Scrutiny in California for Software in Schools

CLIP in The New York Times, February 20, 2014

Media Source

A leading California lawmaker plans to introduce state legislation on Thursday that would shore up privacy and security protections for the personal information of students in elementary through high school, a move that could alter business practices across the nearly $8 billion education technology software industry.

The bill would prohibit education-related websites, online services and mobile apps for kindergartners through 12th graders from compiling, using or sharing the personal information of those students in California for any reason other than what the school intended or for product maintenance.

The bill would also prohibit the operators of those services from using or disclosing the information of students in the state for commercial purposes like marketing. It would oblige the firms to encrypt students’ data in transit and at rest, and it would require them to delete a student’s record when it is no longer needed for the purpose the school intended.

“We don’t want to limit the legitimate use of students’ data by schools or teachers,” Senator Darrell Steinberg, a Democrat who is the sponsor of the bill and the president pro tempore of the California Senate, said in a phone interview. “We just think the public policy of California should be that the information you gather from students should be used for their educational benefit and for nothing else.”

Lawmakers like Mr. Steinberg are part of a growing cohort of children’s advocates who say they believe that regulation has failed to keep pace with the rapid adoption of education software and services by schools across the country.

A federal law, called the Family Educational Rights and Privacy Act, limits the disclosure of students’ educational records by schools that receive federal funding. But some student advocates contend that an exception in the law, allowing the outsourcing of public school functions to private companies, may reveal personal information, hypothetically making children vulnerable to predatory practices.

The prekindergarten to 12th grade education software market in the United States reached $7.97 billion in the 2011-12 school year, compared with $7.5 billion two years earlier, according to estimates from the Software and Information Industry Association, a trade group. One reason for the growth is the enthusiasm of many educators for online services and apps that can analyze student performance in real time, offering the promise of personalized learning tailored to the individual child.

But a recent study by researchers at Fordham Law School reported that American schools seemed ill-equipped to vet the data-handling practices of the services they used. Some schools, for instance, signed contracts that did not specify the kinds of student details that companies could collect or did not prohibit firms from selling students’ personal information, the researchers reported.

By aiming to regulate industry practices rather than school procedures, Mr. Steinberg’s bill is intended to prevent businesses from exploiting information like students’ names, ages, locations, family financial situations, medical information, or even their lunch preferences, said James P. Steyer, the chief executive of Common Sense Media, a children’s advocacy group based in San Francisco.

California has been a national leader in data protection. It was the first state to enact a law requiring companies to report data breaches. And last fall, Mr. Steinberg, with the backing of Mr. Steyer’s group, spearheaded the passage of the first “eraser button” law for children. It requires websites to allow users under 18 to delete their own posts.

“This isn’t going to prevent ed tech companies from doing business. It’s a very good market,” Mr. Steyer said of the new student protection bill. “But it is going to prevent companies from using software as a Trojan horse to gain access to student data for marketing purposes.”

The California effort comes at a time when federal and school officials have been talking up data-driven learning as a way to make education more engaging for students, improve their graduation rates and expand their career prospects. This month, President Obama announced industry pledges of more than $750 million to strengthen student access to high-speed Internet in their classrooms as well as to devices and software.

Under the federal education privacy law, schools that receive federal funding must generally obtain written permission from parents before sharing their children’s educational records. But an exception allows school districts to share those records — which might include academic, disciplinary or disability information — with services like online homework assignment systems, reading apps or school bus companies.

The exception requires schools to maintain control over contractors’ use of students’ educational records. But some student privacy experts caution that federal rules may not be explicit enough to cover some of the latest technologies like those used by lunch account services that, for example, can scan the veins in a child’s palm and use that unique biometric pattern to identify a student.

Officials at the Education Department have said that the agency is developing best practices for schools to use in contracting out for web services and for transparency with parents.

Many online school services already have privacy policies in which they pledge not to sell, rent or trade personal information to third parties. Take ZippSlip, a start-up that allows schools to electronically send permission slips to parents. The company collects and houses information for schools, like which students have peanut allergies or are on the soccer team.

But neither the company nor its school district clients are using the information to, say, market soccer equipment to parents, said David Leslie, the chief executive of ZippSlip.

“ZippSlip creates a data-mining opportunity that has literally never been created before,” like allowing schools to analyze parent-teacher communication patterns, Mr. Leslie said. But, he emphasized, “we are not selling data to Walmart about who might be a better candidate to buy crayons.”

Still, Mr. Steyer of Common Sense Media is urging more formal protections for student data.

“We messed up the privacy of kids, and probably adults too, in the online commercial, consumer space because we weren’t prepared for the extraordinary pace of technology,” Mr. Steyer said. “Now we have the opportunity to get it right in the school space.”