A new data portal for students

Finally a new student data website that delivers better information on students? I was excited, thrilled actually, to learn that in New York City, parents of students in public schools would be able to view their children’s educational records (and information) on a new website replacing the previous ARIS data system. So I promptly made an appointment to go to my kid’s school to request a login and temporary password to access my children’s information.

Information in hand I quickly setup my login so that I could test drive this new data portal. NYC schools says the new portal is designed internally for less than $2 million and is expected to cost under $4 million for further development over the next four years. So what did I find? The portal has my kid’s name, address, last term’s grades and attendance. No more. As the parent of two children in elementary school (three kids actually but the third is not yet school age), I want comprehensive information on how my children are doing in school. I know where they live and how many days they have been absent. But what I do not have access to is how my children have progressed over time. There is no linked data through their school years. I know my 11 yr old has a good grade in math but what are his weaknesses and strengths? Where can he use some extra help and what can linked data tell his teacher about him next year? Unfortunately the new portal does not have any of this information.

The NYC DOE promises that at the end of the school year, report cards will go online and that test scores will be added once the state releases them. Previous year scores and test grades are expected to be added later in the year. But what the NYC DOE does not specify is if parents will have access to data analytics. If the portal will deliver more than a report card.

I was hoping for a robust buildout, a data portal that would extract the valuable student data that is most likely sitting in a black box somewhere in school. I understand more features will be added as the portal is expanded but unfortunately the kids continue to grow and study. We can’t afford to wait for a buildout. There is value in data but it is only valuable if we can have access to it.

I hope that over the next few months the portal will have added features, in particular features that provide valuable information that allows us to answer questions about our kid’s education and their progress. I would certainly love to have information on teacher assessments, curriculum, reporting and analysis of my child’s education. The portal has a section for parent comments and I’m certainly entering my wish list.

 

What does it take to protect student privacy?

 

We often discuss privacy in terms of what needs to be done to protect student data but the thing that has become clear in my conversations with different stakeholders is the need to focus on providing training and awareness to everyone involved in working with student data. In particular, teachers and school administrators.

Though there are numerous federal and state laws that regulate privacy and we are slowly building a greater awareness of what we need to do to increase protections for student data, I feel that we are often missing the point in these debates and conversations. There seems to be more information shared about students than ever before. Sometimes, teachers with all the good intentions breach a student’s privacy revealing deep personal details about their students. And even though this point is important, there is an even greater need for teachers and school administrators to understand that student data can be leaked, because of a mistake or misunderstanding on the implications of disclosing student data. Disclosing student data can hurt students. If a teacher is discussing a student, or group of students, struggling with certain issues then that student’s privacy was not protected. And failure to respond to these incidents can damage the relationship between teachers, parents, schools, etc. The trust we need to build upon is lost.

Privacy “accidents” happen, but we need to invest in educating schools on what are adequate privacy protections, what are best practices for discussing student information and protecting their privacy so they do not happen unnecessarily. There are a number of privacy best practices across other industries in which employees are trained. We need to have this structure available to schools. If we are going to invest time and funding to develop laws at the Federal and State level, we need to invest in “privacy education” for educational institutions. We must be able to explain in clear and easy terms – what does it mean to protect student privacy, what issues schools need to be educated on and why it matters. Recently the US DOE created PTAC – the best source for government guidance to learn about data privacy and of course the one stop shop for all things on student privacy and ed-tech FERPA|Sherpa (shameless plug). These are great resource, full of important information and videos, but I believe we need to be able to give teachers a support system that will enable and encourage them to learn more about privacy. We can’t just leave it up to them and hope schools are taking privacy seriously.

We leave our children in the care of teachers whom we trust. They are charged with making good decisions on behalf of our children. To do so, they require our support.

 

 

What is PPRA? Another student data privacy law

 

We hear a lot of conversation around FERPA and the need to update the law but there is another law that protects student privacy that has a different purpose, yet is no less important. That law is PPRA, the Protection of Pupil Rights Amendment. Both laws are important in that they provide protections for student privacy but they are different.

