School officials face a seemingly mazelike set of challenges in attempting to protect student data, particularly as the technology that they increasingly rely on—apps, devices, programs, software, and the like—evolves in ways they cannot predict, and in some cases, in ways they may barely understand.
The complexity of the student-data landscape, and how district officials can realistically manage it, was a theme during a panel discussion earlier this week at the Washington Education Technology Policy Summit, which offered not only a legal breakdown, but also an on-the-ground look at how privacy laws apply to schools.
Four panelists took on the issue, and fielded questions from the audience: Paige Kowalski, the director of state policy and advocacy for the Data Quality Campaign; Steve Winnick, a senior counsel for the consulting group Education Counsel, LLC; Rich Contartesi, the assistant superintendent for technology services at the Loudon County schools, in Virginia; and Joseph Wender, a senior policy adviser to U.S. Sen. Ed Markey, a Massachusetts Democrat.
One consistent bit of advice offered by the panelists to distirct officials—there were several K-12 administrators in the audience—was that they be as transparent with parents as possible about the companies that have access to student data, about restrictions on how that data can be used (while also making clear how critical data can be to district functions), and, when there's a breach, about offering a clear explanation to parents of what happened.
The message to concerned parents should be "what do you guys want to see?" Kowalski said. Because "in the absence of information, they're going to believe the what-if fears?"
Even so, the difficulty that district officials face are obvious, as evidenced by the questions that emerged from district officials and others at the forum. Among the biggest challenges:
- Explaining data privacy to parents.
Tranparency is one thing. But as one district official in the audience noted, "I have 40,000 students," which means working with 100,000 or so parents and guardians.
"They all come to me and ask for the data third parties collect," he said. "It can become very overwhelming."
In some cases, parents' concerns about student privacy may not get transmitted to administrators directly.
Contartesi's district recently had a security breach, which he said officials learned about from a newspaper, which had been called by a parent who had been alerted to it. The Loudon County official said the breach came about when a company hired by the district to do security testing let some student information slip out—information that Contartesi said did not reveal the most sensitive student information, but was troubling, nonetheless.
- Regulating not only data, but the work of district staff.
Panelists and members of the audience noted that some education apps today get marketed to directly to teachers. Those teachers, in turn, may be signing up students to participate in those apps, which could be marketing to children.
That sort of well-intentioned but risky instructional activity is probably commonplace, Contartesi said. In Loudon County, district officials try to encourage teachers to route those goals through the technology department. Otherwise, "we don't really know who that vendor is."
- Figuring out who owns the data.
A district official from Louisiana recounted the state's recent decision to remove data from inBloom, after parents raised concerns about the protection of student information through the company. (InBloom officials have said those concerns are misguided.)
In that case, the "state took the data and gave it to someone else," the district official told the audience. "Our position is that the parents own it...and without parents' permission, it can't be given away."
What does the law say? A primary statute meant to protect student privacy, the Family Educational Rights and Privacy Act, does not specifically use the term "ownership," said Winnick, of Education Counsel. But a solid legal case, he said, can be made that the data belongs to the district, and to parents.
But Winnick, in a later e-mail to Education Week, also clarified that state education officials also have authority under FERPA to obtain student data and use if for myriad evaluation, audit, and compliance pursposes, and designate an "authorized respresentative" like a technology company, to help them with this work. That process is subject to safeguards under FERPA, he said. Under FERPA, he added, a school district does not have the legal right to veto a state's decision to go forward with that process, though it's possible that legal disputes could emerge if local school systems declined to provide data to the state.