By Benjamin Herold and Sean Cavanagh
District technology officials worried about protecting students' sensitive information, complying with federal and state privacy laws, and avoiding legal challenges and parent uproar have a new step-by-step resource for drafting data-privacy policies and contracts with the private companies handling their information.
"We've had a very rapid adoption of cloud storage and online services. All of a sudden, they're here," said Bob Moore, the founder and chief consultant of RJM Strategies and an architect of the new report, released Friday. "Districts have much more responsibility in managing these issues than they often realize."
As a result, Moore said in an interview with Education Week, one major goal of the new "Protecting Privacy in Connected Learning Toolkit," issued by the Consortium for School Networking, is to get district officials asking tougher questions—and demanding better answers—of vendors.
Every district contract with third-party vendors should specify what data will be collected, who will have access to that data, and exactly what the data will be used for, he said. Responsibility for making sure that happens is a two-way street.
"Vendors need to understand that school districts have a responsibility under the law to ask questions," Moore said.
Seeking to speak the language of the ed-tech set, the new guide, released at CoSN's annual conference in the nation's capital, is organized into flow charts and "decision-trees" that attempt to methodically take administrators through the choices they will likely face.
The document identifies three main steps in protecting student privacy: gauging a school system's overall technology and privacy needs; setting up contracts with online-service providers; and notifying parents and obtaining their consent as necessary.
A typical decision tree in the report—describing how a district should go about setting expectations on vendors—plays out as follows:
- A school system should start by ensuring that providers are using "reasonable" measures for ensuring that students' personal information is maintained. But how do you define what's reasonable?
- Federal law does not spell out specific security standards, the authors point out. But a district's security team can make a judgment about sound expectations in this area, drawing on resources such as the U.S. Department of Education's Privacy Technical Assistance Center, and the Payment Card Industry Data Security Standards. And regardless...
- A district should establish security standards for all providers who "store, process, transmit or otherwise deal with students' information. But what questions does a district need to ask a provider, to make sure those standards are being met?
- Districts should press companies about when and how student information will be stored; who will be able to access it; what security protocols are being used; and how often the provider gets rid of the information it collects, among other details.
Other recommendations follow.
The guide also offers definitions of legal and policy terms related to data privacy, as well as checklists and examples of sound policies and potential landmines.
Production of the report was spearheaded by CoSN, a Washington-based group that represents district tech officials, in partnership with Harvard Law School's Cyberlaw Clinic, which provides pro-bono guidance on Internet, technology, and intellectual property issues. The guide was endorsed by the Association of School Business Officials International. It was sponsored by Microsoft, a major provider of technology, including operating systems, to K-12 schools.
Microsoft officials have called on some technology companies, including their rival Google, to be more transparent about how they are using student data.
Moore told Education Week that recent highly publicized controversies stemming from a lawsuit challenging Google's data-mining of student email messages and parent opposition to Atlanta-based non-profit inBloom have contributed to a rising "tsunami" of concern among district tech officials.
In seeking to make sense of those instances and their implications for districts and students, Moore said, observers need to focus on both the purpose for which student data is being collected and how it's actually being used.
In the case of inBloom, Moore said, the controversy seemed to be more political than practical.
The organization is focused on warehousing student information, organizing it, and making it accessible to district-approved third-party vendors who can feed it back to educators via user-friendly tools.
"If you believe that data is important in teaching and learning, it's difficult to see how that is possibly insidious," Moore said.
But inBloom became a "lightning rod," he said, because "of other issues swirling around," including opposition to the Common Core State Standards and to the Bill & Melinda Gates Foundation, which heavily subsidized inBloom's startup costs.
In the case of Google Apps for Education, though, Moore said the combination of a commercial service provider with a clear financial interest in non-educational uses of student information with unclear policies on the company's part has led to understandable suspicion.
"Pure transparency can solve that particular issue," he said.
CoSN hopes to release quarterly updates to the new toolkit for the foreseeable future to keep pace with the rapidly changing landscape.