FERPA protects student educational records and ensures parental access to these records. It allows for a system enabling parents (or students) to correct inaccuracies in their records. FERPA also provides guidelines for who has access to these records and gives students the means to opt out of directory information (name, address, school clubs, etc.) that may be disclosed without consent unless a parent opts out of this disclosure.

But PPRA is completely different. PPRA’s purpose is to allow parents to limit the kind of personal information that a school may collect from students. For example, this information can be collected as part of surveys, physical examinations, or certain evaluations. The law requires that schools obtain written consent from parents when students are required to participate in any U.S. Department of Education funded survey, analysis, or evaluation. A simple way to understand the difference between FERPA and PPRA is that FERPA protects information the school already has on record and PPRA protects information that schools do not have but can collect for surveys.

It is worthwhile to clarify that the law applies to U.S. Dept of Ed funded surveys. Not all surveys that come home are necessarily funded by the USDOE. However, in 2001 NCLB expanded PPRA to include all applicable surveys in public schools, not just those funded by U.S. Dept of Ed funds in 8 protected categories:

  1. political affiliations or beliefs of the student or the student’s parent;
  2. mental or psychological problems of the student or the student’s family;
  3. sex behavior or attitudes;
  4. illegal, anti-social, self-incriminating, or demeaning behavior;
  5. critical appraisals of other individuals with whom respondents have close family relationships;
  6. legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
  7. religious practices, affiliations, or beliefs of the student or student’s parent; or,
  8. income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).

In other words –

For surveys that contain questions from one or more of the eight protected areas that are not funded in whole or in part with Department funds, LEAs must notify a parent at least annually, at the beginning of the school year, of the specific or approximate date(s) of the survey and provide the parent with an opportunity to opt his or her child out of participating.  LEAs must also notify parents that they have the right to review, upon request, any instructional materials used in connection with any survey that concerns one or more of the eight protected areas and those used as part of the educational curriculum.

So while PPRA doesn’t cover all surveys it does cover surveys that collect information considered “intrusive”. What I also learned is that it appears that in these cases, the surveys require prior parental consent otherwise the school cannot collect information from that student. And this is truly an opt-in option as opposed to an opt-out one. And worth noting that PPRA also has some other key requirements, besides surveys that have received little attention. Such as requiring that all instructional material (besides tests) be available to parents for review and (c)(1)(E) requires that every school have a local policy concerning “the collection, disclosure, or use of personal information collected from students for the purpose of marketing or for selling that information (or otherwise providing that information to others for that purpose), including arrangements to protect student privacy that are provided by the agency in the event of such collection, disclosure, or use.”

While our first reaction is to opt out our children from any school survey we need to think about what we are opting out from. It is important to recognize that some of these surveys could provide valuable feedback to schools – are the right kids getting support, lunch assistance, or are our children being discriminated against because of their race or gender? These surveys could yield important information so that schools get adequate funding or professional assistance to address deficiencies that are identified. Of course, not all surveys’ goal is to identify this. Others could be just aimed at marketing or addressing issues that we are not comfortable providing our children’s information for. The process must be clear, the mechanism for opting out clear and easy in the event parents feel uncomfortable. Parents must know what the survey is for, who is conducting it, how it is funded, how their child’s privacy will be protected. If we can trust the information we are given regarding the survey we can trust that if we decide to provide this information it will be used for the benefit of our children, and that is important.

I am a big advocate of having data and using it purposely. There is value in information. But parents must be given the information needed so that we can make informed decisions and be comfortable when providing details, sometimes extremely personal details, about our children.

 

What is an educational record?

This week I was fortunate enough to partake in two interesting but vastly different student privacy events. Both events discussed student data privacy in the context of online and personalized learning, and even though each event was presenting to different audiences (one was mostly to privacy lawyers, the other was to Ed-Tech companies) both events discussed student data in educational records. It is interesting because I think we all have different opinions of what an educational record is. According to the US Department of Education, an “’education record’ is defined as records that contain information directly related to a student and which are maintained by an educational agency or institution or by a party acting for the agency or institution” But what does that mean? At first glance I think of student grades, attendance or IEP information, but when we think of an educational record in the context of personalized learning it can mean and contain so much more.

