Digital Policy Roundup

SIIA Weights in with White House on “Big Data and Privacy”

On Monday, SIIA submitted comments in response to the White House’s request for information on how the government can best protect citizens’ privacy in the age of “big data” analytics. SIIA’s overarching recommendation for policymakers is to proceed cautiously when considering new data policies, as these are likely to steer the future of data-driven innovation and the scope of what is possible for American innovation for decades to come. Policies that seek to curb the use of data could stifle this nascent technological and economic revolution before it can truly take hold. Additional inputs for the ongoing Obama Administration big data review process include full day workshops at UC Berkely on April 1st, and NYU on March 17th. The Administration is expected to release the outcome of the 90 day review on April 17th.

Student Data Privacy Legislative Update

Student data privacy bills are pending in a majority of state legislatures, though few have reached the finish line. Most notably, SB 167 was defeated in Georgia, a significantly modified version of NY S6007 was included in the NY State Budget signed into law yesterday, and discussions are ongoing regarding CA SB 1177. SIIA continues to emphasize the need to limit restrictions to “personally identifiable” information, the challenges to schools of parent opt-in/out policies, the important use of meta-data to drive product algorithms, and that one-size requirements on service providers will not work if they fail to address school primary governance in areas such as breach notification, data deletion, and access and correction. Meanwhile, U.S. Senator Markey (MA) indicates continued work toward introducing a bill to amend the Federal Family Educational Rights and Privacy Act (FERPA). SIIA members interested in student privacy should contact SIIA’s Mark Schneiderman.

New School Technology Funding Advances

State and federal initiatives are advancing around technology access, infrastructure and related educator supports. The 2014-2015 New York State Budget signed into law yesterday will authorize up to $2 billion from state bonds to fund school broadband infrastructure and student devices, pending voter approval, with funding distributed on a needs-base formula over the next few years to schools with a state approved technology plan. Equity in technology access was among the SIIA recommendations in testimony 18 months ago to Governor Cuomo’s education reform commission. At the federal level, the FCC issued a second NPRM for the E-rate, calling for comments on their proposed rules, including to prioritize new funding for internal connections including school Wi-Fi, eliminate or phase out voice support, and potentially provide funding eligibility to caching servers and network filtering software. Finally, President Obama’s 2015 Education Budget proposal includes $200-$500 million for a new ConnectEDucators program, which would provide competitive grants for teacher and principal professional development in the improvement of curriculum and instruction through technology.
[Read more...]

Innovative Policies, Developer Content and Data Tools are Key, According to Education Officials at SIIA Mobile Learning Forum

SIIA this week hosted a successful meeting with education policy makers to enhance dialogue with developers of moble learning and other educational technologies. Discussions helped SIIA members better understand how public policies, funding and regulations are impacting their K-20 education customers, and provided education and government officials with an better understanding of the industry’s role, questions and concerns. Among the clear conclusions from SIIA’s Education Government Forum on Mobile Learning: Educators and students are looking increasingly to deveopers and service providers for adaptive, mobile content as well as data analytics as the engines of instruction and the platform for student learning.

The conference agenda included:

  • Keynote presentations from Rich Crandall (Chief, Wyoming Department of Education), Robbie Melton (Tennessee Board of Regents) and Kathleen Styles (CPO, U.S. Department of Education);
  • Review of federal and state K-20 policy trends from both analysts and officials;
  • Discussions about the migration to mobile learning; and
  • Updates on pending regulations and funding shaping the market, includingthe E-rate, student privacy and Common Core State Standards and assessments.

