The arrival of new technologies in the field of education, from connected devices, student longitudinal data systems, and massive open online courses (MOOCs) present both opportunities and potential privacy risks for students and educators.  As part of my work at the Future of Privacy Forum, I have started surveying the issue of privacy in education, and early, anecdotal conversations suggest a pressing need for more education and awareness among all stakeholders.  With that in mind, I was pleased to see the Electronic Privacy Information Center (EPIC) host an informative discussion on education records and student privacy.

The focus of the discussion was on the growing “datafication” of student’s personal information.  Sen. Edward Markey (D-Mass), who has been active in the field of children’s privacy, opened the event with an introduction to the topic area.  In addition to discussing his Do Not Track Kids legislation, which would extend COPPA-type protections to 13, 14, and 15 year-olds, the Senator highlighted his new student privacy legislation.  The goals of the legislation were explained as follows:

1. Student data should never be available for commercial purposes (focus on advertising);
2. Parents should have access and rectification rights to data held by private companies, similar to what is afforded for records held by schools;
3. Safeguards should be put in place to ensure that there are real protections for student records held by third parties; and
4. Private companies must delete information that they no longer need. Student records should not be held permanently by companies, only by parents.

The panel itself featured Marc Rotenberg and Khaliah Barnes of EPIC; Kathleen Styles, Chief Privacy Officer at the Department of Education (DOE); Joel Reidenberg of Fordham Law School; Deborah Peel of Patient Privacy Rights; and Pablo Molina, Chief Information Officer at Southern Connecticut State University.

Ms. Styles opened the panel by discussing the DOE’s response to Sen. Markey’s inquiry from last October regarding DOE’s practices concerning education records. She also discussed recent changes to FERPA that allow “schools to share student data, without notifying parents, with companies to which they have outsourced core functions like scheduling or data management.”  DOE’s response is well worth reading for those interested in the issue of data sharing under FERPA.

Styles further iinsisted that any policies or potential regulatory efforts both would need involvement from parents and would require a role for industry.  She urged privacy advocates to take into account the needs of all 15,000 school districts nationwide.  She stated that DOE would be working to “increase awareness [of these issues] at the local level.”  One key “best practice” she identified was the need for local school districts to have a handle on the software they are using and that too many schools were racing through clickwrap agreements.

Joel Reidenberg, who recently released a study about school data practices in the cloud, emphasized that his research suggested schools are struggling to understand the technology and privacy issues at play.  For example, he stated that 20% of school districts are not well informed about the software they are using.  According to Reidenberg, the recent Target data breach serves as a cautionary tale for what will happen with all this student data. “There is no reason to think school databases will do any better than Target,” he concluded, arguing that schools have even less resources to protect this sensitive data that large retailers or the financial sector.

The panel also asserted that school districts possess little actual bargaining power or leverage over service providers and educational technology vendors.  Only 13% of hosting service provider contracts required the provider to delete student data at the end of a contract, and only 33% of contracts provided security protocols.  Reidenberg called for drawing “red lines” regarding purpose specifications for companies using student data, and encouraged the need to establish basic vetting and training problems within school districts.

Reidenberg also pushed back against a suggestion from Deborah Peel that parents needed to have “real choice” on the use of their children’s data.  He argued that enhanced choice would inevitably limit the educational benefits offered by these new technologies and services because parents do not always understand what is happening and may make quick decisions “based on misinformation” or other sensitivities. Speaking from her experiences in the realm of healthcare, Peel argued that patients are generally willing to share information “if asked” and that policymakers need to trust parent’s judgement when it comes to student data sharing.

Peel also emphasized that student data includes reams of information about sensitive behavioral, emotional, and social behavior. Noting that children are simply not mature, she questioned the value of any “seamless record” that combines student data into an adult record.  She highlighted the dangers of what she termed “longitudinal lifetime profiling,” which creates records that follow a student all the way into adulthood. She identified profiling of this sort as a much more challenging issue than the mere commercialization of student data. Based on her experiences in the health field, she proposed the following student data policies:

1. Students/parents have access and modification rights;

2. Students/parents be given free copies of their records;

3. Parents should be given real time knowledge of who’s accessing their children’s information and should have additional layers of choice, even when third-parties are acting on behalf of schools; and

4. School districts should have resources to hire professionals (CPO and/or CTO) to oversee education record handling and contracts with technology vendors.

Molina brought most of the event’s biggest laugh lines, suggesting at one point that “Big Data in education is the equivalent of using mechanized drones on mosquitoes.”  His remarks emphasized his experiences in higher education administration and the rich-information potential of MOOCs and other online learning experiences.  His top concern is that policymakers are ignoring the reality that learning happens over a lifetime and, thus, we must avoid stigmatizing the “twice MOOC dropouts” of the world.  He also suggested that the penalties provided by FERPA lack any real bite, and as a result, much more should be done to encourage companies and schools to implement better security measures.  He further encouraged the education industry as a whole to get active about self-regulatory efforts and to provide additional guidance to educators that go beyond mere terms of service explanations.

Khaliah Barnes recommended that parents be given a right of access to any decisional criteria used and applied to their children, similar to Jules Polonetsky and Omer Tene’s calls for “transparency of the algorithm.”  She pointed out that student classifications (e.g., a fifth grader at reader “X” level) are something that parents need to be given insight into.  She also argued that current “purpose specifications” for the collection of student data such as “educational research” are simply too broad.

According to Barnes, in order to guarantee appropriate treatment of education records, schools and school districts must:

1. Know what software is being used within the district and must read agreements with third-parties more carefully;
2. Know exactly what data is being collected; and
3. Expand transparency so that parents know exactly what is happening with their children’s data.

She also focused on the risk associated with school’s using freemium services and encouraged school contracts to require companies to inform a school upon any data breach.

EPIC’s Marc Rotenberg wondered often throughout the discussion whether it were possible to obtain all the benefits of new education technologies while successfully addressing the privacy risks.  I suppose that’s the big question.