As computing solutions that improve learning and school operations continue to emerge, we need stakeholder consensus and better communication about how those solutions use and protect student data.
Modern information technologies play an increasingly integral role in our education system — improving learning opportunities, guiding practice, and enabling operational efficiencies. With these new tools and their reliance on student data comes the obligation for all parties to safeguard student privacy and data security.
The use of student information in schools is nothing new, nor is the reliance on external providers to develop, deliver, and support use of those information technologies. What is new, or at least newer, are innovations like cloud computing and data analytics that are increasing teacher and family data access, creating actionable information to drive instruction and decision making, improving data security, enhancing school capacity and productivity, and helping customize learning for each student.
Given the importance of this issue and the concern around it, we must enhance communication and trust among the triad of stakeholders: students/parents and their schools, schools and their service providers, and external service providers and students/parents. Not all stakeholders have the same level of awareness, and so steps are needed to ensure a common understanding of the benefits of the data and technologies, their appropriate uses, and how questions and concerns can be addressed by enhanced governance and transparency and a continuous improvement process for security.
A strong system of federal laws provides a baseline of critical protections for students and families. These laws restrict the use of student data so that it can never be used for anything other than educational purposes (without explicit parental consent).
The federal Family Educational Rights and Privacy Act (FERPA), among other things, requires that:
- Personal information shared with service providers must be limited to uses otherwise performed by the school’s own employees;
- The provider and information must be under the school’s direct control; and
- The provider’s use of the information can only be for educational purposes.
FERPA applies to personally identifiable information (PII) such as student name and Social Security number and even grades that are linked to a student’s name. FERPA defines such information as “records that contain information directly related to a student and which are maintained by an educational agency or institution or by a party acting for the agency or institution.”
FERPA and the Children’s Online Privacy Protection Act (COPPA) require parental consent both:
- If the district wants to share personal student information for noneducational purposes and
- If the operator wants to use or disclose the information for its own commercial purposes.
COPPA applies to personal information collected from children under age 13, whether in or out of school. While COPPA lets educators provide consent on behalf of parents, educators cannot provide, and service providers cannot knowingly accept, such consent for releasing the information if it will be used for purposes other than the educational purposes for which it was intended.
Finally, the Protection of Pupil Rights Amendment (PPRA) prohibits using personal information collected from students for marketing and advertising purposes unrelated to the educational purpose for which it was collected.
What’s more, service providers have a market incentive to heed privacy expectations: If they do not live up to these responsibilities, they will lose the confidence of their customers.
Privacy and security
At ground level, schools and service providers have a strong framework of policies and procedures intended to safeguard student information. They do this by limiting the use of student personal information to legitimate educational purposes. In addition to legal restrictions, these limits are set by contracts, agreements, and the privacy policies of companies as well as school districts.
External service providers are agents of the school district; the providers use student information to deliver services needed by schools. Districts hire external providers because they have expertise and capacity in specialized areas that a school, district, or even a state agency often lacks. By outsourcing tasks to external service providers, schools, districts, and state agencies can focus on their core educational competencies while improving effectiveness and reducing costs.
Districts host the software and data for many applications and systems. Increasingly, however, service providers are hosting software and data systems remotely — “in the cloud.” These services include:
- Student information, administrative, and other data management systems where personal student information is collected/uploaded by teachers and school administrators into a service provider’s data system; and
- Instructional, learning, testing, and learning management applications that collect data directly through the student’s interface with the application or web site as necessary and integral to their use, but where the only personal information may be basic user account data (e.g., name or often an anonymous student identifier).
In all of these cases, the service provider stores and secures personal student information and provides tools for authorized users — educators, students, families — to access, manage, and use the information. But the district decides who is authorized to access the data. This structure is akin to a safety deposit box in a bank where the owner — in this case, the district — determines what is maintained in the box, how that valuable is used, and who has access.
When external service providers analyze or otherwise process data — such as collecting information to drive adaptive courseware or provide value-added dashboard visualization for teachers — they are largely relying on automated processes. Their employees do not see student identities. If human review is needed, service providers have internal authorization controls that limit access to only employees who are needed to perform the service, which means service providers are prevented from using personal student information in ways not authorized by the school client. This practice is prevalent in the third-party hosted, cloud-based digital file cabinets that districts increasingly rely on for cost-effective data management and security.
