School Climate & Safety

Cloud Computing in K-12 Expands, Raising Data Privacy Concerns

By Michelle R. Davis & Sean Cavanagh — January 07, 2014 6 min read
  • Save to favorites
  • Print

The use of cloud-based technologies in K-12 schools is becoming increasingly complex and expansive, prompting a wide range of approaches for protecting private student data stored in the “cloud” and raising serious concerns about the security of such data.

Districts ranging from the 203,000-student Houston school system to the 3,000-student Tomah, Wis., schools have outlined clear policies and practices for storing data in the cloud. Those two districts take very different approaches, however.

Tomah built its own private cloud-storage programs to prevent student information from being accessed by third-party vendors; Houston has embraced the use of companies offering cloud-computing services and is working to put best-practice guidelines in place.

The problem, experts say, is that many districts have not set clear policies for storing data in the cloud. Cloud systems typically rely on the outsourcing of computer power and some services to external servers or data centers, which are then accessed over the Internet on an as-needed basis.

A study released last month by the Fordham University Law School’s Center on Law and Information Policy, for example, notes serious lapses pertaining to control of private student information under contracts with private companies storing data in the cloud, as well as in alerting parents and students about who has access to student data.

The study’s authors put forward a series of recommendations to policymakers, including a call for a national clearinghouse focused on the issue, and for ramping up safeguards on students’ private information.

“We came away seeing that districts are not in a position right now to effectively deal with these privacy issues,” said Joel Reidenberg, a study author and the academic director of the Center on Law and Information Policy, based in New York City. “Many districts don’t have the technical expertise to understand how the flow of data impacts student privacy, and vendors are not explaining it.”

‘Weakly Governed’

Data Protection in the Cloud

A study by the Fordham University Law School’s Center on Law and Information Policy found deficits in school districts’ protection of the privacy of student data. To improve the security and privacy of student data stored in the “cloud” by an outside company, the center recommends:

• Districts should incorporate language protecting the privacy of student information in contracts with companies providing cloud-storage services. They should require companies to disclose in the contracts how student data might be sold, transferred, or mined and give districts control over who accesses that information.

• Contracts with cloud-service providers should address the types of security used to protect student data, how districts are to be notified of a security breach, and how a breach will be handled.

• Districts should establish policies and guidelines for the use of cloud services by teachers and other staff members. The guidelines could require districts to vet cloud services proposed for use by teachers, or could bar employees from using cloud services not approved by the district.

• States and larger school districts should create the position of “chief privacy officer” to address privacy issues related to student data and its cloud storage. Smaller districts could consult with state privacy officers for help.

• A national research center and clearinghouse should be established to help schools, districts, states, and cloud-service providers with issues related to the privacy of student data. Such a center would provide model policies or model legislation, guidance, and research.

Source: Education Week

Fordham researchers based their study on a national sample of public school districts. They asked for detailed information from 54 urban, suburban, and rural systems.

The study examined contracts between districts and technology vendors; policies governing privacy and computer use; notices sent to parents about student privacy; and districts’ use of free or paid third-party consulting services.

The authors conclude that privacy implications for districts’ use of cloud services are “poorly understood, non-transparent, and weakly governed.”

Only 25 percent of the districts examined made parents aware of the use of cloud services. Twenty percent did not have policies governing the use of those services, and a large plurality of districts had “rampant gaps,” the authors say, in their documentation of privacy policies in contracts and other forms. Twenty-five percent of districts had no policies at all regarding classroom teachers’ use of technology related to cloud storage.

“If there’s no policy, then it’s perfectly normal and legitimate for teachers to sign up for any service under the sun,” Mr. Reidenberg said.

To make matters worse, districts often relinquish control of student information when using cloud services, and do not have contracts or agreements setting clear limits on the disclosure, sale, and marketing of such data, the Fordham researchers say.

The Fordham study concludes that districts, policymakers, and vendors should take several steps to increase privacy protections, including providing parents with sufficient notice of the transfer of student information to cloud-service providers, and ensuring that parental consent is sought when required by federal law; improving contracts between private vendors and districts to remove ambiguity and provide much more specific information on the disclosure and marketing of student data; and setting clearer policies on data governance within districts, including establishing rules barring employees from using unapproved cloud services.

But the Software and Information Industry Association, a trade group based in Washington, said the study focused too much on the language within contracts between vendors and districts, rather than on the actual practices of companies, and the expectation that they will behave responsibly.

Federal law restricts the transfer of student information, and private companies do not want to stray from the legal limits, the industry organization said in a statement.

“The enforcement of this law has generated a culture of business practices that respects student privacy beyond basic compliance,” the SIIA said. “School service providers know that if they do not protect student information entrusted to them, they will lose their customers and face legal repercussions.”

