Being an effective “digital parent” includes understanding student data privacy. As you and your family members engage with learning institutions — from public schools to online universities — keep in mind how those institutions gather, store, and share student information. Fostering this awareness is part of a thriving personal privacy practice.
Student data privacy highlights the themes of transparency, notice and choice – how can students (and parents on their behalf) maintain control over the personal information collected and used ostensibly to provide educational resources? How can we promote innovation in educational technology while maintaining appropriate privacy and security protections?
Earlier this week inBloom, a non-profit offering data management tools to public schools, shut down amid controversy and parental concern over the system’s use of student data. inBloom, financed by the Bill and Melinda Gates Foundation and the Carnegie Corporation of New York, had partnered with school districts to collect data to enable analytics that could inform ways to improve student and teacher performance. The company reports its work “has been stalled because of generalized public concerns about data misuse…”
It would be short-sighted to neglect the potential for innovation in personalized learning technology and the ways parents and educators can derive valuable insights from student data. But there are many unresolved issues related to transparency of privacy practices, the breadth of student data collected, and the use of “data mining” to providing advertising and create user profiles of students. (It reinforces the call to integrate mindful living through the intelligent use of technology.) Parents want to feel that they are fully informed about their child’s learning environment and that they can trust that their children are protected – not that students and their data are somehow misused or taken advantage of.
In the case of inBloom, some of the more than 400 data fields that could be collected by school administrators seemed unrelated to an educational purpose and in some instances contained highly sensitive student information. Concerned about the level of detailed information about their children being transferred to a third-party service provider and potentially used by data mining companies, many parents objected. Privacy, after all, is a choice, and many feel “my privacy is not your product.” School districts in Louisiana and Colorado and the New York state legislature voted to end their relationships with inBloom.
The Effort to Protect Student Data
There’s a growing call for a student privacy bill of rights. The SIAA (Software & Information Industry Association), the principal trade association for the software and digital content industry, has proposed the following best practices to safeguard student information privacy and data security:
Educational Purpose: School service providers collect, use, or share student personally identifiable information (PII) only for educational and related purposes for which they were engaged or directed by the educational institution, in accordance with applicable state and federal laws.
Transparency: School service providers disclose in contracts and/or privacy policies what types of student PII are collected directly from students, and for what purposes this information is used or shared with third parties.
Authorization: School service providers collect, use, or share student PII only in accordance with the provisions of their privacy policies and contracts with the educational institutions they serve, or with the consent of students or parents as authorized by law, or as otherwise directed by the educational institution or required by law.
Security: School service providers have in place security policies and procedures reasonably designed to protect personal student information against risks such as unauthorized access or use, or unintended or inappropriate destruction, modification, or disclosure.
Data Breach Notification: School service providers have in place reasonable policies and procedures in the case of actual data breaches, including procedures to both notify educational institutions, and as appropriate, to coordinate with educational institutions to support their notification of affected individuals, students and families when there is a substantial risk of harm from the breach or a legal duty to provide notification.
Four Tips to Protect Student Privacy
1. Know your rights under existing laws
There are helpful resources online to help you understand your current rights and untangle the laws that support those rights.
COPPA is a Federal law which governs the online collection of personal information from anyone who is 13 or younger. COPPA rules specifically define what needs to be included in a website’s privacy policy. It also provides detailed instructions on how and when to acquire verifiable parental consent to collect information from children under 13. In addition, COPPA outlines a website owner’s responsibilities with regards to protecting the online safety and privacy of minors.
FERPA is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. Parents or eligible students have the right to inspect and correct the student’s education records maintained by the school. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to certain parties and under certain conditions (e.g. school officials with legitimate educational interest; other schools to which a student is transferring; and specified officials for audit or evaluation purposes.). In addition, schools may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must notify parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA.
The PPRA applies to programs that receive funding from the U.S. Department of Education (ED) and protects the rights of parents and students in two ways: 1) By ensuring that schools and contractors make instructional materials available for inspection by parents if those materials will be used in connection with an ED-funded survey, analysis, or evaluation in which their children participate; and 2) It ensures that schools and contractors obtain written parental consent before minor students are required to participate in any ED-funded survey, analysis, or evaluation that reveals information concerning sensitive subjects (such as mental and psychological problems potentially embarrassing to the student and his/her family; and sex behavior and attitudes.
2. Follow pending student privacy legislation
One example is SB 177. This California bill, if enacted, would allow operators of websites, online services, online applications or mobile applications to use student data strictly for school purposes. They couldn’t use, share, disclose or compile personal information about students for commercial purposes, including advertising and profiling. They also couldn’t advertise a product to a student on their site.
3. Voice your concerns about student privacy to school officials
A recent Common Sense Media survey found that 90 percent of adults are concerned about companies with non-educational interests accessing student information (64 percent are “very concerned”), 77 percent of adults would outlaw the sale of student data to marketers, and 74 percent would prohibit Internet companies from using students’ browsing habits to develop targeted ads.) Surveys matter, but only if they reflect everyone’s voice. Participate in your local school district – speak up and be an advocate for student privacy. Leonie Haimson is one of many vocal student advocates – here are her thoughts on the inBloom closure.
4. Ask questions about the educational technology used at your school
Several vendors and organizations offer similar services and technologies as inBloom, including Pearson which offers the PowerSchool student information system, and Clever, a San Francisco based technology company. Be informed about the data collection practices and student privacy issues at your school.
• What vendors are used to provide technology resources to students?
• What services do the vendors provide?
• What student data is collected, for what purpose is it used, and with whom it is shared?
• What are student and parent rights to access and correct this information?
• What are student and parent rights to limit data collection or “opt-out” of participation?
• Does the vendor use or share student data for commercial purposes not related to the online services requested by the school? For example, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes?
• What are the school and vendor security and data retention standards? Take these issues seriously, as there have been data breaches related to student information. Just this week Iowa State University announced that servers containing the social security numbers of almost 30,000 students were compromised in a security breach.
Resources
The Department of Education recently launched the Privacy Technical Assistance Center (PTAC) to help educators and parents interpret laws and share best practices around student data and privacy. Additional resources on student data privacy from the Electronic Privacy Information Center (EPIC) and Common Sense Media may be useful to you as you deepen your understanding of these issues.