It is worth thinking about an educational record as a more complete picture of a student’s learning story (or data trail) that is created as they use technology in the classroom. Let’s think this through – a student has a school educational record with name, address, grades, attendance etc., but then we begin to add more to it. For example, a teacher uses a certain software package to teach the math curriculum and students get guided by their hits and misses in answering questions and thus the software tailors the “teaching” to that particular student’s strengths and weaknesses. That information is stored and attached to that student. Further, this particular student has support services for an IEP and the service provider uses an educational app that assists with the therapy that is being provided to the child in school. Again, the software “learns” the student’s pattern and records that for the next therapy session and modifies the “teaching” as needed based on the progress that student makes. Finally, this student uses a school provided device that has location tracking. At this point an additional software is recording that student’s activity and whereabouts.

And while this data generation and tracking could sound creepy, there is tremendous value in the data the student generates. In particular, if parents and teachers can collaboratively work with the student. Because when we can use tech to not only improve learning but give students real feedback then we are empowering students to make decisions about them that can help them develop and disclose their educational story as they see fit.

And this brings us back to examining the educational record. If a student in a school system uses this software and generates data maintained by a third party provider – is that an educational record? And if it is, what ownership does the student really have of the data they are generating? Who has access to the data and who decides how it is used? At this point I struggle with the lack of recognition of student ownership. Because from an educational sense we are not allowing students to analyze the data trail they are creating. If we do not do that we continue to make education as something that happens to them, instead of the force by which they chart their progress.

So when we think of an educational record containing a story, a student’s story, there is a significant implication. I think it is worthwhile to allow students to partake in the creation of their record and have a say in how they share certain parts of their story.  Personalized learning, if done right, can provide tremendous opportunities, in particular for students with special needs. We say students ought to be informed, to make their own decisions but we deny them this opportunity when we do not allow them to participate in the creation of their educational record and reduce them to mere observed objects. The challenge in front of us is to deconstruct our traditional view of an educational record (paper files in a cabinet, anyone?) and allow students to make a decision on what their data trail tells someone about them and what story they would like to share. For example, once a 10 year old told me, “I like that I can explain to my teacher what makes it easy for me to learn in class but I don’t like repeating it every year”. So lets take that statement and think about it. What if students were given enough insight into their educational record so that they can point to their teachers / parents / therapists to the information that they feel someone should know about them. And while I advocate for learner control I do not think this is a case where we give kids carte blanche to add or delete to their record as they see fit. I see the educational record as a comprehensive picture of a student in which a student can decide what matters to them and what they can illustrate to a teacher. But they cannot do that if we do not allow them to help us construct their educational record. Maybe taking a look at the issue in this manner we can become more comfortable with the “proverbial permanent record”

 

A very busy week for FERPA

 

It has been a very very busy week for FERPA and it reminds me of Eric Carle’s The Very Busy Spider – the spider wouldn’t stop building her web. So as we busily build our privacy web, introducing more and more bills, I believe it is worth discussing the implications of proposing bills that severely restrict the effective use of data. Sen. David Vitter (R-LA) introduced an amendment to FERPA entitled the Student Privacy Protection Act. However, unlike other bills, this one seems to restrict the use of data to understand how we can support learners more effectively.

The bill would only allow aggregated, anonymized and de-identified data to be used for State Longitudinal Data Systems (SLDS) and prohibits predictive analytics. At first glance, using only aggregated data seems like a good idea, but here is the issue: the bill prohibits the use of data that helps measure student outcomes. It prohibits the use of federal funds to support “affective computing” that includes the analysis of physical or biological characteristics such as facial expressions or brain waves. And while I understand the concern of a neurotypical child to have this granular information captured, to the parent of a special needs child this information could prove to be the difference between the struggle of an academic journey to a successful one. If predictive analytics are allowed, the information obtained can prove invaluable to students with special needs.