District Approaches

Schools should think hard about how student data might be used by a third party, said Paul P. Potter, the director of technological infrastructure for Wisconsin’s Tomah district. Concerns about the privacy of student data led his district to develop its own internal cloud storage instead of contracting with a vendor.

“I’m a huge proponent of the cloud as far as connectivity with the student, but I’m not a huge proponent of giving your data away to just anyone,” Mr. Potter said. “I’m not willing, as a technology director, to put the privacy of our students’ data out there on the line in the hope that it’s secure.”

The Fordham study also recommends creating an independent national research center to study privacy issues, and drafting model vendor contracts. In addition, states and large districts should each hire a “chief privacy officer” responsible for maintaining data protections, the authors say.

Districts should take privacy issues related to cloud storage seriously, but scrapping the use of cloud technology is not called for, said Lenny Schad, the chief information technology officer for the Houston school district.

“We need to be concerned about what information is stored, who has access to it, and that industry best practices are put in place,” he said.

Mr. Schad said it is possible to make student data secure: The banking industry and the government have been doing it for years, he said. However, he acknowledged that there are always going to be risks.

“People are demanding guarantees, but that’s just not possible,” he said. “I’m not going to guarantee we’re never going to get a virus” or have a data-security breach, akin to the recent hacking of credit card data from Target customers.

In addition, Mr. Schad said, it’s critical that federal laws governing student privacy—such as the Family Educational Rights and Privacy Act, or FERPA, and the Child Online Protection Act, or COPA—be clarified and enforced consistently to help districts understand how to comply.

Concerns about the protection of private student data have risen across the country in recent months, with parents and advocacy groups having complained that policymakers are doing too little to ensure that private data gathered via technology are kept secure.

Aimee Rogstad Guidera, the executive director of the Data Quality Campaign, a nonprofit in Washington that advocates for improved use of data in education, said the Fordham report was a reminder of the need for clearer policies on “how data are collected, stored, accessed, shared, and deleted.”

“The gaps identified in the report are not the result of incompetence or deliberate malfeasance by school leaders,” she said in a statement, “but rather they reflect the challenge of implementing new policies and safeguards in a rapidly changing world with limited resources and many challenges to improving student achievement.”

Mr. Schad said concerns about privacy should make districts proactive. He cautioned against “naysayers who want to push us back into how they were taught 25 years ago. I want to be out front on this issue.”

A version of this article appeared in the January 08, 2014 edition of Education Week as Cloud Computing Expands, Raising Data-Privacy Concerns

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Law & Courts Webinar
Future of the First Amendment: Exploring Trends in High School Students’ Views of Free Speech
Learn how educators are navigating student free speech issues and addressing controversial topics like gender and race in the classroom.
Content provided by The John S. and James L. Knight Foundation
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Student Well-Being Webinar
Start Strong With Solid SEL Implementation: Success Strategies for the New School Year
Join Satchel Pulse to learn why implementing a solid SEL program at the beginning of the year will deliver maximum impact to your students.
Content provided by Satchel Pulse
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Webinar
Real-World Problem Solving: How Invention Education Drives Student Learning
Hear from student inventors and K-12 teachers about how invention education enhances learning, opens minds, and preps students for the future.
Content provided by The Lemelson Foundation

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

School Climate & Safety Opinion This Is What Happens to a Student’s Brain When Exposed to Gun Violence
Traumatized and hypervigilant brains cannot learn effectively, write a behavioral neuroscientist and a school psychologist.
Amanda M. Dettmer & Tammy L. Hughes
5 min read
Conceptual illustration of a lone figure standing in a sea of bullets
Vanessa Solis/Education Week and Jorm Sangsorn/iStock; Getty images
School Climate & Safety From Our Research Center What Would Make Schools Safer? Here's What Educators Say
Respondents to a national survey of educators said measures like red flag laws, more school counselors are key to any school safety law.
7 min read
Photograph of crime scene tape and school.
F.Sheehan/Education Week and Getty
School Climate & Safety From Our Research Center 'The World Feels Less Stable': Educators' Sense of School Safety Right Now
6 in 10 educators said a mass shooting by a student or outsider was their biggest source of fear.
7 min read
Woman standing on a paper boat with a tsunami wave approaching.
iStock/Getty Images Plus
School Climate & Safety Texas Top Cop: Uvalde Police Could Have Ended Rampage Early On
The head of the Texas state police pronounced the law enforcement response an “abject failure.”
5 min read
FILE - Law enforcement, and other first responders, gather outside Robb Elementary School following a shooting, on May 24, 2022, in Uvalde, Texas. Law enforcement authorities had enough officers on the scene of the Uvalde school massacre to have stopped the gunman three minutes after he entered the building, the Texas public safety chief testified Tuesday, June 21 pronouncing the police response an “abject failure.”(AP Photo/Dario Lopez-Mills, File)