Parental choice…



As parents we are constantly making decisions on behalf of our children. We act in what we believe are the best interests of our children and, for the most part, make the decision quickly because we understand the ramifications of our choices and nobody knows our children as well as we do. Making choices involves weighing multiple options and selecting what we think is best. Sometimes we even make those choices without enough caffeine in our system and well, then we can debate the merits of our decisions….but I digress…..

An article from EdWeek discussing the new California law SOPIPA came across my desk and, of course, it caught my attention. What I found particularly interesting was the mention of parental choice exemptions and the passing of the bill without the controversial parental consent exemption. As it currently stands, SOPIPA doesn’t allow a parent to authorize sharing their children’s information to additional 3rd parties beyond the parties expressly identified in the law, for example colleges and future employers. However, if I wanted to allow my children’s information to be shared with a third party, like a reading tutoring service, I am not allowed to do so. Let’s say, for the sake of argument, that my child is struggling with reading comprehension and the school is using a particular reading program that is capturing valuable information on how my child is learning and progressing. If I decided I wanted to supplement the support by using a reading tutor after school, I could not legally give consent to have that data shared with my child’s tutor. While I do have access to my child’s data I cannot authorize the information to be released. I would have to pull it myself either by downloading the information and providing it to the tutor. An argument against these exemptions is that parents cannot be allowed to have these choices because they get convinced, even coerced, to give away all of their children’s information in exchange for a service. I’d argue that parents need to be given more credit than that. Parents should be the ones to decide what is in the best interest of their children.  And thus the problem, if we cannot build a complementary support system for a struggling child, at the parent’s own choosing, then we are limiting the availability of information to third parties that could help our students. If we, as parents, cannot make the choice to have this data disclosed to a third party of our choosing, then we are not being allowed to make the decisions that we believe are in the best interest of our children. Further, if parents are not allowed to provide consent to disclose this information to a third party, the burden of figuring out what information to get and how to go about obtaining it is squarely placed on the parents. It should be relatively simple for a parent to create a connection between their school’s vendor and the additional 3rd party helping that student.

And this is why student data privacy is difficult. There are no absolutes when it comes to discussing student privacy and we need to be cognizant of the ramifications, not only of our choices, but of the decisions we make when enacting laws. However, as much as I am advocating for allowing parents to be able to decide if their children’s information can be shared with a third party, we also need to be careful that we do not shift the burden of protecting student data entirely on parents. The task needs to be equally shared among parents, schools, Ed-tech vendors and even the students. Rather than enacting absolutes as the only way to protect student data, I strongly believe that we need to encourage trust. Trust between schools, parents and students is essential for all of us to understand how data is used so that we can work together to enhance a students’ learning experience. Though there are instances where the value of data collected for education is not diminished by prohibiting disclosure, there are times when comprehensive data sets gives us the ability to provide the best learning experience for these young, developing minds.



And the conversation continues……


28 laws in 15 states and 186 bills in 47 states….big numbers…all concerned with one topic, and no these laws and bills are not related to any issue made popular by a political campaign, the numbers refer to laws and bills written to protect student data privacy. It appears that not only did the conversation continue through 2015 but it was discussed outside of what I fondly call my “privacy geek” friends.

What made student privacy so prominent in 2015? Certainly the increased use of technology in the classroom made parents aware that their children’s information is being collected and used by different systems throughout the school districts. In 2014, EdTech funding increased by 55% and showed no signs of slowing down as 2015 came to an end. The use of MOOC’s increased and more and more students used Google Apps for Education in schools. All of this activity certainly brought an increased awareness that our little moppets’ personal information is being collected and stored in multiple systems.

We also discussed a project called LearnSphere meant to help educators understand student learning “better”…. fascinating if we can figure that one out but even more interesting was the fact that the project claims that the student data collected and used is de-identified and focuses on maintaining student anonymity.

Student Privacy was prevalent enough that the Electronic Frontier Foundation (EFF) filed an FTC complaint against Google arguing that the company was in violation of the Student Privacy Pledge. Noteworthy that the Student Privacy Pledge (200 signatories strong) proved to be a viable enforcement mechanism, which the EFF used to file their complaint….so there’s that. You can read the EFF complaint here and the Future of Privacy’s response to the complaint here.

