Seeking to help schools and districts better protect students' privacy, the U.S. Department of Education released new guidance Tuesday on the proper use, storage, and security of the massive amounts of data being generated by new, online educational resources.
The guidelines, produced by the department's privacy technical assistance center, highlight the rapidly evolving, often-murky world of educational technology and student data privacy: "It depends" is the department's short answer to two major questions related to the laws governing the sharing of sensitive student information with third-party vendors.
Hoping to encourage better understanding and implementation of "best practices," the guidelines contain seven high-level recommendations for schools and districts.
During remarks Monday at a summit of privacy advocates and ed-tech leaders, U.S. Secretary of Education Arne Duncan was clear that stepped-up federal involvement in the hot-button issue should not force "a choice between privacy and progress."
"Together, we can and we must harness the extraordinary potential of technology to empower teachers, students and families—without faltering in our duty to protect them," Duncan said.
The new federal guidelines are non-binding and contain no new regulations, reflecting a desire to encourage "self-policing" by industry and better policies and practices by school systems as first steps towards shoring up students' privacy protections.
Dozens of privacy-related bills are making their way through statehouses this spring, however, and U.S. Senator Edward Markey, a Democrat from Massachusetts who has been critical of the education department's stance on privacy, said Monday he would soon introduce new federal legislation on the matter.
Reaction to the document from key stakeholder groups was swift, reflecting the growing urgency around data-security issues. A trade association for the software and digital content industries commended the department for an approach it said "affirms and reinforces the strong safeguards in current law," while a leading parent advocate said the guidance "completely misses the point when it comes to addressing parental concerns about their children's privacy and security."
Much of the 14-page department document, titled "Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices," focuses on the Family Educational Rights and Privacy Act, or FERPA.
The law is intended to protect the personally identifiable information contained in children's education records from disclosure.
Many policymakers, advocates, and even industry officials say a baseline standard is that third-party vendors should only use such information for educational purposes.
Secretary Duncan took that position on Monday, saying that education data should not be used "to sell students snack food or video games."
The departmental guidance issued Tuesday, however, makes clear that FERPA and another relevant federal statute, the Protection of Pupil Rights Amendment, are somewhat limited in their power to prevent such outcomes in the new age of "big data" and ubiquitous digital learning tools.
Take, for example, the "metadata" collected on students via digital devices and online learning programs, which can include keystroke information, the time and place at which a device or program is being used, the type of device on which the service is being accessed, and more.
Under some circumstances, such metadata are not protected under FERPA and may thus eligible to be used for data-mining and other non-educational purposes.
According to the federal guidelines, vendors that have not collected any personally identifiable information on individual students may be permitted to use metadata for data-mining and other purposes.
And even when vendors have collected personally identifiable information on students, they may still be permitted to use metadata for their own purposes, provided those data are stripped of any identifying elements, and so long as the vendor received students' information under an exception to FERPA that allows vendors to more easily be designated as "school officials."
"Because of the diversity and variety of online educational services, there is no universal answer" to the question of whether student information is protected by FERPA, according to the guidelines. As a result, "schools and districts will typically need to evaluate the use of online educational services on a case-by-case basis to determine if FERPA-protected information is implicated."
"The guidance really underscores the fact that student privacy rights are under attack, and it was the [department's] regulations that opened the door," said Khaliah Barnes, an attorney with the nonprofit Electronic Privacy Information Center.
The uses of students' personally identifiable information by third-party vendors can also be murky, according to the guidelines.
Under FERPA, parental consent is usually required for the disclosure of such information, although there are exceptions. Schools and districts are also supposed to maintain "direct control" over their data, even after it is passed to third parties—a requirement that is hugely complex given the massive amounts of data now being collected, the rise of cloud-based service providers, and the rapid-fire cycle of business start-ups, mergers, and acquisitions that mark today's ed-tech landscape.
The new guidelines suggest that better contracting practices and school- and district-level policies are key to protecting student privacy amid all the confusion.
Among the best practices recommended by the department:
Maintain awareness of relevant federal, state, tribal, or local laws, particularly the Children's Online Privacy Protection Act, which includes requirements for providing online educational services to children under 13.
Be aware of which online educational services are currently being used in your district. Conducting an inventory of all such services is one specific step districts can take.
Have policies and procedures to evaluate and approve proposed online educational services, including both formal contracts and no-cost software and that requires only click-through consent.
When possible, use a written contract or legal agreement. Provisions should be included for security and data stewardship; the collection of data; the use, retention, disclosure, and destruction of data; the right of parents and students to access and modify their data; and more.
Such reliance on district contracting processes and policy development could pose a problem, given the current state of such efforts. In December, Fordham University professor Joel Reidenberg published a scathing study of the shortcoming and vulnerabilities of most districts' contracts with cloud-service providers.
The department also encourages districts to be transparent with parents and students, writing that "even in instances where FERPA does not require parental consent, schools and districts should consider whether consent is appropriate."
Leonie Haimson, the executive director of New York City-based nonprofit Class Size Matters and an outspoken advocate on student-privacy issues, was harshly critical of that approach.
"In the process of encouraging a market in data-mining software and the outsourcing of education into private hands, [the department] seems willing to sacrifice our children's privacy," Haimson wrote in an email to Education Week.
The Software & Information Industry Association, meanwhile, took a much more favorable view of the department's efforts, writing in a statement that "the federal guidance is very consistent with SIIA's recently released Best Practices for school service providers."
The education department's privacy technical assistance center has invited feedback on the guidelines via comments and suggestions sent to PrivacyTA@ed.gov.
UPDATED (5:00 p.m.): Reaction from industry sources and student-privacy advocates was added to this post.
Check back on the Digital Education for updates on this story.