Student Data Privacy in Real Life

 

“We need to safeguard student data.” But how do we do this and what does it mean to use student data? The Ed-Fi Alliance, an organization dedicated to advancing the education technology sector and advocating for the responsible use of data to improve student achievement and teacher satisfaction, is publishing a series of posts on its website on strong data privacy practices. What is appealing in this series is that they are providing real-world examples and practical situations we can learn from.

There is nothing simple about student data privacy. The issue is so multifaceted and complex we continue to struggle with determining what is the ultimate student data privacy protection. However, this latest Ed-Fi blog’s post features Lenny Schad, Chief Technology Information Officer for the Houston Independent School District. He is an advocate for data-driven learning environments but more importantly, he is well aware of the importance of student data privacy protections and implementing a robust technology infrastructure to protect such data.

The conversations about student data privacy are important but reading about real life experiences implementing data privacy and security protections provides an entire new perspective to the topic.

Mr. Schad shared five essential best practices for district leaders to adopt:

  1. Build awareness among educators
  2. Strengthen technical solutions by consolidating and securing resources
  3. Strengthen educators’ role in the student data security chain through formal training and resources
  4. Enlist vendors as data protection partners
  5. Get started now and keep going

 

How do we keep going? There are a number of resources available, among them the Future of Privacy ForumCommon Sense Media, iKeepSafe and Consortium on School Networking (CoSN).

 

It’s a good read for anyone involved in student data but particularly for school districts.

You can read the entire post here – http://www.ed-fi.org/blog/2015/07/key-advice-on-the-new-frontiers-of-student-data-protection/

 

Enjoy reading!

 

 

And the Senate follows suit

 

It might be summer, but things are certainly not slowing down in education and student privacy. Last week the Senate, following the House’s vote, passed a rewrite of the ESEA by a pretty big 81-17 margin. This is significant in the fact that the ESEA reauthorization gives us an opportunity to purposely use student data to help us all (parents, students, schools, policymakers) make informed decisions about our children’s education. I find it particularly interesting that lawmakers are taking such a keen interest in student data and privacy but I do hope that the intent is to promote the effective use of data and not hinder its use.

In addition to the ESEA, there are several other bills from both House and Senate about student privacy, and what caught my attention is that for the most part, the focus is on protecting student data while at the same time allowing for the use of data and technology. For example, Sen. Richard Blumenthal (D-Conn) and Sen. Steve Daines (R-Mont) introduced the SAFE KIDS Act. What this Act would do is prohibit ed-tech companies from selling student data, using the information for targeted advertising or disclosing information to unapproved third parties. Noteworthy in this bill is that it requires providers of services to publicly disclose their privacy policies and provide notice before making material changes to such policies. What I would very much like is a provision asking for such privacy policies to be written concisely and in plain simple language so that we can all understand them but….wishful thinking….

In short, the SAFE KIDS Act would provide student data protections without discouraging service providers from creating innovative educational products that could help improve student learning and teaching. But while all these protections and collaborative efforts are important, we fall short if we continue to fail to include student voices in the process. We must acknowledge that the use of data in education is not only for apps and ed-tech products to be developed and used. Student voices need to be heard when groups of learners are being discriminated against because of the lack of student data. You see, educational data is not only about one student or a group of students and their educational achievements or use of technology. Educational data can help us identify students that need help in different areas and help facilitate the diversion of services to them, for example how are homeless children or those in foster care doing in school? Are we providing adequate support services for them to increase the graduation rates in this vulnerable group? What can we, as a society, do to support children who need additional resources so that we can provide to them the best education possible and the opportunity of success in their future? How are we analyzing the outcomes of different groups of students, and are we providing the services they require? All of these would not be possible without student data.

I encourage lawmakers to continue to work on protecting student privacy as it will only help further the debate and encourage others to follow suit. I appreciate the trend different bills are promoting in encouraging tech companies to voluntarily agree to a pledge to protect student information. They are all important efforts but we cannot forget that there is a greater purpose in protecting student data – and that is helping all students not just a few.

As the summer continues and the new school year approaches, I couldn’t think of better summer reading than the different bills proposed to protect student privacy. All children deserve the right to reach their full potential, but we can only help do so with complete information at our disposal. It can be done, we just need to be smart about it.