Among the takeaways:

  • Leading educators are turning increasingly to mobile devices to personalize learning and meet student needs anytime/everywere — They are looking to developers for interoperable, adapative and aligned content and tools; and they are looking for flexible public policies to support that innovation including the E-rate.
  • Safeguarding student data privacy and data security are critical — A regulatory framework is now in place, and policy must not get too far ahead of the problem and unintentionally restrict data-driven learning.
  • Common Core State Standards and assessments are moving forward — Implementation is hard work, but educator and public support remains strong as does their need for aligned instructional resources, assssments and data-driven professional development.
  • Costs and quality remain primary concerns in higher education — Public policies are pushing toward an outcomes-based model built around transparency and flexibility, while entrenched interests and undefined competency metrics stand as barriers to reform.

 


Mark SchneidermanMark Schneiderman is Senior Director of Education Policy at SIIA.

Georgia Student Privacy Act Would be a Barrier to Student Learning

Senate Bill 167 is receiving much debate in Georgia, centered largely on its primary task of pulling the state back off  of the Common Core State Standards (CCSS). But also included in the controversial bill is a Part II, the so-called “Student Right to Privacy Act.” The Georgia House Education Committee met yesterday to consider SB167, and heard from more than 60 passionate educators, parents and business leaders. While the focus was on the CCSS provisions, SIIA (see 2:16:50 of the March 5 video) and a chorus of eduction (e.g., at 1:27:25), social welfare and business leaders spoke up against the privacy regulations. None cited a problem that needed fixing, while all raised concern with the unintended consequences of restrictive regulations that undermine necessary decision making by local administrators and school boards.

SIIA agrees with the need to safeguard student privacy and data security. A strong network of laws and business practices now does so. SIIA agrees with those concerned that Senate Bill 167 may inappropriately and unnecessarily inhibit core educational functions necessary to serve Georgia’s students.

Schools and service providers have policies and procedures in place to limit the use student personal information to legitimate educational purposes, and safeguard student privacy. For example, the federal Family Educational Rights and Privacy Act (FERPA) requires that: (1) personal student information shared with service providers be limited to uses otherwise performed by the school’s own employees; (2) the provider be under direct control of the school; and (3) the information can only be used for educational purposes. And FERPA and COPPA require parental consent if the service provider wants to use or disclose the information for its own commercial purposes. Responding to the calls for additional industry self-regulation, SIIA has released Industry Best Practices as another step to ensure safeguarding of student information.  This network of laws and practices is safeguarding student privacy and data security.

With regard to Senate Bill 167, the scope, scale, complexity and lack of clarity of the bill’s procedural and technical requirements are significant and challenging to address. The bill creates barriers and disincentives to local school systems to enhance their use of modern technologies and data systems for educational innovation and improvement, just at a time when the state is making continued investments in technology infrastructure and digital learning access.  The bill will have a chilling effect.

  1. While providers are working with schools to help them support the personalization of learning, the very broad restrictions on use of all student information for so-called commercial purposes may interfere with desired educational activities. SIIA does not defend the sale of personal student data, and such sale is already prohibited by federal law. But the bill would inhibit the use of student data to improve product efficacy, and to support recommendation engines and other analytics aimed at addressing the unique needs of each student.
  2. The bill is inconsistent in the types of student information regulated and includes narrow, one-size-fits all restrictions on the educational use and sharing of student information, whether personally identifiable or not, including duplicative requirements around testing and cloud computing. This will create barriers to use of information appropriate and necessary for educational purposes, including with subcontractors and school directed partners.
  3. Many breach notification requirements are inconsistent with standard best practices. For example, required notification of all ‘suspected’ breaches could create false-positive user fatigue, diminishing attention to actual breaches. The bill also excludes standard criteria around actual harm such as in the case of encrypted data or inadvertent exposure by educators. And, ironically, the bill would inappropriately require third parties to notify parents of a breach, thus giving them access to personal parental information to which they would/should not otherwise have access.
  4. The bill puts in place a series of escalating and potentially very large financial penalties for violations of sometimes vague requirements, not distinguishing based upon harm, negligence or intent. There appears no opportunity to first correct the violation, or for appeal. This all will provide a disincentive for outside parties to conduct business in Georgia.
  5. The prohibition on student biometric data will restrict appropriate and important educational activities, including for: (1) student identity verification for online learning or device security, and (2) embedded voice and visual diagnostics for language learning and reading comprehension. Some of these require personally identifiable information, while many do not. In all cases, broader practices and laws already ensure student privacy and data security.
  6. Lastly, while these concerns have focused on those directly impacting school service providers, SIIA notes that there are many burdensome requirements on local school systems and institutions.

