SIIA Releases Student Privacy Policy Guidelines & Recommendations During Testimony before the CA State Assembly

The safeguarding of student privacy and data security remains on the agenda for many state (and federal) policymakers. SIIA took the opportunity of its invited testimony before the California state legislature to release its new “Policy Guidelines for Building a Student Privacy Trust Framework.”

The SIIA guidelines outline principles and considerations to ensure policies are appropriately targeted to enhance student confidentiality while limiting unintended or unnecessary barriers to school operations or digital learning opportunities. SIIA shared many of these before the California State Assembly hearing  (see video starting at 33 minutes) on “Ensuring Student Privacy in the Digital Age,” hosted jointly by the Education and Select Privacy Committees.

Today, new technologies like cloud computing are enhancing school capacity, providing: adaptive and personalized learning, anytime, anywhere data access, enhanced data management functionality, powerful data analytics, and improved security. These tools and techniques allow educators to manage more data in more cost effective and sophisticated ways to inform instruction and enhance school productivity.

While a framework of laws and practices has been highly effective in safeguarding student confidentiality, we recognize the need to continually review policies and improve practices to enhance the trust framework between parents, schools and service providers.

We are pleased that stakeholders are doing just that in response to recent questions and concerns:

SIIA is working to inform legislators across the country as they develop and debate new regulation, but we are concerned some of the policy solutions may be ahead of and over-correct the actualized problems. It is important that new legislative requirements provide sufficient local flexibility, are not overly restrictive or impractical so as to discourage and stifle innovation, and are consistent with existing federal protections to avoid regulatory conflicts and stakeholder confusion.

We touched on several of our newly released policy guidelines at the California hearing:

First, new policies should limit the scope to student personally identifiable information as defined under federal law.

Second, new policies should focus on the need to educate, equip, and empower schools and educators to make informed decisions that safeguard student data and serve student learning. This can be accomplished through transparency by schools and service providers, by instituting local and state governance around data use policies, and by building capacity through investment in professional development, data security technology tools, and student digital literacy. These are important alternatives, or at least complements, to policy prohibitions that may not account for unique local and evolving circumstances.

Third, new policies should provide schools and agencies with the flexibility around the use of student information to meet their goals as determined locally within the existing framework of federal protections. SIIA agrees student personal information should not be used for non-educational purposes such as selling data to insurance companies or targeting insurance advertising. SIIA agrees it should be used only for the educational purposes for which it was entrusted. The challenge is translating these principles into statute in a manner future-proofed for the wave of digital learning transformation at home and at school. Use policies should distinguish between inappropriate commercial use of personal data for non-educational purposes and the appropriate actions of a for-profit (or non-profit) school service provider to use that information for educational uses authorized by its customers and federal law, for educational product evaluation, improvement, and development and to drive adaptive and customized learning at school and home.

Fourth, while SIIA agrees with the general practice to delete data when no longer needed for the purpose for which it was collected is the appropriate general practice, policies must differentiate around data type, use and control. For example, deletion decisions are most often under the direct control of the school (not the service provider), while new models provide for parent-consented and owned personal student accounts (and their data, apps and student-created resources). Further, absolute destruction is not appropriate where aggregated, de-identified and other anonymous data is often needed for ongoing educational purposes such as to power software algorithms or where personal information is needed for accountability systems or future transcript services.

Fifth, new policies governing local contract requirements must allow for flexibility between local schools and their service providers. Any state requirements should provide a template identifying what issues should be addressed rather than prescribing the specific terms for how.

SIIA agrees with the need to safeguard student data privacy and security. Further policy protections must be carefully crafted so that privacy protection floors do not inadvertently and unnecessarily lead to educational ceilings. SIIA instead encourages new policies to be focused on transparency, governance and capacity to empower parents and school officials to make sound and safe use of student information that advance student learning.


Mark SchneidermanMark Schneiderman is Senior Director of Education Policy at SIIA.