 

 

The importance of good data

For the first time since 2001, the U.S. House of Representatives debated and passed the reauthorization of the Elementary and Secondary Education Act. As a parent who is looking to have more robust information on my children’s education I find the reauthorization particularly interesting. Mostly because the ESEA requirement of 2002 was to provide disaggregate data to the public so that we could have better insights into schools’ academic performance. And we can argue the merits of standardized testing and whether the data collected is being used in the most effective way, but what I believe is critical is that parents have access to this data, a comprehensive set of information of their children’s education. Something that is still not possible in many states. All states have a state longitudinal data system but few (a handful maybe) can provide this information to parents and students so that we can all make informed decisions.

I think we can all agree that an updated law is necessary to provide students in America with opportunities for growth. But we cannot do so without the right information in our hands. For example, the Colorado Growth Model provides both student specific sets to parents and teachers to guide their decision making and to the public at large in an aggregate form so we can get an accurate picture of school performance. The information these data sets provide has tremendous potential. It can identify groups of vulnerable learners that are being left behind as well as provide parents with information to help their children in areas in which they may be struggling.

As the debates over ESEA continue, we must recognize that we cannot effectively help students without the correct information. We should not reduce the amount of information at our disposal. Big data sets are helpful and can identify how well certain groups of students are doing, or not. They can help us understand the impact that different policies have on schools and allow us to correct course. Robust information empowers students and parents to advocate for themselves. None of this would be possible without data.

Rather than advocating for less data collected, lets advocate for good data sets. Data that is collected purposely and kept safe and private but that is given back to students, parents and the community at large to make informed decisions about our educational system. We cannot afford to know less about student learning.

I am looking forward to following how the debate over ESEA continues but I do hope everyone recognizes the importance of data and how useful it can be in helping student learning.

And seriously, we should all be demanding evidence that all our students are learning. Isn’t that what matters at the end of the day?

 

A new data portal for students

Finally a new student data website that delivers better information on students? I was excited, thrilled actually, to learn that in New York City, parents of students in public schools would be able to view their children’s educational records (and information) on a new website replacing the previous ARIS data system. So I promptly made an appointment to go to my kid’s school to request a login and temporary password to access my children’s information.

Information in hand I quickly setup my login so that I could test drive this new data portal. NYC schools says the new portal is designed internally for less than $2 million and is expected to cost under $4 million for further development over the next four years. So what did I find? The portal has my kid’s name, address, last term’s grades and attendance. No more. As the parent of two children in elementary school (three kids actually but the third is not yet school age), I want comprehensive information on how my children are doing in school. I know where they live and how many days they have been absent. But what I do not have access to is how my children have progressed over time. There is no linked data through their school years. I know my 11 yr old has a good grade in math but what are his weaknesses and strengths? Where can he use some extra help and what can linked data tell his teacher about him next year? Unfortunately the new portal does not have any of this information.

The NYC DOE promises that at the end of the school year, report cards will go online and that test scores will be added once the state releases them. Previous year scores and test grades are expected to be added later in the year. But what the NYC DOE does not specify is if parents will have access to data analytics. If the portal will deliver more than a report card.

I was hoping for a robust buildout, a data portal that would extract the valuable student data that is most likely sitting in a black box somewhere in school. I understand more features will be added as the portal is expanded but unfortunately the kids continue to grow and study. We can’t afford to wait for a buildout. There is value in data but it is only valuable if we can have access to it.

I hope that over the next few months the portal will have added features, in particular features that provide valuable information that allows us to answer questions about our kid’s education and their progress. I would certainly love to have information on teacher assessments, curriculum, reporting and analysis of my child’s education. The portal has a section for parent comments and I’m certainly entering my wish list.

 

What does it take to protect student privacy?

 

We often discuss privacy in terms of what needs to be done to protect student data but the thing that has become clear in my conversations with different stakeholders is the need to focus on providing training and awareness to everyone involved in working with student data. In particular, teachers and school administrators.

