Student Privacy and Education Technology – What You Need to Know (Or Should At Least Be Asking)
What kind of information is your child sharing through the education technology used in your child’s school or classroom?
What procedure did your child’s teacher, school, or district go through to ensure that the chosen education technology is using your child’s information only for education purposes?
What board policies govern the choice of that education technology?
Have you been made aware of every piece of education technology used by your child at school?
Is anyone monitoring the use of that education technology by your child?
If your heart started beating a little faster as you read through those questions because you realized you don’t know the answers, don’t worry. Most folks don’t.
Keep reading. This one’s a little longer than most.
And by the time you finish reading this, you should have enough information to ask questions of your child’s teacher, principal, and even your school district’s technology coordinator to ensure your child’s privacy has been carefully considered where education technology is concerned.
What Is Education Technology?
To be clear, what we’re discussing is the education technology that students are using to participate in the curricular requirements in their classrooms and schools.
We are not talking about education data, which can include test data, attendance records, health records, Individual Education Programs (IEPs), or those pieces of education data that help make informed decisions about education. (See this from the National PTA and the Data Quality Campaign for more information about data privacy related to education data.)
Education technology includes the device (a.k.a., hardware) and the applications (a.k.a., software), including school-issued email accounts that students use.
The device can be a school-based computer, a school-issued device, such as iPads or Chromebooks, or a personal device, sometimes called BYOD (Bring Your Own Device), that is used to access and participate in schoolwork.
Applications (apps) include any online educational service, any cloud-computing service, or any downloaded-to-your-device program that a student uses to access and participate in schoolwork. Email accounts issued by the school are included in this category.
Because the terminology is difficult to follow, the communication between parents and school districts about this issue is difficult, too.
This Is Kind of a Big Deal
Student privacy, specifically where education technology is concerned, became a big deal a few years ago. The conversation has gotten more and more confusing as national rhetoric began blaming the collection and use of student education data through education technology on the Common Core State Standards Initiative (CCSSI).
To be clear, the world of education technology was around long before the CCSSI began. Student privacy has always been a concern. Perhaps we should thank the CCSSI for calling this issue to our attention.
Whenever our children access a site on the Internet that requires them to enter their name or email address, or even create a log-in, the recipient of that information is likely collecting it for some purpose. Until a few years ago, most of that account-creating was done at home, where we could oversee that process and know exactly to whom our children were giving their personal information.
With the increasing use of education technology in K-12 schools, though, we parents have become increasingly aware that unless someone actually tells us who is receiving our child’s information, we simply don’t know.
It doesn’t help when parents ask questions of school officials and are met with “just trust us” or “you don’t need to worry about that, we’ve got it covered”.
Because the truth is that Alabama’s school districts don’t have it covered. Education technology is the Wild West here in Alabama. Very few rules exist to ensure school districts are protecting our children’s privacy.
What Guidance or Requirements Are Out There for Alabama’s School Districts to Follow?
There are no Alabama state laws governing student privacy where education technology is concerned.
The Alabama State Department of Education (ALSDE) has issued no guidelines or requirements for school districts, either.
While the State Board of Education adopted a Data Governance policy in October 2013, that policy didn’t address data governance in education technology. Rather, it was aimed at collection of student data by schools and how schools and the ALSDE do or do not share that information.
There is no mention of governance of student privacy for education technology in the Transform 2020 guidance for school districts who are developing mandated Technology Plans, either.
Federal Laws: Which Ones Apply to Student Privacy and Education Technology?
Without state laws or state guidance, the only laws to rely upon are federal laws. But federal laws provide many exceptions that leave parents out of the loop.
The Family Educational Rights and Privacy Act (FERPA) governs access and use of education records, specifically with respect to Personally Identifiable Information (PII). However, it depends on what kind of education record is in question as to whether FERPA applies. Much of the student information provided to education technology companies can be considered “directory” information and therefore does not require parents to be notified as long as parents have not placed restrictions on the release of that directory information.
Did you notice double negative in that sentence? Here’s another way to say that: each year, the school district must tell parents what information is considered “directory” information. Typically, districts provide this information within a multi-page Student Handbook (see pages 24, 25, and 26 of the Huntsville City Schools’ Student Handbook for an example). Somewhere in the notice it will tell parents that if the parent doesn’t want the school district to release that “directory” information, that it’s the parent’s job to tell the school district not to release it. If a parent doesn’t notify the district, then “directory” information can be released without parental consent.
See this article for more information.
The Protection of Pupil’s Rights Amendment (PPRA) governs parental control over access and use of their child’s PII collected and used for marketing purposes, requiring districts to provide parents the opportunity to opt out of that collection. However, if the purpose of collecting personal information is for the exclusive purpose of developing, evaluating, or providing educational products or services for students or schools, neither parental notice nor the opt out provision is required.