SIIA Agrees with Obama Administration’s Call for “Responsible Educational Innovation in the Digital Age”

The Obama Administration today released a report on “Big Data: Seizing Opportunities, Preserving Values.” SIIA welcomed the report’s assessment that big data provides substantial public benefits and will provide more benefits in the future.

The report highlights a number of big data opportunities, including in education:

“Beyond personalizing education, the availability of new types of data profoundly improves researchers’ ability to learn about learning. Data from a student’s experience . . . can be precisely tracked, opening the door to understanding how students move through a learning trajectory with greater fidelity, and at greater scale, than traditional education research is able to achieve. This includes gaining insight into student access of learning activities, measuring optimal practice periods for meeting different learning objectives, creating pathways through material for different learning approaches, and using that in-formation to help students who are struggling in similar ways.”

SIIA agrees with the Obama Administration and others who have found that big data improves education around the world.

SIIA also agrees with the Administration’s report that: “The big data revolution in education also raises serious questions about how best to protect student privacy as technology reaches further into the classroom.” Schools and service providers have a shared responsibility to protect the privacy and security of student information. The effective use of student information to improve learning will require a continued trust framework between all stakeholders – e.g., parents and schools; schools and service providers; and service providers and parents – to safeguard student data privacy and security. One way schools and service providers now achieve this trust is through policies and procedures that limit the collection and uses of student personal information to legitimate educational purposes.

As the Administration report outlines: “The Family Educational Rights and Privacy Act and Children’s Online Privacy Protection Act provide a federal regulatory framework to protect the privacy of students . . .” SIIA also recognizes the caveat that follows “. . . —but FERPA was written before the Internet, and COPPA was written before smartphones, tablets, apps, the cloud, and big data.”

To that end, SIIA believes that the obligation to safeguard student data privacy and security means that continued review and enhancements are needed in the framework of our policies, practices and technologies. Specifically, SIIA supports the Administration’s recommendation that:

“The federal government should ensure that data collected in schools is used for educational purposes and continue to support investment and innovation that raises the level of performance across our schools. To promote this innovation, it should explore how to modernize the privacy regulatory framework under the Family Educational Rights and Privacy Act and Children’s Online Privacy Protection Act and Children’s Online Privacy Protection Act to ensure two complementary goals: 1) protecting students against their data being shared or used inappropriately, especially when that data is gathered in an educational context, and 2) ensuring that innovation in educational technology, including new approaches and business models, have ample opportunity to flourish.”

As policymakers work with educators, parents and developers to examine evolving needs, it is critical that any new policies intended to create a privacy and security floor do not unintentionally create a digital learning ceiling. As the Administration notes: “Students and their families need robust protection against current and emerging harms, but they also deserve access to the learning advancements enabled by technology that promise to empower all students to reach their full potential.”

Modernizing the privacy regulatory framework need not involve new legislation. The federal government has taken important recent steps in modernizing by updating COPPA and FERPA guidance. Responding to the calls for additional industry self-regulation, our organization has released “Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services.”

Finally, SIIA also agrees that our pathway forward involves not only regulatory protections, but as importantly digital literacy to empower students and families to understand how data can be used and shared to serve them and society, and also what tools and techniques they can use to ensure appropriate use of their personally sensitive data. As the report notes, “Digital literacy—understanding how personal data is collected, shared, and used—should be recognized as an essential skill in K-12 education and be integrated into the standard curriculum.”


Mark SchneidermanMark Schneiderman is Senior Director of Education Policy at SIIA.

SIIA Supports FY15 Funding for ConnectEDucators

Our K-12 education system continues its embrace of technology and digital learning to improve school operations and student learning. According to SIIA’s Vision K-20 educator survey, 81% of responding K-12 educators report technology integration as highly important to them. While educator support is strong, teacher knowledge and skills continue to slow progress. The same SIIA survey found that only 20% say their institution currently has a high level of technology integration. To that end, SIIA supports President Obama’s 2015 budget proposal for ConnectEDucators, which would provide $200-$500 million in funding “to help educators leverage technology and data to provide high-quality college- and career-ready instruction that meets the needs of all students.”