Though there are numerous federal and state laws that regulate privacy and we are slowly building a greater awareness of what we need to do to increase protections for student data, I feel that we are often missing the point in these debates and conversations. There seems to be more information shared about students than ever before. Sometimes, teachers with all the good intentions breach a student’s privacy revealing deep personal details about their students. And even though this point is important, there is an even greater need for teachers and school administrators to understand that student data can be leaked, because of a mistake or misunderstanding on the implications of disclosing student data. Disclosing student data can hurt students. If a teacher is discussing a student, or group of students, struggling with certain issues then that student’s privacy was not protected. And failure to respond to these incidents can damage the relationship between teachers, parents, schools, etc. The trust we need to build upon is lost.

Privacy “accidents” happen, but we need to invest in educating schools on what are adequate privacy protections, what are best practices for discussing student information and protecting their privacy so they do not happen unnecessarily. There are a number of privacy best practices across other industries in which employees are trained. We need to have this structure available to schools. If we are going to invest time and funding to develop laws at the Federal and State level, we need to invest in “privacy education” for educational institutions. We must be able to explain in clear and easy terms – what does it mean to protect student privacy, what issues schools need to be educated on and why it matters. Recently the US DOE created PTAC – the best source for government guidance to learn about data privacy and of course the one stop shop for all things on student privacy and ed-tech FERPA|Sherpa (shameless plug). These are great resource, full of important information and videos, but I believe we need to be able to give teachers a support system that will enable and encourage them to learn more about privacy. We can’t just leave it up to them and hope schools are taking privacy seriously.

We leave our children in the care of teachers whom we trust. They are charged with making good decisions on behalf of our children. To do so, they require our support.

 

 

What is PPRA? Another student data privacy law

 

We hear a lot of conversation around FERPA and the need to update the law but there is another law that protects student privacy that has a different purpose, yet is no less important. That law is PPRA, the Protection of Pupil Rights Amendment. Both laws are important in that they provide protections for student privacy but they are different.

FERPA protects student educational records and ensures parental access to these records. It allows for a system enabling parents (or students) to correct inaccuracies in their records. FERPA also provides guidelines for who has access to these records and gives students the means to opt out of directory information (name, address, school clubs, etc.) that may be disclosed without consent unless a parent opts out of this disclosure.

But PPRA is completely different. PPRA’s purpose is to allow parents to limit the kind of personal information that a school may collect from students. For example, this information can be collected as part of surveys, physical examinations, or certain evaluations. The law requires that schools obtain written consent from parents when students are required to participate in any U.S. Department of Education funded survey, analysis, or evaluation. A simple way to understand the difference between FERPA and PPRA is that FERPA protects information the school already has on record and PPRA protects information that schools do not have but can collect for surveys.

It is worthwhile to clarify that the law applies to U.S. Dept of Ed funded surveys. Not all surveys that come home are necessarily funded by the USDOE. However, in 2001 NCLB expanded PPRA to include all applicable surveys in public schools, not just those funded by U.S. Dept of Ed funds in 8 protected categories:

  1. political affiliations or beliefs of the student or the student’s parent;
  2. mental or psychological problems of the student or the student’s family;
  3. sex behavior or attitudes;
  4. illegal, anti-social, self-incriminating, or demeaning behavior;
  5. critical appraisals of other individuals with whom respondents have close family relationships;
  6. legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
  7. religious practices, affiliations, or beliefs of the student or student’s parent; or,
  8. income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).

In other words –

For surveys that contain questions from one or more of the eight protected areas that are not funded in whole or in part with Department funds, LEAs must notify a parent at least annually, at the beginning of the school year, of the specific or approximate date(s) of the survey and provide the parent with an opportunity to opt his or her child out of participating.  LEAs must also notify parents that they have the right to review, upon request, any instructional materials used in connection with any survey that concerns one or more of the eight protected areas and those used as part of the educational curriculum.

So while PPRA doesn’t cover all surveys it does cover surveys that collect information considered “intrusive”. What I also learned is that it appears that in these cases, the surveys require prior parental consent otherwise the school cannot collect information from that student. And this is truly an opt-in option as opposed to an opt-out one. And worth noting that PPRA also has some other key requirements, besides surveys that have received little attention. Such as requiring that all instructional material (besides tests) be available to parents for review and (c)(1)(E) requires that every school have a local policy concerning “the collection, disclosure, or use of personal information collected from students for the purpose of marketing or for selling that information (or otherwise providing that information to others for that purpose), including arrangements to protect student privacy that are provided by the agency in the event of such collection, disclosure, or use.”

