Seeking to help schools protect students’ privacy without inhibiting the use of digital technologies in the classroom, the U.S. Department of Education released new guidance last week on the proper use, storage, and security of the massive amounts of data being generated by new, online educational resources.
“This can’t be a choice between privacy and progress,” Secretary of Education Arne Duncan told privacy advocates and ed-tech leaders who gathered for a “summit” on the hot-button issue.
The guidance comes amid a flurry of activity around student-data privacy. Also in recent weeks, a leading technology trade group issued its own recommendations for protecting such data; major state legislation was proposed in California; U.S. Sen. Edward J. Markey, D-Mass., announced that he will soon introduce a federal bill; and the San Francisco-based nonprofit Common Sense Media hosted the high-profile “School Privacy Zone” summit here.
James P. Steyer, the CEO of Common Sense Media, said the confluence of efforts is a good sign.
February was a busy month for a wide cross-section of groups interested in student-data privacy:
The U.S. Department of Education released new guidance to help schools and districts interpret major student-privacy laws and implement best practices. Sen. Edward J. Markey, D-Mass., announced that he will soon introduce new legislation on the issue.
California state Sen. Darrell Steinberg, a Democrat, sponsored a new bill that, among other goals, would prohibit providers of online educational services from using or disclosing student data for commercial purposes, such as marketing. Bills in Kansas and a number of other states are also under consideration.
The Software & Information Industry Association released “best practices for the safeguarding of student-information privacy and security for providers of school services.” The recommendations focus on limiting the use of personally identifiable student information to “educational and related purposes” and improving policies related to transparency, contracting, security, and data-breach notification.
The nonprofit Common Sense Media hosted a “School Privacy Zone” summit in Washington attended by dozens of advocates, ed-tech leaders, and government officials, including U.S. Secretary of Education Arne Duncan. The group recently conducted polling research on U.S. voters’ attitudes about student-data privacy and is promoting a set of “fundamental principles” related to the issue.
“I’ve never felt that industry self-regulations were sufficient to protect the interests of kids and families,” said Mr. Steyer, whose organization is known for evaluating media and educational technology intended for use by children. “We want the best [private] actors to step forward, but we also need legislation and regulation and advocacy. It’s the combination that works.”
For its part, the federal government will seek “vigorous self-policing by commercial players” handling sensitive data about children, Secretary Duncan said, but it is “not going to wait for industry or rely on promises” to protect that information. The federal guidance is nonbinding and contains no new regulations; instead, it offers interpretations of existing laws and encourages “best practices” by schools and districts.
The 14-page document highlights the challenges of securing students’ data in the rapidly evolving digital education landscape. The Education Department’s short answer—“it depends”—to two questions frequently asked by school officials about how federal statutes apply to the sharing of sensitive student information with third-party vendors left some privacy advocates unsatisfied.
“The guidance really underscores the fact that student-privacy rights are under attack,” said Khaliah Barnes, a lawyer for the nonprofit Electronic Privacy Information Center, based in Washington.
Representatives from the software industry, meanwhile, commended the department’s guidance.
Crafting Protective Measures
In his keynote address at the summit, Mr. Duncan touted the “extraordinary learning opportunities” associated with new digital learning tools and the vast amounts of information they generate. He cited examples of schools’ use of technology and data to personalize student learning, free up teachers’ time for high-value instructional activities, and engage parents.
But the secretary also stressed that “school systems owe families the highest standard of security and privacy,” and he sharply criticized some common industry practices, including “take-it-or-leave-it” contracts with districts that allow companies to unilaterally and without notice change their privacy-protection practices.
“It is in your best interest to police yourselves before others do,” Mr. Duncan said in a direct message to ed-tech vendors.
Many policymakers, advocates, and even industry officials say a baseline standard should be that third-party vendors use student information only for educational purposes.
The new federal guidance, however, makes clear that defining “educational purposes” in the digital age is a complicated endeavor, and that student-privacy statutes now on the books are straining to meet the challenges presented by “big data” and ubiquitous digital learning tools.
Take, for example, the “metadata” collected on students via digital devices and online learning programs, which can include keystroke information, the time and place at which a device is being used, and more.
Under some circumstances, such metadata are not protected under the Family Educational Rights and Privacy Act, or FERPA, a 40-year-old law intended to protect children’s educational records from disclosure. According to the new guidelines, it may thus sometimes be permissible for vendors to use such information for data-mining and other noneducational purposes.
The circumstances under which students’ personally identifiable information may be used by third-party vendors can also be murky. As a result, the Education Department suggests that “schools and districts will typically need to evaluate the use of online educational services on a case-by-case basis to determine if FERPA-protected information is implicated.”
Some privacy advocates, though, criticize the department for having weakened FERPA through regulatory changes made in recent years.
“In the process of encouraging a market in data-mining software and the outsourcing of education into private hands, [the department] seems willing to sacrifice our children’s privacy,” said Leonie Haimson, the executive director of the New York City-based nonprofit Class Size Matters and a frequent critic of industry involvement in student data-sharing initiatives.
Outlining Best Practices
Dozens of bills addressing data privacy have been proposed in a number of states in recent months, and at the federal level, Sen. Markey said last week that he would seek “new, updated rules” to protect sensitive student information that is transferred to private companies.
The focus of the planned federal legislation, Mr. Markey said in a statement, would be prohibiting the use of such data for targeted marketing to children, ensuring parents’ rights to access information about their children that is held by private companies, and creating other new safeguards.
Hoping to get out ahead of the rising regulatory tide, the Software & Information Industry Association, a trade group based in Washington, released its own recommendations.
“We’re concerned about [the possibility] of legislation that might capture very appropriate uses of student information,” said Mark Schneiderman, the group’s senior director of education policy. “Our intention is to create a ‘trust framework,’ and at the same time make sure we’re not cutting off our nose to spite our face.”
While the SIIA focused on best practices for industry, the Education Department focused in its new guidance on supporting smarter, more effective practices by schools and districts.
Among the federal recommendations for school systems are conducting an inventory of all online educational services now in use; developing policies to evaluate and approve proposed online educational services, including no-cost software and apps that require only click-through consent; and pursuing written contracts with all new data vendors.
But while such approaches are welcome, they might not be enough to keep up with rising parental concerns about the privacy and security of their children’s data, said Joel R. Reidenberg, a Fordham University law professor who recently published a scathing review of districts’ current contracts with cloud-computing service providers.
“I don’t think it’s a reasonable expectation that districts are in a position to police vendors and really take control of their data,” Mr. Reidenberg said. “But it’s great that [the department] finally got something out.”
A version of this article appeared in the March 05, 2014 edition of Education Week as U.S. Outlines Data-Privacy Guidelines