Student privacy is an extremely delicate topic, important to parents, teachers, administrators, researchers, and students themselves. When we explored the history of student privacy legislation last week, we found a great deal of tension between the legal definition of student privacy and public perceptions of what privacy should be.
Th attempts to resolve some of those tensions and establish guidance for what student privacy should be, but does it clearly define privacy for all stakeholders involved? To examine this question further, we must start by examining how the Pledge defines privacy.
If we approach the definition of student privacy by strictly interpreting the Student Privacy Pledge, it’s information focused, driven by the collection, retention, usage and sharing of student personal information.
However, privacy can often have a shifting meaning depending on the people the term applies to. When students are in first, second or third grade, their privacy concerns fall with their parents or guardians. Many of those caregivers want their child’s personal information protected. As that same student ages, the privacy concerns pertaining to him or her change, and become shared by both the caregivers and the student. A high school teenager may view privacy differently, for example, not thinking as much of the long term implications of personal data usage, and instead being concerned with matters such as the school seeing their browsing history or limiting their access to websites and programs.
Privacy should extend beyond protecting student information; it should also include protecting students from situations where personal information could be asked of them or even unknowingly taken from them.
Identity Automation supports the Student Privacy Pledge, but we also think technology and access has broadened what student privacy means. It’s not just about student personal information and data. Data privacy isn’t only protecting records; it’s also limiting the accidental release of information by students who may not yet be of an age to discern if they should be providing information to a site or provider.
This broader perspective carries greater implications for both education software providers and school IT administrators.
Implications for IT Vendors
The Student Privacy Pledge has broad implications, reaching well beyond its supporters with the following commitment:
“We commit to require that our vendors with whom student personal information is shared in order to deliver the educational service, if any, are obligated to implement these same commitments for the given student personal information.”
Based on that language, technically it’s simply not good enough for an education software vendor to support the pledge. Any vendor they work with who comes in contact with student personal information must also agree to the pledge. While that’s great wishful thinking, it’s very difficult to adhere to in actual practice.
Using a fictional educational software vendor that we’ll call ClassroomTech, let’s evaluate the vendor commitment. ClassroomTech is a math and english program intended for K-12 students. It tracks individual student achievement using a profile it owns on each respective student. There are hundreds of schools across the country using it.
All ClassroomTech information is housed using cloud storage. Looking at the signatory list again, with the exception of two companies, which we’ll address shortly, I don’t see any cloud storage providers included. Remember, all of the student’s personal data is shared with that cloud vendor, so the vendor must agree to the Pledge according to its commitments. If that cloud vendor does not, then ClassroomTech is technically not upholding its agreement.
Going a step further, the IT vendors that ClassroomTech’s cloud vendor uses must also agree to the Pledge. I see very few IT vendors on that list - and none of the large, common server, networking, storage or security companies whose solutions are used to build cloud infrastructures.
I mentioned two exceptions to my comment earlier about the lack of cloud storage vendors included on the list. Those exceptions are Google and Microsoft. To give credit where credit’s due, they both may be upholding the Pledge because they’re known for building homegrown solutions not using other company’s technologies.
Getting back to our mythical ClassroomTech company, it’s obvious that they, and all other education software vendors, have a significant burden on them to ensure they’re meeting their commitment to the Student Privacy Pledge.
But is that burden too high? Is too much of a burden placed on IT vendors, while other parties who should be involved in student privacy are overlooked?
Implications for Schools
Interestingly, only IT vendors support the Pledge. Why are there no school or school district signatories?
It seems just as important for a school to take the Pledge as it is for vendors - if not more important. Ultimately, all risk associated with student privacy falls on the shoulders of a school district’s IT administrator. Is it just assumed that those IT administrators are being diligent about student privacy? It would be nice if that assumption could be made, but it doesn’t seem realistic. IT administrators have a lot on their plate, and while they all do their best, all are not experts on student privacy, its implications and its enforcement.
While the Student Privacy Pledge nicely provides some protections for school IT staff, it’s not a total safeguard. Any school district that thinks they’re adequately securing student information by purchasing from only those vendors who commit to the Pledge, is sorely mistaken.
So how does the Pledge help school IT admins?
One way is by narrowing the list of vendors the school can purchase from. By giving special treatment to those vendors who abide by the Pledge, that IT admin provides an additional layer of security on top of what he or she already has in place to protect data. The Pledge doesn’t necessarily provide any tangible security protection to the systems that are already in place, however. And that’s why we can’t simply say that school districts should begin committing to the Student Privacy Pledge to see increased protection of student privacy.
Earlier, the question was raised of why schools don’t take the Pledge. The reason is because for schools to take the pledge, it would insinuate that there are schools out there would do not agree to it. And while it’s safe to say there are school IT staffs who are not privacy experts, there are certainly no school districts that knowingly violate the spirit of the Pledge.
Schools taking the Pledge would not change how they operate day to day. It wouldn’t cause them to make active changes the way it does for IT vendors. It would simply be symbolic.
Instead of asking why schools don’t honor the Student Privacy Pledge, we should really be thinking about something completely different that both schools and IT vendors could commit to. The Pledge is what it is and so far it’s done an adequate job of bringing awareness to student privacy and urging education software vendors to change their data policies. Now it’s time to go further.
The Future of Student Privacy
The student privacy conversation will continue to evolve. In fact, in March, two congressmen introduced a bill to put further limits on how education technology companies can use information about K-12 students. The two congressmen, one Democrat and one Republican, said in interviews that they hope the bill, called the Student Digital Privacy and Parental Rights Act, will “increase trust in education technology companies.” It would “prohibit companies that operate school services — like online homework portals, digital grade books for teachers or student email programs — from knowingly using or disclosing students’ personal information to tailor advertisements to them. It would also bar them from collecting or using student data to create marketing profiles.”
Government focus on student privacy will continue to grow, and to change, as we’ve seen over the lifetime of FERPA. And while politicians can discuss what methods are right and wrong for protecting information, the stakeholders who most directly interact with the students and their data must also play a leading role in advancing student privacy.
To effectively build on the awareness and momentum that the Student Privacy Pledge has initiated around student privacy, IT vendors and schools should come together to collaborate and advance not just privacy awareness, but the actual protection of students. Both groups affect privacy, protection and security, but in much different ways. To effectively determine the best ways to protect not only student information, but also the more general interaction of students with technology, vendors and schools must work together. The Pledge isn’t enough; one side alone cannot solve anything.
IT vendors have the leading technology talent in the world. We should begin using that talent to work directly with schools in a concerted effort to protect students as they navigate the new digital world we live in. We must work with schools to go beyond securing student privacy and focus on the broader and intense mission of securing student’s actions and interaction with technology. By partnering with schools, together we can determine the best ways to develop, implement, introduce and manage security technology.