Seeking to help schools protect students鈥 privacy without inhibiting the use of digital technologies in the classroom, the U.S. Department of Education released new guidance last week on the proper use, storage, and security of the massive amounts of data being generated by new, online educational resources.
鈥淭his can鈥檛 be a choice between privacy and progress,鈥 Secretary of Education Arne Duncan told a gathering of privacy advocates and ed-tech leaders who gathered for a 鈥渟ummit鈥 on the hot-button issue.
The guidance comes amid a flurry of activity around student-data privacy. Also in recent weeks, a leading technology trade group issued its own recommendations for protecting such data; major state legislation was proposed in California; U.S. Sen. Edward J. Markey, D-Mass., announced that he will soon introduce a federal bill; and the San Francisco-based nonprofit Common Sense Media hosted the high-profile 鈥淪chool Privacy Zone鈥 summit here.
James P. Steyer, the CEO of Common Sense Media, said the confluence of efforts is a good sign.
February was a busy month for a wide cross-section of groups interested in student-data privacy:
Federal Government
The U.S. Department of Education released new guidance to help schools and districts interpret major student-privacy laws and implement best practices. Sen. Edward J. Markey, D-Mass., announced that he will soon introduce new legislation on the issue.
State Government
California state Sen. Darrell Steinberg, a Democrat, sponsored a new bill that, among other goals, would prohibit providers of online educational services from using or disclosing student data for commercial purposes, such as marketing. Bills in Kansas and a number of other states are also under consideration.
Ed-Tech Industry
The Software & Information Industry Association released 鈥渂est practices for the safeguarding of student-information privacy and security for providers of school services.鈥 The recommendations focus on limiting the use of personally identifiable student information to 鈥渆ducational and related purposes鈥 and improving policies related to transparency, contracting, security, and data-breach notification.
Privacy Advocates
The nonprofit Common Sense Media hosted a 鈥淪chool Privacy Zone鈥 summit in Washington attended by dozens of advocates, ed-tech leaders, and government officials, including U.S. Secretary of Education Arne Duncan. The group recently conducted polling research on U.S. voters鈥 attitudes about student-data privacy and is promoting a set of 鈥渇undamental principles鈥 related to the issue.
鈥淚鈥檝e never felt that industry self-regulations were sufficient to protect the interests of kids and families,鈥 said Mr. Steyer, whose organization is known for evaluating media and educational technology intended for use by children. 鈥淲e want the best [private] actors to step forward, but we also need legislation and regulation and advocacy. It鈥檚 the combination that works.鈥
For its part, the federal government will seek 鈥渧igorous self-policing by commercial players鈥 handling sensitive data about children, Secretary Duncan said, but it is 鈥渘ot going to wait for industry or rely on promises鈥 to protect that information. The federal guidance is nonbinding and contains no new regulations; instead, it offers interpretations of existing laws and encourages 鈥渂est practices鈥 by schools and districts.
The 14-page document highlights the challenges of securing students鈥 data in the rapidly evolving digital education landscape. The Education Department鈥檚 short answer鈥"it depends"鈥攖o two frequently asked questions by school officials about how federal statutes apply to the sharing of sensitive student information with third-party vendors left some privacy advocates unsatisfied.
鈥淭he guidance really underscores the fact that student-privacy rights are under attack,鈥 said Khaliah Barnes, a lawyer for the nonprofit Electronic Privacy Information Center, based in Washington.
Representatives from the software industry, meanwhile, commended the department鈥檚 guidance.
Crafting Protective Measures
In his keynote address at the summit, Mr. Duncan touted the 鈥渆xtraordinary learning opportunities鈥 associated with new digital learning tools and the vast amounts of information they generate. He cited examples of schools鈥 use of technology and data to personalize student learning, free up teachers鈥 time for high-value instructional activities, and engage parents.
But the secretary also stressed that 鈥渟chool systems owe families the highest standard of security and privacy,鈥 and he sharply criticized some common industry practices, including 鈥渢ake-it-or-leave-it鈥 contracts with districts that allow companies to unilaterally and without notice change their privacy-protection practices.
鈥淚t is in your best interest to police yourselves before others do,鈥 Mr. Duncan said in a direct message to ed-tech vendors.
Many policymakers, advocates, and even industry officials say a baseline standard should be that third-party vendors use student information only for educational purposes.
The new federal guidance, however, makes clear that defining 鈥渆ducational purposes鈥 in the digital age is a complicated endeavor, and that student-privacy statutes now on the books are straining to meet the challenges presented by 鈥渂ig data鈥 and ubiquitous digital learning tools.
Take, for example, the 鈥渕etadata鈥 collected on students via digital devices and online learning programs, which can include keystroke information, the time and place at which a device is being used, and more.
Under some circumstances, such metadata are not protected under the Family Educational Rights and Privacy Act, or FERPA, a 40-year-old law intended to protect children鈥檚 educational records from disclosure. According to the new guidelines, it may thus sometimes be permissible for vendors to use such information for data-mining and other noneducational purposes.
The circumstances under which students鈥 personally identifiable information may be used by third-party vendors can also be murky. As a result, the Education Department suggests that 鈥渟chools and districts will typically need to evaluate the use of online educational services on a case-by-case basis to determine if FERPA-protected information is implicated.鈥
Some privacy advocates, though, criticize the department as having weakened FERPA by regulatory changes made in recent years.
鈥淚n the process of encouraging a market in data-mining software and the outsourcing of education into private hands, [the department] seems willing to sacrifice our children鈥檚 privacy,鈥 said Leonie Haimson, the executive director of the New York City-based nonprofit Class Size Matters and a frequent critic of industry involvement in student data-sharing initiatives.
Outlining Best Practices
Dozens of bills addressing data privacy have been proposed in a number of states in recent months, and at the federal level, Sen. Markey said last week that he would seek 鈥渘ew, updated rules鈥 to protect sensitive student information that is transferred to private companies.
The focus of the planned federal legislation, Mr. Markey said in a statement, would be prohibiting the use of such data for targeted marketing to children, ensuring parents鈥 rights to access information about their children that is held by private companies, and creating other new safeguards.
Hoping to get out ahead of the rising regulatory tide, the Software & Information Industry Association, a trade group based in Washington, released its own recommendations.
鈥淲e鈥檙e concerned about [the possibility] of legislation that might capture very appropriate uses of student information,鈥 said Mark Schneiderman, the group鈥檚 senior director of education policy. 鈥淥ur intention is to create a 鈥榯rust framework,鈥 and at the same time make sure we鈥檙e not cutting off our nose to spite our face.鈥
While the SIIA focused on best practices for industry, the Education Department focused in its new guidance on supporting smarter, more effective practices by schools and districts.
Among the federal recommendations for school systems are conducting an inventory of all online educational services now in use; developing policies to evaluate and approve proposed online educational services, including no-cost software and apps that require only click-through consent; and pursuing written contracts with all new data vendors.
But while such approaches are welcome, they might not be enough to keep up with rising parental concerns about the privacy and security of their children鈥檚 data, said Joel R. Reidenberg, a Fordham University law professor who recently published a scathing review of districts鈥 current contracts with cloud-computing service providers.
鈥淚 don鈥檛 think it鈥檚 a reasonable expectation that districts are in a position to police vendors and really take control of their data,鈥 Mr. Reidenberg said. 鈥淏ut it鈥檚 great that [the department] finally got something out.鈥