While our first reaction is to opt out our children from any school survey we need to think about what we are opting out from. It is important to recognize that some of these surveys could provide valuable feedback to schools – are the right kids getting support, lunch assistance, or are our children being discriminated against because of their race or gender? These surveys could yield important information so that schools get adequate funding or professional assistance to address deficiencies that are identified. Of course, not all surveys’ goal is to identify this. Others could be just aimed at marketing or addressing issues that we are not comfortable providing our children’s information for. The process must be clear, the mechanism for opting out clear and easy in the event parents feel uncomfortable. Parents must know what the survey is for, who is conducting it, how it is funded, how their child’s privacy will be protected. If we can trust the information we are given regarding the survey we can trust that if we decide to provide this information it will be used for the benefit of our children, and that is important.

I am a big advocate of having data and using it purposely. There is value in information. But parents must be given the information needed so that we can make informed decisions and be comfortable when providing details, sometimes extremely personal details, about our children.

 

What is an educational record?

This week I was fortunate enough to partake in two interesting but vastly different student privacy events. Both events discussed student data privacy in the context of online and personalized learning, and even though each event was presenting to different audiences (one was mostly to privacy lawyers, the other was to Ed-Tech companies) both events discussed student data in educational records. It is interesting because I think we all have different opinions of what an educational record is. According to the US Department of Education, an “’education record’ is defined as records that contain information directly related to a student and which are maintained by an educational agency or institution or by a party acting for the agency or institution” But what does that mean? At first glance I think of student grades, attendance or IEP information, but when we think of an educational record in the context of personalized learning it can mean and contain so much more.

It is worth thinking about an educational record as a more complete picture of a student’s learning story (or data trail) that is created as they use technology in the classroom. Let’s think this through – a student has a school educational record with name, address, grades, attendance etc., but then we begin to add more to it. For example, a teacher uses a certain software package to teach the math curriculum and students get guided by their hits and misses in answering questions and thus the software tailors the “teaching” to that particular student’s strengths and weaknesses. That information is stored and attached to that student. Further, this particular student has support services for an IEP and the service provider uses an educational app that assists with the therapy that is being provided to the child in school. Again, the software “learns” the student’s pattern and records that for the next therapy session and modifies the “teaching” as needed based on the progress that student makes. Finally, this student uses a school provided device that has location tracking. At this point an additional software is recording that student’s activity and whereabouts.

And while this data generation and tracking could sound creepy, there is tremendous value in the data the student generates. In particular, if parents and teachers can collaboratively work with the student. Because when we can use tech to not only improve learning but give students real feedback then we are empowering students to make decisions about them that can help them develop and disclose their educational story as they see fit.

And this brings us back to examining the educational record. If a student in a school system uses this software and generates data maintained by a third party provider – is that an educational record? And if it is, what ownership does the student really have of the data they are generating? Who has access to the data and who decides how it is used? At this point I struggle with the lack of recognition of student ownership. Because from an educational sense we are not allowing students to analyze the data trail they are creating. If we do not do that we continue to make education as something that happens to them, instead of the force by which they chart their progress.

So when we think of an educational record containing a story, a student’s story, there is a significant implication. I think it is worthwhile to allow students to partake in the creation of their record and have a say in how they share certain parts of their story.  Personalized learning, if done right, can provide tremendous opportunities, in particular for students with special needs. We say students ought to be informed, to make their own decisions but we deny them this opportunity when we do not allow them to participate in the creation of their educational record and reduce them to mere observed objects. The challenge in front of us is to deconstruct our traditional view of an educational record (paper files in a cabinet, anyone?) and allow students to make a decision on what their data trail tells someone about them and what story they would like to share. For example, once a 10 year old told me, “I like that I can explain to my teacher what makes it easy for me to learn in class but I don’t like repeating it every year”. So lets take that statement and think about it. What if students were given enough insight into their educational record so that they can point to their teachers / parents / therapists to the information that they feel someone should know about them. And while I advocate for learner control I do not think this is a case where we give kids carte blanche to add or delete to their record as they see fit. I see the educational record as a comprehensive picture of a student in which a student can decide what matters to them and what they can illustrate to a teacher. But they cannot do that if we do not allow them to help us construct their educational record. Maybe taking a look at the issue in this manner we can become more comfortable with the “proverbial permanent record”

