2 years ago, the student data privacy debate sparked and created an awareness not only between schools and vendors but also with legislators. Parent concerns grew at this time as the controversy surrounding inBloom grew and fears of misuse of student data increased. In response to this, legislators in 36 states introduced 110 bills on student data privacy. By 2015, we saw even more legislation with 188 bills introduced. SOPIPA came into effect which addressed the need for regulation of the Ed-Tech industry. We spent a considerable amount of time discussing SOPIPA but what we didn’t discuss much was a law passed in 2013 in Oklahoma. Oklahoma’s student Data Accessibility, Transparency, and Accountability Acts (DATA Act) places its focus on the staff at the school, district, and state levels. At a time when parents were demanding transparency on how student data is gathered and used, this law did just that. For example, the law required that vendor contracts include provisions that safeguard privacy and included penalties for non compliance as Amelia Vance explains in NASBE’s Data Privacy Report. The law also restricted the ability to collect unnecessary sensitive data such as social security numbers and biometric information. Transparency in how and what data is collected is paramount in developing trust among parents. However, restricting the collection of certain data can bring unintended consequences. For example, limiting the ability to collect certain biometric data on students who have a learning disability. Let’s say a teacher is tracking eye movement and response to a child working on their reading skills. If a teacher can’t chart a student’s progress based on data collected they can’t have an effective assessment of that student.
Most recently, the American Civil Liberties (ACLU) introduced a model bill that could add privacy protections for students. But again, language meant to protect students could make it cumbersome for technology to be used to enhance student learning. The proposed bill includes language that parents opt in every time there is new technology used in the school. That could be somewhat complicated….just sayin’
Presenting parents with the information on what, how and why data is collected on students is what enables the dialogue between parents, schools and the Ed-tech world. We can all feel better that we have many laws, bills, proposed legislation and all of that, all of this work can be undone by school staff or teachers inadvertently disclosing student information or the use of technology in the classroom without adequate student privacy protections. So as much as we can argue that student privacy is important, that companies are working to ensure proper privacy protections none of it matters if we don’t have adequate training for school staff in particular teachers. Helping teachers understand student privacy is not only from a data collection perspective. They also need to understand privacy matters when they post their student’s work on social media or on school data walls with the student’s name for the school to see. But more importantly, as much as companies pledge to protect student data, if a teacher cannot explain to a parent how technology is used in the classroom how are they to partner with parents. We lose the opportunity to build a team composed of parents, school staff and tech companies that work together to protect student data and privacy. A new resource to help teachers understand student privacy was released by the Future of Privacy Forum and ConnectSafely appropriately called the Educator’s Guide to Student Data Privacy. This is a fantastic resource to help teachers use technology in the classroom responsibly and protect their students’ privacy.
Because think about it, if we trust our children to a school every day and we trust they are being taken care of, we should be able to trust schools and teachers are protecting our kid’s privacy as well.
My 9 year old takes better selfies than anyone I know, my 12 year old talks in “hashtag speak”, and my 3 year old swipes at every screen he sees….for most kids and tweens, technology and social media in particular is an integral part of their lives. In discussions around social media and digital citizenship we discuss privacy and how important it is to safeguard our personal information, but are kids concerned about their privacy and the implications of social media posting as we are (should) be?
We have been talking about parents posting about their kids on social media, the consequences of our actions on behalf of our own kids, but what happens when kids post about kids on social media? As I found out, it can get really messy. Kids growing up on social media is inevitable. Everyone gets to be a celebrity by blogging, tweeting or posting on Instagram and Facebook. But where it gets complicated is when kids begin to have a sense of privacy and request we, parents, don’t post about them. As parents, we respect their request and move on. For example, when kids take a selfie with their friends, who gets to post? Should anyone get to post and who decides? Unlike with their parents, kids might struggle with how they feel about their friends posting about them. And thus the privacy debate.
To most kids I have talked with, privacy comes down to having control about what they choose to disclose about themselves. So when a group of kids takes a selfie, kids need to decide who gets to post it, what comment is attached to the pic and what kind of platform it is posted on. And some could argue that a kid’s privacy is respected by not identifying them by name, by not “tagging” them. But it’s more complicated than that. Kids know the difference between public and private but we need to understand the real reasons kids take selfies and how it affects the way they view the world and how the world views them. I won’t claim to have an understanding on how they negotiate between themselves who gets to post what and who gets tagged and not, but I do know that kids are looking for us to help them navigate the complicated world of social media and protect their own privacy.
