Districts' Use of Cloud Computing Brings Privacy Risks, Study Says
School districts have become increasingly reliant on cloud-based technologies despite "substantial deficiencies" in policies governing those Web-based systems and their protection of private student data, a new study finds.
The study, released today by the Fordham Law School's Center on Law and Information Policy, seeks to provide the first national examination of privacy and cloud computing in public schools. The study authors also put forward a series of recommendations to policymakers for ramping up safeguards on students' private information.
Fordham researchers based their study on a national sample of public school districts, asking for detailed information from 54 urban, suburban, and rural systems around the country.
Among the information they sought: contracts between districts and technology vendors; policies governing privacy and computer use; and notices sent to parents about student privacy and districts' use of free or paid, third-party consulting services.
The study concludes that privacy implications for districts' use of cloud services are "poorly understood, non-transparent, and weakly governed."
Only 25 percent of the districts examined made parents aware of the use of cloud services, according to the study. Twenty percent do not have policies governing the use of those services, and a large plurality of districts have "rampant gaps" in their documentation of privacy policies in contracts and other forms.
To make matters worse, districts often relinquish control of student information when using cloud services, and do not have contracts or agreements setting clear limits on the disclosure, sale, and marketing of that data, the Fordham researchers say.
The Fordham study concludes that districts, policymakers, and vendors should consider taking a number of steps to increase privacy protections, including:
- Providing parents with sufficient notice of the transfer of student information to cloud-service providers, and assuring that parental consent is sought when required by federal law;
- Improving contracts between private vendors and districts to remove ambiguity and provide much more specific information on the disclosure and marketing of student data;
- Setting clearer policies on data governance within districts, which includes establishing rules barring employees from using cloud services not approved by districts. States and large districts should also hire "chief privacy officers" responsible for maintaining data protections;
- Establishing a national research center and clearinghouse to study privacy issues, and draft and store model contracts on privacy issues. The center should be "independent of commercial interests to assure objectivity," the study authors said.
"School districts throughout the country are embracing the use of cloud computing services for important educational goals, but have not kept pace with appropriate safeguards for the personal data of school children," said Joel Reidenberg, a professor at Fordham's law school who worked on the study, in a statement accompanying its release. "There are critical actions that school districts and vendors must take to address the serious deficiences in privacy protection."
Concerns about protections on student privacy have boiled up in states and districts across the country in recent months, with parents and advocacy groups having complained that policymakers are doing too little to ensure that private gathered via technology is kept safe.
Aimee Rogstad Guidera, the executive director of the Data Quality Campaign, a Washington nonprofit that advocates among state policymakers and others for the improved use of data, said the report was a reminder of the need for clearer policies on " how data are collected, stored, accessed, shared, and deleted."
"The gaps identified in the report are not the result of incompetence or deliberate malfeasance by school leaders," she said in a statement, "but rather they reflect the challenge of implementing new policies and safeguards in a rapidly changing world with limited resources and many challenges to improving student achievement."
The Software and Information Industry Association, a trade association, said the study fell short because it focused too much on the language within contracts between vendors and districts, rather than on the actual practices of companies, and the expectation that they will behave responsibly.
Federal law restricts the transfer of student information, and private companies do not want to stray from the legal limits, the industry organization said.
"The enforcement of this law has generated a culture of business practices that respects student privacy beyond basic compliance," the SIIA said. "School service providers know that if they do not protect student information entrusted to them, they will lose their customers and face legal repercussions."
This post was updated with comments from the SIIA.