Support for teachers, principals and other educators is critical to the effective use of technology in education, which in turn is necessary to ensure student success in the digital age and global economy. Educators need support not only in how to use the technology, but as importantly, in how to redesign their curriculum and instruction to a more engaging, student-centered model. This means using data systems to better understand the performance and needs of each student on a regular basis, and using the Internet, creativity and communication tools, and digital learning repositories to mix and match resources that best meet each student’s unique needs.

The budget proposal is one element of President Obama’s ConnectEd initiative announced last year, which centers around ensuring student highspeed broadband connectivity. The proposed ConnectEDucators program, would provide: (1) formula-based State Leadership Grants to help enhance state and local capacity to support the transition to digital learning; and (2) competitive, 3-year grants to school districts to support the implementation of comprehensive plans to ensure that educators have the skills and supports needed to dramatically improve student access to high-quality instruction through technology and digital learning.  Among the envisioned uses of funds are support for educators to: deliver high-quality digital learning resources and content, use a wide range of devices and digital tools, use real-time data to personalize learning, use technology to increase engagement with families and other teachers, and access online professional learning.

SIIA calls on the U.S. Congress to respond to the needs of our teachers and students and appropriate at least $200 million in FY15 funding for the ConnectEDucators program.


Mark SchneidermanMark Schneiderman is Senior Director of Education Policy at SIIA.

 

Innovative Policies, Developer Content and Data Tools are Key, According to Education Officials at SIIA Mobile Learning Forum

SIIA this week hosted a successful meeting with education policy makers to enhance dialogue with developers of moble learning and other educational technologies. Discussions helped SIIA members better understand how public policies, funding and regulations are impacting their K-20 education customers, and provided education and government officials with an better understanding of the industry’s role, questions and concerns. Among the clear conclusions from SIIA’s Education Government Forum on Mobile Learning: Educators and students are looking increasingly to deveopers and service providers for adaptive, mobile content as well as data analytics as the engines of instruction and the platform for student learning.

The conference agenda included:

  • Keynote presentations from Rich Crandall (Chief, Wyoming Department of Education), Robbie Melton (Tennessee Board of Regents) and Kathleen Styles (CPO, U.S. Department of Education);
  • Review of federal and state K-20 policy trends from both analysts and officials;
  • Discussions about the migration to mobile learning; and
  • Updates on pending regulations and funding shaping the market, includingthe E-rate, student privacy and Common Core State Standards and assessments.

Among the takeaways:

  • Leading educators are turning increasingly to mobile devices to personalize learning and meet student needs anytime/everywere — They are looking to developers for interoperable, adapative and aligned content and tools; and they are looking for flexible public policies to support that innovation including the E-rate.
  • Safeguarding student data privacy and data security are critical — A regulatory framework is now in place, and policy must not get too far ahead of the problem and unintentionally restrict data-driven learning.
  • Common Core State Standards and assessments are moving forward — Implementation is hard work, but educator and public support remains strong as does their need for aligned instructional resources, assssments and data-driven professional development.
  • Costs and quality remain primary concerns in higher education — Public policies are pushing toward an outcomes-based model built around transparency and flexibility, while entrenched interests and undefined competency metrics stand as barriers to reform.

 


Mark SchneidermanMark Schneiderman is Senior Director of Education Policy at SIIA.

Georgia Student Privacy Act Would be a Barrier to Student Learning

Senate Bill 167 is receiving much debate in Georgia, centered largely on its primary task of pulling the state back off  of the Common Core State Standards (CCSS). But also included in the controversial bill is a Part II, the so-called “Student Right to Privacy Act.” The Georgia House Education Committee met yesterday to consider SB167, and heard from more than 60 passionate educators, parents and business leaders. While the focus was on the CCSS provisions, SIIA (see 2:16:50 of the March 5 video) and a chorus of eduction (e.g., at 1:27:25), social welfare and business leaders spoke up against the privacy regulations. None cited a problem that needed fixing, while all raised concern with the unintended consequences of restrictive regulations that undermine necessary decision making by local administrators and school boards.

