What are the Student Data Privacy Principles?


On March 10th, the Consortium for School Networking (COSN) and the Data Quality Campaign released 10 privacy principles for student data. So what exactly are these Principles and how are they different from the Student Data Privacy Pledge? The privacy principles are a guide for protecting student data privacy in schools but more importantly, they show that anyone signing on to these principles is serious about student privacy. The guidelines are a great way to support schools and members of the educational community.

Unlike the Student Data Privacy Pledge, these principles are not enforceable by law but I don’t think that lessens the importance of signing on to these principles. Anyone signing on to the principles is sending a message that it is ingrained in their culture to integrate these guides into their organization’s thinking. And that is important because it places student data privacy at the forefront. Also worth noting is that these are matching commitments from the “other” side of the table so to speak. These are commitments from the education community to match the Pledge commitments made by vendors which shows the coordination between diverse stakeholder groups, all focused on the same ideas and goals.

Students are the ones that stand to win by the use of technology. They also are the ones that can lose it all if we are not smart when making decisions on student privacy. If we negate students in our thinking, if we do not recognize that our decisions affect kids, we cannot develop effective policies that protect student information in an equitable manner. The Principles are one more piece of the puzzle to help build consensus on best.

My favorite Principles? Easy –“Student data should be used to further and support student learning and success” and “student data should be used to inform and not replace the professional judgment of educators.” And this is important because by recognizing that student data matters and that it can and should be used to help students we are moving our conversation into a more comprehensive view of privacy instead of just one of security concerns. It is important we provide educators and educational institutions, with the best training on privacy practices while encouraging them to help students further their learning.

I am encouraged that slowly but surely we are recognizing that this conversation is about students and their future. It is about us helping them get the best education we can provide for them. Because after all, it is about students empowering their education and using the data to make education something they own and not something that just happens to them.

Our conversation shouldn’t stop here. The Principles are a great framework to follow but they certainly are not a cure all. Our conversations on privacy and data need to continue so that we can provide students with the assurance that we will protect their data, we will use it ethically and effectively and will let them take ownership of it so they can use it to their advantage.

If you want to read the principles you can find them here.



Social Media Monitoring, Privacy and Students


“Pearson is spying on kids” was the statement dominating this week. But the reality is that Pearson, like most major corporations, is involved in social media monitoring. Companies do this monitoring so that they can improve their product, provide better service or promote their brand. One could say that we should expect for major corporations to monitor our online activity when we mention their brands on social media. However, in this particular case, Pearson is not just randomly collecting everything anyone says about the test, but in fact monitoring to identify and track anything that appears to be a violation of the test integrity. In this case, the student’s tweet describing a particular test question. Further, testing companies actually have an affirmative duty to do this monitoring imposed by contract or other methods in order to ensure that schools can rely on the validity of the test results.

But for me, what is most important is the fact that we have engaged in the debate whether this practice is or isn’t acceptable while completely ignoring how students feel about this. Have we stopped to think if students care or, dare we say, expect it even? You see, as adults we can express our outrage over a multinational corporation monitoring students but are we speaking for students or for ourselves? Is this our outrage or the students?

I talk with students all the time, from elementary school age kids through college and their responses are vastly different. College students know and expect for their social media activity to be monitored, watched, some even do all they can to be noticed. K-12 students think differently. They expect to be watched by their teachers, parents, peers etc. but certainly do not expect companies monitoring social media to see who mentioned a test. And here is where it gets interesting. I asked some 5th grade students how they would feel if they posted something online and it became public information. They said that everything they do is seen by their parents and their parents are always posting things about them anyway. They expect someone to be looking at what they do all the time. So have we conditioned kids to expect to be monitored and tracked? Have we unconsciously blurred the lines between private and public for kids so much that they expect to be watched all the time? We have created an atmosphere of mistrust because we don’t trust the education and technology sector. How do we teach students to trust the technology in their schools? As many noted on Twitter, there is outrage over Pearson monitoring discussions about a test but deafening silence about constant social media monitoring students of color. There are so many instances of social media used for profiling that it is difficult to understand why it’s ok to monitor a certain group of students but not another. We need to examine online profiling and what we are doing by wanting to protect some students.

But more importantly, we must listen to students so we understand what privacy means to them and what they expect we give them when it comes to privacy protections. Students will still talk about tests. It’s what kids do. They will just do it in true private venues, in person, whispering in the backyard so that adults leave them alone. What opportunities are we missing by not acknowledging students in this debate? The issue about social media monitoring is about much more than one company concerned about one tweet. The issue is how do we come to terms that social media monitoring is persistent even in the education sector, it’s about establishing what is ok to monitor and what is not.



What happens when a group of privacy advocates descends on an Ed-Tech conference???


Last week I attended SXSWedu and it was very interesting. I was fortunate enough to be invited to participate in a panel to discuss the challenges in student data privacy and defining data ownership. And as excited as I was to be able to participate, I looked forward to the other sessions at SXSWedu. This year there were many panels discussing student privacy (about 10), more than any other year. And that is telling, because it means that the conversation around student data privacy is becoming entrenched in the educational landscape.

So what happens when a group of privacy advocates descends on SXSWedu? The conversation changes. The conference showcased how the use of data and technology in education has the power to ensure that every student has the opportunity to maximize their education. But with the increased use of technology in the classroom comes the increased amount of student data available. And that is where the privacy conversations came in. How can we meet the unique needs of every student while ensuring that their data is being used ethically, effectively and safely, but without stifling innovation? I spoke to many different groups of people while I was there and the main concern from tech companies was – how do we get it right so that we can give parents the comfort that we are safeguarding their children’s data while simultaneously improving and enhancing our products to deliver better learning experiences? And it shouldn’t be that hard. Because when you have privacy advocates and Ed-tech companies working together you can make substantial and effective changes as Clever did in updating their privacy policy. I would like to see companies have their privacy policies right from the beginning. Make it part of their culture. When we discussed data ownership in my panel I stressed the importance of recognizing student input and creating their brand image and privacy “philosophy” with students at the center of their decision making process. Because only by recognizing students as active participants in their education will we move the conversation from one of concern about student privacy to one of collaboration.

The commitment I saw this past week does not begin and end at SXSWedu. Everyone with a stake in education has a responsibility to do more. There is an incredible opportunity at hand and it starts with our commitment to safeguard student data.



Guest Post – When talking student privacy, we need to all get on the same page

When we discuss privacy protections we often focus on what we want the industry to provide parents and students, often we do not hear from the industry. I met the founders of Education Framework and was able to take a look at their product.

Education Framework is an Ed-tech company that manages student privacy and consent services for U.S. K-12 schools. Katie was kind enough to write a guest post for us from her perspective as the founder of a company that works on student privacy but also as a parent.

Thanks Katie!


When talking student privacy, we need to all get on the same page

We operate in a digital age where technology has infiltrated our everyday lives – at home, at work, and at school. What we once considered to be private is no longer so, nor will it ever be again.

But the reality is that in education, large amounts of data are being collected on children. While some argue that this data is necessary for improving educational outcomes, others have expressed concerns that it is vulnerable to misinterpretation, misuse, and outright abuse. This holds especially true as schools increasingly explore and adopt new digital learning solutions.

As the co-founder of an Ed tech start-up that specializes in managing student data privacy obligations for schools, and a parent to two school-aged children, I have experienced, first-hand, many of the challenges that school and service providers face today. I sit in a unique position to see both sides of the coin.

On one hand, I am troubled by the amount of data that is collected on my children and the lack of transparency regarding how that information is used and stored. On the other hand, I see the value of using information to simplify processes and improve outcomes.

As a service provider, integrating with the Student Information System (SIS) makes our digital process far more efficient, but without the proper protocols in place to ensure privacy, safety and security, it could be fraught with disaster.

When we consider a student’s data chain of custody, transparency is key. We must have a clear understanding of who has access to the information, for what purpose the information is being used, and for how long it will be stored. Moreover, this information should be readily available to both parents and school administrators. Parents shouldn’t have to jump through hoops to find out what information is being collected on their children, and schools should be able to produce that information, if requested, on a moment’s notice.

But the existing model is quite the contrary. Archaic manual processes, paired with limited guidance and weak oversight, have left the privacy door open to trouble. This is particularly concerning when realizing that there are approximately 50 million students whose information is at risk for exposure. As technology usage increases in schools across the nation, parents, teachers and administrators all need to better understand their privacy obligations. And while third party service providers, like myself, must commit to actively ensuring the protection of any information accessed, we must also maintain that the most basic procedures are, in fact, in place to ensure safety and security.

However, it is confusing whether the responsibility to obtain parental consent rests on the school or the service provider when the app is used in school.  Under COPPA, the Children’s Online Protection Privacy Act, parental consent is required for any app or website that collects personal information for children 13 years and under. But determining who is responsible for actually obtaining that consent is another story.

While the collective shift in attitude indicates a general move in the right direction, much still needs to be done to actually ensure student privacy in our schools. We must critically look at how we are managing the information we have access to in order to protect student’s privacy in schools. We also need to ask ourselves if the current process for managing student information fits with the model in which we are collecting it. We need to ensure that all parties are committed to making student privacy a top priority, and that all who have access to student information clearly understand their roles and responsibilities when it comes to managing the data. We need to determine what steps need to be taken to improve our systems to be more in line with our goals. It is imperative that we all get on the same page.


Katie Onstad, Vice President and Co-Founder, Education Framework Inc.

Katie Onstad is vice-president of Education Framework Inc., an education technology company that manages student privacy and consent services for U.S. K-12 schools. Katie co-founded the business in late 2013 with her husband and business partner, Jim. When she isn’t running the business, or the household, Katie volunteers her time around the community and in the classroom at her kids’ school. Katie received her B.A. in Organizational Communication from the University of Montana and lives in Bend, Oregon with Jim and their two young daughters.



Updating FERPA, after all it’s only 40 years old

This week Congress talked about improving legislation to protect student privacy. The Subcommittee on Early Childhood, Elementary and Secondary Education conducted a hearing to discuss updating FERPA and it is important that student privacy is being discussed in Congress to raise awareness of this issue.

FERPA was enacted in 1974 and what this session made clear is that the 40 year old law can’t keep up with the rapidly developing education technology industry. So yes, FERPA needs a facelift. The discussion is moving beyond attempts to prevent the collection of data to become a dialogue involving students, parents, educators and industry leaders. Now, I am not saying it’s all good and we have nothing to worry about but I am encouraged when listening to testimony acknowledging the challenges ahead and the desire to present Congress with facts and information that will help them make informed decisions. More importantly, I feel Congress asked some of the right questions – what is the role of third party vendors, what data should we collect, what does it mean to have an SLDS and how long should we retain the data? The underlying problem is how to support and improve FERPA without shutting the system down. The hearing was not about overreach. It was about finding a balanced approach to updating a law to protect student information.

I found particularly interesting Joel Reidenberg’s proposition of data minimization: how much data should we really collect and do we need to collect every detail of a child’s educational journey? We ought to critically examine what data is required to improve education and serve each learner’s particular needs. And it’s complicated. As Shannon Siever pointed out – do we need to do a biometric scan on a student in order to deliver school lunch? No. But biometric data can provide valuable insights and benefits for a student undergoing speech therapy. So what do we limit?

Another important point discussed was that of data ownership. We need to define this concept because what data ownership means for industry is not the same as what data ownership means for students. Does one recognize students own their data while still acknowledging that third parties can use that information?

Though much was discussed during this hearing, much has yet to be discussed. If we overhaul FERPA, we must be mindful that we are not limiting our ability to study why some students are being left behind. That we adopt a comprehensive approach to the collection of information but that we protect the information of students with learning disabilities, for example.

This Committee will be well served if it considers parents as partners and not bystanders. Consider who generates the data (students), who holds the data (schools) and how the data is being used (third party vendors) in schools. Strike a balance of personalized learning and safeguarding data.

I urge Congress to be careful when considering changes in FERPA and to think seriously how these changes will impact the ability of schools to use technology to better educate students. In an effort to limit data usage we may limit how we can help students learn.

Without modernizing FERPA innovation will stall. If parents do not feel that we have a law on our side, there will be a constant tension between schools, students and service providers. FERPA needs to be updated to fit what happens in schools and technology today to build trust between all the stakeholders, foster cooperation and provide privacy protection. And don’t forget our students need to have a voice in the process – what do they expect an updated FERPA will deliver to them?

If you missed the hearing, here is the archived webcast - Congressional Hearing


A Privacy Dilemma


What do you do when you are faced with a privacy dilemma? This week, one of my children brought home a consent form; and it wasn’t for a field trip. It was a consent form to allow pictures to be used on a website used by many to raise funds for school projects. So I am faced with a privacy ethical dilemma. Do I protect my child’s privacy by not allowing pictures of her to be used as the letter states “on our website and may allow our donors to display all photographs on their websites and social media channels and to otherwise use the photographs for publicity and promotional purposes” or do I allow her picture to be used because her teacher is raising funds to be able to afford projects that shall further her education?

So here I am sitting with this letter trying to make the right decision. But is there a right or wrong in this case? You see, it’s difficult because ultimate ethical systems are impracticable. It is nearly impossible to define with absolutes. Ethical systems are workable as sets of principles. So do I give permission for my daughter’s pictures to be used so that her class can get much needed resources sacrificing her privacy in the process?

Our kids care about their privacy. It matters to them. How would they feel if we asked them if we could take their picture and post it for the world to see? I wonder sometimes what it feels like to be a kid these days. Whenever any of us pulls out a camera to document the recitation of a poem or performance of a play and post it on social media, our children’s privacy becomes public. When I was growing up I could see parent faces, now I imagine kids see camera phones…but I digress.

And this is the point when we need to stop thinking about what we want and shift our focus to the children and ask ourselves – what do they want? How do they feel? This picture, this image of my kid, is becoming part of her data trail. A data trail that she is having very little say in its forming. If others can take this picture and use it in other materials it is becoming impossible for my daughter to control her data. Which is why the issue is so complicated. But in controlling the use of her picture we are in a sense limiting the ability for the school to raise funds. And it is a struggle to deal with this tension. Who gets to decide what is right? Am I right or should the school get as many opportunities for funds as they can? Thus the privacy dilemma, in the effort to protect one am I unwillingly affecting others. A photograph is more than just a photograph.

So what do you do? Sign the paper or not?



Trust and Privacy in Education


It’s been a busy month for data privacy. We had Data Privacy Day, President Obama announced new privacy protections for students and the Department of Education is working on a National Education Technology Plan. Inherent in all these initiatives is trust. Learning to trust is probably one of the most difficult things we need to learn in life. Choosing to trust an organization with personal information is probably not as important as the decision we must make when we trust someone to educate our children. So if we trust our schools to educate our kids why can’t we trust schools and service providers with our children’s data?

Fears about the misuse of student data have become a central part of the debate in education. And the data breaches at Target & Sony only instill greater concern among parents regarding the security of their children’s data. Further, it is difficult to dismiss concerns when we read privacy policies in which companies might be able to classify student data as an asset to be transferred to a third party purchaser in case of bankruptcy. It is clear to me that we need to build trust amongst service providers, schools, parents and students. Trust is more than just being compliant with the law. Trust is about building relationships so that we all understand the sensitivities around data. Trust is about designing an ecosystem that enables learning to take place but protects student privacy.

Data privacy is difficult, it takes work, it’s complicated, it’s emotional. It seems that as much as we want to simplify the use of technology we inherently complicate it. We need to think about what is “right” and “what works.” We can’t continue to look at privacy as a right or wrong alternative. We have to be able to discuss the implication of the use of student data and what we are willing to do to reach out and trust each other to do the right thing. Trust is about transparency and transparency enables trust.

If parents and schools assume that technology service providers are “preying” on student data we are getting off to the wrong start. Everyone is on the defensive. Parents don’t trust technology, technology doesn’t trust parents and so it goes. How does technology mistrust parents? By not being fully transparent of their practices because of fear of being shut down. On the other hand, service providers are not going to gain our trust just by changing privacy policies. It is important that privacy policies align with protecting student data. We cannot accept a privacy policy that complies with legal technicalities just because they were called out on a blog or newspaper article. Why not have adequate policies from the beginning? Why must we feel, as parents, that we need to scrutinize these policies because if we don’t we are leaving our children vulnerable?

We need to work on creating opportunities to educate different stakeholders in education. We must recognize that students are central but their data is critical if we are to create opportunities that service them in the best way possible. We can’t get this wrong. We have an opportunity to work together to develop a thoughtful and comprehensive student data privacy plan. Our students, our kids, have too much at stake. If we do not build trust, work on it, and maintain it we stand to lose. Once trust is lost, it is almost impossible to get back.



Balancing Equity and Privacy in Education


We are celebrating Dr. Martin Luther King this week. Dr. King, who led the Civil Rights movement in the United States from the mid-1950’s until his death by assassination in 1968. Much has been said that education is the “civil rights issue of our time,” but when hasn’t education been a civil rights issue? You see, many minority groups have always seen education as the way (sometimes the only way) to fight discrimination. Unfortunately, discrimination and bias is present in schools today. Black students are expelled at a higher rate than white children. English Language Learners are more likely to be disciplined and discriminated against because of their and their parent’s lack of English proficiency. And although education is the surest way to fight discrimination, students of color are more likely to be in underfunded schools. But we would not know this if we didn’t have the data to back it up.

It has only been 60 years since Black and White children could legally sit side-by-side in public schools in much of this country. Studies have shown that student and teacher diversity is essential to optimize teaching and learning. Practices enacted to correct some of this have become policies that support educational goals that help students of all ethnic and racial backgrounds. We would not be able to determine this if we didn’t have hard data to identify the problem and measure the success of programs intending to address it. Sound policy requires that we have a comprehensive picture of what happens in schools.

