The challenges of student data privacy and the opportunities ahead – my conversation with the National PTA
Last week, I was invited to participate at an event organized by the National PTA in conjunction with Microsoft to discuss the complex issues surrounding the student data privacy debate. The goal of the event was to equip PTA members with tools to become trusted messengers and champions of student data privacy. I was able to share my experiences and perspective on student data privacy as a parent.
There were many topics discussed that day such as how data are used, data sharing, privacy policies, the Cloud and Big Data. It was an ambitious conversation but one focused on balancing the benefits of collecting student data while ensuring this information is kept private and secure. I was also able to deliver the message that a class of 5th graders eloquently expressed to me – that we need to be smart about protecting student data because it is important to them.
With that in mind we talked about what Big Data sets in State Longitudinal Databases can do for students and what it cannot do for an individual student. Big Data sets tell important stories and it’s valuable information. We discussed how this data allows us to identify student needs like providing free lunch to kids who need it or how can we address chronic absenteeism, as well as how studies that are generated from Big Data sets allow us to identify issues of discrimination and bias in schools. Recognizing we need the data, how can we properly de-identify it so that it cannot be back mapped to a particular student. Maximum protection of data is important but a big concern from the group is that we provide adequate training to those allowed to work with student data.
Having privacy protections is not enough if we do not have adequate training for school staff on what information can be disclosed to others not only while a child is in school but years after they have left the school. And should we be addressing “data term limits” as to how long student data are retained after a child finishes high school. We discussed the ethical uses of data and what are beneficial uses to help our most vulnerable learners. For example, English language learners might not understand how the data can be used to help them address their different learning needs. How can we assure them that the data will be ethically used and only disclosed to those that are allowed to see the information in order to help them?
Or how does having information on students with learning disabilities help schools address their issues as learners with different needs. How can we take the data and use it to help students but give them the assurance that their disability will not be disclosed to those who do not need the information. The biggest challenge we agreed on, was building trust between schools, parents and service providers that student data are being used responsibly. By building trust we can then focus our conversation on students and providing them with tools to decide what data is collected, how it can be used and ultimately who has access to it.
Focusing our conversation on these issues helped us discuss students and their needs, data and its ethical use, and being responsible custodians of data. At the end of the day, we recognized that having adequate training and materials to support those working with student data is important. But just as important is recognizing we need the data to help students not only at a macro level with longitudinal databases but at a micro level in schools every day for individual students. I was encouraged that our conversation focused on how we can help students and protect their privacy. Our conversation was rich in addressing the issues surrounding student privacy and ensuring that schools and parents understand the importance of being responsible custodians of data. We moved away from what data should and should not be collected and focused on helping students and empowering students to be effective digital citizens.
Big data can be messy and complicated or elegantly simple. Many big data projects begin from the need to answer specific questions and with the right analytics in place organizations can find actionable insights into their operations. In addition, big data allows for different variations of computer aided designs to check how even minor variations can affect outcomes. Big data projects can obtain, process and analyze data in a variety of ways. Every data source has different characteristics and provides valuable information. With this goal in mind the National Science Foundation awarded a $4.8 million grant to an education project called LearnSphere. LearnSphere is poised to hold large amounts of anonymous student information that is routinely collected for different data analysis purposes. Most importantly, it will allow for large scale analysis down to “being able to detect emotional states from keystroke data”
So what does all this mean? I had a few questions and Dr. Kenneth Koedinger, who is spearheading this effort, was open to address my questions and concerns. Ken is a professor of Human Computer Interaction and Psychology at Carnegie Mellon University. He has an M.S. in Computer Science, a Ph.D. in Cognitive Psychology, and experience teaching in an urban high school.
Although I admire the ambitions of the project, aiming for a deeper understanding of the learning process, my initial concern was the lack of individual student acknowledgment. Data analytics can be a great tool if we need to raise efficiency in production or predict consumer behavior but students must not merely be viewed as products to be improved upon. How do we ensure that the use of such data does not aggravate existing bias and discrimination in education? What measures shall protect our most at risk students– students with learning differences, students marginalized for their race, religion or nationality. And while the project insists that kids are not numbers, the data and information generated from students are looked at as numbers, so that the data and information can be looked at in the most unbiased way possible.
