U.S. Department of Education guidelines on student privacy

26 Feb

Many schools and districts are using cloud computing. Judith Hurwitz, Robin Bloor, Marcia Kaufman, and Fern Halper from Cloud Computing For Dummies wrote about cloud computing in What Is Cloud Computing?

Cloud computing is the next stage in the Internet’s evolution, providing the means through which everything — from computing power to computing infrastructure, applications, business processes to personal collaboration — can be delivered to you as a service wherever and whenever you need.
The “cloud” in cloud computing can be defined as the set of hardware, networks, storage, services, and interfaces that combine to deliver aspects of computing as a service. Cloud services include the delivery of software, infrastructure, and storage over the Internet (either as separate components or a complete platform) based on user demand. (See Cloud Computing Models for the lowdown on the way clouds are used.)
Cloud computing has four essential characteristics: elasticity and the ability to scale up and down, self-service provisioning and automatic deprovisioning, application programming interfaces (APIs), billing and metering of service usage in a pay-as-you-go model. (Cloud Computing Characteristics discusses these elements in detail.) This flexibility is what is attracting individuals and businesses to move to the cloud.
The world of the cloud has lots of participants:
•The end user who doesn’t have to know anything about the underlying technology.
•Business management who needs to take responsibility for the governance of data or services living in a cloud. Cloud service providers must provide a predictable and guaranteed service level and security to all their constituents. (Find out what providers have to consider in Cloud Computing Issues.)
•The cloud service provider who is responsible for IT assets and maintenance.
Cloud computing is offered in different forms: public clouds, private clouds, and hybrid clouds, which combine both public and private. (You can get a sense of the differences among these kinds of clouds in Deploying Public, Private, or Hybrids Clouds.)
Cloud computing can completely change the way companies use technology to service customers, partners, and suppliers…. http://www.dummies.com/how-to/content/what-is-cloud-computing.html

Moi wrote about cloud privacy concerns in Does ‘cloud storage’ affect student privacy rights? https://drwilda.com/2013/02/19/does-cloud-storage-affect-student-privacy-rights/

Benjamin Herold reported in the Education Week article, U.S. Education Department Issues Guidance on Student Data Privacy:

The new federal guidelines are non-binding and contain no new regulations, reflecting a desire to encourage “self-policing” by industry and better policies and practices by school systems as first steps towards shoring up students’ privacy protections.
Dozens of privacy-related bills are making their way through statehouses this spring, however, and U.S. Senator Edward Markey, a Democrat from Massachusetts who has been critical of the education department’s stance on privacy, said Monday he would soon introduce new federal legislation on the matter.
Reaction to the document from key stakeholder groups was swift, reflecting the growing urgency around data-security issues. A trade association for the software and digital content industries commended the department for an approach it said “affirms and reinforces the strong safeguards in current law,” while a leading parent advocate said the guidance “completely misses the point when it comes to addressing parental concerns about their children’s privacy and security.”
FERPA Questions
Much of the 14-page department document, titled “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices,” focuses on the Family Educational Rights and Privacy Act, or FERPA….
The departmental guidance issued Tuesday, however, makes clear that FERPA and another relevant federal statute, the Protection of Pupil Rights Amendment, are somewhat limited in their power to prevent such outcomes in the new age of “big data” and ubiqitous digital learning tools.
Take, for example, the “metadata” collected on students via digital devices and online learning programs, which can include keystroke information, the time and place at which a device or program is being used, the type of device on which the service is being accessed, and more.
Under some circumstances, such metadata are not protected under FERPA and may thus eligible to be used for data-mining and other non-educational purposes.
According to the federal guidelines, vendors that have not collected any personally identifiable information on individual students may be permitted to use metadata for data-mining and other purposes.
And even when vendors have collected personally identifiable information on students, they may still be permitted to use metadata for their own purposes, provided those data are stripped of any identifying elements, and so long as the vendor received students’ information under an exception to FERPA that allows vendors to more easily be designated as “school officials…”
Privacy advocates, however, have criticized—and even sued—the department over its recent decisions to expand the definitions of who may be authorized to gain access to student data under FERPA.
“The guidance really underscores the fact that student privacy rights are under attack, and it was the [department’s] regulations that opened the door,” said Khaliah Barnes, an attorney with the nonprofit Electronic Privacy Information Center.
Best Practices
The uses of students’ personally identifiable information by third-party vendors can also be murky, according to the guidelines.
Under FERPA, parental consent is usually required for the disclosure of such information, although there are exceptions. Schools and districts are also supposed to maintain “direct control” over their data, even after it is passed to third parties—a requirement that is hugely complex given the massive amounts of data now being collected, the rise of cloud-based service providers, and the rapid-fire cycle of business start-ups, mergers, and acquisitions that mark today’s ed-tech landscape.
The new guidelines suggest that better contracting practices and school- and district-level policies are key to protecting student privacy amid all the confusion.
Among the best practices recommended by the department:
Maintain awareness of relevant federal, state, tribal, or local laws, particularly the Children’s Online Privacy Protection Act, which includes requirements for providing online educational services to children under 13.
Be aware of which online educational services are currently being used in your district. Conducting an inventory of all such services is one specific step districts can take.
Have policies and procedures to evaluate and approve proposed online educational services, including both formal contracts and no-cost software and that requires only click-through consent.
When possible, use a written contract or legal agreement. Provisions should be included for security and data stewardship; the collection of data; the use, retention, disclosure, and destruction of data; the right of parents and students to access and modify their data; and more.
Such reliance on district contracting processes and policy development could pose a problem, given the current state of such efforts. In December, Fordham University professor Joel Reidenberg published a scathing study of the shortcoming and vulnerabilities of most districts’ contracts with cloud-service providers. http://blogs.edweek.org/edweek/DigitalEducation/2014/02/us_ed_dept_issues_guidance_on_.html