 

A very busy week for FERPA

 

It has been a very very busy week for FERPA and it reminds me of Eric Carle’s The Very Busy Spider – the spider wouldn’t stop building her web. So as we busily build our privacy web, introducing more and more bills, I believe it is worth discussing the implications of proposing bills that severely restrict the effective use of data. Sen. David Vitter (R-LA) introduced an amendment to FERPA entitled the Student Privacy Protection Act. However, unlike other bills, this one seems to restrict the use of data to understand how we can support learners more effectively.

The bill would only allow aggregated, anonymized and de-identified data to be used for State Longitudinal Data Systems (SLDS) and prohibits predictive analytics. At first glance, using only aggregated data seems like a good idea, but here is the issue: the bill prohibits the use of data that helps measure student outcomes. It prohibits the use of federal funds to support “affective computing” that includes the analysis of physical or biological characteristics such as facial expressions or brain waves. And while I understand the concern of a neurotypical child to have this granular information captured, to the parent of a special needs child this information could prove to be the difference between the struggle of an academic journey to a successful one. If predictive analytics are allowed, the information obtained can prove invaluable to students with special needs.

What if we cannot use the data on an SLDS to determine how we are helping English Language Learners? How can we answer the question – Do you have information on English Language Learners? If we cannot track the performance and graduation rates of ELL’s, how can we be sure we are providing those children with the most appropriate resources and whether the application of those resources is successful? Or take the high school dropout rates. If we cannot access SLDS data, how can we measure success for all students? For example, we know that the dropout rates between Whites and Hispanics narrowed from 23 percentage points in 1990 to 8 percentage points in 2012? We can’t’ answer these questions without data. And if our goal is to provide a truly equitable education system, a system that serves all students, we cannot deny the use and analysis of this valuable data. Further, how can we determine how many students with disabilities are receiving support services in schools? And are these support services effective?

It is clear that most bills relating to student privacy are looking to protect student data and to respond to parent concerns. But we must be careful that in our effort to protect students we do not impose restrictions that would rob us of valuable insights on how to better serve their educational needs. We cannot make smart decisions without complete data sets.

It is clear that with so many student data privacy bills we are responding to parent’s concerns, however, we cannot make the bills so restrictive that we cannot use the data. Instead of restricting the use of data, I propose we train staff and make them aware of the implication of misuse of data but let’s not shut the system down and make decisions in a vacuum. We need the data, it’s important we be able to make informed decisions. Let’s focus on having comprehensive data sets and host them in secured environments with staff trained in the proper handling of data protocols. Knowledgeable staff educated in the ethical and effective use of data can better protect student privacy than removing data from an SLDS. Only by responsibly using relevant data can we ensure we deliver an equitable school system for all students.

 

 

Storytelling as Privacy

 

If you are the parent of a 5th grader in public school and live in NYC you most likely went through the dreaded “middle school application process” and while there are many issues to discuss around the concept of “choice” in schools in NYC one particular aspect caught my attention. A few weeks ago, this group of anxious and eager 11 year olds received their middle school acceptance letters. Teachers and Principals sent the message home to be mindful of their classmates who may not have gotten into the school of their choice and to respect their privacy. But what does that really mean to an 11yr old? So I asked my 11yr old friends (full disclosure they are my 11yr old kid and group of friends) what they thought privacy means to them. Some said Privacy is “when grown ups leave me alone” or “when I don’t want to tell someone something about myself.” Pretty interesting coming from 5th graders. To them, the notion of privacy isn’t a particular rigid set of rules and regulations. Privacy is having agency over what information they choose to disclose or not depending on the situation.