SIIA agrees with the need to safeguard student privacy and data security. A strong network of laws and business practices now does so. SIIA agrees with those concerned that Senate Bill 167 may inappropriately and unnecessarily inhibit core educational functions necessary to serve Georgia’s students.

Schools and service providers have policies and procedures in place to limit the use student personal information to legitimate educational purposes, and safeguard student privacy. For example, the federal Family Educational Rights and Privacy Act (FERPA) requires that: (1) personal student information shared with service providers be limited to uses otherwise performed by the school’s own employees; (2) the provider be under direct control of the school; and (3) the information can only be used for educational purposes. And FERPA and COPPA require parental consent if the service provider wants to use or disclose the information for its own commercial purposes. Responding to the calls for additional industry self-regulation, SIIA has released Industry Best Practices as another step to ensure safeguarding of student information.  This network of laws and practices is safeguarding student privacy and data security.

With regard to Senate Bill 167, the scope, scale, complexity and lack of clarity of the bill’s procedural and technical requirements are significant and challenging to address. The bill creates barriers and disincentives to local school systems to enhance their use of modern technologies and data systems for educational innovation and improvement, just at a time when the state is making continued investments in technology infrastructure and digital learning access.  The bill will have a chilling effect.

  1. While providers are working with schools to help them support the personalization of learning, the very broad restrictions on use of all student information for so-called commercial purposes may interfere with desired educational activities. SIIA does not defend the sale of personal student data, and such sale is already prohibited by federal law. But the bill would inhibit the use of student data to improve product efficacy, and to support recommendation engines and other analytics aimed at addressing the unique needs of each student.
  2. The bill is inconsistent in the types of student information regulated and includes narrow, one-size-fits all restrictions on the educational use and sharing of student information, whether personally identifiable or not, including duplicative requirements around testing and cloud computing. This will create barriers to use of information appropriate and necessary for educational purposes, including with subcontractors and school directed partners.
  3. Many breach notification requirements are inconsistent with standard best practices. For example, required notification of all ‘suspected’ breaches could create false-positive user fatigue, diminishing attention to actual breaches. The bill also excludes standard criteria around actual harm such as in the case of encrypted data or inadvertent exposure by educators. And, ironically, the bill would inappropriately require third parties to notify parents of a breach, thus giving them access to personal parental information to which they would/should not otherwise have access.
  4. The bill puts in place a series of escalating and potentially very large financial penalties for violations of sometimes vague requirements, not distinguishing based upon harm, negligence or intent. There appears no opportunity to first correct the violation, or for appeal. This all will provide a disincentive for outside parties to conduct business in Georgia.
  5. The prohibition on student biometric data will restrict appropriate and important educational activities, including for: (1) student identity verification for online learning or device security, and (2) embedded voice and visual diagnostics for language learning and reading comprehension. Some of these require personally identifiable information, while many do not. In all cases, broader practices and laws already ensure student privacy and data security.
  6. Lastly, while these concerns have focused on those directly impacting school service providers, SIIA notes that there are many burdensome requirements on local school systems and institutions.

In short, SIIA is concerned that SB167, while well-intentioned, is overly inclusive and restrictive. Transparency is critical, but one-size-fits-all requirements will detrimentally limit innovation, appropriate local school decisions, and appropriate educational services that benefit Georgia students. For service providers, there are significant risks and costs that may discourage doing business in Georgia.

While many of these issues are now best handled by existing federal law, state agency guidance, and local school boards, SIIA will continue to work with policy makers in Georgia and across the country on any identified needs to further ensure privacy protections for all Georgia students.

Fordham CLIP Study of Student Data Privacy Does Not Account for Protections in Federal Regulations and Business Practices

A new report out of Fordham Law School on privacy and web services in public schools made a splash in education circles after its release late last week. The report by the Center on Law and Information Policy (CLIP), “Privacy and Cloud Computing in Public Schools,” raises questions about privacy protections for K12 student data based on review of contractual agreements between schools and web service providers.

