School Climate & Safety

Cloud Computing in K-12 Expands, Raising Data Privacy Concerns

By Michelle R. Davis & Sean Cavanagh — January 07, 2014 6 min read
  • Save to favorites
  • Print

The use of cloud-based technologies in K-12 schools is becoming increasingly complex and expansive, prompting a wide range of approaches for protecting private student data stored in the “cloud” and raising serious concerns about the security of such data.

Districts ranging from the 203,000-student Houston school system to the 3,000-student Tomah, Wis., schools have outlined clear policies and practices for storing data in the cloud. Those two districts take very different approaches, however.

Tomah built its own private cloud-storage programs to prevent student information from being accessed by third-party vendors; Houston has embraced the use of companies offering cloud-computing services and is working to put best-practice guidelines in place.

The problem, experts say, is that many districts have not set clear policies for storing data in the cloud. Cloud systems typically rely on the outsourcing of computer power and some services to external servers or data centers, which are then accessed over the Internet on an as-needed basis.

A study released last month by the Fordham University Law School’s Center on Law and Information Policy, for example, notes serious lapses pertaining to control of private student information under contracts with private companies storing data in the cloud, as well as in alerting parents and students about who has access to student data.

The study’s authors put forward a series of recommendations to policymakers, including a call for a national clearinghouse focused on the issue, and for ramping up safeguards on students’ private information.

“We came away seeing that districts are not in a position right now to effectively deal with these privacy issues,” said Joel Reidenberg, a study author and the academic director of the Center on Law and Information Policy, based in New York City. “Many districts don’t have the technical expertise to understand how the flow of data impacts student privacy, and vendors are not explaining it.”

‘Weakly Governed’

Data Protection in the Cloud

A study by the Fordham University Law School’s Center on Law and Information Policy found deficits in school districts’ protection of the privacy of student data. To improve the security and privacy of student data stored in the “cloud” by an outside company, the center recommends:

• Districts should incorporate language protecting the privacy of student information in contracts with companies providing cloud-storage services. They should require companies to disclose in the contracts how student data might be sold, transferred, or mined and give districts control over who accesses that information.

• Contracts with cloud-service providers should address the types of security used to protect student data, how districts are to be notified of a security breach, and how a breach will be handled.

• Districts should establish policies and guidelines for the use of cloud services by teachers and other staff members. The guidelines could require districts to vet cloud services proposed for use by teachers, or could bar employees from using cloud services not approved by the district.

• States and larger school districts should create the position of “chief privacy officer” to address privacy issues related to student data and its cloud storage. Smaller districts could consult with state privacy officers for help.

• A national research center and clearinghouse should be established to help schools, districts, states, and cloud-service providers with issues related to the privacy of student data. Such a center would provide model policies or model legislation, guidance, and research.

Source: Education Week

Fordham researchers based their study on a national sample of public school districts. They asked for detailed information from 54 urban, suburban, and rural systems.

The study examined contracts between districts and technology vendors; policies governing privacy and computer use; notices sent to parents about student privacy; and districts’ use of free or paid third-party consulting services.

The authors conclude that privacy implications for districts’ use of cloud services are “poorly understood, non-transparent, and weakly governed.”

Only 25 percent of the districts examined made parents aware of the use of cloud services. Twenty percent did not have policies governing the use of those services, and a large plurality of districts had “rampant gaps,” the authors say, in their documentation of privacy policies in contracts and other forms. Twenty-five percent of districts had no policies at all regarding classroom teachers’ use of technology related to cloud storage.

“If there’s no policy, then it’s perfectly normal and legitimate for teachers to sign up for any service under the sun,” Mr. Reidenberg said.

To make matters worse, districts often relinquish control of student information when using cloud services, and do not have contracts or agreements setting clear limits on the disclosure, sale, and marketing of such data, the Fordham researchers say.

The Fordham study concludes that districts, policymakers, and vendors should take several steps to increase privacy protections, including providing parents with sufficient notice of the transfer of student information to cloud-service providers, and ensuring that parental consent is sought when required by federal law; improving contracts between private vendors and districts to remove ambiguity and provide much more specific information on the disclosure and marketing of student data; and setting clearer policies on data governance within districts, including establishing rules barring employees from using unapproved cloud services.

But the Software and Information Industry Association, a trade group based in Washington, said the study focused too much on the language within contracts between vendors and districts, rather than on the actual practices of companies, and the expectation that they will behave responsibly.

Federal law restricts the transfer of student information, and private companies do not want to stray from the legal limits, the industry organization said in a statement.

“The enforcement of this law has generated a culture of business practices that respects student privacy beyond basic compliance,” the SIIA said. “School service providers know that if they do not protect student information entrusted to them, they will lose their customers and face legal repercussions.”

