New Student Privacy Guidelines Try to Address Third-Party Vendors' Data Use
By guest blogger Ben Herold, cross-posted from the Digital Education blog
Seeking to help schools and districts better protect students' privacy, the U.S. Department of Education released new guidance Tuesday on the proper use, storage, and security of the massive amounts of data being generated by new, online educational resources.
The guidelines, produced by the department's privacy technical assistance center, highlight the rapidly evolving, often-murky world of educational technology and student data privacy: "It depends" is the department's short answer to two major questions related to the laws governing the sharing of sensitive student information with third-party vendors.
Hoping to encourage better understanding and implementation of "best practices," the guidelines contain seven high-level recommendations for schools and districts.
During remarks Monday at a summit of privacy advocates and ed-tech leaders, U.S. Secretary of Education Arne Duncan was clear that stepped-up federal involvement in the hot-button issue should not force "a choice between privacy and progress."
"Together, we can and we must harness the extraordinary potential of technology to empower teachers, students and families—without faltering in our duty to protect them," Duncan said.
The new federal guidelines are non-binding and contain no new regulations, reflecting a desire to encourage "self-policing" by industry and better policies and practices by school systems as first steps towards shoring up students' privacy protections.
Dozens of privacy-related bills are making their way through statehouses this spring, however, and U.S. Senator Edward Markey, a Democrat from Massachusetts who has been critical of the education department's stance on privacy, said Monday he would soon introduce new federal legislation on the matter.
Much of the 14-page department document, titled "Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices," focuses on the Family Educational Rights and Privacy Act, or FERPA.
The law is intended to protect the personally identifiable information contained in children's education records from disclosure.
Many policymakers, advocates, and even industry officials say a baseline standard is that third-party vendors should only use such information for educational purposes.
Secretary Duncan took that position on Monday, saying that education data should not be used "to sell students snack food or video games."
The departmental guidance issued Tuesday, however, makes clear that FERPA and another relevant federal statute, the Protection of Pupil Rights Amendment, are somewhat limited in their power to prevent such outcomes in the new age of "big data" and ubiquitous digital learning tools.
Take, for example, the "metadata" collected on students via digital devices and online learning programs, which can include keystroke information, the time and place at which a device or program is being used, the type of device on which the service is being accessed, and more.
Under some circumstances, such metadata are not protected under FERPA and may thus eligible to be used for data-mining and other non-educational purposes.
According to the federal guidelines, vendors that have not collected any personally identifiable information on individual students may be permitted to use metadata for data-mining and other purposes.
And even when vendors have collected personally identifiable information on students, they may still be permitted to use metadata for their own purposes, provided those data are stripped of any identifying elements, and so long as the vendor received students' information under an exception to FERPA that allows vendors to more easily be designated as "school officials."
"Because of the diversity and variety of online educational services, there is no universal answer" to the question of whether student information is protected by FERPA, according to the guidelines. As a result, "schools and districts will typically need to evaluate the use of online educational services on a case-by-case basis to determine if FERPA-protected information is implicated."
Privacy advocates have criticized—and even sued—the department over its 2011 decision to expand the definition of who may be considered a "school official" under FERPA.
The uses of students' personally identifiable information by third-party vendors can also be murky, according to the guidelines.
Under FERPA, parental consent is usually required for the disclosure of such information, although there are exceptions. Schools and districts are also supposed to maintain "direct control" over their data, even after it is passed to third parties—a requirement that is hugely complex given the massive amounts of data now being collected, the rise of cloud-based service providers, and the rapid-fire cycle of business start-ups, mergers, and acquisitions that mark today's ed-tech landscape.
The new guidelines suggest that better contracting practices and school- and district-level policies are key to protecting student privacy amid all the confusion.
Among the best practices recommended by the department:
Maintain awareness of relevant federal, state, tribal, or local laws, particularly the Children's Online Privacy Protection Act, which includes requirements for providing online educational services to children under 13.
Be aware of which online educational services are currently being used in your district. Conducting an inventory of all such services is one specific step districts can take.
Have policies and procedures to evaluate and approve proposed online educational services, including both formal contracts and no-cost software and that requires only click-through consent.
When possible, use a written contract or legal agreement. Provisions should be included for security and data stewardship; the collection of data; the use, retention, disclosure, and destruction of data; the right of parents and students to access and modify their data; and more.
Such reliance on district contracting processes and policy development could pose a problem, given the current state of such efforts. In December, Fordham University professor Joel Reidenberg published a scathing study of the shortcoming and vulnerabilities of most districts' contracts with cloud-service providers.
The department also encourages districts to be transparent with parents and students, writing that "even in instances where FERPA does not require parental consent, schools and districts should consider whether consent is appropriate."
The department's privacy technical assistance center has invited feedback on the guidelines via comments and suggestions sent to [email protected].
Check back on the Digital Education for updates on this story.