The Children’s Online Privacy Protection Act (COPPA) governs a business’s online collection of information of children under age 13, requiring parental consent, but doesn’t apply when the business is dealing directly with schools, as schools may act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf…where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose”. This means that parents don’t have to give their consent directly to the company nor to the school district if the information is being collected and used for the benefit of the school.
So that’s pretty much it. If the information being shared, collected, and used falls into one of the exceptions of FERPA, PPRA, or COPPA, parents are not required to be notified that the student is using that education technology.
National Guidance Is All We Have
The only guidance for student privacy and education technology has come from the national level.
The Privacy Technical Assistance Center (PTAC) of the U.S. Department of Education issued guidance in late February 2014, raising questions about student privacy and recommending best practices in the ever-expanding world of education technology and online educational services.
The following statements in bold are best practices for school districts suggested by PTAC.
- Maintain awareness of other relevant federal, state, tribal, or local laws: Not just FERPA, COPPA, CIPA, and PPRA.
- Be aware of which online educational services are currently being used in your district: Conduct an inventory of all online educational services in use and require frequent updates.
- Have policies and procedures to evaluate and approve proposed online educational services: Teachers need freedom to explore new apps and online education services, but schools and districts need to develop processes to ensure the service meets legal and community-acceptable guidelines. Free apps and services should be subjected to the same process that paid apps and services are.
- When possible, use a written contract or legal agreement: Having a written contract or legal agreement helps schools and districts maintain the required “direct control” over the use and maintenance of student data.
- Extra steps are necessary when accepting Click-Wrap licenses for consumer apps: Click-Wrap licenses are those quick on-screen popups that ask “do you agree to our Terms of Service”. See page 10 of the PTAC document for more information. These are likely the trickiest to navigate, because districts are faced with either accepting the terms or not using the app.
- Be transparent with parents and students: More on that below…..
- Consider that parental consent may be appropriate: Keep reading……
Being Transparent About Which Education Technology Services Are Being Used
PTAC offers detailed suggestions about what information districts should share with parents about the education technology services being used (emphasis added):
“Beyond FERPA and PPRA compliance, however, the Department recommends that schools and districts clearly explain on their Web sites how and with whom they share student data, and that they post any school and district policies on outsourcing of school functions, including online educational services. Schools and districts may also want to post copies of the privacy and security provisions of important third party contracts.
With online educational services, it can often be unclear what information is being collected while students are using the technology. Even when this information is not protected by FERPA or other privacy laws, it is a best practice to inform students and their parents of what information is being collected and how it will be used. When appropriate, the Department recommends that schools or districts develop an education technology plan that addresses student privacy and information security issues, and solicit feedback from parents about the plan prior to its implementation or the adoption of new online education services.
Transparency provides parents, students, and the general public with important information about how the school or district protects the privacy of student data. Greater transparency enables parents, students, and the public to develop informed opinions about the benefits and risks of using education technology and helps alleviate confusion and misunderstandings about what data will be shared and how they will be used.”
In July 2014, PTAC went even further with direct guidance on what school districts should do to increase transparency. (This one is a keeper. More on this in a future post).
While the ALSDE has not issued direct guidance, the issue of how much school districts need to share with parents was discussed with Alabama school district technology officers at a training session last February.
The question of how to notify parents was raised, and state officials made it clear that while parents may have already signed a notice at the beginning of the year regarding directory information, a best practice would be to inventory and list all parties with whom student data and information is shared, including education technology providers.
I did find one example of a best practice being used: Hoover City Schools has taken the step of providing families with additional information about the online education services used in conjunction with their Engaged Learning Initiative.
What Are the Rules for Using Education Technology in Your School District?
A school district’s Acceptable Use Policy or Technology Use Policy will state what the rules are for your child to use education technology in the district and what can be expected where your child’s privacy is concerned.
The policy is usually accompanied by a form (the Acceptable Use Agreement or Technology Use Agreement) that parents and students are asked to sign at the beginning of each school year. Most parents and students sign it without really understanding what it says.
If you want to view your school district’s technology policy, start with the web site, then look for the Technology department, the Board of Education policy manual, or the Student Handbook/Code of Conduct. (If you find your school district’s policy and/or agreement, please send me a link: asc(at)alabamaschoolconnection.org. I provided a few examples below, but hope to compile a full database of district policies.)
Now It’s Your Turn to Ask the Questions
If you don’t understand your district’s policy or what you and your child agreed to do when you signed that agreement, ask questions. Ask the teacher, the principal, the district technology coordinator….whoever you believe can actually answer your questions.
Which questions you should ask? Jim Steyer, CEO of Common Sense Media, suggests these:
1) Who is gathering data on my child? Is there a list of the education technology providers and their security and retention policies that is available to parents?