At the federal level we had the reauthorization of the Elementary and Secondary Education Act (ESEA) but it was kinda disappointing (ok, very disappointing) to see that it failed to include significant protections relating to student data privacy. Especially considering that FERPA is well, you know, in its fourth decade and counting without any touchups…..

And closing the year strong, because we all needed to feel better about the toys our kids play with, big toy manufacturers had major data breaches. Not exactly the holiday present we were all waiting for. And as problematic as the breaches present, on many different levels, it brings parents, advocates and tech companies back to the table to continue discussing the issues surrounding the collection of data from minors.

2016 promises to be an interesting year. After all, kids will increasingly use technology at home and in schools. Even my 3 year old picks up a phone and pretends to receive and send emails. Technology is going to continue to increase its presence in all facets of our lives. Student data privacy will and should continue to be discussed so that we can protect kids’ information as much as we can. And maybe, 2016 is the year we finally stop talking about inBloom….wishful thinking.

Wishing all of you a very Happy New Year full of peace, good fortune and of course, privacy!



All I want for the holidays is…..privacy


It has been an interesting year in student privacy. It has been a very interesting year for me as I navigate a new school system with apps and integrated student portals I did not have access to before. But nothing can compare to the recent data breaches in the toy industry. So in this season of gift giving, all I want for the kids is some privacy……

It is easy to begin to condemn the different companies that were breached recently such as V-Tech, Barbie and now Hello Kitty, not only because of the size of the breach, but also because of who these breaches affected. The data breaches appeared to have affected a very large number of people – close to 5 million, if not more. When we think of data breaches we think of name, address, credit card info, birthdate etc. being breached, in some cases we disclose deeply personal information to companies such as healthcare information. But what makes it more problematic to me is that minors’ information is now in the hands of hackers that can take a child’s information and run with it.

But the privacy discussion has to be broader than being appalled at the lack of security surrounding children’s data. Once the breach happened with children’s information we can’t help but shift the conversation to discuss not only how this breach happened but what could be done to protect this information. For starters, children’s accounts were linked to their parents’ accounts. Why wouldn’t these companies silo the data sets so that if hackers wanted credit card information they would not be able to immediately link to children? I also read that the data was encrypted with antiquated systems at best. Now, I am not a data encryption expert but when it comes to personal data (in particular children’s) we should be thinking of encryption as a necessity in which corners cannot be cut, not ever. Data at rest encryption anyone?

Further, hacking children’s data takes it to a different level of concern. Most of these toys collect personal preferences from the kids playing with them. It is not only name and address that is collected but patterns, behaviors, reactions to the toy. So if a hacker has access to this information they could have a detailed picture of a family’s routines and a child’s interests etc.

So what do we do? I believe we need to reexamine how the data is collected and stored. If parent and child accounts are linked, then you literally have offered the keys to the kingdom to anyone hacking into the system. Toy companies in particular must have adequate encryption and security standards surrounding their customers’ information. Don’t forget these customers are children, little human beings. More importantly, we need to ask what data does a toy really need to work, and if the data collected makes us uneasy in the slightest way, well, maybe we shouldn’t be collecting that information for a child to play with a toy.

Finally, I think we all need to be conscious that we don’t collect (or provide) so much data from children that they turn into data entities void of any human connection. I have spoken to app and software developers and in the midst of their excitement they tend to forget who their end users are. When it comes to toys or apps geared to the under 18 crowd, we must remember that there is a little person at the other end utilizing and providing personal information in order to be entertained, engaged and challenged in their play and development. We are responsible for ensuring only the necessary data is collected, if at all. We are responsible for protecting the data collected from children. We must ensure that not only is data safe but that children are safe in case of a breach. We owe them that gift for the holidays.




Predictions for 2016 and Education Data Privacy


It has been a busy year for student data privacy with many laws passed and federal bills introduced. So no one better than super privacy geek friend, Amelia Vance to sum it up for us and give us her predictions for next year. No predictions of when the apocalypse will hit, but certainly excellent information of what happened and what to expect for 2016. Thanks Amelia!!!!

