Privacy policies and Security– can we get it right???


We talk about building trust so that we can work on protecting student data privacy, but it is difficult to protect student privacy only with policy. We need to also advocate for proper encryption of databases and privacy training. Only when we educate users (schools, districts, parents, students) on proper security practices can we be confident that kids’ information will be safe. Setting policy is important. It provides us with guidelines on what set of rules ought to be followed. But rules may be broken, actually, they are commonly broken. Data breaches are happening more and more often in educational institutions. Mostly, because of someone’s negligence or lack of understanding how the system works; which is why it’s so difficult for people to trust their children’s data is being properly secured. Without real consequences for those failures, all the good policies in the world will not protect student privacy. Parents and students put their information in the hands of their schools. Schools in turn put that information in the hands of the third parties they contract with. The responsibility for the data gets passed on. There has to be adequate security protocols in place.

EdTech companies need to step up and take the lead if they are to be the stewards of our children’s data. We cannot continue to put the burden of security and privacy policies on budget strapped schools. An easy first step would be if companies requested that educational apps in their stores encrypt student data. This is a good first step. Additionally, adopting standard language related to privacy and security makes understanding complex legal issues transparent.

But I also urge school districts to look at their community. Beyond privacy laws what does the school community expect when it comes to privacy? What agreement can the community come to when the issue is the collection, use and sharing of student data? And what is important for different communities when it comes to privacy? That is an important conversation that we need to have.

School districts need to understand best security practices – securing devices, strict password policies, and security audits. School staffs need training so they can understand how to identify those educational apps that provide adequate privacy protections. While there are no measures that can guarantee 100% security and protection of student privacy, awareness of the issues and a proactive approach will prove more effective by ensuring good policy is followed and acted upon. And therefore, I urge policymakers to help schools with the administration of security safeguards.

A FERPA rewrite is important, for we need to our laws and policy to keep up with technological change, but we also need to change our entire approach to security. We must focus on students and how we can use technology to create the learning environment that works best for them.



A FERPA Rewrite?



This year, student data privacy seems to be more popular than ever. Consider this, as of March 5th, there were 138 bills addressing student data privacy. Even more interesting is how student privacy has become such a big part of the conversation in state legislatures. The main message, seems to be, how can states keep student data safe and secure while still continuing to use it to support learning?

However, what is particularly interesting is the proposed rewrite to the Family Education Rights and Privacy Act (FERPA). This rewrite would expand parental rights, set guidelines for student data use by third parties and establish penalties for failure to follow these guidelines. Congressmen John Kline and Bobby Scott circulated a draft of the proposal amongst several organizations asking for comments. Now, I haven’t seen the draft but I hope that everyone reading this is focused on building an infrastructure which safeguards student data so we can all get the most out of the technological advances sure to come. I would love to see clear guidance for schools and other education institutions. Teachers, school board members and other personnel require training on data usage by third party vendors. It is important to get this right because as Amelia Vance, NASBE’s director of education data and technology so rightly said – When regulating student data privacy: Don’t throw the baby out with the bathwater.

I see a great need to acknowledge that school personnel, school board members and third party vendors will require training on adequate data usage and protection. We can pass new laws and update FERPA, but it will not make a difference unless the people charged with carrying out these mandates are adequately prepared. The burden increasingly falls on school administrators, and what are they to do when they have limited time and are in an already budget strapped school?

The legislation will also require educational institutions to enter into a written agreements with a third parties before any data sharing can occur. This is, I believe, one of the strongest points being made on the Bill. This requirement prohibits third parties from sharing information with others unless there is a clear written agreement to do so and that this agreement is compliant with federal law. If the Bill manages to establish what requirements the written agreements should have we could be looking at increased student data protection as it relates to third party usage. Further, if strong guidelines for security standards are outlined, there could be an increase in the safety of student data as clear security standards will need to be adhered to. Requiring strong security standards for third parties will create a greater security net for student data provided there are clear and steep penalties if third parties do not comply with these requirements.

I will certainly keep an eye on this draft as it moves through. I strongly urge anyone providing direct feedback to consider that as much as strong privacy policies are essential, the ability for students to use technology, own their data and be confident it is safe, private and secure is really what matters in this debate. Let’s continue to work on protecting student data privacy. We need to be smart about how to best protect student data, because the impact of any legislation passed will be felt for years to come. Many of these consequences are unforeseeable and we do not want to hamper the development of what could be valuable tools for helping our students learn.

Any suggestions to add to the FERPA rewrite?



What challenges are school boards facing when it comes to protecting student privacy?


Guess what?? I got to meet Kathleen Styles, the US Department of Education Chief Privacy Officer. Not only did I get to meet with her, we had the opportunity to talk student privacy and the challenges ahead. All this happened as part of a panel I participated on at the National School Boards Association (NSBA) conference in Nashville. With the increased use of student data systems and SLDS used for education decision making and reporting, this panel was particularly important for members of School Board Associations.



During the panel discussion, there were many questions about how to best protect student privacy without impeding the effective use of this information. How do we preserve the reliability of the data while ensuring student privacy? The unanimous consensus is that we need to balance the need for student data with protecting student privacy. This balance can foster trust between the stewards of the data (schools) and the owners of this data (students and parents). But how do we get there? How do we get to the point that we trust schools and school boards to make the right decisions when it comes to ensuring student privacy? My claim is that we need transparency to build trust. We cannot have privacy discussions in a vacuum or enact one-way policies and then expect parents, students and schools to work together and trust each other. Student data is a big deal. There is no other way to say it. It is student information, and yet students lack ownership in the decision making process. So we need to create concrete steps to help schools build transparency into their practices.  More importantly, there is a deep need for training and help in implementing best practices in schools so that they can not only adequately safeguard student data but build trust between all stakeholders.

This is a tall order. Members of School Boards need to gather information from various sources in order to decide what works best for their particular school district. We need to provide better guidance and information on how best to protect student privacy while implementing tight security practices. Schools require training and materials that will support the implementation of comprehensive privacy practices in schools. How can budget and time strapped schools dedicate any time to privacy? It is difficult when you have limited resources and schools are faced with an either/or decision where privacy likely always comes second. Schools are often forced to choose between fixing the desks, buying textbooks and investing in privacy. So I get it but that doesn’t mean we stop the conversation. It means we find smarter ways to work on this because the topic is so important. It is time for School Boards to provide guidance to principals and teachers and help them develop best day-to-day operation practice.

Having these panel discussions is not going to magically fix the issues we continue to struggle with when it comes to student privacy. However, making policies available to the broader audience, explaining in a clear and concise manner how data is (or isn’t) used helps shift peoples conversations and broadens everyone’s lens when moving forward. An important part of the panel discussion was how do we build that trust and enact best practices. Members of School Boards want to do the right thing but at the same time don’t want to be limited by state and federal regulations that could potentially impede the use of data.

I walked away from this panel thinking how we need to develop concrete steps to help school boards on how to create privacy frameworks that commit schools to greater transparency. Because once we have transparency and build trust our conversation can focus on establishing sound practices that will enable us to effectively use student data while protecting student privacy.

Of course, members of School Boards can always visit our own FERPA|Sherpa website or the newly developed PTAC from the US Department of Education as well as iKeepSafe’s website. All full of pragmatic, practical and objective resources for anyone looking to learn more about student data privacy. I for one consider myself incredibly lucky to have had the opportunity to be on this panel. Not only did I learn a tremendous amount on student data privacy, but I was able to meet great people like our own Ferpa|Sherpa, Alan Smpson from iKeepSafe, our panel facilitator Laurie Dechery from Lifetouch and, of course Kathleen Styles. These are conversations we need to have to establish a collaborative framework. These are the conversations that begin at conferences but continue to be debated.  I have my ideas on how many people will be attending the privacy discussions at this conference – and my guess is a lot. A lot of people will need privacy discussions to be at the forefront of future conferences.

IMG_9807 (1)




What are the Student Data Privacy Principles?


On March 10th, the Consortium for School Networking (COSN) and the Data Quality Campaign released 10 privacy principles for student data. So what exactly are these Principles and how are they different from the Student Data Privacy Pledge? The privacy principles are a guide for protecting student data privacy in schools but more importantly, they show that anyone signing on to these principles is serious about student privacy. The guidelines are a great way to support schools and members of the educational community.

Unlike the Student Data Privacy Pledge, these principles are not enforceable by law but I don’t think that lessens the importance of signing on. Anyone signing on to the principles is sending a message that it is ingrained in their culture to integrate these guides into their organization’s thinking. And that is key because it places student data privacy at the forefront. Also worth noting is that these are matching commitments from the “other” side of the table so to speak. These are commitments from the education community to match the Pledge commitments made by vendors which shows the coordination between diverse stakeholder groups, all focused on the same ideas and goals.

Students are the ones that stand to win by the use of technology. They also are the ones that can lose it all if we are not smart when making decisions on student privacy. If we negate students in our thinking, if we do not recognize that our decisions affect kids, we cannot develop effective policies that protect student information in an equitable manner. The Principles are one more piece of the puzzle to help build consensus on best practices.

My favorite Principles? Easy –“Student data should be used to further and support student learning and success” and “student data should be used to inform and not replace the professional judgment of educators.” And this is important because by recognizing that student data matters and that it can and should be used to help students we are moving our conversation into a more comprehensive view of privacy instead of just one of security concerns. It is important we provide educators and educational institutions, with the best training on privacy practices while encouraging them to help students further their learning.

I am encouraged that slowly but surely we are recognizing that this conversation is about students and their future. It is about us helping them get the best education we can provide for them. Because after all, it is about students empowering their education and using the data to make education something they own and not something that just happens to them.

Our conversation shouldn’t stop here. The Principles are a great framework to follow but they certainly are not a cure all. Our conversations on privacy and data need to continue so that we can provide students with the assurance that we will protect their data, we will use it ethically and effectively and will let them take ownership of it so they can use it to their advantage.

If you want to read the principles you can find them here.



Social Media Monitoring, Privacy and Students


“Pearson is spying on kids” was the statement dominating this week. But the reality is that Pearson, like most major corporations, is involved in social media monitoring. Companies do this monitoring so that they can improve their product, provide better service or promote their brand. One could say that we should expect for major corporations to monitor our online activity when we mention their brands on social media. However, in this particular case, Pearson is not just randomly collecting everything anyone says about the test, but in fact monitoring to identify and track anything that appears to be a violation of the test integrity. In this case, the student’s tweet describing a particular test question. Further, testing companies actually have an affirmative duty to do this monitoring imposed by contract or other methods in order to ensure that schools can rely on the validity of the test results.

But for me, what is most important is the fact that we have engaged in the debate whether this practice is or isn’t acceptable while completely ignoring how students feel about this. Have we stopped to think if students care or, dare we say, expect it even? You see, as adults we can express our outrage over a multinational corporation monitoring students but are we speaking for students or for ourselves? Is this our outrage or the students?

I talk with students all the time, from elementary school age kids through college and their responses are vastly different. College students know and expect for their social media activity to be monitored, watched, some even do all they can to be noticed. K-12 students think differently. They expect to be watched by their teachers, parents, peers etc. but certainly do not expect companies monitoring social media to see who mentioned a test. And here is where it gets interesting. I asked some 5th grade students how they would feel if they posted something online and it became public information. They said that everything they do is seen by their parents and their parents are always posting things about them anyway. They expect someone to be looking at what they do all the time. So have we conditioned kids to expect to be monitored and tracked? Have we unconsciously blurred the lines between private and public for kids so much that they expect to be watched all the time? We have created an atmosphere of mistrust because we don’t trust the education and technology sector. How do we teach students to trust the technology in their schools? As many noted on Twitter, there is outrage over Pearson monitoring discussions about a test but deafening silence about constant social media monitoring students of color. There are so many instances of social media used for profiling that it is difficult to understand why it’s ok to monitor a certain group of students but not another. We need to examine online profiling and what we are doing by wanting to protect some students.

But more importantly, we must listen to students so we understand what privacy means to them and what they expect we give them when it comes to privacy protections. Students will still talk about tests. It’s what kids do. They will just do it in true private venues, in person, whispering in the backyard so that adults leave them alone. What opportunities are we missing by not acknowledging students in this debate? The issue about social media monitoring is about much more than one company concerned about one tweet. The issue is how do we come to terms that social media monitoring is persistent even in the education sector, it’s about establishing what is ok to monitor and what is not.



