There Is a Heightened Awareness Around Student Data Privacy. Here’s What Schools Are Doing About It

During the throes of the COVID-19 pandemic, many school districts were quick to send devices home with students and to provide digital resources that may have been engaging, but may not have been as “data safe” as districts thought. Recent articles emerged as a result of remote learning, including:

• Remote Learning Software Tracked Kids’ Data to Sell to Advertisers and Brokers
• Private equity firm is amassing companies that collect data on America’s children
• FTC (Federal Trade Commission) to ‘Crack Down’ on Ed Tech, Student Data Privacy

While these articles may seem alarming, I [Diane Doersch] feel they do not acknowledge that most school districts, under non-pandemic circumstances, most likely do have a digital resource vetting process.

When I served as Chief Technology and Information Officer for a large Wisconsin school district, it was my responsibility to ensure that the digital resources (apps, extensions, systems, digital textbooks, etc.) students were using in our school district were keeping student data safe. As I read the articles above, and many others, I realize that there appears to be a lack of clarity and understanding around the process school districts use to review digital resources.

A thorough software vetting process under non-pandemic circumstances likely begins with technology and legal departments receiving validation from the curriculum department that the resources are, indeed, good for learning; that is the No. 1 consideration when using and purchasing a digital solution. Next, a technical review ensures that the resource is interoperable, meaning that required data can flow safely and seamlessly from one system to the next. An example would be a learning management system (LMS) that is connected to the student information system (SIS) for real-time student rostering. That connection enables new students in a course to receive access to the LMS immediately, without having to wait for somebody to provide access to the materials. Finally, a non-disclosure agreement is established between the school district and the provider of the digital resource. This agreement is a promise by the provider that they will be good stewards and caretakers of student data. I applaud school districts such as Los Angeles Unified School District who post their procurement requirements to which the solution providers must adhere. Here is an example of New York City Department of Education’s student data privacy requirements. Many school districts require signed non-disclosure agreements from the digital resource provider before a purchase of their product is made.

The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) has created a list of model Terms of Service that should be included in non-disclosure agreements. Understanding the terms and conditions involved in this set of agreements can be helpful for all those who are part of the educational process:

• Teachers: As classroom practitioners who would like to use new digital resources with your students, it’s important that you initially read the Terms of Service and Privacy Policy of the digital resource. If the terms violate some of the large points below, it is not worth requesting your district to vet the resource and agree to its purchase and use.
• School Administrators: As the leaders who are often involved in the digital resource request process on behalf of your staff, it is essential that you have the skills to guide the product selection process and know how to recognize red flags in Privacy Policies and Terms of Service.
• Directors of Technology: As you make decisions about the safety and security of the digital resource, the model terms below will be helpful in reviewing the digital resource documentation. If the Privacy Policies or Terms of Service are missing key elements in data security assurances, your non-disclosure agreement with the providers must include those missing elements.
• Parents: As your children ask your permission to use various free or subscription-based apps at home, reviewing the Terms of Service and Privacy Policies with an understanding of what to look for will be helpful.

We have summarized some of the Privacy Technical Assistance Center’s model Terms of Service components below to help you understand what to look for in Privacy Policies and Terms of Service:

• The digital resource company should provide a Definition of the data collected and should explain the use and treatment of “Data.”
  1. Provider promises to maintain data, received from the District, according to the federal and state statutory provisions applicable to the data.
  2. Provider shall use Data only for the purpose of fulfilling its duties and providing services under this Agreement, and for improving services under this Agreement.
  3. Any Data held by Provider will be made available to the District upon request by the District.
  4. Provider shall store and process Data in accordance with industry best practices.
  5. Client data is the property of the District

• FERPA (Family Educational Rights and Privacy Act)
  1. In the course of providing services during the term of the Agreement, Provider shall have access to the identified student education records that are subject to FERPA, 20 U.S.C. 1232g, et seq. The information is considered confidential and is protected.
  2. If Provider experiences a disclosure or security breach concerning any education record covered by this Agreement, Provider shall immediately notify the District and take immediate steps to limit and mitigate such security breach to the extent possible.
  3. Upon termination of this Agreement, Provider shall return and/or destroy all Data or information received from District upon, and in accordance with, direction from the District.
  4. Marketing and Advertising is Prohibited. The provider shall not use any Data to advertise or market to students or their parents.
  5. The provider will not sell student data to other entities.

While the list above is not exhaustive, it does give some high-level “look fors” that teachers, school leaders, and parents can use when they review a digital resource’s Terms of Service and Privacy Policy for potential purchase and use. Non-disclosure agreements that are signed between solution providers and school districts will include these terms along with district-specific terms that are consistent with state law.

After the non-disclosure agreement is signed and the resource is purchased by the school district, the resource can be named as a district resource. In some states school districts are required to disclose to parents or guardians the titles of all the digital resources students use. It is a best practice by school districts to have the parents “opt in” or give consent for their child to use those resources.

Transparency in all resources used, including digital, is an expectation of our community. It is essential that our school districts continue to do their due diligence in the resource vetting process, making sure that it has instructional value and that it keeps our students’ data safe.