Kids have a good sense of ownership of their information and could advocate for themselves if allowed. It gets a bit more difficult for them when it’s a discussion between their peers. If one kid took a picture and posts it or shares the picture and then another posts it, what happens when kids don’t like what’s been posted about them? Because, once it’s out there, it’s out of their control. Who says what about whom? Who gets to post it first? As parents, we can help them by helping them discern between public and private, between what they feel comfortable disclosing and what is not ok. We can help them navigate this messy, complicated, social media landscape, and as more and more kids gain awareness of their own privacy, the discussions between kids will get more interesting. However, I don’t think many of these conversations are taking place between kids and we should help enable that dialogue to take place. Maybe once we acknowledge that they are owners of their information and let them decide, the conversations amongst peers will happen in a constructive way.
As my kids have repeatedly told me “privacy is what you keep private” – who gets to decide this is still up in the air. My bet is on the kids……
More than half of teens go online several times a day. Some of us could argue that our kids never go “offline” as approximately ¾ of American teens say they have access to a smartphone. Not surprisingly 71% of teens use more than one social network site, defining teens as kids between 13-17 years old. The most popular social media platforms used by teens? Facebook, Instagram and Snapchat. None of these statistics are surprising. Kids willingly use and post information about themselves on social media. Then why does it matter if parents post about their kids on social media? And why are kids not happy about the fact that the adults in their lives feel as they can post anything they choose about them?
So off I went to do one of my informal, unscientific and most likely biased polls with a sample group of guinea pigs, my kid’s friends, my kid’s, willing subject matter experts…..yep – that one….
There is a clear tension between kids feeling comfortable with posting information about themselves and adults deciding what information to post about kids. And what I find most interesting is that what kids are really saying is that they want to control their privacy – maybe not in those words but that certainly is the message. It is clear how they feel between what they decide to post versus someone else deciding. And as I have conversations with kids of different ages, they are aware that, for the most part, they are not comfortable making these decisions on their own and arbitrarily. They are looking for some form of adult guidance on being responsible at least at the outset of their social media experience. Really showing a deeper insight into their understanding of the perils of social media and internet use and the importance of their privacy.
So what can adults do to help their kids? For starters, we can make sure we teach them responsible digital citizenship. They need to understand the consequences of posting information that while not all bad, some information could be embarrassing down the road. Like pictures of me in my 80’s outfits including the fantastic hairstyles of the moment, but I digress……we need to be able to teach our children what is a good app to use, which ones to avoid, and the appropriate time to post information about themselves. The more I talk to my own kids the clearer it is. Kids are growing with technology, no doubt about it, they are also growing with an increased awareness of privacy. So how do we help them navigate this social media sandbox? For starters we need to give them the decision making power of the information we disclose about them. They are a lot more comfortable when they can decide what is disclosed about them, so why not honor that?
However, parents face many challenges when trying to help their kids navigate social media platforms and apps. There are many articles about the “best apps” or the “most popular social media platforms” but little information on what apps / social media protects their privacy and data. Further, there is very little information in a format that kids can understand and relate to. So while articles like this one from EdSurge are great for deciding whether an app is useful or not, it doesn’t provide insight into the apps privacy policies. And that matters, because apps are downloaded, most likely kids provide information about themselves, and they need to understand the ramifications of providing this information.
So as our kids continue to play in the social media sandbox, we need to help them learn how to “share” or not….depending on what they want to say about themselves.
A few weeks ago, I received an email from my kid’s school. It was a letter from the Principal talking about social media use and tips for creating a safe environment for students. It’s middle school, my kid has a smartphone and continually begs for a YouTube, Instagram and Twitter account…..hence my interest in the letter (notwithstanding my interest in privacy and all things Ed-tech). Maybe not sandbox age kids but close…..