See, http://law.fordham.edu/32158.htm

Here is the citation from the U.S. Department of Education:

Protecting Student Privacy While Using Online Educational Services
PTAC is pleased to announce the release of new guidance, “Protecting Student Privacy While Using Online Educational Services.” http://ptac.ed.gov/sites/default/files/Student%20Privacy%20and%20Online%20Educational%20Services%20%28February%202014%29.pdf This guidance should clarify questions related to student privacy and the use of educational technology in the classroom.
The Department of Education and PTAC will be holding a joint webinar on March 13 to review this guidance and solicit your input on it. To register for the webinar, please click here.
If you require a reasonable accommodation to participate in the webinar, please notify Ross Lemke at ross.lemke@ed.gov by March 6th. For those who are unable to join the webinar on March 13, a recording and transcript will be posted to the PTAC website.
http://ptac.ed.gov/

See, Testing the Waters of Cloud Computing http://www.scholastic.com/browse/article.jsp?id=3753288

Sean Cavanaugh reported in the Education Week article, Districts’ Use of Cloud Computing Brings Privacy Risks, Study Says:

School districts have become increasingly reliant on cloud-based technologies despite “substantial deficiencies” in policies governing those Web-based systems and their protection of private student data, a new study finds.
The study, released today by the Fordham Law School’s Center on Law and Information Policy, seeks to provide the first national examination of privacy and cloud computing in public schools. The study authors also put forward a series of recommendations to policymakers for ramping up safeguards on students’ private information.
Fordham researchers based their study on a national sample of public school districts, asking for detailed information from 54 urban, suburban, and rural systems around the country.
Among the information they sought: contracts between districts and technology vendors; policies governing privacy and computer use; and notices sent to parents about student privacy and districts’ use of free or paid, third-party consulting services.
The study concludes that privacy implications for districts’ use of cloud services are “poorly understood, non-transparent, and weakly governed.”
Only 25 percent of the districts examined made parents aware of the use of cloud services, according to the study. Twenty percent do not have policies governing the use of those services, and a large plurality of districts have “rampant gaps” in their documentation of privacy policies in contracts and other forms.
To make matters worse, districts often relinquish control of student information when using cloud services, and do not have contracts or agreements setting clear limits on the disclosure, sale, and marketing of that data, the Fordham researchers say.
The Fordham study concludes that districts, policymakers, and vendors should consider taking a number of steps to increase privacy protections, including:
• Providing parents with sufficient notice of the transfer of student information to cloud-service providers, and assuring that parental consent is sought when required by federal law;
• Improving contracts between private vendors and districts to remove ambiguity and provide much more specific information on the disclosure and marketing of student data;
• Setting clearer policies on data governance within districts, which includes establishing rules barring employees from using cloud services not approved by districts. States and large districts should also hire “chief privacy officers” responsible for maintaining data protections;
• Establishing a national research center and clearinghouse to study privacy issues, and draft and store model contracts on privacy issues. The center should be “independent of commercial interests to assure objectivity,” the study authors said.
“School districts throughout the country are embracing the use of cloud computing services for important educational goals, but have not kept pace with appropriate safeguards for the personal data of school children,” said Joel Reidenberg, a professor at Fordham’s law school who worked on the study, in a statement accompanying its release. “There are critical actions that school districts and vendors must take to address the serious deficiences in privacy protection….” http://blogs.edweek.org/edweek/DigitalEducation/2013/12/fewer.html?intc=es

Citation:

Center on Law and Information Policy
Privacy and Cloud Computing in Public Schools
Joel R. Reidenberg, Fordham University School of Law
N. Cameron Russell, Fordham University School of Law
Jordan Kovnot, Fordham University School of Law
Thomas B. Norton, Fordham University School of Law
Ryan Cloutier, Fordham University School of Law
Daniela Alvarado, Fordham University School of Law
Download Full Text (760 KB)
http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1001&context=clip

There is a complex intertwining of laws which often prevent school officials from disclosing much about students.

Resources:

What cloud computing really means
http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031

What Is Cloud Computing?
http://www.pcmag.com/article2/0,2817,2372163,00.asp

FERPA General Guidance for Students
http://ed.gov/policy/gen/guid/fpco/ferpa/students.html

No Child Left Behind A Parents Guide
http://ed.gov/parents/academic/involve/nclbguide/parentsguide.pdf

Related:

Data mining in education
https://drwilda.com/2012/07/19/data-mining-in-education/

Who has access to student records?
https://drwilda.com/2012/06/11/who-has-access-to-student-records/

Where information leads to Hope. © Dr. Wilda.com

Dr. Wilda says this about that ©

Blogs by Dr. Wilda:

COMMENTS FROM AN OLD FART©
http://drwildaoldfart.wordpress.com/

Dr. Wilda Reviews ©
http://drwildareviews.wordpress.com/

Dr. Wilda © https://drwilda.com/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: