(This is a cross-post from the Microsoft On The Issues blog.)
How would you react if you learned that an outside agency came to your child’s school and, without your knowledge or consent, collected confidential data about your child and then used the data they gathered to make money for themselves? Would you be upset? As a parent, I believe the answer is resoundingly “yes.”
In our view, this is unacceptable. We don’t let advertising and marketing representatives come into schools to watch, listen and take away data on student interactions in the classroom so they can market to children, and we shouldn’t let that happen in the virtual world either. Cloud Services providers selling to schools and colleges should be transparent about how they use the data they collect, and get clear consent for the data they collect and use.
Student data and student privacy should not be for sale. Period.
When I speak with parents, students and educators about privacy issues in the classroom, there is broad consensus that their students need to be protected in their physical and virtual learning environments. For parents and educators that went to school before the modern Web, this goes without question.
However, as schools modernize their services for students and teachers with many of the great benefits that technology can bring to the classroom, privacy becomes a critical issue. Unwittingly, schools may risk exposing student data when working with cloud service providers that collect and use personal data in their commercial interests.
Today, there is growing concern that student data are being used for commercial purposes by some cloud service providers. One of the key challenges that concerned parents and school administrators face is a stunning lack of transparency by some technology providers regarding what student data they collect, how they use it and who they share it with.
Some vendors would like to foreclose this discussion though, claiming they do enough to protect student privacy by agreeing to not serve advertisements to students using their services. But as one higher education general counsel clearly articulated, whether a vendor serves ads to an individual student is a completely separate discussion from whether they scan student data for a range of commercial purposes.
In order for there to be informed debate, cloud service providers should be transparent in how they use student data and they should obtain clear parental consent for the collection, use and sharing of that information. At Microsoft, we understand that, along with the opportunity that cloud computing provides, we also have responsibilities to students, parents and the education community to safeguard their information.
Microsoft has made a number of important business and engineering decisions that reflect our commitment that Office 365 will enable privacy by design for our education customers. We do not scan customer email or documents for building analytics, data mining or advertising because we respect their privacy, and understand applicable regulatory requirements and cultural norms related to student privacy. We have pledged to use student data only for the purposes of providing a particular cloud service to students and not for advertising or other commercial purposes. If you are talking with a vendor who won’t make such a pledge, you should ask them, “Exactly what will you be doing with our institution and student data then?”
We are not alone in believing this student privacy is an important issue that needs to be addressed.
Two years ago, the US Department of Education, in its role as the steward of the Family Educational Rights and Privacy Act (FERPA), launched initiatives to safeguard student privacy. The initiatives included the appointment of the Department’s first ever Chief Privacy Officer and the creation of the Department’s Privacy and Technical Assistance Center (PTAC) and, in announcing these initiatives, the Secretary of Education noted “Data should only be shared with the right people for the right reasons.” The Department’s subsequent efforts included a whitepaper on cloud computing in schools, highlighting some of the key privacy requirements imposed by FERPA, including restrictions on use and sharing by cloud vendors of information contained in student education records.
And more recently, the Oregon legislature recently introduced a bill that would require the state Department of Education to appoint a Chief Privacy Officer, to provide parents with more information relating to what data is collected from students and give parents an opportunity to decline to provide certain information or restrict with whom that information is shared. In Arizona, a bill was also recently introduced to create state law remedies for violations of student privacy rights under FERPA.
These efforts show the important debate that is happening and the efforts of policy makers and communities to address these issues. Schools clearly need better guidance and more information to share with parents so they can make informed decisions. Cloud services providers can make a significant contribution to the debate by being clear and transparent today about the data they collect and how they use it.
Schools must ensure that they place appropriate limits on data collection and use best practices for cloud service providers. Protecting the privacy of our students is common sense and shouldn’t be sold to the highest bidder. Student privacy should not be for sale. Period.