It was an interesting letter, pointing out the benefits and perils of social media (I am sure we are all saturated with these types of communication) and I almost closed my email and hit the delete button. But what made it stand out was that the letter had a list of “top ten” apps / social media sources kids are currently using and it didn’t lecture parents on good use of screen time but it provided a nice “cheat sheet” for parents to learn about these apps. Now I don’t have an excuse to say “I’ve never heard of that but my kid always uses it.”
Most of us are using social media to communicate with our personal or professional networks and a primer on popular teen social media platforms is great. They are using these platforms to communicate with their friends and showcase what is important to them about their lives. And here is where I see the tension between what our kids voluntarily post and what we, as parents, choose to post about them. We are proud parents of our moppets and can’t wait to share with the world their latest and greatest, even if the latest is them doing something that appears funny but to our kids could be potentially embarrassing either now or in the future. The New York Times recently ran an article appropriately titled “Don’t Post About Me on Social Media, Children Say”
I advocate for us to recognize kids own their data, their information. This article certainly expresses how children see their information and how it should be disclosed. It’s interesting when you read it from a privacy standpoint as it is clear to me that kids want to protect and determine what their data trail should be. When we post specifics about our kids in social media we are contributing to their data trail but we often do not ask them how they feel about it. It was not surprising to me that this generation of kids, growing up with these technology tools understand that social media is an extension of themselves. It’s worth asking if we are protecting our kids privacy when we post information about our kids, are we aware of the history we are creating for them as they act as, well….kids…..and as much as it is newsworthy to us, after all we are the proud parents, it might not be something our kids want out about themselves.
When we talk about children’s privacy we need to include the concept of agency and granting it to kids so that they can craft their own data trail. However, often this idea is viewed as radical as we are not comfortable with allowing this. There is a real struggle between what we want to disclose about our kids and what our kids want to disclose about themselves. The idea of giving kids autonomy on decisions about their data opens the dialogue into a wider context and one in which we relinquish some of our decision making abilities regarding our kids. But I can’t help but think this is a good thing. Kids can be great advocates for themselves especially when they know we are listening. Even a very young kid can state what works and doesn’t work for them in school. What would kids determine to be their history if we empower them to make the decisions early on how to craft their story. I’m sure the social media sandbox would look vastly different.
SXSWedu is described as the conference to attend when it comes to tech and education. The events are fun, the parties can be a blast, and the innovation presented is often quite impressive. SXSWedu prides itself in bringing a diverse group of stakeholders to discuss everything and anything tech, education and lately – privacy. But to me, the bottom line is that really smart people attend SXSWedu to talk about education and technology. In education, privacy is a topic discussed and debated constantly and there were many panels focused on privacy at SXSWedu this year.
I wasn’t able to attend but I asked a couple of my privacy peeps to give me their perspective and summary of what they saw in the privacy panels they attended.
Elana Zeide, Research Fellow at New York University’s Information Law Institute, an Affiliate of the Data & Society Research Institute, and an Advisory Board member of the and iKeepSafe gave me her thoughts on the conference this year and what she saw as different from last year’s discussions. Below is her summary.
“The panels were more positive than last year, when much of the discussion was about warning vendors and educators about the dangerous consequences of poor privacy practices.”
“Many panelists also noted the potential for poorly crafted student privacy legislation to cripple core information flow in schools. For example, prohibitions on collecting biometric information impeded school obligations to students with special needs.”
“People were more aware of their responsibilities when collecting and handling student data.”
“The discussion was also much more focused on actual information privacy practices instead of education policy. People finally seem to understand that creating systems to ensure appropriate use of student data is separate from issues regarding standardized testing or the Common Core.”
Amelia Vance, Director of Education Data & Technology at the National Association of State Boards of , created an awesome Storify on some of the privacy discussions of the conference. You can read her amazing recap for a summary of what the live panels focused on and where the “privacy trends” so to speak are headed.
The full storify is here – https://storify.com/ameliaivance/eduprivacy-at-sxswedu-2016
Brenda Leong, Senior Counsel and Director of Operations at the Future of Privacy Forum participated in an interactive panel focused on discussions around trust. Brenda’s recap follows.