In fact, cloud data storage is actually far safer than storing student data on local servers. With local digital storage, there is a greater chance of human error such as a lost or stolen laptop or leaving unlocked the room that houses the data server. This is an example where size makes a positive difference in security. The scale of cloud computing enables the expertise and investments in security that a single school district could not provide. This includes predicting and identifying external threats such as hackers or malware and installing sophisticated data security technologies. Cloud computing also guards against threats such as fire, unlocked file cabinets, etc. External service providers have more effective security protections — one good reason why schools and agencies outsource data management and analytics.
One other data use is important to note: Metadata is often used to carry out internal operations, support product evaluation and improvement, and support the end user. Such metadata is not personally identifiable but is used to catalog user interactions with the application in order to troubleshoot problems with an individual user or to identify the need for product improvement. For example, they are sophisticated enough to easily determine where students keep getting stuck on the same problem.
Metadata also delivers the ability to make ongoing improvements based on user experience. Another benefit of partnering with third-party operators is their ability to work across multiple schools and multiple applications to determine what’s working and to translate that knowledge into improved services.
Industry best practices
The obligation to safeguard student data privacy means that we need to continually review and enhance policies, practices, and technologies. Critical to that process is improving transparency and communication about technology’s value and how data is being used to advance a child’s learning experience.
To that end, the Software & Information Industry Association (SIIA), along with the Future of Privacy Forum, recently released the following Student Privacy Pledge (SIIA, 2014), which already has been signed by dozens of leading companies that promise to:
- Not sell student information;
- Not behaviorally target advertising;
- Not build a personal profile beyond what is needed for the authorized educational purpose;
- Not change privacy policies without notice and choice;
- Enforce strict limits on data retention;
- Collect, use, and share data for authorized educational purposes only;
- Be transparent about data collection and use;
- Support parental access to and correction of errors in their children’s information;
- Provide comprehensive security standards; and
- Ensure that subcontractors also honor these commitments, along with companies maintaining the data as a result of merger or acquisition.
The pledge applies to all student personal information regardless of whether it’s considered part of an “educational record” as defined by federal law. It also applies to data collected and controlled by the school but warehoused offsite by a service provider or collected directly through student use of a mobile app or web site assigned by a teacher. It also applies to school service providers even where there is no formal contract with the school.
The pledge clearly and concisely articulates industry commitment to safeguard the privacy and security of all student personal information, detailing ongoing industry practices that go beyond all federal requirements. The pledge encourages service providers to more clearly articulate these practices and to further raise confidence in how they handle student data.
Policy considerations
While federal law already provides comprehensive protections for student data, some jurisdictions are considering further regulation. But this risks creating policies that miss their target and instead create unintended and unnecessary barriers to school operations and digital learning.
Schools must have sufficient flexibility to accommodate a wide variance of circumstances, including types of technologies, types of data, and local needs. New regulations intended to create a privacy and security floor could unintentionally create a digital learning ceiling. For example, we must avoid restrictions on using information for secondary purposes that could prevent teachers and parents from more effectively identifying a lesson or book appropriate to a student’s reading level in a manner long accepted in the analog world.
SIIA agrees with the Obama Administration’s May 2014 report on data and privacy that called for “responsible educational innovation in the digital age,” including that “students and their families need robust protection against current and emerging harms, but they also deserve access to the learning advancements enabled by technology that promise to empower all students to reach their full potential” (Podesta et al., 2014).
Rather than pursue new regulations, the best approach is for all players to work together to educate, equip, and empower schools and educators to make informed decisions that safeguard student data. External service providers and industry organizations fully recognize they play a central role in making this happen. The Student Privacy Pledge was an important step forward in this effort, and SIIA is now embarked on an active campaign to educate service providers, educators, families, and policy makers about the pledge.
As part of this effort, SIIA believes four key points about student data and related possibilities must be well understood:
#1. Educational institutions, agencies, and their service providers use deidentified, aggregate, and other anonymous information for many important educational, operational and accountability purposes.
These uses do not raise concerns about student privacy and must be enabled for delivering and improving educational services. Efforts to ensure data security should focus on personally identifiable student information.
#2. Our core focus should be on data governance, transparency, and security capacity.
As technologies and educational practices advance, school districts and families need information and support to take advantage of opportunities that new technologies provide, as well as to understand and address their own responsibilities. This includes encouraging districts and service providers to be transparent about what information is collected and how it is used and empowering school officials and parents to make informed decisions.
This also includes ensuring appropriate data governance in districts and at state agencies through state and district-level boards and advisory groups comprising community members, officials, experts, and other responsible stakeholders. Finally, this includes providing high-quality professional development that prepares educators to be good stewards of student information and adroit users of technology tools.
