Microsoft in Education Blog
Over the past few months, more and more people are talking about student privacy issues linked to the new technologies deployed in schools. There is a vibrant debate in progress around student privacy, and as a leading technology provider, it’s our welcome responsibility to participate.
Before we dive in, we must first clarify what we mean by the term “student data.” Only then can we shed some light on pertinent topics such as: Who owns this data? Who should be able to use it? And in what ways are service providers permitted to use that data?
Defining Student Data
At its root, the definition of student data encompasses things we would expect to find in a student “file,” such as biographical and performance information. But beyond that, with numerous technologies at play, there is an increasing amount of information being generated by students, faculty and staff, expanding the meaning of “student data” in ways that we should also consider.
Student Data 101
Many discussions about student privacy and student data immediately reference the Family Educational and Privacy Rights Act (FERPA). FERPA is a federal law that protects the privacy of certain information, specifically, Personally Identifiable Information (PII) in so-called “education records.” Discussions in the K-6 setting also frequently reference the Children’s Online Privacy Protection Act (COPPA), which applies to online services which collect or use “personal information” of children under age 13. I mention COPPA only in passing here, since I’ll discuss it in more detail in an upcoming blog, highlighting the Federal Trade Commission’s (FTC) recent release of several new FAQs aimed at explaining the application of COPPA in schools.
The question of whether a specific piece of student data is considered “PII” from an “education record” protected by FERPA short-circuits some critical discussion about what technologies are in use in schools and what information they collect, or are capable of collecting. It also potentially sidelines an important discussion about whether we care about large amounts of aggregated information that might not be “personally identifiable” under FERPA, but can still generate student privacy concerns. As two notable privacy researchers have highlighted, companies can use sophisticated data analytics tools to “anonymously” data mine customer documents or emails and then use the resulting information for a range of purposes, including building advertising profiles.
More importantly, the Department of Education, which oversees FERPA, has repeatedly cautioned that educational institutions should view FERPA as a floor and not a ceiling for protecting student privacy. In the words of the Department’s Chief Privacy Officer, Kathleen Styles, “Achieving compliance with FERPA is not the end of the story.”
Expanding Student Data
A better understanding of the technologies on school campuses helps identify the new categories of “student data” generated or stored by those technologies. For example, as schools move to cloud-based email, productivity apps and storage, the resulting files and emails are stored in and passed through remotely located servers owned and operated by the service provider. Some, if not all, of that should be considered “student data,” whether it be term papers that are created and stored on the cloud service or comments from an instructor on performance in class sent via email.
There are many exciting new learning platform technologies, including online courses, that may collect other categories of information about students. For example, an online course may collect data about the pace at which a student reads sections of an assignment, how long a student takes to answer specific questions or even biometric information about the student to ensure he or she is the one actually taking the exam.
While this isn’t an exhaustive catalog of what we mean when we refer to “student data,” it is a helpful starting point for schools to use as they ask questions of existing or potential new service providers. It is also a critical foundation to the discussion that follows: who owns or has rights to use these wide-ranging types of “student data”?
Ownership and Use of Student Data
We would like to think the question of ownership of “student data” is clear: Students should own their data. In the context of cloud services, Styles has recently offered some clear guidance: “The provider never ‘owns’ the data, and can only act at the direction of the school or district.”
While ownership of “student data” may be clear, the answer to the question of how third parties who have access to that data can use it is less so. Styles suggests that in addition to a service provider being able to access and use FERPA protected information to operate a specific cloud service, it would be permissible for the school to allow the service provider to “use FERPA-protected information to improve the products the school or district was using.” That is helpful guidance and confirmation of the practices that many service providers and schools have been operating under.
But there is one category of use that service providers and schools alike should note: uses of FERPA-protected information for “a product never intended for use by the school or district.” These uses are beyond what FERPA permits. While that language may not be exhaustive in terms of describing the types of uses which are not permitted, it does seem to point to a range of collateral uses, including a range of data analytics uses related to marketing and advertising. That conclusion is consistent with comments made by several other experts who have explored how FERPA applies to cloud computing services.
That comment raises important questions for schools as they explore the market for cloud services, requiring them to get clarity with respect to a service provider’s plans, if any, to make such collateral use of the school’s data. Student privacy is too important to overlook as school leaders have these necessary discussions with their cloud providers to fully understand the extent of vendor data use practices.
I think you are making some contradictory arguments here. First you say "Students should own their data" but then you seem to approve of the practice of schools and districts providing student data to vendors without their consent or that of their parents, as is happening with the risky inBloom project. Which is it?