As student data moves online, concerns from some parents and teachers are mounting around the safety of protecting the data from getting in the hands of corporations.
At the root of the angst surrounding the use of student data is a lack of trust and familiarity with how the data is collected, stored, shared, and protected. It’s a challenge to track this constantly expanding and changing landscape, as companies – each with their own set of privacy policies -- vie for their share of the $8 billion ed-tech market.
“There’s an enormous tidal wave of new applications being built for schools and for the first time, schools have tons of options for each little thing,” said Tyler Bosmeny, CEO of Clever, which provides software that works with students information systems.
The sole purpose and function of many educational application developers is to collect and analyze student data and assessments in order to help teachers adapt curriculum to students' specific levels. But fears of what will become of that data have led to a backlash against the companies collecting, storing and analyzing student data. In turn, policymakers have responded to these mounting concerns, introducing 82 bills in 32 states this year that address student privacy, according to the Data Quality Campaign.
How is Student Data Collected and Stored?
Parents often kick off their child’s electronic trail well before the first day of class. At some schools, parents register their child for school online, typing in their child’s name, address, birth date, schools, medical and behavioral history. This information (or parts of it), are often stored in a virtual folder next to other student’s registration in a Student Information System. Administrators can add attendance records to these files through integrated systems and teachers can upload test scores and scan in bubble sheets to complete the picture. Over the years, a child’s school life could be told in data points. The goal of keeping this data is build a profile that can help educators analyze the information and tailor teaching approaches to help the child learn and grow.
But the more data is collected, the harder it is for schools to keep track. Schools often find it’s cheaper and easier to have third party cloud providers like Google, Amazon and Microsoft store and maintain the student data on their servers than it is to own and operate a unique school district data center. In fact, 95 percent of schools and districts store their student information in the cloud, according a recent study on data privacy led by Professor Joel Reidenberg, director of the Center on Law and Information Policy at Fordham Law School.
It is this outsourcing of student data to third parties that puts privacy advocates on edge. In mid-April, privacy concerns grew so pronounced about inBloom – a non-profit corporation that was created to store and manage student data from a handful of states – that the group shut down as state after state pulled out of the massive project.
What Are the Fears?
Fears around how student data can be improperly used fall into a few categories: data marketers, data breaches and unshakable data trails.
In the same way that Google recommends products based on your web searches, marketers with access to student data could suggest items to children. "You don’t want to see a student write four essays on baseball and then have a company try to sell him baseball tickets,” says Joni Lupovitz, of Common Sense Media.
A second area of concern stems from the potential for data breaches, which have already happened. One breach in Tennessee in 2009 inadvertently left 18,000 K-12 student names, addresses, birth dates and full Social Security numbers on an unsecured web server for four months. “Every major financial institution has had their banking information compromised,” Reidenberg said. “There’s no reason to believe children’s information will be more secure.”
Finally, there is the risk that student data, like a tattoo, will be hard to erase. "If a child is wrongly branded as a trouble maker in third grade and the profile follows him like the no-fly list – that’s a problem," Reidenberg said.
But other education stakeholders hold a more tempered view. “There are a lot of misconceptions about storage of student data in the cloud," said Kathleen Styles, the Chief Privacy Officer at the U.S. Dept. of Education on a forum about cloud computing. There’s nothing inherently more or less secure about cloud storage compared to traditional data storage – it all depends on the specific approach and the contract terms.”
How Is Student Data Protected?
Student data is protected under a variety of state and federal laws, but the Family Educational Rights and Privacy Act, or FERPA is the most commonly cited. Under FERPA, student data can only be used for educational purposes and using student data to sell or market products is prohibited.
But FERPA’s protections get murky. For starters, FERPA allows schools to release records to other education officials without parental consent. Those education officials can be vendors, including for-profit cloud service providers that are under "direct control" of schools.
What’s more, Reidenberg argues FERPA applies only to schools receiving federal funding –- not to private companies. In his study, he found that “fewer than 7 percent of agreements between schools and developers restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice.” And his study only explored cloud computing contracts, not contracts with the myriad educational software programs and learning applications in existence.
Selling Student Data Security
Some companies are conscious of the escalating concerns about privacy and are using security as a selling point. For example, Clever doesn’t even store student data, but has a policy of only making agreements with developers who are FERPA compliant. Clever software enables students to log onto multiple apps like eSpark Learning, DreamBox and Wowzers with just one username and password. “We created Clever to create some sanity in managing those applications and knowing which ones are FERPA compliant,” he says. “There are so many options to choose from that many schools don’t know where to start.”
Another company, Illuminate, which provides student information systems, data and analysis and other software goes to great lengths to build trust with schools. Illuminate reports that it encrypts every page, stores most of its data on its own servers (not the cloud), has round the clock security on staff and trains each employee in the federal law protecting student data. “To stay up on security, it takes full-time people every day to stay on top of what’s out there. If you’re in a school district and trying to manage that on your own, that’s a very difficult task,” said company’s CEO Lane Rankin.
Even with all the security precautions, Rankin, whose business is dependent on student data, believes the issue of privacy has been overblown to some extent.
"Parents should be much more concerned about what’s going on with their bank, about all the stuff Google’s tracking every time you’re on the web, about your cell phone and what Verizon knows about your location and where you took your pictures," he said. "But student data? That’s in a very secure location, controlled by the local school district, there for the purposes of helping more students, classrooms and schools. Because it’s very benign data, advertisers aren’t going to care about this data. They care about when you’re clicking around so they can sell you more stuff."
Setting Up Protocols
School administrators, the stewards of student data, must institute technical protections against the misuse of information. “It’s up to the school or district to set the proper balance of physical, technological and administrative controls to prevent unauthorized access,” the DOE's Styles said. This means administrators decide what information goes into the cloud or to an app, who has access to it, what password protections those with access need and how much encryption to require considering the sensitivity of the data.
Beyond the technical agreements, all stakeholders can push for specific privacy principles in the contract language between schools and vendors. Common Sense Media, which launched a School Privacy Zone Campaign, suggests contracts with software companies explicitly prohibit developers from using the data for commercial purposes and only use data for educational purposes.
Both Common Sense Media and the Electronic Privacy Information Center recommend limits to the amount of data collected and the amount of time it can be stored. EPIC recommends returning control of the data to the students.
While guiding privacy principles and careful contractual language are critical, schools and parents are hard-pressed to keep pace with the technically complex and rapidly changing educational landscape. Increasingly, districts are adding a new layer of protection to their systems. They’re hiring Chief Technology Officers to guide their technological engagement, so schools have a sophisticated player of their own keeping pace in the tech race.