And this is where the project gets interesting. First, the data used for research has been de-identified. Demographic information has been removed from data sets researchers are looking at. The shared data sets are randomly assigned new identifiers and they do not indicate race, geographic location or school the information is coming from. Measures have been taken to make it difficult to tag records back to particular students. The project maintains there is no back mapping to the native records.
The main objective for LearnSphere is to improve student outcomes. What are the difficult parts of learning a course? Why do students have such a difficult time with certain mathematical problems and not others? For example, some might predict that math word problems will be harder for students to work through but as it turns out, some students did better with a math problem that used language instead of just looking at an equation on a piece of paper. The project will look at the learning barriers some students have and how can we use this information to improve learning designs. Where are students now in the learning process and how can we be sure we provide as much support as we can with the data we possess. As Dr. Koedinger clarified it for me “we are studying the terrain on a hiking course rather than the hikers” so how can a study like this make the terrain easier for our hikers? Well, LearnSphere aims to help us all identify those “expert blindspots.” For example, a teacher will know all his / her students but there are spots a teacher just doesn’t see because of closeness to the students. LearnSphere aims to help teachers create effective teaching environments so that our kids can hike the next hill a bit easier.
I still have some reservations when studying vast amounts of data. If data sets include student papers and extensive student data, the risk for re-identification exists. If we are studying data with such finite precision, at what point can the source of the data be tagged back to particular students? There can be no guarantee that data will be fully non-identifiable without an independent qualified expert review and approval of aggregation methodology. Leading de-identification experts need to be involved with a project of this scale. I also hope Dr Koedinger will take advantage of the opportunity to work with two of the most highly respected experts on privacy, Professors Lorrie Cranor and Allessandro Aquisti, both who happen to be located nearby at Carnegie Mellon University.
I advocate for a smart and ethical collection of data for I see the potential benefits of its use. We must remain mindful of the privacy issues raised in such a project as this. Will we truly be making it a more equitable educational system or will the algorithms of big data systematically discriminate against those learners already at a disadvantage? Projects like this can help, but only if the concerns of potential discrimination are carefully considered and the goal of helping individual students is paramount.
We ran out of time (or phone battery) when we spoke to Ken but there will be more information clarifying some of the still outstanding questions I have. Stay tuned…
In the meantime, here is a short video of Ken explaining his Learning Project
The National Association of Secondary School Principals has an initiative to provide policy recommendations to ensure the protection of student data privacy and appropriate use of student data to improve teaching and learning in the classroom.
This initiative is of particular interest in that the NASSP is opening their statement to public comments. We often ask for our voices to be heard in the student data privacy debate and this is an opportunity to submit comments and ideas.
Technology is making it easier for schools and States to collect and analyze data to help them make informed decisions on issues that need to be addressed and what is working in schools. Even though this provides valuable information, we must ensure that the guidelines established adequately protect student privacy. The preliminary statement has interest recommendations. In particular the section “Recommendations for School Leaders” as it focuses on communication and transparency. It asks that district policies related to student data are communicated to teachers and parents and that teachers are educated about the use of online educational services. These recommendations address some of the main concerns parents and school districts have.
The full text is below or you can read it here
Please consider making comments to the initiative. Parent feedback can provide deep insights into the student data privacy debate. This is an opportunity to offer our perspective. The comments section is open through January 7th, 2015.
Student Data Privacy
The NASSP Board of Directors stated on November 7, 2014 its intention to adopt the following position statement, following a 60-day comment period. NASSP members and others are invited to submit comments on this statement by January 7, 2015 to[email protected]. The Board will include public comments as it deliberates final adoption of the statement at its February 2015 meeting.
To provide policy recommendations to ensure the protection of student privacy and appropriate use of student data to improve teaching and learning in the classroom.
Data-driven decision-making has become a tenet of high-performing schools and is essential to transforming teaching and learning in the classroom. The Alliance for Excellent Education says that the “effective use of data and learning analytics are both critical components of a digital learning strategy to personalize learning for many more students, especially to increase student retention and achievement in the highest-need schools (page 2).” Narrowing achievement gaps and assisting all students to be college and career ready upon high school graduation have economic implications as well. In a report examining the potential of the use of data in education, the McKinsey Global Institute estimates “the potential value from improved instruction to be $310 billion to $370 billion per year worldwide, largely through increased lifetime earnings (page 22).”
Technology has made it easier for principals and teachers to collect and analyze data at the school level, and districts and states are now creating longitudinal database systems to help them make structural changes in education that will have a greater impact on more students. For this reason, educators at all levels are authorizing third-party vendors to have access to student data. These vendors offer services that purport to assist educators in communicating with parents—improving the quality of education programs, providing supports and services for students, and providing secure data storage. In fact, every electronic device and application with a connection to the Internet could potentially be used to collect or access student data.
While the collection and analysis of student data is essential to the teaching and learning process, this must be done within parameters that protect the privacy of students and ensure that their data is used only for legitimate educational purposes. The Family Educational Rights and Privacy Act (FERPA) was enacted in 1974 and generally prohibits schools from disclosing personally identifiable information in students’ education records without consent. There are exceptions to the consent requirement, including one that allows the disclosure of such information to “school officials” for educational purposes. This particular provision was expanded in 2008 when the US Department of Education approved new regulations clarifying that third-party vendors (such as those who help manage school databases or provide digital curriculum) can be included within the school official exception. While third parties must be under the direct control of the school in terms of how they use and maintain the records and only use the records for the purposes for which they were shared, there is some concern that there are still gaps in the protection of student data. Overall, while most policymakers and educators understand the value of data collection in improving educational quality, there is some concern that FERPA itself, as well as the accompanying regulations, have become outdated in the new digital age.
In 2014, a congressional hearing was held to address student data privacy issues and a Senate bill was introduced to update FERPA and clarify that third parties are forbidden from using student information for marketing and advertising purposes. Fourteen states also enacted laws to strengthen student privacy protections, and the National Conference of State Legislatures reports that more than 100 student privacy bills were introduced in 36 states. Each principals’ full understanding of and familiarity with federal, state, and district policies on data collection and student privacy requirements are essential as this issue further develops.
NASSP believes that data has the power to transform teaching and learning by helping educators identify and provide supports to all students, assisting teachers and school leaders in improving their instructional practices, and informing schoolwide improvement activities.
NASSP believes that student data should only be used for the purpose of informing education policy, practice, and research and to deliver educational services to students.
NASSP believes that technology-enhanced data collection and analysis can assist schools in the planning and delivery of a student-centered, personalized, and individualized learning experience for each student—a fundamental tenet of theBreaking Ranks framework for school improvement.
Recommendations for Federal Policymakers
- Develop policies on the use of student data that balance privacy and property protection with the need to improve teaching and learning
- Require strong encryption standards for any federal agency or vendor that is collecting and/or storing sensitive student data
- Provide guidance to states regarding the collection, storage, security protections, and destruction of student data
- Provide funding to states and districts to help them address privacy issues related to student data
- Ensure that personal information and online learning activities are not used to target advertising to students or their families
- Limit nonconsensual access to personally identifiable student data to school, district, or state educational agency employees.
Recommendations for State Policymakers
- Establish a statewide data security plan to address administrative, physical, and technical safeguards
- Develop data breach notification policies for districts and schools
- Identify a state-level official who is responsible for privacy, data security, and compliance with all federal and state privacy laws and regulations
- Develop policies on data collection, storage, and access to ensure that student data collected through statewide longitudinal data systems is protected from inappropriate sharing or use
- Provide guidance to districts and schools regarding the collection, storage, security protections, and destruction of student data.
Recommendations for District Policymakers
- Develop clear policies about what student information is collected, how that data is used, to whom the data is disclosed, and each party’s responsibilities in the event of a data breach
- Ensure that data security practices include proper data deletion and disposal, including purging of electronic data, shredding physical documents, and destroying the presence of all data on old electronic equipment where data has been stored
- Identify a district privacy officer who is responsible for monitoring and complying with federal, state, and district policies on data privacy and for guiding school leaders and teachers in their use and protection of data
- Provide training for all district staff to ensure they understand basic legal requirements, their responsibilities, and specific district policies concerning student data
- Ensure that principals receive training on policies and procedures that support prevention of—and specify steps to be taken in the event of—a data breach. This should include procedures to notify authorities, parents, and other community members
- Educate district staff about online educational services (paid and free) and how to determine whether they comply with FERPA and state and district regulations
- Coordinate an annual privacy training for all school and district employees who have access to personally identifiable student data, adopt online educational services or apps, or procure and contract with service providers
- Ensure that all third-party vendors that collect or have access to student data have written contracts that specifically address privacy and the allowable uses of personally identifiable information, and prohibit redisclosure of personally identifiable information without parental consent
- Establish a policy whereby all data created by students, teachers, and other school staff is an “education record” in order to maintain control of how outside providers may access the data
- Communicate directly with parents about the collection and use of student data and the privacy measures and protections that are in place to preempt confusion and misunderstanding
- Prior to using online educational services, ensure that the contract or “terms of service” contain all necessary legal provisions governing access, use, protection, and destruction of student data
- Ensure that agreements with outside providers include provisions allowing direct and indirect parental access to student data
- Ensure greater transparency by posting on district and school websites all policies governing the outsourcing of school functions and contracts with outside providers
- Make available a list of online educational services or apps that are used within the district.
Recommendations for School Leaders
- Familiarize yourself with FERPA, state, and district regulations concerning student data privacy
- Consult with your school district attorney to ensure that any technologies and third-party vendors used by the school comply with FERPA and district requirements
- Communicate district policies related to student data collection and usage to your teachers and parents
- Ensure that your teachers have been educated about the use of online educational services and encourage them to use ones approved by the district
- Clearly communicate third-party vendors’ privacy, security, and breach and indemnification policies to parents about personally identifiable information that is shared with those vendors.
A friend of mine said in a conversation “the cloud is a computer in another room.” Another friend looked at me when I asked him what the cloud was and he pointed to a room full of servers. So what does the cloud really look like? For the most part, it looks like this.
Today we do many different types of work in the cloud. If you have checked your email, you have used the cloud. When using the cloud, your computer or device connects with different servers in remote locations. Some of these servers are specialized for storage, while others are running applications. The cloud can be very useful when checking email or collaborating documents online with services like Google Docs.
So why is the concept of the cloud so controversial when it comes to student data and education? I believe the debate should not strictly be about the security and privacy of student data in the cloud, but whether that data is safer in the cloud than on a local server managed by a budget strapped school district. As more schools move into a digital world with managed databases providing real time student performance, schools need the ability to manage all this information. In order to do that, cloud services that remotely host this information provide an efficient, affordable and arguably safer environment for a school to operate. If each school hosted their own server they would need IT support staff on site to manage and secure their databases. Most schools have neither the budget nor enough people to maintain these systems. Often, they are reliant on parent volunteers.
And while many arguments support using cloud service providers, we must also look at the shortfalls in these systems. Recently, the Center on Law and Information Policy at the Fordham University School of Law conducted a research study on the privacy of student data in the cloud. One of the most interesting findings, for me, was that about 95% of school districts already use cloud services for managing school operations. But that most schools had poorly executed contractual agreements. School districts did not put in place adequate privacy protection policies for student records and access controls for different individuals in the schools were not clearly defined. Further, the study found that some of the contracts did not comply with FERPA’s requirement that data be deleted after it is no longer needed for the purposes it was provided. Should we be concerned? I think so. Schools and parents should be assured that student data is adequately protected by strong privacy policies and security controls. But these concerns are more with how the contracts are structured than with how secure the data is in the cloud.
Students have a right of ownership of their data and they should be informed of how their data is collected, managed and shared amongst different service providers. Schools need to understand what security controls are in place to protect their data. The Department of Education has provided guidelines on how FERPA applies to student data stored in the cloud and schools must ensure that their cloud service provider is following these guidelines in order to provide reliable privacy protections for students.
Considering the vast amount of student data stored in the cloud and in different educational apps, it is the responsibility of schools and cloud service providers to work hand in hand with students’ privacy rights in mind. And only with transparent security and privacy practices will schools and cloud service providers be able to demonstrate to students and parents they can trust their data is safe.
What do you think a class of 5th graders would answer if you asked them if they should be allowed to have Facebook accounts? Do you think most of them would want to be on social media? Think again, most don’t believe they should.
Surprised? So was I. Recently, a class of 5th graders wrote persuasive essays on whether kids as young as 10 years old should have Facebook accounts. I was fortunate enough to be invited to their class to talk with them about their thoughts on online safety and privacy. Receiving student feedback is challenging and they can be brutally honest. But if we make a conscious effort to listen to students and their ideas and concerns we can gain great insight into what our talks about student privacy should be about. The biggest takeaway from the visit for me was that students care about their information and being safe online. They want adults to know that at the end of the day the focus should be on students and how we can protect their information. Whether it is with appropriate safeguards for online safety or protecting their privacy in schools with the educational software they use. Students want teachers and prospective schools to know about them as learners but they want to have control of the information they think is important for teachers (and schools) to know about them.
Brenda Leong, Fellow at the Future of Privacy Forum, and I sat down to talk about my class visit. Having a conversation with students highlighted the need to remember that our debates on student data privacy are about students and how it affects them. It certainly brought the conversation back into focus.
You can watch our conversation here:
iKeepSafe, the Internet Keep Safe Coalition is an organization that provides resources for parents, educators and policymakers who teach youth how to use new media devices and platforms in safe and healthy ways. Their vision – to see generation’s of children grow up safely using technology and the Internet to become full digital citizens.
They invited me to submit my thoughts for their blog. You can read it here – Protecting kid’s privacy in the classroom and beyond
I invite you to take a look at their website. It contains valuable resources on digital safety for parents and educators.
Educational technologies are always changing and this poses a great challenge to parents and educators as our main interest is to keep children safe but encourage the technology we think shall best support our young learners. The effective and cautious use of data can improve student’s’ school experience. It can ensure that each student is receiving the personalized instruction they rightly deserve.
But there are challenges in maintaining a safe environment for children when using educational software. It is imperative that parents are informed and involved in the decisions to allow their children to have accounts at educational websites. Reading Terms of Service, while tedious and uninspiring, is important. Bill Fitzgerald has a great primer on how to“triage” Terms of Service and Privacy policies. We must continually work at improving best practices and helping parents, educators and school districts understand their rights as digital citizens. We need a system that encourages and supports parents and students to be advocates for their privacy. For in their educational careers students will trip, fall and get up – and they must know that no one will punish them for this. We must build bridges of trust between parents, educators and ed-tech companies. We all need to be smart and read terms of service and privacy policies and decide whether they make sense, comply with COPPA and work for our children.
So what works for our children? Recently, a class of 5th graders wrote persuasive essays and one of the lines (amongst the many brilliant ones) was “Kids have brains.” The topic – “Should 10 – 11 year old kids have a Facebook account?” I was fortunate to be invited to their class to talk about Facebook, online safety and what they thought of their privacy. Kids can be more perceptive than we give them credit for, and in this conversation I learned that they are very much aware of how their information can be used.
Most kids did not think it was ok for them to have a Facebook account. Some worried about how safe it was while others didn’t want their information out “there” forever. Some said they should be allowed to have an account but had strong feelings about their parents helping them navigate the online world. Certainly eye opening. Others didn’t think adults cared about their privacy. They were surprised to know of the laws passed and debates taking place around the country. But the majority agreed that it is important for the right people to know information about them as students. As one student said “it’s useful if my teacher next year knows about me and how I learn because then they can help me.” Kids get it but they want a voice in the decision making process.
Protecting student data and privacy is a challenge. Let’s be smart and work together;, we have an opportunity to shift the conversation with students at the center of the discussion. It is the only way to protect kids. We can’t afford not to do so.
More and more, students are using technology in school, from learning apps to online forums to class websites. And understandably, there is growing concern as to the efficacy of the privacy measures in place and the adequacy of the laws protecting student information. In response to this concern, two weeks ago the Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA) introduced the Student Privacy Pledge, which commits school service providers to the secure handling of data for K-12 students. But what does this really mean?
Basically the pledge holds accountable school service providers to the following –
- Not sell student information
- No behaviorally targeted advertising
- Use data for authorized education purposes only
- Not change privacy policies without notice and choice
- Enforce strict limits on data retention
- Support parental access to, and correction of errors in, their children’s information
- Provide comprehensive security standards
- Be transparent about collection and use of data
As of today, 32 school service providers made the pledge to keep data secure and private. You can see the list here. This pledge comes at a point where, according to trade group estimates, the pre-K – 12 education sector generates approximately $7.9 billion annually. Schools are increasingly adopting data driven technologies for learning apps and software; technology that needs student data to operate efficiently. The revenue generating numbers obviously create skepticism that the pledge is an empty set of words and a mere PR move by companies because it is not a legally binding document. But if companies violate their own public representations they could be subject to enforcement by the Federal Trade Commission under deceptive trade practices (Section 5 of the FTC Act). This is important. And though some might want to dismiss this, the FTC has charged companies with either deceptive or unfair practices. And even if there is no legal action against a company we know that a strong group of voices criticizing a company’s policies can create tremendous damage to a company’s reputation. Some call this “App Store death”. This pledge makes school service providers accountable for student’s data whether it is collected by the school and then passed to the vendor, or directly by the vendor via an app used by a student. By taking the pledge companies are making a public commitment to students, parents and schools to ensure the safe use of student information.
