1703 North Beauregard St.
Alexandria, VA 22311-1714
Tel: 1-800-933-ASCD (2723)
8:00 a.m. to 6:00 p.m. eastern time, Monday through Friday
Local to the D.C. area: 1-703-578-9600, press 2
Toll-free from U.S. and Canada: 1-800-933-ASCD (2723), press 2
All other countries: (International Access Code) + 1-703-578-9600, press 2
Fall 2015 | Volume 21 | Number 3
Locking the Cloud: Student Data Collection and Privacy Safeguards
Technological innovations have transformed virtually every aspect of our lives. In general, most would agree that the benefits have so far outweighed any negatives. But when it comes to our personal online data, every level of our government and society is questioning how that data should be collected, informed, utilized, and shared—and how well it is being safeguarded.
From credit scores to Facebook advertising to Internet searches, computer algorithms are driving our private and societal lives behind the scenes. As consumers, we rarely question online privacy policies—until a large-scale data breach occurs. Then, the security of our privacy takes on greater urgency and importance.
Like every major societal institution, our nation's public schools have joined the wave of electronic data collection. From the time schoolchildren enter the school building until they finish their online homework, entities that include state and federal government agencies, education technology companies, assessment contractors, and researchers are collecting, analyzing, and sharing their data—both personal and anonymous.
Until recently, the majority of student data was collected in hardcopy form and stored in locked metal cabinets. When data became digitized and online data management and storage became available, the ease with which student information can be collected and accessed increased exponentially. Today, this lode of data is often stored on cloud-based servers managed by third-party entities.
Regulations governing student data have been in place since the 1970s. The Family Educational Rights and Privacy Act (FERPA) is the most widely recognized federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education (ED).
The law mandates schools to receive written permission from legal guardians before they release information from student records. According to FERPA, however, schools can release records, without permission, to "the following parties or under the following conditions:
According to the ED, "schools may disclose, without consent, 'directory' information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school" (2015).
Given that FERPA regulations were largely written before the data revolution, many education stakeholders question whether it's sufficient to apply in a 21st century virtual context. For example, FERPA regulations do not clearly spell out whether significant portions of the digital data collected now in schools, such as academic work habits and performance, counts as part of a student's formal education record.
With growing awareness of what and how much data is being collected and shared by entities and large-scale data breaches becoming semiregular occurrences, parents are asking: What information about my child are schools collecting? How secure is it? With whom is it shared? Broadly, educators, families, and policymakers are exploring what federal, state and district privacy practices must be instituted to ensure controls on the privacy of student data. These questions naturally expand to others, such as: Are schools communicating their policies on the collection of student data with parents? Do schools have the right technology infrastructure and expertise in place to manage all the data? Who is—and who should be—overseeing and managing student (and school employee) information?
Schools have always collected student data, says Amelia Vance, director of education data and technology for the National Association of State Boards of Education. In the past, this collection was largely compliance-based to meet federal and state requirements. Today, school-based data on virtually every component of a child's education can be collected—from eligibility for free and reduced-price school meal programs to daily attendance to assessment data—and is then channeled into a centralized database, known as a statewide longitudinal data system. Such a database supports a state's ability to manage, analyze, and use educational data (including individual student records) in making informed decisions to improve student learning and outcomes, facilitate resource to increase student achievement, and close achievement gaps. Different states collect different elements of personal student data, and since 2005, more than $650 million in federal funds have been allocated to states to build these systems (Data Quality Campaign, 2014a).
But large-scale data breaches (such as those that occurred at Sony, Target, Home Depot, and the federal Office of Personnel Management) expanded the spectrum of concern around this data collection, Vance adds. "Information is not in a locked box and that frightens a lot of people," she says. This fear, Vance adds, is "completely understandable, especially when talking about kids. When does the information get deleted? When does the data collection stop? How long does the data follow them around? How do schools ensure that it's not being used in bad ways?"
"Nothing more valuable to a student than their privacy," says education advocate and blogger Leonie Haimson. "If their information is breached and put online, it could literally ruin their prospects for college [and] careers."
National concern over student data and privacy began to percolate—before boiling over—a few years back over the creation of a multistate student data collection project operated by a relatively new nonprofit organization called inBloom, which received $100 million in seed money from the Bill and Melinda Gates Foundation and the Carnegie Corporation of New York.