“I participated in a summit – which is longer and more interactive than a panel – on moving toward a “trust” model for ed tech companies in partnership with schools, particularly in terms of transparency and communication with parents. It was led by CoSN (CoSN works on behalf of ed tech leaders nationwide and provides leaders with management, community building, and advocacy tools) and we ran interactive small group sessions with teachers, ed tech vendors, parents, and advocates to identify the key barriers to trust in various contexts, with follow-on discussions to propose solutions to overcome those barriers. CoSN is putting out a school evaluation process which will include some of these ideas. One key point we all recognized was ‘how far we’ve come’ from SxSWEdu 2-3 years ago when everyone was just starting to realize privacy was a “thing” that needed to be addressed in the education context. We all agreed that it’s great that it feels like we’ve passed beyond the “fear” factor and into the “data can be such a tool– let’s see what we can do with it!” perspective. (Of course still assuming we have appropriate protections in place.)”
Thanks to Elana, Amelia, and Brenda for providing insight into this year’s SXSWedu!
Much has been discussed about the role of parental consent in education when it pertains to student data. Some are of the opinion that parents should be able to choose whether their child’s data is sent to a third party or not, others don’t believe parents should have the responsibility to make this decision. The Data Quality Campaign compiled the thoughts of different voices in education and privacy and asked whether education agencies and/or 3rd party contractors be able to share student data if a parent consents to the use or should state/federal privacy law prohibit this exemption?
The DQC brought together several voices and perspectives including the National PTA and ACLU. You can read the entire post here – http://dataqualitycampaign.org/blog/2016/02/debating-parental-consent/
It’s a worthy read providing additional information for us regarding this controversial topic.
When I was a freshman in college (bear with me, it wasn’t that long ago) I had to take a required class called “Critical Thinking.” As the title suggests, it was a course designed to teach college freshmen how to discern fact from fiction. Our professor particularly focused on teaching us the skills to read articles and decide whether they presented enough evidence to be reliable sources. I am fairly certain my professor would have been disappointed at the first draft of this blog post. I jumped to a conclusion and did the opposite of what she taught us – I did not go to the sources for clarification. News came out that California will soon release the personal information of students to a non-profit community organization and I was alarmed and immediately assumed the worst. Thankfully, my wonderful privacy peeps pulled me back from the abyss and I applied my learnings to a rewrite of the original post.
According to reports, millions of public school student records are to be handed over to the Concerned Parents Association. This organization fought in court for the data to be released in spite of objections from the California Department of Education. The intent of the organization is admirable. The Concerned Parents Association aims to determine whether California schools are violating the Individuals with Disabilities Education Act (IDEA). In order to do so, they believe they need access to all information of children K-12 who are or at some point were students in the California school system since 2008. I am sure most of us that work with students with IEP’s (Individualized Education Plans) or 504 plans have more than one story to tell in which students rights under IDEA were violated. In order for this analysis to be done millions of records with student names, address, date of birth, behavior and mental information as well as health and expulsion records will be released. It’s easy to jump to conclusions regarding the safety and privacy of such sensitive information and be concerned that the information of students will be accessible and vulnerable to misuse.
But this is what I found in the court order (not everything is listed and the complete protocols can be found here) –
- Discussions were held between the plaintiffs and the CDE regarding safeguarding student data and the court approved the security process outlined in the plaintiff’s proposed discovery protocol
- Plaintiff’s counsel will carry a third party risk assessment of their IT infrastructure and protocol for storing and transmitting student data
- All sensitive data transmitted will be on fully encrypted external hard drives
- Plaintiffs are to confirm deletion of any copies of sensitive data once it has been uploaded from the external hard drives to a fully secure server
There are other protocols outlined in the court case such as maintaining a copy of all devices used to store or access the data, maintaining a list of all the names and positions of individuals who may access this information during discovery as well as the protocols to be used to notify the affected students of this undertaking as well as the opt-out form they can use if they choose to have their information removed.
While this process may not be ideal, at least there is the comfort that the court addressed some of the issues that would arise from the movement of such a massive database outside the CDE’s system. I still have concerns and I am not entirely comfortable with the idea of releasing such a big database in this format as I think it creates vulnerabilities for those records in which students could be identified. I would prefer if the data was de-identified and I don’t believe the court addressed this. The Future of Privacy Forum wrote an excellent paper on de-identification of student data (shameless plug but it’s a great paper!) There are many de-identification techniques that can be used depending on the disclosure and risk level of the data without compromising the integrity of such information.