As ordinary Americans listen to an endless loop of Christmas carols, buy last-minute presents, and look forward to a couple days (or weeks) off, student data privacy geeks like me are gearing up for the new year. 2015 was an incredibly exciting year: 28 student data privacy laws passed in 15 states, which added to a total score of 30-plus states that passed at least one law on this topic since 2013. The action was not confined to state legislatures: eight federal bills were introduced in 2015. As with the state legislation, these bills varied in approach, with some focused on regulating the ed tech industry and some on putting new rules in place for schools. A few states included provisions for both: Georgia, Virginia, Delaware, and Nevada.

What is next? After two years, is it time for this topic to move off the front page of the newspaper?

I predict that public consciousness on this topic will grow even larger in 2016. Here are some things to look out for:

Jingle Bills, Jingle Bills: In 2015, 186 bills were introduced in 47 states. While we likely will not have quite so many when legislative sessions start in 2016, I still think almost every state legislature will introduce legislation on student data privacy. Few will pass. Why? Because…

Congress Is Coming to Town: By passing the Every Student Succeeds Act (ESSA) –the new version of No Child Left Behind –Congress proved it can still pass significant laws that affect every American (learn about ESSA here). Both the House and Senate introduced student data privacy bills this year, giving education organizations, privacy advocates, and the ed tech industry time to weigh in on what the federal role should be. The bills most likely to move in Congress are a school-focused bill that rewrites the Family Educational Rights and Privacy Act (FERPA) (introduced by Representatives Rokita, Fudge, Kline, and Scott) and two industry-focused bills (introduced by Representatives Polis and Messer on the House side and Senators Blumenthal and Daines on the Senate side).

I predict that many state legislatures will wait to pass new laws until they see whether the feds weigh in. However, this doesn’t mean states won’t be busy.…

All I Want for Christmas Is Implementation: Several states – most prominently California in January and Georgia in July – will begin implementing their muchvaunted student privacy laws in 2016, and we likely will see those states struggling with how to avoid accidental consequences and ensure these laws are followed at the classroom level. As I’ve said before, training (both teachers and administrators) and capacity building are essential to any student data privacy law being effective, and few state laws passed this year mentioned training or provided funds for capacity building. Some great groups are trying to support this work in many different ways, including publications highlighting best practices, badges on ed tech products so teachers can identify which have adequate privacy protections, and free online courses. However, there are 3.1 million teachers and 804,000 administrators in the country, so it’s safe to say much more support is needed. Look out for attempts to fix this problem in 2016.

Do You Hear What I Hear? Some new topics will hit front pages and be inserted into state bills in 2016. In October, the American Civil Liberties Union released model student data privacy legislation that called on states to address the amount of data schools hold as they monitor student devices. Look for privacy bills regarding 1:1 devices in 2016! Other topics that may come up are teacher data privacy, the privacy of student medical data in school records, and questions about how algorithms are used to make decisions in education.

In sum, this topic isn’t fading away. No matter what happens, there will be plenty to keep student data privacy geeks busy.


Amelia Vance is the Director of Education Data & Technology at the National Association of State Boards of Education. You can reach her with any questions or comments at [email protected].



What is the Privacy K-12 Curriculum Matrix ?


My kids have never used a rotary phone, we typically joke that my youngest swipes at any screen he can get near, we “complain” that our tweens and teens do not look up from their screens whether it is a phone, a tablet or a computer. So it is understandable that with all these technologies we are continually discussing the issue of privacy and security surrounding kids. The reality is that kids are growing, living and breathing technology whether they see it in school or at home. One of the biggest questions I struggle with is how much screen time do we allow, how much oversight should we have of their online activities, and how much personal information are they giving away when downloading and using apps. Students need to develop their own ideas and decide what works for them. However, because they are kids, we need to help them along.

With that in mind, The Internet Keep Safe Coalition (iKeepSafe) has released the Privacy K-12  Curriculum Matrix to help us understand some of the privacy and security issues our children face. Dr. Daniel Solove wrote an excellent blog about the Matrix (full disclosure, he helped in the project). The Matrix contains an overview of the privacy issues that should be taught in school at different grade levels. We often talk about the need to help students make their own informed decisions and this Matrix helps to navigate the complicated world of privacy and security.

You can read the entire post here

So as the year-end holidays are approaching, let’s help kids be more aware of the privacy and security risks they are vulnerable to.



The Power of Data and Transparency


“It’s a massive database and why do they need so much information?” That was what someone said to me the other day when talking about student data. When we think of databases, we most likely think of enormous files that contain every piece of information whether it’s needed or not. Some databases could potentially include information we don’t even know is collected about us. But I have learned not all data is created equal when it comes to education data. I often get asked how I got involved in the student data privacy debate. It’s not a simple answer but I can try – I am a parent of three children, children that are students in a system that increasingly collects data on them. I am concerned about the information collected on my kids but more importantly on the security and privacy protections that surround it. I have worked for over 15 years in an industry that handles tremendous amounts of financial information and I wanted to understand the differences and sensitivities around the different types of data. My friends would probably say the biggest reason I am involved is because “she can’t keep quiet and tries to get involved to understand what is going on.”

And who wouldn’t be concerned when we read about State Longitudinal Databases (SLDS.) According to the US Department of Education, the program provides grants to states to design, develop, and implement statewide P-20 longitudinal data systems to capture, analyze, and use student data from preschool to high school, college, and the workforce. But the reality is that these databases provide valuable information as to how students are being served (or not) by the educational system. For example, an SLDS can provide information on when students enroll, transfer or drop out of school. It can also provide graduation rates for particular schools. This information is valuable when deciding how to allocate resources. Further, the stories these data sets can tell are significant. For example, Melinda Anderson’s article in The Atlantic poignantly explains that the need for a diverse teaching body is essential for an equitable learning experience for all children, in particular students of color because studies have shown that students of color are disproportionally discriminated against – “One study in 2007 found that youth aged 10 through 19 had just as much “implicit racial bias” as older generations did—and compared to some age groups, even more of it.” Further, Statewide reports can provide information on equity and reports that can help close achievement gaps. But none of this discussion could take place without big data sets so that analysis could be done

I would like for all of us be aware that in our effort to protect student data we might inadvertently prevent the collection and proper analysis of these important stories. We must be careful that in our effort to protect some students we are leaving others vulnerable and we just cannot afford to do so. The Data Quality Campaign has great information, in particular this one “separating Fact from Fiction” that illustrates clearly what information is collected and why. It also references an article by Elana Zeide regarding the so called “Permanent Record” and it’s virtual non existence in the k-12 space.

So the next time we talk about collecting information about our children let’s take a good look at what information is being provided and how it will be used. Because without educational databases we will not be able to determine who is getting a good education and who is unfairly being targeted.

So the next time we think about “massive databases” let’s acknowledge that there is a good side to them and we must take advantage. And this nifty graphic from Data Quality Campaign illustrates who can access student data and how it can be used. And no, I am not saying that more information than we need should be collected. Nor am I making the claim that the system is perfect. But we cannot perfect the educational system (or any system for that matter) without this valuable information.


Google, surveillance and student privacy


Having technology in our new schools has been an adventure. It’s exciting to watch the kids have access to technology and integrate it into their education. Even more interesting is how the technology has not taken over instruction but is a compliment to the teacher’s toolkit. And so it goes in middle school with the latest announcement “all students will use Google apps for education and will have an email account. They can upload their homework etc etc etc”

Very exciting, I guess. So naturally I asked my middle school son what he thought of the use of Google apps in school. His response “I hate it.” Yep, he hates it. I asked him why and the answer had nothing to do with functionality, purpose, ease of use, or anything else. He hates it because he said “teachers and the principal can see everything we do. We have no privacy. We can’t send an email to a friend in school because we know teachers can read our stuff.” His statement made me stop and think, and not because he is frustrated that a teacher will read something intended for a friend but I was taken aback when he expressed the feeling of being observed all the time. And so goes their privacy. We talk about listening to students and acknowledging their voices when it comes to privacy discussions but the sentiment “on the ground” so to speak, is very different. And it could be that teachers are conveying the message in a manner that make kids feel under observation the whole time. I am not saying that there shouldn’t be a degree of monitoring school accounts and that teachers should make their students aware of this, but there is a big difference between knowing your emails are being scanned for appropriateness and feeling under surveillance.

However, I do feel that we can take advantage of this situation and use it as a teaching moment for our students. The same constraints they feel in school are actually the same constraints we all operate under at work with our employer’s email. And I think that to make this a true teachable moment, we need to acknowledge that students can understand more than we give them credit for. At work, most of us sign an understanding that our work email is the property of the employer, can be monitored and should not be used for personal correspondence. For students, their school email is their “work” email and maybe we should convey that clearly to them. There is a difference between their online “school environment” and their online “personal environment”. Personal messages to friends should not be sent through school email but notes to a friend on a class project are fine. This takes me back to when email first started to be used at work (and yes, I am dating myself here but bear with me) and the CEO of the company I worked with at the time sent out a memo on the company’s email and internet use policy. He wrote “never write anything on an email that you would not be comfortable printed on the front page of a national newspaper”, and that message has stayed with me through the years. Maybe we need to explain this to students so they understand the difference between monitoring and surveillance and we should be cognizant of the message we are conveying and how it is perceived by students.

There is so much reading material on student privacy and debates on what should and shouldn’t be collected for educational purposes when it comes to student data but I didn’t find many materials on adequate teacher and school staff training, particularly helping adults convey the message to students. So I turned to a few blogs I frequently read and found this one by tech teacher extraordinaire Rafranz Davis and she, of course, had written something that related to my kid’s statement “When we decided to move forward with creating our student Google Apps accounts, I started to hear all about monitoring of teacher and student accounts.”

Rafranz explains why we need to provide teachers with the tools to implement tech effectively in the classroom and not only to use tech for tech’s sake but with purpose. Tech in the classroom cannot be effective if we only use it to “test prep” or because the kids are entertained. It needs purpose. And there has to be monitoring of students because they are being used in the school system but we have to convey the correct message to students or they will literally shut the system out. There is a big difference between monitoring student accounts for appropriateness and conveying a feeling of surveillance to kids. So much so that they decide to not use their Google accounts in school and would rather text each other. So a tool that could be very effective in communicating and helping students in their day to day classes is not being used because we, adults, have not communicated correctly with students.

Rafranz Davis’s post details some of the challenges in implementing tech in schools. More importantly, it highlights the need for adequate teacher and student education on the appropriate use of tech and how to respect student privacy while monitoring school accounts without the school becoming a surveillance state.

If you want to read the entire post you can do so here at Confessions of a Digital Leader

And let’s not forget to listen to the kids!


Reader friendly privacy policies are possible



This school year has certainly been an adventure for my family on some many levels, and I am tickled every time my kids come home with a new school letter informing me of the new app/software/technology they are using. Of course, everything that comes home is received with a healthy dose of skepticism from me. I read the flyer, peruse the app website, read the privacy policy and then get mildly annoyed at the incomprehensible language on privacy policies and sometimes give up when I can’t, for the life of me, find such information.

So when my third grader came home with a teacher’s letter that stated she had been signed up for a new app in school meant to “excite and encourage kids to read” I was less than enthused. I took a deep breath and went to the website to see what this was all about. And I was pleasantly surprised.

For starters, the privacy policy link is easy to find. That makes a big difference because every little thing matters, and it makes for a much better user experience. Once I pulled up their privacy policy I began to read it.

Of course, I was bracing myself for pages and pages of legal terms and complicated policies but that was not the case here! This app has one of the most user friendly privacy policies documents that I have seen in a long time.

I was encouraged when I began to read their privacy policies. The first three paragraphs help build my confidence as a user / parent and clearly explain what the company does and what their approach to privacy is. Not wasting time, in the second paragraph, the company laid out why they take extra precautions when signing up kids for their software. They explain that because the platform is meant for children 13 and younger they need to make sure that appropriate security and privacy practices are in place. They continue and explain that they need to comply with COPPA and include a link to the COPPA website. Further, it reminds us, parents, that we need to talk with our children about online safety and to stay involved in the kid’s online activity.

I really like how easy the document is laid out, it has short and easy to read paragraphs. All the sections have a heading in bold from what they are using cookies to through IP information and other information they collect. They clearly state how the student information is stored and they clarify that they encrypt all PII whenever it is transmitted.

Most of us have legitimate concerns of how our data is transferred to an unknown party in the case of a sale, merger or bankruptcy situation and most privacy policies do not explain clearly how data is handled in these cases. However, in this case, the company clarifies that even though the data may be transferred or sold they will notify you about this change before transferring any information and states that you may decide to continue or discontinue the service at that time. They do note that it is our own responsibility to check back regularly in case the privacy policies change (and that is fair) but they also state that if any material changes to the policy are made, they will seek consent via email before the changes become effective.