District Approaches

Schools should think hard about how student data might be used by a third party, said Paul P. Potter, the director of technological infrastructure for Wisconsin’s Tomah district. Concerns about the privacy of student data led his district to develop its own internal cloud storage instead of contracting with a vendor.

“I’m a huge proponent of the cloud as far as connectivity with the student, but I’m not a huge proponent of giving your data away to just anyone,” Mr. Potter said. “I’m not willing, as a technology director, to put the privacy of our students’ data out there on the line in the hope that it’s secure.”

The Fordham study also recommends creating an independent national research center to study privacy issues, and drafting model vendor contracts. In addition, states and large districts should each hire a “chief privacy officer” responsible for maintaining data protections, the authors say.

Districts should take privacy issues related to cloud storage seriously, but scrapping the use of cloud technology is not called for, said Lenny Schad, the chief information technology officer for the Houston school district.

“We need to be concerned about what information is stored, who has access to it, and that industry best practices are put in place,” he said.

Mr. Schad said it is possible to make student data secure: The banking industry and the government have been doing it for years, he said. However, he acknowledged that there are always going to be risks.

“People are demanding guarantees, but that’s just not possible,” he said. “I’m not going to guarantee we’re never going to get a virus” or have a data-security breach, akin to the recent hacking of credit card data from Target customers.

In addition, Mr. Schad said, it’s critical that federal laws governing student privacy—such as the Family Educational Rights and Privacy Act, or FERPA, and the Child Online Protection Act, or COPA—be clarified and enforced consistently to help districts understand how to comply.

Concerns about the protection of private student data have risen across the country in recent months, with parents and advocacy groups having complained that policymakers are doing too little to ensure that private data gathered via technology are kept secure.

Aimee Rogstad Guidera, the executive director of the Data Quality Campaign, a nonprofit in Washington that advocates for improved use of data in education, said the Fordham report was a reminder of the need for clearer policies on “how data are collected, stored, accessed, shared, and deleted.”

“The gaps identified in the report are not the result of incompetence or deliberate malfeasance by school leaders,” she said in a statement, “but rather they reflect the challenge of implementing new policies and safeguards in a rapidly changing world with limited resources and many challenges to improving student achievement.”

Mr. Schad said concerns about privacy should make districts proactive. He cautioned against “naysayers who want to push us back into how they were taught 25 years ago. I want to be out front on this issue.”

A version of this article appeared in the January 08, 2014 edition of Education Week as Cloud Computing Expands, Raising Data-Privacy Concerns

Events

Jobs Virtual Career Fair for Teachers and K-12 Staff
Find teaching jobs and other jobs in K-12 education at the EdWeek Top School Jobs virtual career fair.
Ed-Tech Policy Webinar Artificial Intelligence in Practice: Building a Roadmap for AI Use in Schools
AI in education: game-changer or classroom chaos? Join our webinar & learn how to navigate this evolving tech responsibly.
Education Webinar Developing and Executing Impactful Research Campaigns to Fuel Your Ed Marketing Strategy 
Develop impactful research campaigns to fuel your marketing. Join the EdWeek Research Center for a webinar with actionable take-aways for companies who sell to K-12 districts.

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

School Climate & Safety A School Removed Bathroom Mirrors to Keep Students From Making TikToks. Will It Work?
The desperate strategy for keeping students in class illuminates the challenge schools face in competing with social media.
5 min read
Empty blue school bathroom showing the bathroom sinks without mirrors.
iStock/Getty
School Climate & Safety Researchers Analyzed Years of Reports to a School Safety Tipline. Here's What They Learned
More than a third of gun-related tips in one state outlined possible school attacks, a new analysis finds.
4 min read
Illustration of a cellphone with a red exclamation mark inside of a word bubble.
iStock/Getty
School Climate & Safety Could Panic Buttons Save Lives in a School Shooting? More Schools Think So
There's legislative momentum to require panic alarm systems in schools. But many districts are installing the systems without a mandate.
6 min read
Visitors walk past a makeshift memorial honoring those recently killed at Robb Elementary School, Tuesday, July 12, 2022, in Uvalde, Texas. A Texas lawmaker says surveillance video from the school hallway where police waited as a gunman opened fire in a fourth-grade classroom will be shown this weekend to residents of Uvalde.
Visitors walk past a makeshift memorial on July 12, 2022, honoring those killed at Robb Elementary School in Uvalde, Texas, in a May 2022 school shooting. Nearly a year after the Uvalde shooting, lawmakers in Texas passed a bill requiring that every public school classroom have a panic alarm system.
Eric Gay/AP
School Climate & Safety Opinion How to Strengthen the Safety and Security of Your School
Resources, guidance, and best practices can help leaders feel ready and empowered to improve their school’s safety and security.
Lindsay Burton & Michelle Kefford
6 min read
Illustration about warnings, with a businessman and woman each holding a with megaphone in front of a caution symbol.
Nuthawut Somsuk/iStock/Getty