The promise of inBloom was that it enabled participating school districts and states to collect and aggregate a wide range of student data from various sources, and then store it all on a cloud-based server to foster easier processing, tracking, analyzing, and sharing of the data. It was also touted as a tool that would save educators time, effort, and resources—all priceless commodities in the life of today's public school teacher or administrator.
When Haimson—a parent—became aware of inBloom operating in her state (New York), she began to investigate. "I was convinced that inBloom was in violation of FERPA. I was shocked to learn that it wasn't," she says.
Haimson and other parents raised enough concerns about inBloom, especially on the collection of personally identifiable student data, to start an onslaught of negative attention that contributed to inBloom's demise. They argued that tight controls around the use of this data had not been instituted, especially with regard to the participating education technology companies.
Colorado parent Rachael Stickland expressed "shock" upon learning her child's school district was part of inBloom. "I described myself then as a 'neophyte,'" she says "I didn't understand how much data [on my child] was being collected on a day-to-day basis."
According to Stickland, no public record of discussion exists on her school district's inBloom participation. She raised concerns with her superintendent and mounted a campaign for public vetting of the school district's decision to participate. Board member support for inBloom resulted in a political shakeup during the next school board election.
"Now we have a very active privacy community," Stickland says.
Controversy around inBloom was not limited to New York and Colorado. Pushback from parents in other states contributed to its failure. The work of those like Haimson and Stickland ultimately created an advocacy organization, the Parent Coalition for Student Privacy, for which both women serve as cochairs.
Mark Schneiderman, senior director of education policy for the Software & Information Industry Association (SIIA), acknowledges that parents and policymakers raised valid questions over the collection, dissemination, and use of student data by third-party providers, such as education software vendors.
But Schneiderman pushes back against allegations "from the court of public opinion" that districts or government agencies are selling student data to third parties.
"There is zero evidence that student data are being sold," he says. Allegations like that "are hypotheticals that create fear."
inBloom exposed critical breakdowns in communications, says Paige Kowalski, vice president of policy and advocacy for the Data Quality Campaign. "Parents were asking, 'What are you collecting? Who has access to the data?'" Unfortunately, Kowalski says, "there weren't enough people with the knowledge and expertise to fully address parent concerns."
The education sector's adoption of technology "accelerated in recent years, along with the hosting of data off campus to power third-party applications," says Schneiderman. "But too often data practices did not keep up fast enough, often a result of inadequate training and capacity. When parents started asking questions at the local school board meeting, too often school leaders didn't have the answers—not because there was intentional wrongdoing by any parties, but simply because the issue wasn't yet on their radar."
Maturity, Schneiderman acknowledges, was lacking—on both the industry and school system sides of the issue. The inBloom experience, he adds, revealed the need for greater transparency, communication, and security with student data, not that inappropriate use occurred.
For school administrators such as Mark Klein, third-party vendors are "far more successful in giving us tools to pull things together." Klein works as the superintendent of schools for the Council Rock School District in Newtown, Pa., a public school system that educates 11,000 students and employs 1,400 people.
"Just 10 years ago, everything was paper, pencil, and checkbook," Klein says. Now his school "manage[s] all of our employee benefits, student absences, [and] our school lunch portal online."
Schools, Klein says, must update to stay current, and parents expect online access to information on their children. "Parents expect online portals for a lot of things. A parent on a cell phone can add money to their kid's school lunch balance or review their child's records." There is a "huge benefit for parents to get that information on a regular basis."
One administrative dilemma to student and school employee data and records being moved online, Klein says, is that he's now required to hire two to three more people to manage all this online data, thus missing the opportunity to hire more education professionals or put "the money into classrooms."
The conversation about securing data and safeguarding privacy (across education, the public, and policymakers), Klein says, is a good one. "School districts and solicitors are going to need to be really careful on how they read confidentiality policies. It can't be 'click and go.'"
School systems are the same as any other aspect of society, Schneiderman says. Each needs to determine and document where it does and does not need to collect data. "If schools choose to manage all this data on their own, they risk failing to protect it as well as effectively us[e] it. This is an important capacity issue. There are daily changes in security threats and in technology platforms. School systems have to operate through the Internet. They have to share data with their state, and the data has to be exchanged with other entities. None of them can do it alone. And when they do they almost always fail.
"This isn't a question of if. It's what's the best way …?"