And while there is no substitute for a strong federal law, the pledge does address some of the weaknesses in FERPA. For example, the pledge applies to all student and personal data whether it is viewed as an “educational record” or not. It also applies whether the data is collected through the school or by the websites and the apps students use. It applies whether or not there is a formal contract with the school. The pledge promotes the transparency we have been asking for; transparency that is necessary to build trust amongst all stakeholders to ensure widespread participation. Parents and students have been stating, “don’t just say you are protecting student privacy, show us you are.” And as a parent, I encourage pledge signatories to do just that. For without it users will mistrust ed-tech products, hampering their adoption to the detriment of all.
I think the greatest value of the Student Privacy Pledge is that it establishes a common baseline of privacy principles that the ed-tech industry did not have before. Let’s use it to remind companies of the responsibility they have towards students, data and privacy. And while this does not create a uniform federal law or strengthen existing privacy laws, it provides a good framework for lawmakers and encourages dialogue between parents, ed-tech companies, schools and other stakeholders to ensure student data is safeguarded. As a parent, I appreciate a document stating a uniform commitment being issued by vendors in their role as stewards of student data.
I hope that this encourages other firms to sign on to the pledge to demonstrate their duty to be responsible data “citizens”. It is an interesting list of signatories. It is worth looking at who has and who has not signed on. And if not, why not?
The pledge goes effective January 2015 but it operates under a rolling admissions policy so companies can sign on to it at any time – no worries. If anybody needs a pen to sign on to the pledge, I have one you can borrow.
All parents want to keep their children safe and protecting their privacy falls under this premise. So when we talk about student data, a parent’s first reaction is “let me decide if I want my child’s information to be used by the school or not”; essentially deciding whether to opt out of data collection for school use. At first glance, the option of choice is obvious – let parents decide what data is collected about their children and what ought to remain private. But when we look at the issue more deeply we see it is not that simple. Not all data are created equal. If parents opt out, it can prevent schools from efficiently managing the day-to-day operations of such administrative tasks as dispensing free lunch to students and organizing bus routes. Furthermore, how will teachers help students learn without access to their histories, including detailed information about their special needs affecting their school performance?
We need to critically look at the implications of our choices and recognize that we cannot address privacy in education in a vacuum. The issues of equity and discrimination in our schools today cannot be addressed without adequate information. We must be able to clearly determine whether we are truly serving our students. How can parents be assured that our schools are addressing these issues if they have incomplete data sets? Providing parents with consent forms for every data collection issue in school runs the risk to protect some but not all. And we shouldn’t ask parents to be privacy auditors either. What if a parent cannot understand a complex school contract or simply does not have time to read it? We risk excluding students from beneficial educational programs and therapies, if information about them is not in the system. When wealthy parents fight to protect their children’s privacy, because their children have access to the same (or better) technology at home, they may in effect deprive lower income families of such access, since their only access to such technology is in school. We need to critically examine the role of consent and question how in our attempts to protect the privacy of some we leave others behind.
Which takes us back to student ownership of their data. As we continue to have conversations of privacy and consent on data collection we must shift our focus to include students in the decision making process. If we do not do that, we relegate them to being passive participants in their education in which education and privacy becomes something that happens to students instead of something that belongs to them. For it is their education, that is at stake. And the opportunities open to them over the rest of their lives will depend on the quality of the education they receive as children.
All students deserve the right to privacy but they also deserve access to the best education possible. If parents do not give consent to information being collected about students what opportunities are we inadvertently denying our children? It is their information – their education, and in making decisions whether asking for parental consent or not, we must make them with all students in mind.
California’s new student privacy law – A law that protects student data privacy and fosters technological innovation?