In short, SIIA is concerned that SB167, while well-intentioned, is overly inclusive and restrictive. Transparency is critical, but one-size-fits-all requirements will detrimentally limit innovation, appropriate local school decisions, and appropriate educational services that benefit Georgia students. For service providers, there are significant risks and costs that may discourage doing business in Georgia.

While many of these issues are now best handled by existing federal law, state agency guidance, and local school boards, SIIA will continue to work with policy makers in Georgia and across the country on any identified needs to further ensure privacy protections for all Georgia students.

SIIA Commends U.S. DoED Guidance for Protecting Student Privacy

SIIA commended the U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) for today’s release of the guidance document, “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices.” The guidance includes information related to school implementation of the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA).

The guidance is consistent with the commitment of SIIA and its member companies to advance the effective use of technology in education and to safeguard student information privacy and ensure data security.  Together with SIIA’s just-released “Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services,” the guidance makes clear that all parties – technology providers, schools, students and the government – are working toward the same important goals.

The Department of Education guidance both affirms and reinforces the strong safeguards in current law. It provides an important roadmap that will help make certain educational institutions and service providers continue to appropriately handle student information.

The federal guidance is very consistent with SIIA’s recently-released Best Practices for school service providers. Together, these efforts will ensure that we continue to protect student data and that a strong relationship of trust is built between providers, schools and families.  Importantly, the efforts will help make certain our students continue to have access to leading-edge digital services critical to providing the world class education needed for success in the global economy.

SIIA’s “Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services” are available here.


Mark SchneidermanMark Schneiderman is Senior Director of Education Policy at SIIA. Follow the SIIA Education team on Twitter at @SIIAEducation.

SIIA Commends White House Review Group’s Commitment to Transparency and Oversight in Report on Surveillance and Security

Today, SIIA thanked the Review Group on Intelligence and Communications Technology for stating a commitment to transparency and oversight in its report on surveillance and security. The report details the Review Group’s recommended reforms to U.S. surveillance practices.

SIIA is pleased that the Presidential Review Group has provided very thoughtful recommendations to preserve U.S. national security interests, but with built-in privacy protections.  In joint comments to the Review Group in October, SIIA urged the Review Group to take a hard look at how the U.S. government deploys data collection tools.  We asked for recommendations that will promote innovation and economic growth by balancing privacy protections, adequate transparency measures and critical national security objectives.  SIIA is pleased that the Review Group’s report makes recommendations affirming the need to maintain strong encryption to protect data on the Internet, increased transparency and oversight of surveillance programs.

Importantly, recognizing that government surveillance is a global imperative to protect national security, the Review Group also recommends that the U.S. Government engage internationally to explore understandings and arrangements regarding intelligence collection guidelines and practices.  SIIA agrees that it is a critical priority for governments around the world to engage in global dialogue regarding policy reforms on surveillance.  We look forward to working with the Obama Administration as they consider the Review Group’s proposed reforms to U.S. surveillance practices, and towards the goal of promoting an effective dialogue among governments around the world.


Ken WaschKen Wasch is President of SIIA. Follow the SIIA Software team on twitter at @SIIASoftware.

Fordham CLIP Study of Student Data Privacy Does Not Account for Protections in Federal Regulations and Business Practices

A new report out of Fordham Law School on privacy and web services in public schools made a splash in education circles after its release late last week. The report by the Center on Law and Information Policy (CLIP), “Privacy and Cloud Computing in Public Schools,” raises questions about privacy protections for K12 student data based on review of contractual agreements between schools and web service providers.

