One advantage technology brings to education is an unprecedented capacity to record and analyze data. More and more, school districts and states are partnering with technology providers to support them in a multitude of data management practices, such as tracking attendance or academic performance.
But Fordham Law School’s Center on Law and Information Policy says districts aren’t prepared to responsibly manage such partnerships. The center’s new study, released in mid-December, found that public school districts are not taking the steps necessary to keep student data secure when transferring it to “cloud” service providers.
For the uninitiated, in simple terms, the cloud refers to a network (aka the Internet) in which files and information are stored, rather than on a local hard drive. This means one can gain access anywhere at any time, and information can be shared with multiple users. While the cloud offers many benefits, like cost savings and efficiency, there has been growing concern from businesses and the federal government about the security implications of cloud computing, which can make sensitive data more vulnerable.
Similar security and privacy concerns have been raised as school districts share student data with external organizations. New York parents filed suit last month claiming the New York State Department of Education’s partnership with inBloom, a non-profit service which stores student data, violates student privacy and parental consent laws. States like Louisiana, Georgia, Kentucky, and Delaware, and districts like Jefferson County, CO, have opted to end or turn down partnerships with inBloom due to similar reservations.
The Fordham Law Center’s analysis of vendor contracts and district policies in 20 school districts did not uncover much to allay these fears, finding that districts were not well-equipped to quell cloud-related privacy risks. While 19 of the 20 districts used a cloud service to process student information for some purpose, like data analytics or online assessment, 55% of vendor contracts were so difficult to understand that researchers were unable to identify its particular function. According to the authors, this lack of transparency makes effective public oversight of such practices “extremely difficult—if not impossible.” What’s more, many of these agreements failed to meet federal privacy requirements. The study also uncovered weak governance policies; for example, 20% of districts did not have policies addressing teacher use of information resources, meaning that district administration would be unable to monitor the use of cloud services within a school or classroom for compliance with federal law. The authors claim their findings imply an “overwhelming need for public schools and vendors to improve their information practices.”
Some have already begun to encourage such improvements. Oklahoma passed a student privacy bill earlier this year, and states like AZ, NE, MA, and NY have attempted to pursue similar legislation. In October, Common Sense Media sent a letter to 11 ed-tech companies urging them to pay more attention to the appropriate use of student personal information. Most recently, the American Legislative Exchange Council (ALEC) created a template bill that would require state school boards to appoint a “chief privacy officer,” create a data-security plan, and publish an inventory of all student-level data being collected by the state, among other provisions.
The report’s authors also offer several recommendations, including keeping parents informed, negotiating more specific parameters around what vendors can do with student information, proper documentation of contractual commitments, and strengthening data governance practices, which might include hiring a “chief privacy officer” charged with assuring protection of student information. They also suggest creating a National Research Center and Clearinghouse, responsible for research and informing stakeholders on privacy issues, as well as drafting model contract clauses, privacy notices, and consent forms.
Such risks are not reason to abandon public education’s forays into the digital world. Yet celebratory accounts of technology’s potential to transform educational practice should be tempered with an understanding that new practices will introduce unfamiliar challenges. Savvy digital leadership will require a willingness to anticipate and address those challenges, which is likely to be no small feat.
Follow AEIdeas on Twitter at @AEIdeas.