Vance agrees. "From who runs the bus company, to teacher e-mails, to catering. … [Data are] now stored on computers versus a file cabinet. Schools are not always equipped to keep the data safe." Larger schools and those with more financial resources may have the in-house capacity necessary to adequately secure data in a cost-efficient way. For others, Vance says, third-party providers might offer a more secure and cost-efficient solution.
But Vance stresses that school systems must exercise direct control when working with third-party data management providers. Schools need to understand and detail the contractual responsibilities, and then hold such providers to the agreements.
This requirement raises the question: have schools been doing what they should?
"It is fair for parents and privacy advocates to ask whether schools have the capacity and knowledge to adequately protect data by exercising 'direct control' over their contracts with third parties," Vance says.
Klein was an attorney with experience in software licensing before he became a school administrator. He attributes his interest in this issue to his "bizarre background."
"I think that most school leaders rely on their frontline people to stay up and worry about this. We [superintendents] stay up and worry about a lot of other things," he says.
Klein expresses "pretty deep trust in [education officials in] Pennsylvania and Washington being careful with data" that they receive from his district. He says that he doesn't understand the suspicion (nor does he believe) that government agencies are inappropriately sharing the data. "I operate under the premise that they handle [the data] with the same fidelity as I do."
Most parents, according to polling data, overwhelmingly support technology as integral to their child's education. In a recent Marketplace poll (Parents' Attitudes Toward Education Technology), 51 percent of parents thought that schools spend the right amount of money on technology in the classroom, and about 4 out of 10 parents would like schools to spend more. The survey also revealed that 80 percent of parents say technology has made it easier for them to engage with their child's education. Seventy-eight percent of parents used technology to monitor their child's grades.
But when it comes to security and privacy of their child's data, 79 percent of parents say they are somewhat, very, or extremely concerned about this issue. Approximately three-fourths of parents said they worry about advertisers' access to their children. Despite these worries, the survey revealed that parents remained positive about the digital classroom. More than 71 percent of parents reported technology has improved the "overall quality of education" for their children.
Schools, while they may be creating policies and procedures for collection and use of student data, haven't informed parents of their actions, says Kowalski. "There is a big disconnect and a lot of misunderstanding surrounding the relationship between schools and vendors and schools and parents."
As many schools create policies around the use of student data, Kowalski says that few tell parents that they are doing so. Miscommunication, she believes, was a large part of the problem with inBloom.
"The relationship between parents and schools really comes down to trust," she adds. "Schools and districts need to empower parents with information. Parents need to know what is being collected and what their school and district are doing to safeguard it. Districts and schools must demonstrate that they have the necessary resources to ensure privacy, and that they have been sufficiently trained to do this well."
The pressure is real for educators and administrators to personalize and differentiate instruction, to demonstrate teaching and learning to new educational standards, to measure competencies and achievement via assessments, and to make student and school information accessible to parents at any time, anywhere.
Often these demands can lead districts, schools, and teachers to seek free online solutions, especially in high-poverty, high-needs schools.
But these technology-based solutions are not free. "The data is the payment," Kowalski says.
"Where things get tricky and the lines of responsibility become blurred are the services and how they are used," Kowalski adds. "Are they being used by individual teachers? Are they mandated as part of a district contract? Are they school-based? Current policies are all over the place."
The potential for third-party vendors to monetize and commercialize student data is a new issue, she adds. "There are vendors and they do stand to make money. There is money on the table. This changes the conversation and elevates the concern of how data are going to be used."
It stands to reason that student data collection and mining will continue its upward trend, given the interest in education technology applications and programs to personalize instruction.
Both sides have room to evolve on this issue, says Schneiderman. "The companies that I know will be out of business if they don't have the trust of their customers. I sign the form at the doctor's office … but I trust my doctor. And I trust my bank. We should be trusting our schools, and we should be trusting our school service providers."
To that end, districts and schools must develop strong relationships with vendors.
We can see the groundswell of public interest around protecting student data in the surge of state legislation that's been introduced in the last few years. States are creating additional, tailored protections on top of the federal law (FERPA) that governs the collection, storage, and dissemination of student data.
Vance notes that many bills introduced in 2014 were "reacting to parental concerns about big companies using kids' data for marketing, instead of focusing on creating a structure to use data wisely."
