All I want for the holidays is…..privacy


It has been an interesting year in student privacy. It has been a very interesting year for me as I navigate a new school system with apps and integrated student portals I did not have access to before. But nothing can compare to the recent data breaches in the toy industry. So in this season of gift giving, all I want for the kids is some privacy……

It is easy to begin to condemn the different companies that were breached recently such as V-Tech, Barbie and now Hello Kitty, not only because of the size of the breach, but also because of who these breaches affected. The data breaches appeared to have affected a very large number of people – close to 5 million, if not more. When we think of data breaches we think of name, address, credit card info, birthdate etc. being breached, in some cases we disclose deeply personal information to companies such as healthcare information. But what makes it more problematic to me is that minors’ information is now in the hands of hackers that can take a child’s information and run with it.

But the privacy discussion has to be broader than being appalled at the lack of security surrounding children’s data. Once the breach happened with children’s information we can’t help but shift the conversation to discuss not only how this breach happened but what could be done to protect this information. For starters, children’s accounts were linked to their parents’ accounts. Why wouldn’t these companies silo the data sets so that if hackers wanted credit card information they would not be able to immediately link to children? I also read that the data was encrypted with antiquated systems at best. Now, I am not a data encryption expert but when it comes to personal data (in particular children’s) we should be thinking of encryption as a necessity in which corners cannot be cut, not ever. Data at rest encryption anyone?

Further, hacking children’s data takes it to a different level of concern. Most of these toys collect personal preferences from the kids playing with them. It is not only name and address that is collected but patterns, behaviors, reactions to the toy. So if a hacker has access to this information they could have a detailed picture of a family’s routines and a child’s interests etc.

So what do we do? I believe we need to reexamine how the data is collected and stored. If parent and child accounts are linked, then you literally have offered the keys to the kingdom to anyone hacking into the system. Toy companies in particular must have adequate encryption and security standards surrounding their customers’ information. Don’t forget these customers are children, little human beings. More importantly, we need to ask what data does a toy really need to work, and if the data collected makes us uneasy in the slightest way, well, maybe we shouldn’t be collecting that information for a child to play with a toy.

Finally, I think we all need to be conscious that we don’t collect (or provide) so much data from children that they turn into data entities void of any human connection. I have spoken to app and software developers and in the midst of their excitement they tend to forget who their end users are. When it comes to toys or apps geared to the under 18 crowd, we must remember that there is a little person at the other end utilizing and providing personal information in order to be entertained, engaged and challenged in their play and development. We are responsible for ensuring only the necessary data is collected, if at all. We are responsible for protecting the data collected from children. We must ensure that not only is data safe but that children are safe in case of a breach. We owe them that gift for the holidays.




Predictions for 2016 and Education Data Privacy


It has been a busy year for student data privacy with many laws passed and federal bills introduced. So no one better than super privacy geek friend, Amelia Vance to sum it up for us and give us her predictions for next year. No predictions of when the apocalypse will hit, but certainly excellent information of what happened and what to expect for 2016. Thanks Amelia!!!!

As ordinary Americans listen to an endless loop of Christmas carols, buy last-minute presents, and look forward to a couple days (or weeks) off, student data privacy geeks like me are gearing up for the new year. 2015 was an incredibly exciting year: 28 student data privacy laws passed in 15 states, which added to a total score of 30-plus states that passed at least one law on this topic since 2013. The action was not confined to state legislatures: eight federal bills were introduced in 2015. As with the state legislation, these bills varied in approach, with some focused on regulating the ed tech industry and some on putting new rules in place for schools. A few states included provisions for both: Georgia, Virginia, Delaware, and Nevada.

What is next? After two years, is it time for this topic to move off the front page of the newspaper?

I predict that public consciousness on this topic will grow even larger in 2016. Here are some things to look out for:

Jingle Bills, Jingle Bills: In 2015, 186 bills were introduced in 47 states. While we likely will not have quite so many when legislative sessions start in 2016, I still think almost every state legislature will introduce legislation on student data privacy. Few will pass. Why? Because…

Congress Is Coming to Town: By passing the Every Student Succeeds Act (ESSA) –the new version of No Child Left Behind –Congress proved it can still pass significant laws that affect every American (learn about ESSA here). Both the House and Senate introduced student data privacy bills this year, giving education organizations, privacy advocates, and the ed tech industry time to weigh in on what the federal role should be. The bills most likely to move in Congress are a school-focused bill that rewrites the Family Educational Rights and Privacy Act (FERPA) (introduced by Representatives Rokita, Fudge, Kline, and Scott) and two industry-focused bills (introduced by Representatives Polis and Messer on the House side and Senators Blumenthal and Daines on the Senate side).

I predict that many state legislatures will wait to pass new laws until they see whether the feds weigh in. However, this doesn’t mean states won’t be busy.…

All I Want for Christmas Is Implementation: Several states – most prominently California in January and Georgia in July – will begin implementing their muchvaunted student privacy laws in 2016, and we likely will see those states struggling with how to avoid accidental consequences and ensure these laws are followed at the classroom level. As I’ve said before, training (both teachers and administrators) and capacity building are essential to any student data privacy law being effective, and few state laws passed this year mentioned training or provided funds for capacity building. Some great groups are trying to support this work in many different ways, including publications highlighting best practices, badges on ed tech products so teachers can identify which have adequate privacy protections, and free online courses. However, there are 3.1 million teachers and 804,000 administrators in the country, so it’s safe to say much more support is needed. Look out for attempts to fix this problem in 2016.

Do You Hear What I Hear? Some new topics will hit front pages and be inserted into state bills in 2016. In October, the American Civil Liberties Union released model student data privacy legislation that called on states to address the amount of data schools hold as they monitor student devices. Look for privacy bills regarding 1:1 devices in 2016! Other topics that may come up are teacher data privacy, the privacy of student medical data in school records, and questions about how algorithms are used to make decisions in education.

In sum, this topic isn’t fading away. No matter what happens, there will be plenty to keep student data privacy geeks busy.


Amelia Vance is the Director of Education Data & Technology at the National Association of State Boards of Education. You can reach her with any questions or comments at [email protected].



What is the Privacy K-12 Curriculum Matrix ?


My kids have never used a rotary phone, we typically joke that my youngest swipes at any screen he can get near, we “complain” that our tweens and teens do not look up from their screens whether it is a phone, a tablet or a computer. So it is understandable that with all these technologies we are continually discussing the issue of privacy and security surrounding kids. The reality is that kids are growing, living and breathing technology whether they see it in school or at home. One of the biggest questions I struggle with is how much screen time do we allow, how much oversight should we have of their online activities, and how much personal information are they giving away when downloading and using apps. Students need to develop their own ideas and decide what works for them. However, because they are kids, we need to help them along.

With that in mind, The Internet Keep Safe Coalition (iKeepSafe) has released the Privacy K-12  Curriculum Matrix to help us understand some of the privacy and security issues our children face. Dr. Daniel Solove wrote an excellent blog about the Matrix (full disclosure, he helped in the project). The Matrix contains an overview of the privacy issues that should be taught in school at different grade levels. We often talk about the need to help students make their own informed decisions and this Matrix helps to navigate the complicated world of privacy and security.

You can read the entire post here

So as the year-end holidays are approaching, let’s help kids be more aware of the privacy and security risks they are vulnerable to.