data privacy advocates, states that had signed agreements with inBloom began to pull out of the initiative last year, and the group shut its doors in April. Now, ed-tech observers are wondering what inBloom’s collapse will mean for other efforts to personalize instruction using cloud-based data systems.
As school leaders turn to software companies for help in collecting and storing student data in the cloud, privacy advocates worry about what will happen to the information—and whether it might be used for marketing purposes.
The Family Educational Rights and Privacy Act governs the use and disclosure of students’ personal information, but it can only penalize schools for non-compliance. The law doesn’t include any direct authority over software providers—which is one reason many policy makers think it’s time to update FERPA for the digital age.
(Next page: How new legislation intends to modernize FERPA—and the biggest lesson that school leaders can learn from the inBloom fiasco)
On July 30, Republican Sen. Orin Hatch of Utah and Democratic Sen. Edward Markey of Massachusetts introduced the “Protecting Student Privacy Act,” which intends to bring FERPA into the era of Big Data.
“Students may well have more of their personal data stored by third parties than anyone, and the widespread storage of this information puts students at risk that this data could fall into the wrong hands,” Hatch said in a press release.
“This legislation establishes security safeguards to ensure greater transparency and access to stored information for students and parents. Further, it includes a provision banning data mining for marketing or advertising purposes and other common-sense protections.”
The act requires transparency about outside parities who have access to student data; minimizes the amount of information schools can share that is personally identifiable; gives parents access to personal information about their children that is held by private companies, and provides for corrections if in error; and calls for private companies to delete personally identifiable information when it’s no longer needed for a specific purpose.
Zach Williams, director of communications for the Ogden School District in Utah, said his understanding of the new act is that it enhances FERPA, taking it from the age of paper documents to modern technology.
“Technology advances so quickly that it’s hard to write legislation that keeps up with advances,” he said. “I think this act appears to be reiterating that even if it’s a third party that has information, they still need to follow FERPA guidelines, which is something that we take very seriously already.”
Williams added: “The part I really like, as a parent, are the restrictions on advertising or marketing using student data. That’s something that really is important.”
The family advocacy group Common Sense Media supports the legislation, calling it “a step forward for fostering student privacy while permitting ed-tech innovation.”
Schools are “collecting massive amounts of sensitive student data, from test scores and assignments to disciplinary and demographic records,” said the group’s CEO, Jim Steyer, in a statement. “We share the bill’s goal of strengthening [FERPA] to help ensure that schools and the private ed-tech companies they work with protect students’ personal information and have appropriate practices for data security, use, destruction, and parental access.”
Common Sense Media’s “School Privacy Zone” campaign recommends three ideals for safeguarding student privacy: (1) students’ personal information should be used only for educational purposes; (2) students’ personal information and online activity should not be used to target advertising to students or families; (3) ed-tech providers should have appropriate data security policies in place.
Before checking a box agreeing to the terms of a software license, school leaders should carefully read the fine print to understand what they’re agreeing to—and they should make sure the agreement prohibits the company from using any data for non-educational purposes.
inBloom officials claimed to have followed these guidelines, but it didn’t matter in the end—which suggests the need for school leaders to talk openly about privacy and address parents’ concerns proactively, before it’s too late.
The need for better communication with parents is underscored by a recent study from Fordham University’s Center on Law and Information Policy, which found that 95 percent of schools use cloud services for data hosting and/or mining—but only a quarter of schools have notified parents that they use these services.
If there is a positive lesson to come out of the inBloom situation, “it’s yes, you have to have best practices in place,” said Keith Krueger, chief executive officer or the Consortium for School Networking. “But if you can’t communicate that to your community, it all falls apart.”