What happens when a group of privacy advocates descends on an Ed-Tech conference???


Last week I attended SXSWedu and it was very interesting. I was fortunate enough to be invited to participate in a panel to discuss the challenges in student data privacy and defining data ownership. And as excited as I was to be able to participate, I looked forward to the other sessions at SXSWedu. This year there were many panels discussing student privacy (about 10), more than any other year. And that is telling, because it means that the conversation around student data privacy is becoming entrenched in the educational landscape.

So what happens when a group of privacy advocates descends on SXSWedu? The conversation changes. The conference showcased how the use of data and technology in education has the power to ensure that every student has the opportunity to maximize their education. But with the increased use of technology in the classroom comes the increased amount of student data available. And that is where the privacy conversations came in. How can we meet the unique needs of every student while ensuring that their data is being used ethically, effectively and safely, but without stifling innovation? I spoke to many different groups of people while I was there and the main concern from tech companies was – how do we get it right so that we can give parents the comfort that we are safeguarding their children’s data while simultaneously improving and enhancing our products to deliver better learning experiences? And it shouldn’t be that hard. Because when you have privacy advocates and Ed-tech companies working together you can make substantial and effective changes as Clever did in updating their privacy policy. I would like to see companies have their privacy policies right from the beginning. Make it part of their culture. When we discussed data ownership in my panel I stressed the importance of recognizing student input and creating their brand image and privacy “philosophy” with students at the center of their decision making process. Because only by recognizing students as active participants in their education will we move the conversation from one of concern about student privacy to one of collaboration.

The commitment I saw this past week does not begin and end at SXSWedu. Everyone with a stake in education has a responsibility to do more. There is an incredible opportunity at hand and it starts with our commitment to safeguard student data.



Guest Post – When talking student privacy, we need to all get on the same page

When we discuss privacy protections we often focus on what we want the industry to provide parents and students, often we do not hear from the industry. I met the founders of Education Framework and was able to take a look at their product.

Education Framework is an Ed-tech company that manages student privacy and consent services for U.S. K-12 schools. Katie was kind enough to write a guest post for us from her perspective as the founder of a company that works on student privacy but also as a parent.

Thanks Katie!


When talking student privacy, we need to all get on the same page

We operate in a digital age where technology has infiltrated our everyday lives – at home, at work, and at school. What we once considered to be private is no longer so, nor will it ever be again.

But the reality is that in education, large amounts of data are being collected on children. While some argue that this data is necessary for improving educational outcomes, others have expressed concerns that it is vulnerable to misinterpretation, misuse, and outright abuse. This holds especially true as schools increasingly explore and adopt new digital learning solutions.

As the co-founder of an Ed tech start-up that specializes in managing student data privacy obligations for schools, and a parent to two school-aged children, I have experienced, first-hand, many of the challenges that school and service providers face today. I sit in a unique position to see both sides of the coin.

On one hand, I am troubled by the amount of data that is collected on my children and the lack of transparency regarding how that information is used and stored. On the other hand, I see the value of using information to simplify processes and improve outcomes.

As a service provider, integrating with the Student Information System (SIS) makes our digital process far more efficient, but without the proper protocols in place to ensure privacy, safety and security, it could be fraught with disaster.

When we consider a student’s data chain of custody, transparency is key. We must have a clear understanding of who has access to the information, for what purpose the information is being used, and for how long it will be stored. Moreover, this information should be readily available to both parents and school administrators. Parents shouldn’t have to jump through hoops to find out what information is being collected on their children, and schools should be able to produce that information, if requested, on a moment’s notice.

But the existing model is quite the contrary. Archaic manual processes, paired with limited guidance and weak oversight, have left the privacy door open to trouble. This is particularly concerning when realizing that there are approximately 50 million students whose information is at risk for exposure. As technology usage increases in schools across the nation, parents, teachers and administrators all need to better understand their privacy obligations. And while third party service providers, like myself, must commit to actively ensuring the protection of any information accessed, we must also maintain that the most basic procedures are, in fact, in place to ensure safety and security.