Is the court approved protocol to safeguard the privacy of these students adequate? I am not so sure. There is a good outline on the security measures required in the transfer of files and storage but there is a difference between privacy and security. De-identifying data is not the only way to protect the privacy of students. There is also a dire need for individuals working with this information to be trained on how to maintain these databases securely to ensure the privacy of all students. Sometimes because of lack of understanding data is not handled properly and student data is exposed because it was uploaded to…..Dropbox……
Lesson learned, don’t jump to conclusions. The protocols for handling the data in this case may not be perfect but it is not the free for all scenario that is depicted in some news outlets. I am encouraged that organizations are looking to advocate for students, in particular those with disabilities, and I hope that this case brings more awareness to the need of adequate security protocols for data transfer as well as additional training for those involved in working with student data.
If you’d like to read the court order, you can find it here.
Next time I promise my college professors to apply what they so diligently taught me through my college career…..pinky promise…..
When we talk about protecting student data, we typically think of apps or student portals holding student data and the challenges of protecting this data. But the reality behind these electronic archiving mediums is that there are many human beings involved in the creation and maintenance of such systems. There are also many individuals and organizations that interact with schools on a daily basis that effectively act on behalf of the school to perform these services such as bus companies or lunch room system administrators. These individuals or organizations are called “school officials”. Under FERPA, a school official can be a teacher, counselor, admissions officer or a contractor, consultant or any organization to which a school has outsourced their services.
Students are increasingly using tech in the classroom and this technology is provided and managed by a third party (Google for example) and thus fall under the “school official” designation. We could hold a debate regarding the many concerns of multiple individuals having access to highly sensitive data. However, outsourcing services is not unusual in other environments, whether it be business, finance, technology or even medicine. And these third party providers and any sub-providers, are bound by the policies of the company they are contracted to. Parents and students have valid concerns on the amount of metadata being collected and how this is used by the school vendors. Companies are not as transparent as they need to be for us to understand their products and how the data is handled. But we also need to build a bridge between third party contractors and parents. We probably didn’t expect that our kids would go to school and have their data captured in such a way, but since this is inevitable, schools should inform parents of who the providers are so that at a minimum parents are not left wondering how their children’s data is captured and secured.
The Future of Privacy Form wrote an article on this particular topic and explains thoroughly what a school official really means and the responsibilities they hold as such.
It is important to note that although many individuals or organizations will be designated “school officials” that does not mean that they have an inherent right to all education records pertaining to students. Schools designate what information each school official receives and should be responsible when making the decision of how much data a particular vendor can have access to. A school official is in a unique position in which they may have access to tremendous amounts of information about students but they should be held accountable and act responsibly towards this data. I would love to see more communication between parents and schools regarding their school’s “school official” in order for us to understand what tasks they are performing and what data is needed. For the most part, we don’t know what apps our kids are using in school and we should have access to that information. Some could argue that providing parents with a list of all the outsource resources they use is a burden on the school, but really, all that is needed is a list of “school officials” on a website so that we can understand who the school is working with. Transparency is key and it will help build the bridge between schools and parents on how and when their children’s data will be used in school and for what purpose.
When I was in high school, a moon or two ago, I was offered a “career aptitude test” that was supposed to determine what career was best for me based on my responses. Most of us laughed at the results that came of that test. It’s 2016 and some argue that this is the year of the quantified student. Will students today laugh at that concept 20 years from now?
At first glance, one would think that the more information we can collect, analyze and provide back to students would enable them to make better choices in their education and how they carve their educational and professional paths. The claim being that with better visibility in one’s own learning patterns and behaviors we can better control the outcome of our development. With increased use of computers and apps, students are generating massive amounts of data. Data that can tell a comprehensive story of that student’s learning history as well as learning patterns, strengths and weaknesses. If we can quantify our learning then we have better insight into ourselves. But is that really the case? How do students react to the information given to them about their reading skills or mathematic learning patterns? Will students be able to see this information as a useful tool, or will they allow algorithms to determine their path? And as exciting as knowing more about ourselves may be we need to take a step back and ask the question – is it to the benefit of the student to be quantified?