However, student privacy protections are more dynamic than what is studied in the report. In fact, student data is governed by multilayered federal regulations, such as the Family Educational Rights and Privacy Act (FERPA), and by business best practices that work in conjunction with contractual agreements to protect student information.

A recent Education Week blog post quoted several points made in SIIA’s statement on the study:

“…the study fell short because it focused too much on the language within contracts between vendors and districts, rather than on the actual practices of companies, and the expectation that they will behave responsibly.

Federal law restricts the transfer of student information, and private companies do not want to stray from the legal limits, the industry organization said.”

A related Slate story quoted SIIA’s point that:

“School service providers know that if they do not protect student information entrusted to them, they will lose their customers and face legal repercussions.”

There is opportunity for continued review as technologies evolve to better meet student and school needs. While school districts should continue to review their relationships and agreements with third parties, as indicated in a Slate article Monday,  fears are unsubstantiated.

As reported in Education Week, Data Quality Campaign’s executive director Aimee Rogstad Guidera issued a statement that, “The gaps identified in the report are not the result of incompetence or deliberate malfeasance by school leaders . . . but rather they reflect the challenge of implementing new policies and safeguards in a rapidly changing world with limited resources and many challenges to improving student achievement.”

For example, SIIA’s recently released FAQ responded to the question of whether school service providers can commercialize personal student information by selling it for a profit, such as to insurance companies. The Answer: No. Service providers help manage student data as directed by the school, and under strict federal law. School service providers are operating under contracts and other agreements, along with federal regulations under FERPA, that dictate what data is collected, how it is used and with whom it is shared.

In a New York Times article on the report, U.S. Department of Education chief privacy officer Kathleen Styles said:

“Although the agency had no evidence of such abuses, she said, it is developing best practices for schools to use in ‘contracting out for web services and for transparency with parents.”

Read SIIA’s responses to FAQs on Student Information Privacy and Security in Schools to detangle these fears from fact.


Mark SchneidermanMark Schneiderman is Senior Director of Education Policy at SIIA.

Frequently Asked Questions about Student Data Privacy

The enhanced use of technology and data to serve students, teachers and schools has raised many important questions about student data privacy and security. While eduational practices and technologies continue to evolve, there is a strong network of policies and business practices that answer these questions.

Schools have long employed technology and data to carry out many important functions. Educator interest in effectively using data is strong. Schools have long worked effectively with school service providers to use student information to deliver technologies and services that are critical to student learning and to meeting a school’s enterprise management needs. In their use of student information, school sevice providers act exclusively for the schools or other educational authorities for whom they work.

As student personal information is used to improve learning, schools and service providers have a shared responsibility to protect the privacy and security of student information. One way they do this is by limiting the collection and uses of student personal information to legitimate educational purposes. They have policies and procedures in place to prevent unauthorized use. Importantly, this commitment is enforced by strong existing federal law.  Student information may not be transferred to outside school service providers except under strict U.S. Department of Education regulations.  These regulations, under the Family Educational Rights and Privacy Act (FERPA), mandate that the use of this data by a provider is essential, entirely under the control of the school, and that it won’t be abused in any way.

The enforcement of this law has generated a culture of business practices that respects student privacy beyond basic compliance. School service providers know that if they do not protect student information entrusted to them, they will lose their customers and face legal repercussions.

The Family Educational Rights and Privacy Act (FERPA) requires that a school service provider:

  1. Must be performing a function for which the school would otherwise use its own employees;
  2. Must be under the direct control of the school with respect to the use and maintenance of educational records; and
  3. Is subject to strict rules governing the use and redisclosure of student information.

If a service provider wants to do anything with student information outside these rules, it must obtain the affirmative written consent of the student or parent.

SIIA released answers to a set of frequently asked questions (FAQs) that describes how these regulations and business practices act as a national network of rules that protect student privacy.


Mark SchneidermanMark Schneiderman is Senior Director of Education Policy at SIIA.

Curated By Logo