What if we cannot use the data on an SLDS to determine how we are helping English Language Learners? How can we answer the question – Do you have information on English Language Learners? If we cannot track the performance and graduation rates of ELL’s, how can we be sure we are providing those children with the most appropriate resources and whether the application of those resources is successful? Or take the high school dropout rates. If we cannot access SLDS data, how can we measure success for all students? For example, we know that the dropout rates between Whites and Hispanics narrowed from 23 percentage points in 1990 to 8 percentage points in 2012? We can’t’ answer these questions without data. And if our goal is to provide a truly equitable education system, a system that serves all students, we cannot deny the use and analysis of this valuable data. Further, how can we determine how many students with disabilities are receiving support services in schools? And are these support services effective?

It is clear that most bills relating to student privacy are looking to protect student data and to respond to parent concerns. But we must be careful that in our effort to protect students we do not impose restrictions that would rob us of valuable insights on how to better serve their educational needs. We cannot make smart decisions without complete data sets.

It is clear that with so many student data privacy bills we are responding to parent’s concerns, however, we cannot make the bills so restrictive that we cannot use the data. Instead of restricting the use of data, I propose we train staff and make them aware of the implication of misuse of data but let’s not shut the system down and make decisions in a vacuum. We need the data, it’s important we be able to make informed decisions. Let’s focus on having comprehensive data sets and host them in secured environments with staff trained in the proper handling of data protocols. Knowledgeable staff educated in the ethical and effective use of data can better protect student privacy than removing data from an SLDS. Only by responsibly using relevant data can we ensure we deliver an equitable school system for all students.

 

 

Storytelling as Privacy

 

If you are the parent of a 5th grader in public school and live in NYC you most likely went through the dreaded “middle school application process” and while there are many issues to discuss around the concept of “choice” in schools in NYC one particular aspect caught my attention. A few weeks ago, this group of anxious and eager 11 year olds received their middle school acceptance letters. Teachers and Principals sent the message home to be mindful of their classmates who may not have gotten into the school of their choice and to respect their privacy. But what does that really mean to an 11yr old? So I asked my 11yr old friends (full disclosure they are my 11yr old kid and group of friends) what they thought privacy means to them. Some said Privacy is “when grown ups leave me alone” or “when I don’t want to tell someone something about myself.” Pretty interesting coming from 5th graders. To them, the notion of privacy isn’t a particular rigid set of rules and regulations. Privacy is having agency over what information they choose to disclose or not depending on the situation.

It is remarkable that to these truly connected kids, most of them having a smartphone, tablet, laptop, etc., their concept of privacy did not initially go to the electronic medium they were using and the data points they were providing. Their conception of ownership of their information and deciding how they disclose was central to their idea for defining privacy. They did not define privacy by what people should not see, they see privacy as their ability to control their own information and decide what story their information would tell. And I see similar responses when I talk to college students. Their idea of privacy is related to the concept of ownership. For most of them it’s about being able to decide when and what they want to disclose whether it is in conversations with their friends or in their social media accounts.

So as I watched these anxious soon to be middle schoolers receiving their acceptance letters, I could see the anxiety of their parents looking over their shoulder and friends wanting to know what school they got accepted into. But most kids wanted to be able to decide how and when they disclosed this truly personal piece of their story.

So as we continue our conversations around student privacy, as we debate whether laws should be updated to reflect technological advances, lets take a step back and think about how kids feel about these conversations about them that for the most part don’t include them. We talk about student privacy, we discuss what children’s data should or should not be collected but we continually leave students on the sidelines watching the debate about them but not asking for their input.

So yes, we are the responsible adults and should be making decisions that we believe are in the best interests of our children. But I urge all of us to include students in this debate. How do they feel about their privacy? Are we making decisions about their privacy when they would want something different for themselves? After all, it is their data, it is their information, it is their story. They should have a say on how their story unfolds.

 

 

 

So many privacy bills, so little time…..

 

It is May and so far 42 states have introduced 170 student privacy bills which is encouraging to know as a parent of children who will be students for quite some time. Of these, there are two Federal bills advancing in the US House of Representatives. On the one hand, Congressmen Kline (R-MN) and Scott (D-VA) circulated draft legislation to rewrite FERPA. On the other, Congressmen Polis (D-CO) and Messer (R-IN) introduced the Student Digital Privacy and Parental Rights Act. The goal of this act is mostly to regulate online service providers in a way that balances data security without hindering the ability of teachers, schools, and other stakeholders in using the data to effectively support instruction.

