Privacy and Cloud Computing in Public Schools (2013)Download the Executive Summary here.
Download the full report here.
Read the press release.
Princeton CITP Lecture Series - Schools and Student Data Privacy: Needs Improvement
As public schools in the United States rapidly adopt cloud-computing services to fulfill their educational objectives, and transfer increasing quantities of student information to third-party providers, privacy issues become more salient and contentious. The protection of student privacy in the context of cloud computing is generally unknown both to the public and to policy-makers. This study thus focuses on K-12 public education and examines how school districts address privacy when they transfer student information to cloud computing service providers.
The goals of the study are threefold: first, to provide a national picture of cloud computing in public schools; second, to assess how public schools address their statutory obligations as well as generally accepted privacy principles in their cloud service agreements; and, third, to make recommendations based on the findings for the protection of student privacy.
Fordham CLIP selected a national sample of school districts including large, medium and small school systems from every geographic region of the country. Using state open public record laws, Fordham CLIP requested from each selected district all of the district’s cloud service agreements, notices to parents, and computer use policies for teachers. All of the materials were then coded against a checklist of legal obligations and privacy norms. The purpose for this coding was to enable a general assessment and was not designed to provide a compliance audit of any school district nor of any particular vendor.
The key findings from the analysis are:
• 95% of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning.
• Cloud services are poorly understood, non-transparent, and weakly governed: only 25% of districts inform parents of cloud services, 20% of districts fail to have policies for the use of online services, and a sizeable plurality of districts have rampant gaps in their contract documentation, including missing privacy policies.
• Districts surrender control of student information when using cloud services: fewer than 25% of the agreements specify the purpose for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice. FERPA, however, generally requires districts to have direct control of student information when disclosed to third-party service providers.
• An overwhelming majority of cloud service contracts do not address parental notice, consent, or access to student information. Some services even require parents to activate accounts and consent to privacy policies that may contradict those in the district’s agreement with the vendor. FERPA, PPRA and COPPA, however, contain requirements related to parental notice, consent, and access to student information.
• School district cloud service agreements generally do not provide for data security and even allow vendors to retain student information in perpetuity with alarming frequency. Yet, basic norms of information privacy require data security.
In response to these findings, Fordham CLIP proposes a set of specific, constructive recommendations for school districts and vendors to be able to address the deficiencies in privacy protection. The recommendations address transparency, data governance, contract practices, and contract terms.
Recommendations for Data Governance
Recommendations on Contracting Practices
Recommendations on Contract Terms
Recommendation on the Creation of a National Research Center and Clearinghouse
Work on this project is supported by a gift from Microsoft.
Our research team included:
Joel R. Reidenberg; Microsoft Visiting Professor of Information Technology Policy, Princeton University; Stanley D. and Nikki Waxberg Chair and Professor of Law, Fordham University School of Law; Academic Study Director of Fordham CLIP
N. Cameron Russell, Esq., Executive Director of Fordham CLIP
Jordan Kovnot, Esq., Privacy Fellow and Interim Director of Fordham CLIP (through July 2013)
Thomas Norton, Student Project Fellow
Ryan Cloutier, Student Project Fellow
Daniela Alvarado, Dean's Fellow