#3. It is essential to future-proof data safeguards for the wave of digital learning being embraced by families and educators at home and at school.
Districts need flexibility to determine which data to collect, with whom to share it, and for what purposes to best accomplish their operational and educational objectives. One-size-fits-all regulations will not work in a system where policies are set locally and where there is great diversity of school sizes, staffing, practices, and evolving uses of innovative technologies. For example, regulations restricting the collection of biometric data based on privacy concerns may jeopardize appropriate uses, such as using that information to verify the identity of a device user or test taker, or for digital learning such as enabling English or foreign language learning that involves recording a student’s voice.
#4. Parents and guardians have a critical role in safeguarding information, and federal law requires parental consent if personal student information is used or shared for noneducational purposes.
Some have called for parental consent — either opt-in or opt-out — for each and every sharing of personal student information, even for core educational purposes. This is unrealistic and inefficient and would create vast differences in students’ school experience.
Districts need to collect information from students to operate their institutions and to educate students. They cannot manage classrooms and schools if some parents exclude their children from core educational activities. A universal opt-in or opt-out would unfairly create an imbalance of educational opportunity; some students would have access to educational resources while others would be excluded because their parents either opt out or fail to opt in. Our efforts should be focused on student data empowerment that increases student/family access to data about their children and enhances their opportunity to create a more efficient continuum between digital and analog learning inside and outside school.
What’s at stake
Education technology is increasingly mission-critical to ensuring that students receive a world-class education and that the U.S. can compete in the global economy. It is not surprising then that educators strongly support technology use. Seventy-six percent of K-12 teachers and administrators responding to SIIA’s annual Vision K-20 survey reported that technology is highly important (MMS Education, 2014).
The contributions these data-driven technologies make to education are broad and transformative.
For example:
- Adaptive courseware adjusts content and instruction in real time to the performance and needs of each student, creating a unique learning pathway toward achievement.
- Recommendation engines help teachers identify and deliver lessons in the modality, complexity, and representation to meet the unique needs of every student.
- Enterprise software enables administrators to more efficiently schedule classes and bus routes, manage budgets and human resources, identify performance gaps and effective practices, and carry out administration and operations.
- Learning analytics support ongoing, embedded evaluation of what works best with individual students and contributes to developing smarter educational systems.
These tools and techniques allow educators to manage data in more cost-effective and sophisticated ways to inform instruction and enhance school operations. The result is the ability of school systems to better identify students at risk of failure, better identify the lessons that best meet each student’s unique needs, and improve school operational productivity.
Data-enabled education also can help empower families to help take charge of their children’s education, identifying learning opportunities that best support their child and their needs. Parents and students need not fly blind as they determine which book, learning module, or after-school activity will best meet their abilities and learning needs.
Conclusion
We have a long way to go. According to the SIIA Vision K-20 survey, educator interest in using information systems to support instructional and administrative decisions is greater than the technology available to them (MMS Education, 2014).
With so much at stake — with regard to both student data privacy and learning advancement — SIIA and service providers are strongly committed to seeking effective solutions.
The most important goal for all stakeholders, SIIA believes, is to continually work to increase transparency and governance in ways that empower parents and district officials to safely use student information to advance student learning. Stakeholders need to improve communications about the uses and benefits of data and existing safeguards. The three layers of current protections — contracts, federal law, and industry best practices — provide a very effective and flexible security framework. This doesn’t mean policies and practices shouldn’t be reviewed and updated as needed; it means we must avoid one-size-fits-all models that will fall far short in a dynamic environment of educational change and technology innovation.
References
Family Compliance Office. (n.d.). FERPA general guidance for students. Washington DC: U.S. Department of Education. www2.ed.gov/policy/gen/guid/fpco/ferpa/students.html
MMS Education. (2014). 2014 results from the SIIA vision K-20 survey. Washington, DC: Software & Information Industry Association. http://siia.net/visionk20/2014_VK20.pdf
Podesta, J., Pritzker, P., Moniz, E., Holdren, J., & Zients, J. (2014). Big data: Seizing opportunities, preserving values. Washington, DC: Executive Office of the President. www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf
Software & Information Industry Association. (2014). Student privacy pledge. Washington, DC: Author. http://studentprivacypledge.org/
CITATION: Schneiderman, M. (2015). Security and communication improve community trust. Phi Delta Kappan, 96 (6), 29-34.
ABOUT THE AUTHOR
MARK SCHNEIDERMAN is senior director of education policy of the Software & Information Industry Association, Washington, D.C.