However, it is confusing whether the responsibility to obtain parental consent rests on the school or the service provider when the app is used in school.  Under COPPA, the Children’s Online Protection Privacy Act, parental consent is required for any app or website that collects personal information for children 13 years and under. But determining who is responsible for actually obtaining that consent is another story.

While the collective shift in attitude indicates a general move in the right direction, much still needs to be done to actually ensure student privacy in our schools. We must critically look at how we are managing the information we have access to in order to protect student’s privacy in schools. We also need to ask ourselves if the current process for managing student information fits with the model in which we are collecting it. We need to ensure that all parties are committed to making student privacy a top priority, and that all who have access to student information clearly understand their roles and responsibilities when it comes to managing the data. We need to determine what steps need to be taken to improve our systems to be more in line with our goals. It is imperative that we all get on the same page.


Katie Onstad, Vice President and Co-Founder, Education Framework Inc.

Katie Onstad is vice-president of Education Framework Inc., an education technology company that manages student privacy and consent services for U.S. K-12 schools. Katie co-founded the business in late 2013 with her husband and business partner, Jim. When she isn’t running the business, or the household, Katie volunteers her time around the community and in the classroom at her kids’ school. Katie received her B.A. in Organizational Communication from the University of Montana and lives in Bend, Oregon with Jim and their two young daughters.



Updating FERPA, after all it’s only 40 years old

This week Congress talked about improving legislation to protect student privacy. The Subcommittee on Early Childhood, Elementary and Secondary Education conducted a hearing to discuss updating FERPA and it is important that student privacy is being discussed in Congress to raise awareness of this issue.

FERPA was enacted in 1974 and what this session made clear is that the 40 year old law can’t keep up with the rapidly developing education technology industry. So yes, FERPA needs a facelift. The discussion is moving beyond attempts to prevent the collection of data to become a dialogue involving students, parents, educators and industry leaders. Now, I am not saying it’s all good and we have nothing to worry about but I am encouraged when listening to testimony acknowledging the challenges ahead and the desire to present Congress with facts and information that will help them make informed decisions. More importantly, I feel Congress asked some of the right questions – what is the role of third party vendors, what data should we collect, what does it mean to have an SLDS and how long should we retain the data? The underlying problem is how to support and improve FERPA without shutting the system down. The hearing was not about overreach. It was about finding a balanced approach to updating a law to protect student information.

I found particularly interesting Joel Reidenberg’s proposition of data minimization: how much data should we really collect and do we need to collect every detail of a child’s educational journey? We ought to critically examine what data is required to improve education and serve each learner’s particular needs. And it’s complicated. As Shannon Siever pointed out – do we need to do a biometric scan on a student in order to deliver school lunch? No. But biometric data can provide valuable insights and benefits for a student undergoing speech therapy. So what do we limit?

Another important point discussed was that of data ownership. We need to define this concept because what data ownership means for industry is not the same as what data ownership means for students. Does one recognize students own their data while still acknowledging that third parties can use that information?

Though much was discussed during this hearing, much has yet to be discussed. If we overhaul FERPA, we must be mindful that we are not limiting our ability to study why some students are being left behind. That we adopt a comprehensive approach to the collection of information but that we protect the information of students with learning disabilities, for example.

This Committee will be well served if it considers parents as partners and not bystanders. Consider who generates the data (students), who holds the data (schools) and how the data is being used (third party vendors) in schools. Strike a balance of personalized learning and safeguarding data.

I urge Congress to be careful when considering changes in FERPA and to think seriously how these changes will impact the ability of schools to use technology to better educate students. In an effort to limit data usage we may limit how we can help students learn.

Without modernizing FERPA innovation will stall. If parents do not feel that we have a law on our side, there will be a constant tension between schools, students and service providers. FERPA needs to be updated to fit what happens in schools and technology today to build trust between all the stakeholders, foster cooperation and provide privacy protection. And don’t forget our students need to have a voice in the process – what do they expect an updated FERPA will deliver to them?