2) Which web sites and apps will be used in the classroom or recommended for use at home and what are their privacy policies? How do they use and share students’ personal information?
3) What information is being collected? What policies does the school or district have in place to ensure my student’s personal information is being used solely for educational purposes?
Copy and paste those questions into an email and send them to your school officials. Make sure to copy and paste this link to PTAC’s recommended transparency practices into the email, too.
The Student Online Personal Information Protection Act – What California Just Did
California’s governor just signed the Student Online Personal Information Protection Act (SOPIPA) into law on September 29, 2014. This law prohibits operators of online educational services from using student data for a non-educational purpose, period. It prohibits operators from amassing a profile on a student and/or targeting advertising to students. It also prohibits operators from selling student data, requires them to maintain adequate security procedures to protect student data and mandates that student information be deleted if a school or district requests them to do so.
Two bills were introduced into Alabama’s legislature last year to regulate online education technology providers. Neither passed. Don’t be surprised if legislators bring bills back to the legislature next March when the 2015 Legislative Session begins.
Additional Resources
Examples of Districts’ Policies/Agreements Regarding Education Technology and/or Internet Usage
As you may well imagine, the lack of state guidance has resulted in little uniformity of school district policies regarding student privacy and education technology. For their own protection, though, each school district likely has some type of acceptable use policy and/or agreement where parents and students acknowledge their responsibilities and rights in using the district’s education technology.
Here are a few examples.
Hoover City Schools’ Acceptable Use information states:
Users should have no expectation of personal privacy in connection with their usage of the device, Google Apps, and other technology resources. Hoover City Schools retains the right to monitor, access, and review all student messages or information accessed or created using HCS-owned devices HCS-sponsored GoogleApps accounts, and/or other HCS-related network files. (Section 3, “Expectation of Privacy”)
Vestavia Hills City Schools’ Acceptable Use Policy, amended this past summer, states:
In accordance with established law, data stored on Vestavia Hills City School System equipment is property of Vestavia Schools and is not private: therefore, users are advised to avoid storing personal and/or private information on the district and/or schools’ technology resources.
Vestavia Hills City Schools cannot guarantee the privacy, security, or confidentiality of any information sent or received via the Internet.
Vestavia Hills City Schools’ Technology Staff monitors all technology resource utilization.
The school district may collect and examine any personal device at any time for the purpose of enforcing the terms of this policy, investigating student discipline issues, or for any other school-related purpose.
Dothan City Schools’ Technology Use Policy states:
To maintain network integrity and to insure that the network is being used responsibly, the DTS (Director of Technology Services) and/or other designated technology staff reserve the right to inspect any and all data, including data stored by individual users on individual school or personal devices. Users should be aware that activities may be monitored at any time, without notice.
Florence City Schools’ Internet Acceptable Use policy states:
What are the privileges and rights of a student or adult user?
All users have certain privileges and rights. Infringement of or disrespect toward the rights of others may result in the loss of Internet privileges. These rights include: 1. Privacy – All users have the right to privacy. However, if a user is believed to be in violation of the guidelines, a system administrator may review communications to maintain system integrity and to ensure that users are using the system responsibly. (page 70 of Student Parent Handbook)
HOWEVER, Policy 4.9.3 of the Florence Board of Education policy manual states:
Users of school system technology resources have no personal right of privacy or confidentiality with respect to the use or content of such resources.
Here’s a look at Mobile and Baldwin County School Districts’ monitoring of students’ use of education technology from al.com’s Sally Pearsall Ericson.
Resources for School Officials
Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices – February 2014, U.S. Department of Education Privacy Technical Assistance Center (PTAC)
Transparency Best Practices for Schools and Districts – July 2014, PTAC
6 Questions Districts Should Ask Companies to Protect Student Data – September 2014, Gretchen M. Shipley, EdSurge
Student Data Privacy and Security: A Roadmap for School Systems – 2014, iKeepSafe.org
Data in the Cloud: A Legal and Policy Guide for School Boards on Student Data Privacy in the Cloud Computing Era – April 2014, National School Board Association
Protecting Privacy in Connected Learning: Ten Steps Every District Should Take Today, excerpted from source below – May 2014
Making Sense of Student Data Privacy – May 2014, Bob Moore, RJM Strategies
Student Privacy Survey Results – January 2014, Common Sense Media
School Privacy Zone – February 2014, Common Sense Media (variety of resources to inform school officials, policymakers and parents)
Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services – February 2014, Software and Information Industry Association (aimed at education technology providers)
What Happened with State Student Data Privacy Legislation in 2014 – DataQuality Campaign. A look at all of the legislation that was introduced across the country in 2014 to address student data privacy concerns.