More data is not necessarily more beneficial data. School should be the environment in which students are allowed to make mistakes, decide to take a class so out of their comfort zone that they might discover something new. School is the time in which mistakes can be made without fearing permanent consequences. But if we quantify student learning to such granular detail are we preventing high school students from experimenting with opportunities that can guide them to a rich a college experience?
Let’s not forget privacy. Who decides what information can be disclosed or to whom? As the quantified data grows we increasingly profile students, making the risk of exposing their data much greater. Are we protecting the student’s data trail enough that they can sufficiently control what others can see? Thus the argument continues for how to balance the ideal amount of information to enrich a student’s learning experience and control disclosure without exposing an entire dossier of information on a particular student. It seems to me that as we increasingly quantify student learning we risk shifting the focus of student data from one that is for the benefit of students to one that is for the benefit of someone else. To me that is not what student data should be about. Student data should be created, analyzed and used for the benefit of the student. If we allow quantified student data to be made available to colleges to create market driven skill sets, we are in fact negating student ownership of data. Students cease to become the focal point of education and become a product being formed to satisfy a market need and we cannot ignore students in that way.
We must understand that while generating data to quantify student progress and learning is important, we cannot create an environment that is prioritizing market needs over student needs. A student should be able to determine the educational story they choose to disclose and not have only algorithms determine the path they are to take.
As parents we are constantly making decisions on behalf of our children. We act in what we believe are the best interests of our children and, for the most part, make the decision quickly because we understand the ramifications of our choices and nobody knows our children as well as we do. Making choices involves weighing multiple options and selecting what we think is best. Sometimes we even make those choices without enough caffeine in our system and well, then we can debate the merits of our decisions….but I digress…..
An article from EdWeek discussing the new California law SOPIPA came across my desk and, of course, it caught my attention. What I found particularly interesting was the mention of parental choice exemptions and the passing of the bill without the controversial parental consent exemption. As it currently stands, SOPIPA doesn’t allow a parent to authorize sharing their children’s information to additional 3rd parties beyond the parties expressly identified in the law, for example colleges and future employers. However, if I wanted to allow my children’s information to be shared with a third party, like a reading tutoring service, I am not allowed to do so. Let’s say, for the sake of argument, that my child is struggling with reading comprehension and the school is using a particular reading program that is capturing valuable information on how my child is learning and progressing. If I decided I wanted to supplement the support by using a reading tutor after school, I could not legally give consent to have that data shared with my child’s tutor. While I do have access to my child’s data I cannot authorize the information to be released. I would have to pull it myself either by downloading the information and providing it to the tutor. An argument against these exemptions is that parents cannot be allowed to have these choices because they get convinced, even coerced, to give away all of their children’s information in exchange for a service. I’d argue that parents need to be given more credit than that. Parents should be the ones to decide what is in the best interest of their children. And thus the problem, if we cannot build a complementary support system for a struggling child, at the parent’s own choosing, then we are limiting the availability of information to third parties that could help our students. If we, as parents, cannot make the choice to have this data disclosed to a third party of our choosing, then we are not being allowed to make the decisions that we believe are in the best interest of our children. Further, if parents are not allowed to provide consent to disclose this information to a third party, the burden of figuring out what information to get and how to go about obtaining it is squarely placed on the parents. It should be relatively simple for a parent to create a connection between their school’s vendor and the additional 3rd party helping that student.
And this is why student data privacy is difficult. There are no absolutes when it comes to discussing student privacy and we need to be cognizant of the ramifications, not only of our choices, but of the decisions we make when enacting laws. However, as much as I am advocating for allowing parents to be able to decide if their children’s information can be shared with a third party, we also need to be careful that we do not shift the burden of protecting student data entirely on parents. The task needs to be equally shared among parents, schools, Ed-tech vendors and even the students. Rather than enacting absolutes as the only way to protect student data, I strongly believe that we need to encourage trust. Trust between schools, parents and students is essential for all of us to understand how data is used so that we can work together to enhance a students’ learning experience. Though there are instances where the value of data collected for education is not diminished by prohibiting disclosure, there are times when comprehensive data sets gives us the ability to provide the best learning experience for these young, developing minds.