If you missed the hearing, here is the archived webcast – Congressional Hearing


A Privacy Dilemma


What do you do when you are faced with a privacy dilemma? This week, one of my children brought home a consent form; and it wasn’t for a field trip. It was a consent form to allow pictures to be used on a website used by many to raise funds for school projects. So I am faced with a privacy ethical dilemma. Do I protect my child’s privacy by not allowing pictures of her to be used as the letter states “on our website and may allow our donors to display all photographs on their websites and social media channels and to otherwise use the photographs for publicity and promotional purposes” or do I allow her picture to be used because her teacher is raising funds to be able to afford projects that shall further her education?

So here I am sitting with this letter trying to make the right decision. But is there a right or wrong in this case? You see, it’s difficult because ultimate ethical systems are impracticable. It is nearly impossible to define with absolutes. Ethical systems are workable as sets of principles. So do I give permission for my daughter’s pictures to be used so that her class can get much needed resources sacrificing her privacy in the process?

Our kids care about their privacy. It matters to them. How would they feel if we asked them if we could take their picture and post it for the world to see? I wonder sometimes what it feels like to be a kid these days. Whenever any of us pulls out a camera to document the recitation of a poem or performance of a play and post it on social media, our children’s privacy becomes public. When I was growing up I could see parent faces, now I imagine kids see camera phones…but I digress.

And this is the point when we need to stop thinking about what we want and shift our focus to the children and ask ourselves – what do they want? How do they feel? This picture, this image of my kid, is becoming part of her data trail. A data trail that she is having very little say in its forming. If others can take this picture and use it in other materials it is becoming impossible for my daughter to control her data. Which is why the issue is so complicated. But in controlling the use of her picture we are in a sense limiting the ability for the school to raise funds. And it is a struggle to deal with this tension. Who gets to decide what is right? Am I right or should the school get as many opportunities for funds as they can? Thus the privacy dilemma, in the effort to protect one am I unwillingly affecting others. A photograph is more than just a photograph.

So what do you do? Sign the paper or not?



Trust and Privacy in Education


It’s been a busy month for data privacy. We had Data Privacy Day, President Obama announced new privacy protections for students and the Department of Education is working on a National Education Technology Plan. Inherent in all these initiatives is trust. Learning to trust is probably one of the most difficult things we need to learn in life. Choosing to trust an organization with personal information is probably not as important as the decision we must make when we trust someone to educate our children. So if we trust our schools to educate our kids why can’t we trust schools and service providers with our children’s data?

Fears about the misuse of student data have become a central part of the debate in education. And the data breaches at Target & Sony only instill greater concern among parents regarding the security of their children’s data. Further, it is difficult to dismiss concerns when we read privacy policies in which companies might be able to classify student data as an asset to be transferred to a third party purchaser in case of bankruptcy. It is clear to me that we need to build trust amongst service providers, schools, parents and students. Trust is more than just being compliant with the law. Trust is about building relationships so that we all understand the sensitivities around data. Trust is about designing an ecosystem that enables learning to take place but protects student privacy.

Data privacy is difficult, it takes work, it’s complicated, it’s emotional. It seems that as much as we want to simplify the use of technology we inherently complicate it. We need to think about what is “right” and “what works.” We can’t continue to look at privacy as a right or wrong alternative. We have to be able to discuss the implication of the use of student data and what we are willing to do to reach out and trust each other to do the right thing. Trust is about transparency and transparency enables trust.

If parents and schools assume that technology service providers are “preying” on student data we are getting off to the wrong start. Everyone is on the defensive. Parents don’t trust technology, technology doesn’t trust parents and so it goes. How does technology mistrust parents? By not being fully transparent of their practices because of fear of being shut down. On the other hand, service providers are not going to gain our trust just by changing privacy policies. It is important that privacy policies align with protecting student data. We cannot accept a privacy policy that complies with legal technicalities just because they were called out on a blog or newspaper article. Why not have adequate policies from the beginning? Why must we feel, as parents, that we need to scrutinize these policies because if we don’t we are leaving our children vulnerable?

We need to work on creating opportunities to educate different stakeholders in education. We must recognize that students are central but their data is critical if we are to create opportunities that service them in the best way possible. We can’t get this wrong. We have an opportunity to work together to develop a thoughtful and comprehensive student data privacy plan. Our students, our kids, have too much at stake. If we do not build trust, work on it, and maintain it we stand to lose. Once trust is lost, it is almost impossible to get back.