School Climate & Safety

Cloud Computing in K-12 Expands, Raising Data Privacy Concerns

By Michelle R. Davis & Sean Cavanagh — January 07, 2014 6 min read
  • Save to favorites
  • Print

The use of cloud-based technologies in K-12 schools is becoming increasingly complex and expansive, prompting a wide range of approaches for protecting private student data stored in the “cloud” and raising serious concerns about the security of such data.

Districts ranging from the 203,000-student Houston school system to the 3,000-student Tomah, Wis., schools have outlined clear policies and practices for storing data in the cloud. Those two districts take very different approaches, however.

Tomah built its own private cloud-storage programs to prevent student information from being accessed by third-party vendors; Houston has embraced the use of companies offering cloud-computing services and is working to put best-practice guidelines in place.

The problem, experts say, is that many districts have not set clear policies for storing data in the cloud. Cloud systems typically rely on the outsourcing of computer power and some services to external servers or data centers, which are then accessed over the Internet on an as-needed basis.

A study released last month by the Fordham University Law School’s Center on Law and Information Policy, for example, notes serious lapses pertaining to control of private student information under contracts with private companies storing data in the cloud, as well as in alerting parents and students about who has access to student data.

The study’s authors put forward a series of recommendations to policymakers, including a call for a national clearinghouse focused on the issue, and for ramping up safeguards on students’ private information.

“We came away seeing that districts are not in a position right now to effectively deal with these privacy issues,” said Joel Reidenberg, a study author and the academic director of the Center on Law and Information Policy, based in New York City. “Many districts don’t have the technical expertise to understand how the flow of data impacts student privacy, and vendors are not explaining it.”

‘Weakly Governed’

Data Protection in the Cloud

A study by the Fordham University Law School’s Center on Law and Information Policy found deficits in school districts’ protection of the privacy of student data. To improve the security and privacy of student data stored in the “cloud” by an outside company, the center recommends:

• Districts should incorporate language protecting the privacy of student information in contracts with companies providing cloud-storage services. They should require companies to disclose in the contracts how student data might be sold, transferred, or mined and give districts control over who accesses that information.

• Contracts with cloud-service providers should address the types of security used to protect student data, how districts are to be notified of a security breach, and how a breach will be handled.

• Districts should establish policies and guidelines for the use of cloud services by teachers and other staff members. The guidelines could require districts to vet cloud services proposed for use by teachers, or could bar employees from using cloud services not approved by the district.

• States and larger school districts should create the position of “chief privacy officer” to address privacy issues related to student data and its cloud storage. Smaller districts could consult with state privacy officers for help.

• A national research center and clearinghouse should be established to help schools, districts, states, and cloud-service providers with issues related to the privacy of student data. Such a center would provide model policies or model legislation, guidance, and research.

Source: Education Week

Fordham researchers based their study on a national sample of public school districts. They asked for detailed information from 54 urban, suburban, and rural systems.

The study examined contracts between districts and technology vendors; policies governing privacy and computer use; notices sent to parents about student privacy; and districts’ use of free or paid third-party consulting services.

The authors conclude that privacy implications for districts’ use of cloud services are “poorly understood, non-transparent, and weakly governed.”

Only 25 percent of the districts examined made parents aware of the use of cloud services. Twenty percent did not have policies governing the use of those services, and a large plurality of districts had “rampant gaps,” the authors say, in their documentation of privacy policies in contracts and other forms. Twenty-five percent of districts had no policies at all regarding classroom teachers’ use of technology related to cloud storage.

“If there’s no policy, then it’s perfectly normal and legitimate for teachers to sign up for any service under the sun,” Mr. Reidenberg said.

To make matters worse, districts often relinquish control of student information when using cloud services, and do not have contracts or agreements setting clear limits on the disclosure, sale, and marketing of such data, the Fordham researchers say.

The Fordham study concludes that districts, policymakers, and vendors should take several steps to increase privacy protections, including providing parents with sufficient notice of the transfer of student information to cloud-service providers, and ensuring that parental consent is sought when required by federal law; improving contracts between private vendors and districts to remove ambiguity and provide much more specific information on the disclosure and marketing of student data; and setting clearer policies on data governance within districts, including establishing rules barring employees from using unapproved cloud services.

But the Software and Information Industry Association, a trade group based in Washington, said the study focused too much on the language within contracts between vendors and districts, rather than on the actual practices of companies, and the expectation that they will behave responsibly.

Federal law restricts the transfer of student information, and private companies do not want to stray from the legal limits, the industry organization said in a statement.

“The enforcement of this law has generated a culture of business practices that respects student privacy beyond basic compliance,” the SIIA said. “School service providers know that if they do not protect student information entrusted to them, they will lose their customers and face legal repercussions.”

District Approaches

Schools should think hard about how student data might be used by a third party, said Paul P. Potter, the director of technological infrastructure for Wisconsin’s Tomah district. Concerns about the privacy of student data led his district to develop its own internal cloud storage instead of contracting with a vendor.

“I’m a huge proponent of the cloud as far as connectivity with the student, but I’m not a huge proponent of giving your data away to just anyone,” Mr. Potter said. “I’m not willing, as a technology director, to put the privacy of our students’ data out there on the line in the hope that it’s secure.”