The Student Online Personal Information Protection Act (SOPIPA) or SB1177 was signed into law last week. It has been called the first in the nation law that strengthens privacy protections for the personal information of California students while permitting innovation in education and technology. There have been many student data privacy laws enacted in recent legislative sessions but many focus on either restricting the types of data collected or mandating states and/or school districts improve their governance and infrastructure to safeguard student information. But asking a school district to improve its infrastructure is easier said than done, especially without supplying the funds for implementation. And restricting data collection can veer into the path of limiting school operations and fail to serve its students.
SOPIPA is interesting in that the law places the responsibility for ensuring student data privacy on the ed-tech industry. It directly addresses the way online service providers and apps can collect and use student data. It is important to recognize that software applications need to collect data in order to personalize the service students receive but also to maintain student records for teachers to keep track of grades, student progress, reading records etc. It is also worth noting that the new law allows these service providers to use the data they have to improve their products but they cannot use the information for targeted or “behavioral” advertising. The law does not unnecessarily impede the use of data and technology, which can stall under more restrictive laws. This is what I find of great importance. This premise fosters innovation in education technologies by enabling service providers to use the de-identified data at their disposal to develop products beneficial to all.
There are also some points that require clarification. For example, what does the law define as “k-12 purposes”? Besides the services used in schools does the term include apps used outside of school by students without the school’s knowledge? And even though COPPA applies to apps generally used by the “under 13” crowd does SOPIPA protect students’ data when they use apps outside of school but the app is an “educational” one? I don’t believe this is addressed, and if it’s not, it is inadvertently creating a grey area of how student data is protected in these cases. This is where an update of FERPA and a well-delineated Federal standard is necessary. There needs to be a blanket Federal Standard that will address these issues when necessary and eliminate ambiguity as much as possible.
SOPIPA is a significant step forward. It provides a framework for stronger protections for student data and with a different (and interesting) approach than other state bills. It provides a good framework for other states to use, and I hope they do. I am encouraged to see the legislature promote collaboration, but we must not forget students in the process.
And don’t worry, there is time to debate this endlessly – the bill’s provisions will not take effect until January of 2016.
Kids love technology, it’s shiny, bright and does a lot of fancy things. In some schools technology has become as prevalent as pencil and paper. With the introduction of smartboards, computers and educational apps, technology has become a staple in schools throughout the country. It can be an important tool to help kids in school. Recently, I read an article about a 10th grader lamenting the lack of technology in the classroom. And while he made some valid points as to the usefulness of technology, the article read very much like a paid advertisement. He was a fervent advocate of using a tablet in school and how this made High School a fun experience. The excitement is contagious and I understand it. I have seen first-hand what adaptive technology can do to help students with disabilities. A child with dysgraphia can use a tablet to take a picture of the board instead of writing notes by hand. There are apps that can similarly serve to improve the educational experience of students with disabilities.
But we must take a step back and think critically how much technology is necessary to help students and that we are protecting their privacy when employing technology that compiles information about our students.
I am an advocate for using technology in schools. I do not advocate for increased screen time but quality screen time. So rather than collecting as much data as possible, I propose a smarter collection of data. And in our efforts to improve the available technology and products we must not allow students to become testers for these new products. Earlier this year, Common Sense Media asked the educational technology industry to develop tough national standards for personal data collected about students and this message needs to be acted upon. Schools also need to understand the contracts they enter with so that third party vendors are held accountable for protecting student data and their privacy. We need to recognize that in order to purposely use technology we shall have to integrate the information at our disposal.
Technology and privacy do not need to be mutually exclusive. We all have a shared responsibility to protect student privacy. Parents need to be engaged in their children’s learning and schools must learn how to safeguard student data to make use of technology in the classroom. Technology companies have an obligation to ensure the data they hold in their custody is not commercialized and that it is kept secure and with adequate privacy restrictions.
Technology can be a great equalizer in education. It can enable us to deliver to children in underserved schools the same educational opportunities their more affluent peers take for granted. Just as we have to exercise caution in protecting student privacy, we must be cautious that in enacting safeguards to protect student data we do not impede the use of valuable technology.
The key for us is to build good guidelines for implementing technological change in an evolving landscape; that we are mindful that students are the end users and beneficiaries of this technology. They stand to gain tremendous opportunities but can also lose them if the technologies are unnecessarily restricted. We must work together to integrate technology and privacy in education in a manner that is balanced so we can all reap the rewards.