Forthcoming federal guidance on the hot-button issues of student data privacy will seek "vigorous self-policing by commercial players," but the federal government is "not going to wait for industry or rely on promises" to protect children's sensitive information, U.S. Secretary of Education Arne Duncan told privacy advocates and ed-tech industry leaders gathered here Monday.
That tension—between hoping the private sector will proactively develop and implement "best practices" on the one hand, and pushing for new legislation and regulations, on the other—dominated the "School Privacy Zone" Summit, convened by San Francisco-based nonprofit Common Sense Media.
The event came in the midst of a recent flurry of student data privacy-related activity. In addition to the non-binding federal guidelines, expected to be made public Tuesday afternoon, a leading technology trade group released recommendations on the issue; major state legislation on the issue was proposed in California; and U.S. Senator Edward Markey, a Democrat from Massachusetts who also spoke at Monday's school privacy summit, announced that he will soon introduce new federal legislation.
The confluence of efforts across sectors is a good sign, said James Steyer, the CEO of Common Sense Media, a group known for evaluating media and educational technology for use by children.
"I've never felt that industry self-regulations were sufficient to protect the interests of kids and families," Steyer said in an interview with Education Week. "We want the best [private] actors to step forward, but we also need legislation and regulation and advocacy. It's the combination that works."
'Police Yourselves Before Others Do'
In his keynote address at Monday's privacy summit, Secretary Duncan touted the "extraordinary learning opportunities" associated with new digital learning tools and the vast amounts of information they generate, citing examples of schools in Detroit, New York, Nashville, Tenn., and Huntsville, Ala., that are using technology and data to personalize student learning, free up teachers' time for high-value instructional activities, and engage parents.
But the secretary also stressed that "school systems owe families the highest standard of security and privacy," and he sharply criticized some industry practices, including "take it or leave it 'Click Wrap' agreements" with districts that allow companies to unilaterally and without notice change their privacy practices.
"It is in your interest to police yourselves before others do," Duncan said in a pointed message to ed-tech vendors.
The federal guidance to be issued Tuesday will help school systems and educators interpret the law, and will "include examples of best practice," the secretary said. The technical assistance is largely the brainchild of Kathleen Styles, the U.S. Department of Education's recently appointed chief privacy officer.
One key principle around which there is an emerging cross-sector consensus is that educational data about students should be used solely for educational purposes—and not for targeted advertising.
Industry representatives and some education officials in attendance at Monday's event supported the general notion, but said much confusion remains about what "for educational use only" means in practice and expressed concerns about how such details will be enacted in policies and contracts.
"We want [vendors] to be able to use [student] data to improve their product. On the other hand, we don't want them selling it off randomly for profit," said Jeff Mao, the learning technology policy director in the Maine education department.
Not Far Enough
Hoping to get out ahead of the rising tide of proposed bills in state legislatures around the country, the Software & Information Industry Association released on Monday its own list of best practices.
Mark Schneiderman, the group's senior director of education policy, said the recommendations were intended "to create a trust framework, and at the same time make sure [we're] not cutting off our nose to spite our face."
But privacy advocates said that the group's suggestions don't go nearly far enough. Joel Reidenberg, a Fordham law professor who recently authored a much-discussed study on the shortcomings of districts' contracts with cloud-computing service providers, criticized the SIIA proposal for not explicitly rejecting the use of educational data for targeted marketing, failing to include any guidelines for how long data should be stored or when it should be destroyed, and failing to include provisions for parents to access and amend their children's information, among other things.
Reidenberg was also critical of some state bills that have been proposed, saying they only addressed "the tip of the iceberg."
In their recent study, Reidenberg said, his team found that "school systems didn't understand what they were doing" when it came to entering agreements for cloud-computing services with private vendors, and as a result were systematically failing to notify parents about the use of web-based services to store children's sensitive information and unthinkingly "paying with students' privacy" for no-cost classroom apps and software.
Reidenberg, Khaliah Barnes, an attorney for the nonprofit Electronic Privacy Information Center, and others ticked off a list of concerns that continue to go largely unaddressed by legislation, regulations, industry practices, or district policies. Among them were the "vast amounts of data" collected by third-party vendors that don't fall under the jurisdiction of the Family Educational Rights and Privacy Act, or FERPA; the use of location data, biometric data, and social media to track students; the metadata generated by students' digital devices, especially when they are used outside of schools; and the growing trend of merging the "learning path" information generated by digital instructional materials with the personal data contained in student profiles.
Not all the news at Monday's summit was bleak.
Among the educators to address the privacy summit was Superintendent Terry Grier of the 210,000-student Houston Independent School District, currently in the midst of a digital conversion that recently featured the distribution of 18,000 laptops to high school students.
Among the policies Grier highlighted were a one-step-at-a-time approach to deploying devices; a matrix used to evaluate the privacy protections offered by all ed-tech vendors seeking contracts with the district; and a teacher-led tech committee that vets any free apps and software that educators would like to use in their classrooms.
"Every day, we're thinking about things we haven't thought about before," he said.
Two big ideas also seemed to gain immediate and widespread traction among the heavy-hitters in the audience.
Many expressed enthusiasm for a suggestion that the Federal Trade Commission and U.S. Department of Education partner to set new parameters around data security and classroom apps, widely viewed as a major threat to students' privacy.
And the notion of a "Good Housekeeping"-like seal of approval for ed-tech vendors who have met agreed-upon standards for protecting students' privacy was also popular.
"Market signals matter a lot," and such an effort may have an even greater impact than government regulations, said Jim Shelton, the acting deputy secretary of the U.S. Department of Education.