The Fordham study also recommends creating an independent national research center to study privacy issues, and drafting model vendor contracts. In addition, states and large districts should each hire a “chief privacy officer” responsible for maintaining data protections, the authors say.

Districts should take privacy issues related to cloud storage seriously, but scrapping the use of cloud technology is not called for, said Lenny Schad, the chief information technology officer for the Houston school district.

“We need to be concerned about what information is stored, who has access to it, and that industry best practices are put in place,” he said.

Mr. Schad said it is possible to make student data secure: The banking industry and the government have been doing it for years, he said. However, he acknowledged that there are always going to be risks.

“People are demanding guarantees, but that’s just not possible,” he said. “I’m not going to guarantee we’re never going to get a virus” or have a data-security breach, akin to the recent hacking of credit card data from Target customers.

In addition, Mr. Schad said, it’s critical that federal laws governing student privacy—such as the Family Educational Rights and Privacy Act, or FERPA, and the Child Online Protection Act, or COPA—be clarified and enforced consistently to help districts understand how to comply.

Concerns about the protection of private student data have risen across the country in recent months, with parents and advocacy groups having complained that policymakers are doing too little to ensure that private data gathered via technology are kept secure.

Aimee Rogstad Guidera, the executive director of the Data Quality Campaign, a nonprofit in Washington that advocates for improved use of data in education, said the Fordham report was a reminder of the need for clearer policies on “how data are collected, stored, accessed, shared, and deleted.”

“The gaps identified in the report are not the result of incompetence or deliberate malfeasance by school leaders,” she said in a statement, “but rather they reflect the challenge of implementing new policies and safeguards in a rapidly changing world with limited resources and many challenges to improving student achievement.”

Mr. Schad said concerns about privacy should make districts proactive. He cautioned against “naysayers who want to push us back into how they were taught 25 years ago. I want to be out front on this issue.”

A version of this article appeared in the January 08, 2014 edition of Education Week as Cloud Computing Expands, Raising Data-Privacy Concerns

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Classroom Technology Webinar
Academic Integrity in the Age of Artificial Intelligence
As AI writing tools rapidly evolve, learn how to set standards and expectations for your students on their use.
Content provided by Turnitin
Recruitment & Retention Live Online Discussion A Seat at the Table: Chronic Teacher Shortage: Where Do We Go From Here?  
Join Peter DeWitt, Michael Fullan, and guests for expert insights into finding solutions for the teacher shortage.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Reading & Literacy Webinar
The Science of Reading: Tools to Build Reading Proficiency
The Science of Reading has taken education by storm. Learn how Dr. Miranda Blount transformed literacy instruction in her state.
Content provided by hand2mind

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

School Climate & Safety For Drug Prevention, Scare Tactics Are Out. Here’s What’s In
Experts have advice for today's educators looking to choose effective models for drug-prevention education.
3 min read
First lady Nancy Reagan speaks at the first national conference of the National Federation of Parents for Drug-Free Youth in Washington on Oct. 11, 1982. “Many people think drug prevention is ‘just say no,’ like Nancy Reagan did in the '80s, and we know that did not work,” said Becky Vance, CEO of the Texas-based agency Drug Prevention Resources, which has advocated for evidenced-based anti-drug and alcohol abuse education for more than 85 years.
The late first lady Nancy Reagan speaks at the first national conference of the National Federation of Parents for Drug-Free Youth in Washington on Oct. 11, 1982. Experts say drug-prevention programs have evolved since those years, when many such programs turned out to be ineffective.
Barry Thumma/AP
School Climate & Safety How a Superintendent Urged Parents to Discuss Gun Violence With Their Kids
The leader of the school district that serves Monterey Park, Calif., encouraged parents not to "let the TV do the talking."
5 min read
A woman comforts her son while visiting a makeshift memorial outside Star Ballroom Dance Studio in Monterey Park, Calif., Monday, Jan. 23, 2023. Authorities searched for a motive for the gunman who killed multiple people at the ballroom dance studio during Lunar New Year celebrations.
A woman comforts her son while visiting a memorial outside the Star Ballroom Dance Studio in Monterey Park, Calif., two days after a gunman killed 11 people and injured several others as they celebrated Lunar New Year.
Jae C. Hong/AP
School Climate & Safety Guidance on Responding to Students' Questions About Shootings
A guide for educators on ways to foster a sense of safety and security among students at a time when gun violence seems widespread.
4 min read
People gather for a vigil honoring the victims of a shooting several days earlier at Star Ballroom Dance Studio, Monday, Jan. 23, 2023, in Monterey Park, Calif. A gunman killed multiple people late Saturday amid Lunar New Year's celebrations in the predominantly Asian American community.
Two days after a mass shooting that killed 11 people, people gather for a vigil outside the Star Ballroom Dance Studio in Monterey Park, Calif. In the aftermath of shootings and other community violence, educators are called on to help students process their emotions and help them feel safe.
Ashley Landis/AP
School Climate & Safety Many Schools Don't Have Carbon Monoxide Detectors. Are They Overlooking the Risk?
Less than a quarter of states have laws requiring carbon monoxide detectors in school buildings.
5 min read
Image of a carbon monoxide detector with a blurred blueprint in the background.
iStock/Getty