Which one is better? Well, I don’t think they are mutually exclusive. I think we can all agree that FERPA needs to be updated. It needs to address the privacy challenges that come with technological advancement. Something the 40 year old law hasn’t been able to keep up with. But what is interesting on the Polis-Messer bill is that it balances the essential need to protect student data and enables (and encourages) the use of technology without implementing unreasonable restrictions that would impede the effective use of data to help students improve their learning outcomes. More importantly, the bill bans online service providers from creating profiles of students that could be used for advertising to them or their parents, thus eliminating that creepy factor of profiling students for marketing purposes. And I am all for data use but certainly not when the data collected on my child will be used to advertise products or services to them.

Unfortunately neither bill addresses the dire need for training teachers, principals, school boards and even parents and students. Training so desperately needed. Without adequate training, they will not be able to identify what is appropriate (and legal) use of data. How can we expect schools to make the right decisions when it comes to safeguarding our children’s data when they do not have adequate training on data privacy and security? Furthermore, I do not see any acknowledgement of learner ownership in either bill. We must recognize students as the ultimate owners of their data, for without this recognition we will once again fail to make privacy something that is inextricably linked to their education and continue to make privacy something that just happens to students – if they are lucky. Finally, I find the option of opting out of data collection a weak portion of the bills. And it is simple – if we have the option of allowing students to opt out of LEA or SEA data sets we are limiting the ability of research organizations to determine whether education policies are working for every student or not. How can we build an equitable education system when we are analyzing incomplete data sets? They will then undoubtedly provide skewed results? We cannot adequately protect our most vulnerable students if policymakers are basing decisions on incomplete data. I urge all of us to think about the inequities we might be inadvertently creating when opting out of educational data sets. We cannot achieve a true equitable educational system with broken data.

Both bills have a way to go before they can become law, but this is why it’s important to join the conversation now when many states and the Federal government are first looking seriously at protecting student privacy – and that matters.

We have the responsibility and opportunity to help shape the debate that will result in policy at the State and Federal level and we cannot let this pass by. In the meantime, President Obama continues to encourage progress in safeguarding student data. Earlier this week the White House commended Representatives Polis and Messer on their efforts to protect student privacy. And well, that has to count for something – right???

 

 

A Guide for Parents on Student Data Privacy!

 

There are many acronyms in education but some of the most talked about recently are FERPA, COPPA and PPRA. And what does all this mean? They are 3 of the main Federal laws that pertain to student data and privacy. As parents, we need to have an understanding of these laws and how they protect our children’s privacy, but it can be confusing, so in an effort to provide information to parents the Future of Privacy Forum, Connect Safely and the National PTA launched the Parent’s Guide to Student Data Privacy to help. This guide provides an overview of the law for students and parents for it’s crucial they understand their rights.

There are increasing number of documents dedicated to addressing student data privacy – the Student Data Privacy Pledge, endorsed by President Obama (shameless plug), the Student Data Principles and now a Parents’ Guide. What is interesting is that they all address different aspects of student data privacy. The Pledge is a voluntary commitment by Ed-Tech companies to safeguard student data. The Data Principles is the education community commitment (teachers, principals, state boards of education, etc.) to build transparency and trust. Both these commitments are important, but the laws that protect student’s privacy and rights can be downright confusing. So in comes the Parent’s Guide to Student Data Privacy which much needed answers to commonly held questions – who has student information, what is FERPA & COPPA, how are they different and what do they protect? When can parents “opt out” of their children’s information from shared?

What is interesting is that all these efforts are conducive to collaboration. They might not be a cure all, but they certainly start the conversation, so let’s discuss the challenges in protecting student data in this rapidly changing world. We must ask questions, ask for comprehensive protections, demand parents be included. Otherwise, their concerns will not be represented.

Regardless of how student data is maintained in schools, parent and student rights remain the same and we must not lose sight of that. We need to know what protections the laws provide as well as how other players in education are committed to protecting student data. I encourage all to refer to the Guide. It has a number of resources for parents wishing to dive deeper, but at a minimum, we now know where to start and can be advocates for our children.