Parental concerns, Vance says, also drove bills to ban things such as "biometric data collection." Biometric data can be collected through such methods as a fingerprint or iris scan and voice recognition. An example, cites Vance, is a biometric scanner used in the school cafeteria to pay for student meals. A palm scanner (where students waive their hands above a sensor) not only moves kids through the lunch line faster, she says, but also "preserves the dignity" of students who qualify for free and reduced-price lunch programs and "gives them more time eat. Research shows that kids wait until the end of the meal to eat the most nutritious foods, such as fruit."
Parents, Vance continues, can opt out of this system if they don't want their child's biometric information stored. Vance also notes that, while every state should consider the costs versus benefits of using biometric data, the previous year's debate on banning the biometric scanners barely addressed their potential value to the education community.
Protecting student data via legislation can have unintended consequences on important work, such as education research.
For example, the Kansas state legislature stated that only aggregate information could be shared with researchers. This decision that could "shut down most education research," Vance warns. "It's a big problem if superintendents and other policymakers do not have evidence-based research to help them make the best decisions."
Legislation introduced in 2015 is moving toward oversight, according to Vance. States are adding transparency requirements, security, and privacy policies. Many states have created new positions (chief privacy officers) to oversee these issues.
Vance sees "states working to put a structure in place to ensure data are both protected and used to help children succeed. Overwhelmingly, what has passed is really good."
State board of education members, Vance says, have a lot of authority in this arena, which is "great because state boards of education have meetings open to the public." State boards, she adds, can "protect privacy on an ongoing basis in a really public way, and they can make rules via public comment and faster than legislatures that only come into session once a year."
Thirty-seven state boards, according to Vance, have some authority over student data privacy, and that power expands every year as new laws and regulations are passed.
States are now implementing better privacy protections regarding student data, but the problem is not entirely solved (Hill, 2014). At least three federal draft bills are circulating in Congress. Rep. Luke Messer (R-IN) and Rep. Jared Polis (D-CO) recently introduced a bill to restrict the way companies use student data. Sen. David Vitter (R-LA) introduced a Senate bill to ensure that parents and students retain control of education records. A bipartisan bill by House Education Committee Chair John Kline (R-MN) and top Democrat Robert "Bobby" Scott (D-VA) would mount a significant overhaul of FERPA.
Haimson calls for "strong federal laws—stronger than any state bills that have been approved. States will differ in language; some won't pass anything, and many vendors want unified standards, too. The feds need to pass a very strong bill. Until that happens, I don't think student data and privacy will be safe and free from breaches or abuse."
Schneiderman thinks that between current federal laws, contracts, and the student privacy pledge, strong protections are in place around student privacy.
"We recognize it's appropriate for policymakers to review and update policies," Schneiderman states. "We've been working with federal and state legislatures to ensure that in their legislative work to make policies more explicit … that they don't go too far and create barriers to legitimate practices and technology use."
Regarding proposed new federal laws, Schneiderman believes, "our concern is the piling on. Several federal laws already exist, along with state laws …. [Are we just] adding another layer on top? If you are going to add another regulation, let's have that replace other laws." Schneiderman adds that SIIA is "calling for harmonization" of additional federal laws and federal "pre-emption of state law."
Technology has become so ubiquitous, it's hard to remember that the iPhone was introduced a mere eight years ago. In less than a decade, every aspect of our society has transformed into a highly personalized, data-driven experience. Schools are no exception.
Unfortunately, much of the work supporting this experience—from training in-house staff, to crafting privacy policies, to ensuring fidelity of third-service vendors—seems to have been learned on the fly. That approach works just fine when figuring out how to use the latest app for writing grocery store lists, but not so much when creating safeguards for the use of student data and privacy.
This privacy arena is a gray area of evolving policies, regulations, and practices. Awareness of risks to children's privacy is much greater today than it was just a few short years ago.
Concludes Haimson, "The more you give up your life to electronic communication, the more we need strict privacy protections implemented in a safe and reasonable manner."
For a complete list of resources for this issue of Policy Priorities, please visit www.ascd.org/ppfall15references.
Barbara Michelman is a freelance education writer and communications consultant in Maryland.
Copyright © 2015 by ASCD
Subscribe to ASCD Express, our twice-monthly e-mail newsletter, to have practical, actionable strategies and information delivered to your e-mail inbox twice a month.
ASCD respects intellectual property rights and adheres to the laws governing them. Learn more about our permissions policy and submit your request online.