Is this the perfect privacy policy? No, not at all. But it is a marked improvement from many others I have read. What strikes me every time I read a privacy policy is that the language is so difficult and the document is so long that no one reads them. This privacy policy is 5 pages long (I printed it) and it’s in pretty decent font! It is easy to understand and follow and answers most of the main questions I have as a parent. More importantly, as I read through the policy, I felt that student and parental concerns are addressed and acknowledged. A much better place to be than dismissing parents and students.

I would like for more companies to adopt a similar format. It would be a welcome change by all of us, but more importantly I believe that a tone friendly privacy policy bridges the gap of communication that is currently abysmal between parents and software companies. Let’s keep it going. Reader friendly and effective privacy policies can exist.



Whose Data is it Anyway???


A year ago I had the honor to participate in a panel at SXSWedu called “Whose Data is it Anyway”, it was an engaging conversation in which we addressed, head on the issue of student ownership of data. The tension in the debate between acknowledging student ownership and privacy was interesting in that there are still many parties that do not recognize the need for bringing students and parents into the conversation.

Last week EdSurge hosted a panel on this very same topic. The panel included diverse voices from the EdTech, legal and education fields. They discussed how Edtech leaders should address privacy issues while still advancing opportunities. And while the debate is complex and worthy of a much bigger time slot than a podcast the panelists raised good points such as – how are investors, entrepreneurs and educators responding to privacy and security concerns, do companies need to comply with all the demands of privacy critics or should they decide how much they can comply with? Finally, can all stakeholders somehow reach an understanding and a midpoint in which we can agree that concerns are being addressed.

I still feel we need to get student voice included in the conversation and I think these panels would have greater depth as it would make us aware of privacy “blind spots” we cannot see unless we bring other participants into the conversation.

You can listen to the EdSurge podcast here



Student “surveillance” and their right to privacy


When I was in school (yes, dinosaurs still roamed the earth), we used to cover our notebooks or tests with our hands because we didn’t want others to see our work. We wanted to keep our school work private. When we ask our kids what they did in school we get the timeless classic “nothing” or “stuff.” So is there anything wrong when a teacher gives us the opportunity to take a look at what happens in our child’s classroom? A couple of weeks ago I saw a Tweet about a teacher using Periscope (the social media app that lets you see the world through someone else’s eyes) and his statement of how much parents appreciated “the ability to watch their kids while they were in school.”

At first glance that might seem like an interesting and exciting proposition but there is something that doesn’t sit right with me. Where do parent’s rights over their children become too overreaching that they supersede student rights? Or should they supersede student rights? The question becomes more complex when we discuss student ownership and acknowledging that students are owners not only of their data but of their education. So humor me for a second and let’s say we finally agree to give students agency and ownership of their education. If we do, would we feel that it was ok to look into their classroom through an app everyday? Maybe not.

I think it’s worthwhile to ask students how they feel about being observed through an app. An app that their parents use to observe their behaviors in the classroom. Which leads me to a proposed state law in Wyoming that would make it illegal for school districts to demand access to student’s social media accounts. In this proposal, the bill would make it a misdemeanor for school officials to request information from a non-school account. In addition, school officials cannot access or view the student’s account unless they get parental permission. This bill is making the argument that it is not ok to feel we can access all of the student’s information because as Sen. Cale Case, R-Lander, said “if you look through someone’s tablet and go through it, it’s like going through the kid’s house.” But we obviously need to be careful we do not make any law so restrictive that it impedes either school’s ability to function or be able to help students in need. Students can no longer simply cover their work with their hands so that no one can see it. Students are vulnerable to parents having total access to their school day through the use of technology, schools can access student work through school provided hardware and schools could potentially monitor students through their social media activity and we need to ensure that we do not blur the line between a student’s school life and life outside school. Because when we do, we risk taking away any sense of ownership from students. Ownership that can empower them to make decisions about their own education as well as how and what they disclose on social media. If we disavow their right to ownership, we risk on enacting laws so restrictive schools can’t conduct their day to day operations as well as neglecting a student’s education and their right to build their data trail in the way they feel represents them the best.

The more people looking at student data privacy laws the better, the more people advocate for increased protections for student privacy the better, the more voices that are brought into the conversations the better. But we cannot and must not go from protecting student data privacy to surveillance.