Ed. Industry Groups Outline Steps to Protect Privacy of Student Data
The education industry and K-12 schools are struggling to plot their way out of what has quickly become an emotionally charged and polarized atmosphere around issues of student-data privacy.
Several groups are working to establish more clarity and guidance with new policies and practices, digital badges and privacy ratings, checklists, decisionmaking flow charts, and self-assessments—all designed to better align schools and companies on what is allowed and what is not in the use of student information.
Guidance is coming from Washington-based trade groups, such as the Software & Information Industry Association or SIIA, and organizations representing school professionals, like the Consortium for School Networking or CoSN, an association for district technology leaders; from nonprofit advocacy groups, such as the Internet Keep Safe Coalition (iKeepSafe), an alliance of organizations that makes recommendations about how young people can safely use digital devices and technology platforms; and from school districts themselves, notably the 210,000-student Houston district.
Their goal is to create frameworks to review the terms of agreement and privacy policies that govern software companies' and app developers' interaction with schools, to see where there might be vulnerabilities around private student data, and to provide transparency so that school leaders and parents can easily understand what kind of access companies are gaining to students' personal information, and how that access could be used.
"Cloud computing has come up so fast in the past few years, and people have not been thinking about the data that's out there," said Keith A. Bockwoldt, the director of technology services for the Township High School District 214 in Arlington Heights, Ill.
For his 12,000-student district, Mr. Bockwoldt recently started a spreadsheet that lists 32 of the hosted technology applications it uses, with online subscription services to be added soon. The spreadsheet details information like the vendors' privacy and security policies; and compliance with appropriate laws.
It's a long and growing list of online services to assess, but Mr. Bockwoldt hopes to be able to share the information with parents on the district website this summer.
Houston's Rating Matrix
The Houston Independent School District has launched just such a microsite with a rubric called "Software Ratings for Parents," explaining what types of information are collected online about students in the district.
Lenny Schad, the district's chief technology officer, said he is "formalizing a working group of school systems that will be reviewers of the rubric," with a plan for the initiative to eventually become a national repository to which other districts could contribute.
Houston's ratings system includes whether and how personally identifiable information is shared; whether email is required, or if cookies—encoded messages that web servers pass to a web browser when someone visits Internet sites—collect personal information; whether third-party ads are part of the package; and whether anonymous posting is permitted.
"I think we're going to end up with a solid product vendors can embrace," as a way of ensuring that schools' data-privacy requirements are addressed, Mr. Schad said. "Because if they don't [embrace those requirements], we will not do business with them."
Education Week got in touch with some of the companies listed on the rubric, including EasyBib, which was ranked "medium," and Animoto, which was rated "low" in the levels of privacy protection they provide.
A representative of Imagine Easy Solutions LLC, the New York City-based parent company of bibliography generator EasyBib, responded with a prepared statement: "We do our best to be user driven for our customers' needs, and plan to continue to build upon the privacy and security of our applications. What Houston ISD is doing will set the standards high for all businesses."
Brad Jefferson, the CEO and co-founder of Animoto, a New York City-based company that turns slides and photos into video and works with schools, disputed some aspects of his company's low rating.
"Any decent website is going to collect cookies and IP [Internet Protocol] addresses to make the user experience better. No company's going to share that information, unless you're really devious," he said in an interview.
Another sore point for Mr. Jefferson was the Houston district's statement that "all uploaded content can be used at the discretion of the company."
Mr. Jefferson countered: "We don't have the right to use individual content at all. We have to have your permission to render videos. It's actually diametrically opposed to what [the district] said."
"What this has prompted for me is that we should make it a bigger deal on our education pages exactly what we do, and what our practices are," said Mr. Jefferson, whose company has 10 million registered users, including 2 million in K-12 education.
Educational technology companies are being called on to do exactly what Mr. Jefferson is considering: to be more transparent by clearly explaining their companies' often-complex privacy and security practices. It's one of the actions that the SIIA recommends as a "best practice" in the list of five it released in February.
Transparency is among the requirements for app developers to receive a "Know What's Inside" digital badge from the Association for Competitive Technology, which represents app developers, and Moms With Apps, a community of parent app developers creating educational apps they would approve for their own children, which created the badge.
The SIIA best practices, broadly written to make recommendations for industry self-regulation, list these areas of guidance: defining the educational purpose in collecting students' personally identifiable information, or PII, from schools; transparency in what kinds of PII is collected and why; an agreement that PII be collected and used only as authorized by schools or required by law; an understanding that reasonably designed security policies and practices be used for what is collected; and for data-breach notification policies and procedures to be in place.
"Transparency speaks to all of these areas," said Andrew L. Bloom, the chief privacy officer for McGraw-Hill Education, in New York City, who served as one of the reviewers during development of the SIIA's best practices.
But that kind of transparency is scarce, said Jim F. Siegl, a technology architect for the 180,000-student Fairfax County, Va., schools.
He uses a car-buying analogy to explain what schools are up against: If, by law, he said, you could only buy new cars that get 50 miles to the gallon, but if gas mileage was not included on window stickers, how could you comply with the law?
"That's pretty much the state we're in right now. You really have to take apart the car to figure out if you're in compliance," Mr. Siegl said. "Not a lot of schools have the ability or the time to do that."
Vol. 33, Issue 28, Pages 16-17Published in Print: April 16, 2014, as In Data Area, Groups Push More Clarity