Fordham Law


Cloud Computing in K-12 Expands, Raising Data Privacy Concerns

The Center on Law and Information Policy in Education Week, January 07, 2014

Media Source

The use of cloud-based technologies in K-12 schools is becoming increasingly complex and expansive, prompting a wide range of approaches for protecting private student data stored in the "cloud" and raising serious concerns about the security of such data.

Districts ranging from the 203,000-student Houston school system to the 3,000-student Tomah, Wis., schools have outlined clear policies and practices for storing data in the cloud. Those two districts take very different approaches, however.

Tomah built its own private cloud-storage programs to prevent student information from being accessed by third-party vendors; Houston has embraced the use of companies offering cloud-computing services and is working to put best-practice guidelines in place.

The problem, experts say, is that many districts have not set clear policies for storing data in the cloud. Cloud systems typically rely on the outsourcing of computer power and some services to external servers or data centers, which are then accessed over the Internet on an as-needed basis.

A study released last month by the Fordham University Law School's Center on Law and Information Policy, for example, notes serious lapses pertaining to control of private student information under contracts with private companies storing data in the cloud, as well as in alerting parents and students about who has access to student data.

The study's authors put forward a series of recommendations to policymakers, including a call for a national clearinghouse focused on the issue, and for ramping up safeguards on students' private information.

"We came away seeing that districts are not in a position right now to effectively deal with these privacy issues," said Joel Reidenberg, a study author and the academic director of the Center on Law and Information Policy, based in New York City. "Many districts don't have the technical expertise to understand how the flow of data impacts student privacy, and vendors are not explaining it."

'Weakly Governed'

Fordham researchers based their study on a national sample of public school districts. They asked for detailed information from 54 urban, suburban, and rural systems.

The study examined contracts between districts and technology vendors; policies governing privacy and computer use; notices sent to parents about student privacy; and districts' use of free or paid third-party consulting services.

The authors conclude that privacy implications for districts' use of cloud services are "poorly understood, non-transparent, and weakly governed."

Only 25 percent of the districts examined made parents aware of the use of cloud services. Twenty percent did not have policies governing the use of those services, and a large plurality of districts had "rampant gaps," the authors say, in their documentation of privacy policies in contracts and other forms. Twenty-five percent of districts had no policies at all regarding classroom teachers' use of technology related to cloud storage.

"If there's no policy, then it's perfectly normal and legitimate for teachers to sign up for any service under the sun," Mr. Reidenberg said.

To make matters worse, districts often relinquish control of student information when using cloud services, and do not have contracts or agreements setting clear limits on the disclosure, sale, and marketing of such data, the Fordham researchers say.

The Fordham study concludes that districts, policymakers, and vendors should take several steps to increase privacy protections, including providing parents with sufficient notice of the transfer of student information to cloud-service providers, and ensuring that parental consent is sought when required by federal law; improving contracts between private vendors and districts to remove ambiguity and provide much more specific information on the disclosure and marketing of student data; and setting clearer policies on data governance within districts, including establishing rules barring employees from using unapproved cloud services.

But the Software and Information Industry Association, a trade group based in Washington, said the study focused too much on the language within contracts between vendors and districts, rather than on the actual practices of companies, and the expectation that they will behave responsibly.

Federal law restricts the transfer of student information, and private companies do not want to stray from the legal limits, the industry organization said in a statement.

"The enforcement of this law has generated a culture of business practices that respects student privacy beyond basic compliance," the SIIA said. "School service providers know that if they do not protect student information entrusted to them, they will lose their customers and face legal repercussions."

District Approaches

Schools should think hard about how student data might be used by a third party, said Paul P. Potter, the director of technological infrastructure for Wisconsin's Tomah district. Concerns about the privacy of student data led his district to develop its own internal cloud storage instead of contracting with a vendor.

"I'm a huge proponent of the cloud as far as connectivity with the student, but I'm not a huge proponent of giving your data away to just anyone," Mr. Potter said. "I'm not willing, as a technology director, to put the privacy of our students' data out there on the line in the hope that it's secure."

The Fordham study also recommends creating an independent national research center to study privacy issues, and drafting model vendor contracts. In addition, states and large districts should each hire a "chief privacy officer" responsible for maintaining data protections, the authors say.

Districts should take privacy issues related to cloud storage seriously, but scrapping the use of cloud technology is not called for, said Lenny Schad, the chief information technology officer for the Houston school district.

"We need to be concerned about what information is stored, who has access to it, and that industry best practices are put in place," he said.

Mr. Schad said it is possible to make student data secure: The banking industry and the government have been doing it for years, he said. However, he acknowledged that there are always going to be risks.

"People are demanding guarantees, but that's just not possible," he said. "I'm not going to guarantee we're never going to get a virus" or have a data-security breach, akin to the recent hacking of credit card data from Target customers.

In addition, Mr. Schad said, it's critical that federal laws governing student privacy—such as the Family Educational Rights and Privacy Act, or FERPA, and the Child Online Protection Act, or COPA—be clarified and enforced consistently to help districts understand how to comply.

Concerns about the protection of private student data have risen across the country in recent months, with parents and advocacy groups having complained that policymakers are doing too little to ensure that private data gathered via technology are kept secure.

Aimee Rogstad Guidera, the executive director of the Data Quality Campaign, a nonprofit in Washington that advocates for improved use of data in education, said the Fordham report was a reminder of the need for clearer policies on "how data are collected, stored, accessed, shared, and deleted."

"The gaps identified in the report are not the result of incompetence or deliberate malfeasance by school leaders," she said in a statement, "but rather they reflect the challenge of implementing new policies and safeguards in a rapidly changing world with limited resources and many challenges to improving student achievement."

Mr. Schad said concerns about privacy should make districts proactive. He cautioned against "naysayers who want to push us back into how they were taught 25 years ago. I want to be out front on this issue."