But this doesn’t mean the students who we are trying to help forfeit their privacy. Students must feel safe in making mistakes, confident their learning shall not be used against them in the future. They ought not worry that a learning disability will restrict the opportunities available to them because of what their record shows. Privacy allows students to fearlessly take risks, make mistakes and grow as learners. But if they are not offered protection, they may choose to opt out, limiting the available data, invalidating the conclusions to be drawn. If we are concerned about their future, isn’t it our job to set our students up for success?

As we advocate for student privacy we need to acknowledge that bias and discrimination are real in schools today. We need to make sure that as we address issues of privacy in education, we are cognizant of the learners that will miss out on educational opportunities because we cannot ensure that their privacy will be protected and their information will not be used against them in school.

I encourage all of us to seriously address these issues but we cannot do so without reliable studies, data sets, and trends that are studied over time. Otherwise, what is our argument? Because I “think” this is happening? We can’t ignore the entrenched bias in education but we can only address it with effective data. So as we continue this debate, let’s not forget that high quality education and privacy is not only the right of the few but of all students.


The President talks Student Privacy…wait! What??

  Student Data Privacy has become such an important topic that even the President is talking about it. Earlier this week, President Barack Obama outlined his privacy and security agenda at the FTC in advance to his State of the Union Address. Why is this important for students and parents? Because, the Administration is taking notice. The President called for companies to make a firm commitment to use student data only for educational purposes and sign

A student data privacy wish list


The New Year is here and a couple of weeks ago the kids wrote what they wished for in 2015. It was interesting to read what they hoped for in the New Year (good grades, help people and can my little brother leave me alone). We all have our wish lists for the New Year, so I stepped back and started to think what my wish list for student data privacy would look like.

It is hard to name one issue I would like addressed in the education technology sector when it comes to student data privacy, my list is much longer than my kids wrote but here are my top picks. With the ed-tech industry stating it is all good (somewhat) and some privacy advocates saying it is all bad (some of it, but not all), it is difficult for parents and schools to know what concrete steps shall ensure the privacy of student data.

For starters, I would like to define who owns student data. We need to take a close look at the definition of ownership and acknowledge students, so our conversation shifts from one in which privacy (and education) sometimes happens to a conversation in which students are telling us what is important to them when it comes to their education and privacy. As I have more and more conversations with students of all ages, I realize they are increasingly aware of how they contribute data about themselves to a system that does not give them much attention. 2015 should be the year we learn to listen.

Parents need to be informed. And I don’t mean just by issuing boilerplate press releases in which companies tell parents they care about privacy. Or School Districts sending home flyers that say student data is safe. We must invest in workshops and informational sessions in which parents can have a genuine conversation about what is important, why it matters and what we can do about it. The conversation about data collection has to turn from one of what data should and should not be collected to one in which we discuss the best ways to use the data to help our students.

Which brings me to the value of data. The phrase “data is the new oil” can certainly be true. There is arguably, great profit to be made with data in many different sectors. But I hope that in 2015, the value of data for parents and students is not strictly a monetary one; for the value lies in its impact on improving our children’s education. Parents ought to be shown the direct benefit for their kids. Unless they see these benefits, the conversations about Big Data sets in education will remain irrelevant.

With the different data breaches that occurred in 2014 in the education sector, we need not only ask the companies and schools holding student data to be responsible. We must be able to hold them accountable for misuse of student data.

My list could go on and on but if I had to pick the one thing that I think is the most important it’s  – data privacy training. Training for parents, teachers, schools and students. We need to understand the system better. I want education sessions that inform students on their data, how it is used and how to be responsible owners of their data, empowering them to be responsible digital citizens.

Last year was an interesting one (to say the least). My focus is on taking advantage of the lessons learned and moving the conversation forward. If 2015 is anything like last year, we are in for an interesting debate. How will new platforms use student data? What new studies and research shall be funded to “improve” educational outcomes? Can data truly be de-identified? What biases are being unintentionally created when some students opt out of data collection? What learners are being left behind when there are opt outs in data sets? Are we being sensitive to other cultures and addressing their concerns when it comes to their privacy? How does privacy or lack thereof affect a student’s experience?

I don’t think we will be able to answer all of these questions in one year but I am sure we will be discussing them. All of them. In the meantime, I wish you all a most wonderful 2015! What’s on your wish list?