To read the Guide please click here. Hosted at our very own FERPA|Sherpa site…..more shameless plugs….

 

 

 

The positive side of data collection  

 

When we’re talking about student data privacy we’re usually talking about things that can go wrong. We forget what a powerful tool data can be. Not only does it help teachers, parents and students identify strengths and weaknesses, but it can serve as a powerful instrument for creating equity, so long as the information is managed properly with the appropriate safeguards in place.

As I talk to people involved in student data privacy, the one question that keeps coming up is “What do you want us to know and focus on as we work on student privacy?” Student data privacy is a personal issue because it involves children. So it is important that we focus on what information we need to protect for students and how that information will be used in the future. Even though the question is seemingly simple, the answers are complex. As a parent, I want lawmakers and organizations to know that having good data sets is important. That students want information that will help them “learn better”. That the data collected belongs to them. And by recognizing their ownership they will generate more useful data from which we will all benefit.

I am concerned that in our effort to protect some students some will be left behind. For example, if we limit data collection, if we allow some to opt out of data collection, how are we skewing the results of data analysis, and its usefulness. If we want equity in education, we need a comprehensive picture of the educational system: what works and what doesn’t. How can we have a diverse school that helps all children if we do not have the data on what their needs are? How can we ensure disadvantaged children receive free or reduced price lunch so they can have a productive day at school without collecting data on their parents’ income? How can policymakers enact policy that combats societal prejudice unless they have comprehensive data sets demonstrating discrimination? Furthermore, how can we help children with learning differences if we don’t know which therapies prove the most effective? All of this information is only available if we have widespread participation, just as vaccinations only prevent disease when we all get immunized.

I understand the concern that highly personal information may be accessed by unauthorized individuals which is why there must be safeguards against breaches of privacy. Strong privacy standards, confidentiality guidelines and adequate training of personnel are essential to improving the education infrastructure. We cannot leave our most vulnerable learners unprotected.

Privacy concerns about the collection of student data are real. But we cannot allow these concerns undermine our efforts to help our most at risk students. The more we know about our students the better we can provide them with opportunities to advance in school and in life.

 

 

Privacy policies and Security– can we get it right???

 

We talk about building trust so that we can work on protecting student data privacy, but it is difficult to protect student privacy only with policy. We need to also advocate for proper encryption of databases and privacy training. Only when we educate users (schools, districts, parents, students) on proper security practices can we be confident that kids’ information will be safe. Setting policy is important. It provides us with guidelines on what set of rules ought to be followed. But rules may be broken, actually, they are commonly broken. Data breaches are happening more and more often in educational institutions. Mostly, because of someone’s negligence or lack of understanding how the system works; which is why it’s so difficult for people to trust their children’s data is being properly secured. Without real consequences for those failures, all the good policies in the world will not protect student privacy. Parents and students put their information in the hands of their schools. Schools in turn put that information in the hands of the third parties they contract with. The responsibility for the data gets passed on. There has to be adequate security protocols in place.

EdTech companies need to step up and take the lead if they are to be the stewards of our children’s data. We cannot continue to put the burden of security and privacy policies on budget strapped schools. An easy first step would be if companies requested that educational apps in their stores encrypt student data. This is a good first step. Additionally, adopting standard language related to privacy and security makes understanding complex legal issues transparent.

But I also urge school districts to look at their community. Beyond privacy laws what does the school community expect when it comes to privacy? What agreement can the community come to when the issue is the collection, use and sharing of student data? And what is important for different communities when it comes to privacy? That is an important conversation that we need to have.

School districts need to understand best security practices – securing devices, strict password policies, and security audits. School staffs need training so they can understand how to identify those educational apps that provide adequate privacy protections. While there are no measures that can guarantee 100% security and protection of student privacy, awareness of the issues and a proactive approach will prove more effective by ensuring good policy is followed and acted upon. And therefore, I urge policymakers to help schools with the administration of security safeguards.

A FERPA rewrite is important, for we need to our laws and policy to keep up with technological change, but we also need to change our entire approach to security. We must focus on students and how we can use technology to create the learning environment that works best for them.