However, student privacy protections are more dynamic than what is studied in the report. In fact, student data is governed by multilayered federal regulations, such as the Family Educational Rights and Privacy Act (FERPA), and by business best practices that work in conjunction with contractual agreements to protect student information.

A recent Education Week blog post quoted several points made in SIIA’s statement on the study:

“…the study fell short because it focused too much on the language within contracts between vendors and districts, rather than on the actual practices of companies, and the expectation that they will behave responsibly.

Federal law restricts the transfer of student information, and private companies do not want to stray from the legal limits, the industry organization said.”

A related Slate story quoted SIIA’s point that:

“School service providers know that if they do not protect student information entrusted to them, they will lose their customers and face legal repercussions.”

There is opportunity for continued review as technologies evolve to better meet student and school needs. While school districts should continue to review their relationships and agreements with third parties, as indicated in a Slate article Monday,  fears are unsubstantiated.

As reported in Education Week, Data Quality Campaign’s executive director Aimee Rogstad Guidera issued a statement that, “The gaps identified in the report are not the result of incompetence or deliberate malfeasance by school leaders . . . but rather they reflect the challenge of implementing new policies and safeguards in a rapidly changing world with limited resources and many challenges to improving student achievement.”

For example, SIIA’s recently released FAQ responded to the question of whether school service providers can commercialize personal student information by selling it for a profit, such as to insurance companies. The Answer: No. Service providers help manage student data as directed by the school, and under strict federal law. School service providers are operating under contracts and other agreements, along with federal regulations under FERPA, that dictate what data is collected, how it is used and with whom it is shared.

In a New York Times article on the report, U.S. Department of Education chief privacy officer Kathleen Styles said:

“Although the agency had no evidence of such abuses, she said, it is developing best practices for schools to use in ‘contracting out for web services and for transparency with parents.”

Read SIIA’s responses to FAQs on Student Information Privacy and Security in Schools to detangle these fears from fact.


Mark SchneidermanMark Schneiderman is Senior Director of Education Policy at SIIA.

Frequently Asked Questions about Student Data Privacy

The enhanced use of technology and data to serve students, teachers and schools has raised many important questions about student data privacy and security. While eduational practices and technologies continue to evolve, there is a strong network of policies and business practices that answer these questions.

Schools have long employed technology and data to carry out many important functions. Educator interest in effectively using data is strong. Schools have long worked effectively with school service providers to use student information to deliver technologies and services that are critical to student learning and to meeting a school’s enterprise management needs. In their use of student information, school sevice providers act exclusively for the schools or other educational authorities for whom they work.

As student personal information is used to improve learning, schools and service providers have a shared responsibility to protect the privacy and security of student information. One way they do this is by limiting the collection and uses of student personal information to legitimate educational purposes. They have policies and procedures in place to prevent unauthorized use. Importantly, this commitment is enforced by strong existing federal law.  Student information may not be transferred to outside school service providers except under strict U.S. Department of Education regulations.  These regulations, under the Family Educational Rights and Privacy Act (FERPA), mandate that the use of this data by a provider is essential, entirely under the control of the school, and that it won’t be abused in any way.

The enforcement of this law has generated a culture of business practices that respects student privacy beyond basic compliance. School service providers know that if they do not protect student information entrusted to them, they will lose their customers and face legal repercussions.

The Family Educational Rights and Privacy Act (FERPA) requires that a school service provider:

  1. Must be performing a function for which the school would otherwise use its own employees;
  2. Must be under the direct control of the school with respect to the use and maintenance of educational records; and
  3. Is subject to strict rules governing the use and redisclosure of student information.

If a service provider wants to do anything with student information outside these rules, it must obtain the affirmative written consent of the student or parent.

SIIA released answers to a set of frequently asked questions (FAQs) that describes how these regulations and business practices act as a national network of rules that protect student privacy.


Mark SchneidermanMark Schneiderman is Senior Director of Education Policy at SIIA.