The use of cloud-based technologies in K-12 schools is becoming increasingly complex and expansive, prompting a wide range of approaches for protecting private student data stored in the 鈥渃loud鈥 and raising serious concerns about the security of such data.
Districts ranging from the 203,000-student Houston school system to the 3,000-student Tomah, Wis., schools have outlined clear policies and practices for storing data in the cloud. Those two districts take very different approaches, however.
Tomah built its own private cloud-storage programs to prevent student information from being accessed by third-party vendors; Houston has embraced the use of companies offering cloud-computing services and is working to put best-practice guidelines in place.
The problem, experts say, is that many districts have not set clear policies for storing data in the cloud. Cloud systems typically rely on the outsourcing of computer power and some services to external servers or data centers, which are then accessed over the Internet on an as-needed basis.
A study released last month by the Fordham University Law School鈥檚 Center on Law and Information Policy, for example, notes serious lapses pertaining to control of private student information under contracts with private companies storing data in the cloud, as well as in alerting parents and students about who has access to student data.
The study鈥檚 authors put forward a series of recommendations to policymakers, including a call for a national clearinghouse focused on the issue, and for ramping up safeguards on students鈥 private information.
鈥淲e came away seeing that districts are not in a position right now to effectively deal with these privacy issues,鈥 said Joel Reidenberg, a study author and the academic director of the Center on Law and Information Policy, based in New York City. 鈥淢any districts don鈥檛 have the technical expertise to understand how the flow of data impacts student privacy, and vendors are not explaining it.鈥
鈥榃eakly Governed鈥
A study by the Fordham University Law School鈥檚 Center on Law and Information Policy found deficits in school districts鈥 protection of the privacy of student data. To improve the security and privacy of student data stored in the 鈥渃loud鈥 by an outside company, the center recommends:
鈥 Districts should incorporate language protecting the privacy of student information in contracts with companies providing cloud-storage services. They should require companies to disclose in the contracts how student data might be sold, transferred, or mined and give districts control over who accesses that information.
鈥 Contracts with cloud-service providers should address the types of security used to protect student data, how districts are to be notified of a security breach, and how a breach will be handled.
鈥 Districts should establish policies and guidelines for the use of cloud services by teachers and other staff members. The guidelines could require districts to vet cloud services proposed for use by teachers, or could bar employees from using cloud services not approved by the district.
鈥 States and larger school districts should create the position of 鈥渃hief privacy officer鈥 to address privacy issues related to student data and its cloud storage. Smaller districts could consult with state privacy officers for help.
鈥 A national research center and clearinghouse should be established to help schools, districts, states, and cloud-service providers with issues related to the privacy of student data. Such a center would provide model policies or model legislation, guidance, and research.
Source: 澳门跑狗论坛
Fordham researchers based their study on a national sample of public school districts. They asked for detailed information from 54 urban, suburban, and rural systems.
The study examined contracts between districts and technology vendors; policies governing privacy and computer use; notices sent to parents about student privacy; and districts鈥 use of free or paid third-party consulting services.
The authors conclude that privacy implications for districts鈥 use of cloud services are 鈥減oorly understood, non-transparent, and weakly governed.鈥
Only 25 percent of the districts examined made parents aware of the use of cloud services. Twenty percent did not have policies governing the use of those services, and a large plurality of districts had 鈥渞ampant gaps,鈥 the authors say, in their documentation of privacy policies in contracts and other forms. Twenty-five percent of districts had no policies at all regarding classroom teachers鈥 use of technology related to cloud storage.
鈥淚f there鈥檚 no policy, then it鈥檚 perfectly normal and legitimate for teachers to sign up for any service under the sun,鈥 Mr. Reidenberg said.
To make matters worse, districts often relinquish control of student information when using cloud services, and do not have contracts or agreements setting clear limits on the disclosure, sale, and marketing of such data, the Fordham researchers say.
The Fordham study concludes that districts, policymakers, and vendors should take several steps to increase privacy protections, including providing parents with sufficient notice of the transfer of student information to cloud-service providers, and ensuring that parental consent is sought when required by federal law; improving contracts between private vendors and districts to remove ambiguity and provide much more specific information on the disclosure and marketing of student data; and setting clearer policies on data governance within districts, including establishing rules barring employees from using unapproved cloud services.
But the Software and Information Industry Association, a trade group based in Washington, said the study focused too much on the language within contracts between vendors and districts, rather than on the actual practices of companies, and the expectation that they will behave responsibly.
Federal law restricts the transfer of student information, and private companies do not want to stray from the legal limits, the industry organization said in a statement.
鈥淭he enforcement of this law has generated a culture of business practices that respects student privacy beyond basic compliance,鈥 the SIIA said. 鈥淪chool service providers know that if they do not protect student information entrusted to them, they will lose their customers and face legal repercussions.鈥
District Approaches
Schools should think hard about how student data might be used by a third party, said Paul P. Potter, the director of technological infrastructure for Wisconsin鈥檚 Tomah district. Concerns about the privacy of student data led his district to develop its own internal cloud storage instead of contracting with a vendor.
鈥淚鈥檓 a huge proponent of the cloud as far as connectivity with the student, but I鈥檓 not a huge proponent of giving your data away to just anyone,鈥 Mr. Potter said. 鈥淚鈥檓 not willing, as a technology director, to put the privacy of our students鈥 data out there on the line in the hope that it鈥檚 secure.鈥
The Fordham study also recommends creating an independent national research center to study privacy issues, and drafting model vendor contracts. In addition, states and large districts should each hire a 鈥渃hief privacy officer鈥 responsible for maintaining data protections, the authors say.
Districts should take privacy issues related to cloud storage seriously, but scrapping the use of cloud technology is not called for, said Lenny Schad, the chief information technology officer for the Houston school district.
鈥淲e need to be concerned about what information is stored, who has access to it, and that industry best practices are put in place,鈥 he said.
Mr. Schad said it is possible to make student data secure: The banking industry and the government have been doing it for years, he said. However, he acknowledged that there are always going to be risks.
鈥淧eople are demanding guarantees, but that鈥檚 just not possible,鈥 he said. 鈥淚鈥檓 not going to guarantee we鈥檙e never going to get a virus鈥 or have a data-security breach, akin to the recent hacking of credit card data from Target customers.
In addition, Mr. Schad said, it鈥檚 critical that federal laws governing student privacy鈥攕uch as the Family Educational Rights and Privacy Act, or FERPA, and the Child Online Protection Act, or COPA鈥攂e clarified and enforced consistently to help districts understand how to comply.
Concerns about the protection of private student data have risen across the country in recent months, with parents and advocacy groups having complained that policymakers are doing too little to ensure that private data gathered via technology are kept secure.
Aimee Rogstad Guidera, the executive director of the Data Quality Campaign, a nonprofit in Washington that advocates for improved use of data in education, said the Fordham report was a reminder of the need for clearer policies on 鈥渉ow data are collected, stored, accessed, shared, and deleted.鈥
鈥淭he gaps identified in the report are not the result of incompetence or deliberate malfeasance by school leaders,鈥 she said in a statement, 鈥渂ut rather they reflect the challenge of implementing new policies and safeguards in a rapidly changing world with limited resources and many challenges to improving student achievement.鈥
Mr. Schad said concerns about privacy should make districts proactive. He cautioned against 鈥渘aysayers who want to push us back into how they were taught 25 years ago. I want to be out front on this issue.鈥
