Recent News

Trust in the Classroom: Protecting Student Data Privacy and Security

The expanding array of education opportunities enabled by digital technology and broadband networks necessitates a renewed commitment to establishing trust with teachers, parents, and students that sensitive information is securely protected. Teachers and students have access to new tools and resources ranging from online gradebooks to online courses, personalized blended learning platforms, and math apps for tablets. These new resources support teaching and learning but also raise important questions around how sensitive data is protected, used, and under what conditions is shared with whom.

Parents deserve to know what data is being collected on their children and they deserve to know that steps are being taken to securely safeguard that data and ensure the privacy of their student. Parents also deserve to have the best educational options possible for their children, and those options are increasingly dependent on technology that uses data to personalize instruction for each student.

Safeguarding sensitive student data means more than just rejecting all data collection. Individualized learning can only exists with the proper and effective use of relevant student data—whether that information comes in the form of a teacher’s observation in her classroom or the electronic record of a student’s completing an assignment. The crucial element is to store that information securely and ensure student privacy is protected.

At the heart of any forward-thinking education system should be a clear and explicit listing of the rights of a parent and student, a detailing of the measures being taken to protect that privacy, as well as a clear assigning of responsibility for the trust and maintenance of that protection.

There is patchwork of state and federal privacy laws related to children, including COPPA, CIPA, and FERPA. As states take steps to clearly address through policy the rights of students and districts and education providers work to put into practice new systems, it’s worth unpacking some recent legislation which can help to inform this work. Back in May of 2013, Georgia Governor Nathan Deal signed an executive order officially prohibiting the federal government from collecting a broad range of personally identifiable data on students and their families. Oklahoma’s recent student data privacy bill is one example that was expanded upon by ALEC in September 2013 to provide a template other states can use to protect their students. The Data Quality Campaign has also released some key principles. Each of these examples embraces good governance, transparency, and accountability as fundamental components of promoting student data protections.

The Student Data Accessibility, Transparency, and Accountability Act in particular outlines six critical sets of activities for state policymakers:

  1. Inventory what type of data is being collected. Knowing is the first step, and this model language would require the state to annual audit and publish an inventory and dictionary of what type of student data is currently being collected. Any data that has been proposed to be included for future collection will be required to have a supporting statement explaining why it is necessary to have that data collected.
  2. Avoid unnecessary collection. Data that isn’t collected can’t be breached or used improperly. There are certain pieces of information that do not belong in an educational record, such as a student’s (or a family’s) political affiliation or voting record.
  3. Ensure data remains close to the student. There are benefits for those in a school to know certain medical information on students, such as if a student has an allergy or requires the administering of medicine. However, knowing that a specific student is allergic to penicillin shouldn’t go beyond the school’s doors. Multiple layers need to exist to ensure there are adequate protections around the flow of student data, detailing what can be collected at the school, and how much of that information is permitted to flow to the district, to the state, and lastly, the federal government. This is true for those private companies and nonprofits providing services to a school as well, be it an online gradebook, an online courses, dual enrollment program, or a personalized, blended learning platform.
  4. Define parental access. Parents are given the explicit right to access and review their child’s education record. Schools must provide electronic copies of student records to their parents upon request. Parents must be notified of their rights as they relate to their child’s personal information. This is new in education but it isn’t new in other areas of sensitive information such as electronic medical records. New requirements under the Meaningful Use incentive program require patients to have access to their records within three days of request. Most patients have immediate access via secure websites. If we can do this in healthcare, surely we can do it in education.
  5. Establish a Chief Privacy Officer. A Chief Privacy Officer would be charged as the primary person responsible for ensuring all educational privacy and security policies—federal or state—are faithfully implemented. The CPO would work with the legislature, the Department of Education, local districts, and the general public to share best practices and develop policies to create a culture that respects privacy and security. Shortly after the release of this model language, Alabama became the first state to create the position of a chief privacy officer for education. Parents need to know who they can turn to if they feel their child’s privacy was violated. Schools need someone they can consult with to guide their practices and procedures. A state CPO would help.
  6. Develop security plans. The state would be required to develop policies for keeping sensitive information from getting into the wrong hands: who has access to what data and when. Policies also must be developed to prepare for and mitigate against data breaches. Security practices, procedures, and technologies need to be constantly reviewed and assessed for weaknesses and vulnerabilities.

These concepts are largely the same as those advocated for by bloggers such as FunnyMonkey and other privacy experts. Far from a vacuum, there is a strong desire for action by policymakers. We saw another reminder of that reality as Common Sense Media released a survey showing that, “91 percent of respondents support stronger parental-consent requirements related to the sharing of sensitive student data, and 89 percent supported tighter security standards for cloud storage.” While the desire is there, the challenge is enacting smart policy that thoughtfully establishes protections without preventing the next generation learning teachers and students demand.

Whether a district maintains control of all student data internally or contracts out to vendors for assistance; whether that sensitive data is stored on servers within a school building or is stored out of state in the cloud, proper data protection policies are needed.

We would also argue that the solution goes beyond simply passing more laws and regulations. Schools need to update their practices, as highlighted by a recent Fordham Law School report. And as we outlined in our Data BackPack paper, we think there are opportunities for the technology community to offer new solutions to privacy and security. In addition to standard privacy controls such as encryption for sensitive information and user authentication, there is a need to explore a Facebook-like set of privacy management tools that let parents determine what data gets shared, and with whom. Parents could determine, for instance, if they were comfortable with sharing information about their child’s profile with outside community organizations, institutions of higher education, tutors, or a MOOC. The key design principle must be to give users the tools to control what is shared with whom in a way that is easy to understand and allows the parent and student to know when information is disclosed and to whom.

The effective and careful use of data has transformed our society. It has made society more productive and efficient in all stages of life. The thoughtful use of data in school can increase the effectiveness of teachers and ensure each student is receiving the personalized instruction they deserve. But these new opportunities must be coupled to new safeguards. Parents should clearly understand the rights of their students and the steps that their state is taking to protect them. Policies taken by security-minded states like Oklahoma paved the way for the development of this stringent model legislation. It should spur legislators and parents to examine their own state’s safeguards for data. Trust remains a timeless and central ingredient of any classroom.