It is remarkable that to these truly connected kids, most of them having a smartphone, tablet, laptop, etc., their concept of privacy did not initially go to the electronic medium they were using and the data points they were providing. Their conception of ownership of their information and deciding how they disclose was central to their idea for defining privacy. They did not define privacy by what people should not see, they see privacy as their ability to control their own information and decide what story their information would tell. And I see similar responses when I talk to college students. Their idea of privacy is related to the concept of ownership. For most of them it’s about being able to decide when and what they want to disclose whether it is in conversations with their friends or in their social media accounts.

So as I watched these anxious soon to be middle schoolers receiving their acceptance letters, I could see the anxiety of their parents looking over their shoulder and friends wanting to know what school they got accepted into. But most kids wanted to be able to decide how and when they disclosed this truly personal piece of their story.

So as we continue our conversations around student privacy, as we debate whether laws should be updated to reflect technological advances, lets take a step back and think about how kids feel about these conversations about them that for the most part don’t include them. We talk about student privacy, we discuss what children’s data should or should not be collected but we continually leave students on the sidelines watching the debate about them but not asking for their input.

So yes, we are the responsible adults and should be making decisions that we believe are in the best interests of our children. But I urge all of us to include students in this debate. How do they feel about their privacy? Are we making decisions about their privacy when they would want something different for themselves? After all, it is their data, it is their information, it is their story. They should have a say on how their story unfolds.

 

 

 

So many privacy bills, so little time…..

 

It is May and so far 42 states have introduced 170 student privacy bills which is encouraging to know as a parent of children who will be students for quite some time. Of these, there are two Federal bills advancing in the US House of Representatives. On the one hand, Congressmen Kline (R-MN) and Scott (D-VA) circulated draft legislation to rewrite FERPA. On the other, Congressmen Polis (D-CO) and Messer (R-IN) introduced the Student Digital Privacy and Parental Rights Act. The goal of this act is mostly to regulate online service providers in a way that balances data security without hindering the ability of teachers, schools, and other stakeholders in using the data to effectively support instruction.

Which one is better? Well, I don’t think they are mutually exclusive. I think we can all agree that FERPA needs to be updated. It needs to address the privacy challenges that come with technological advancement. Something the 40 year old law hasn’t been able to keep up with. But what is interesting on the Polis-Messer bill is that it balances the essential need to protect student data and enables (and encourages) the use of technology without implementing unreasonable restrictions that would impede the effective use of data to help students improve their learning outcomes. More importantly, the bill bans online service providers from creating profiles of students that could be used for advertising to them or their parents, thus eliminating that creepy factor of profiling students for marketing purposes. And I am all for data use but certainly not when the data collected on my child will be used to advertise products or services to them.

Unfortunately neither bill addresses the dire need for training teachers, principals, school boards and even parents and students. Training so desperately needed. Without adequate training, they will not be able to identify what is appropriate (and legal) use of data. How can we expect schools to make the right decisions when it comes to safeguarding our children’s data when they do not have adequate training on data privacy and security? Furthermore, I do not see any acknowledgement of learner ownership in either bill. We must recognize students as the ultimate owners of their data, for without this recognition we will once again fail to make privacy something that is inextricably linked to their education and continue to make privacy something that just happens to students – if they are lucky. Finally, I find the option of opting out of data collection a weak portion of the bills. And it is simple – if we have the option of allowing students to opt out of LEA or SEA data sets we are limiting the ability of research organizations to determine whether education policies are working for every student or not. How can we build an equitable education system when we are analyzing incomplete data sets? They will then undoubtedly provide skewed results? We cannot adequately protect our most vulnerable students if policymakers are basing decisions on incomplete data. I urge all of us to think about the inequities we might be inadvertently creating when opting out of educational data sets. We cannot achieve a true equitable educational system with broken data.

Both bills have a way to go before they can become law, but this is why it’s important to join the conversation now when many states and the Federal government are first looking seriously at protecting student privacy – and that matters.

We have the responsibility and opportunity to help shape the debate that will result in policy at the State and Federal level and we cannot let this pass by. In the meantime, President Obama continues to encourage progress in safeguarding student data. Earlier this week the White House commended Representatives Polis and Messer on their efforts to protect student privacy. And well, that has to count for something – right???