Privacy in the digital world

Association of California School Administrators

Best practices for protecting students and their data

By Christine Jones | March | April 2023

These days technology is ubiquitous. It’s difficult to find a child without a device and a connection to the Internet. In fact, a 2019 survey conducted by the American Community Survey found that 95 percent of 3- to 18-year-olds had home internet access, specifically 88 percent had access through a computer and the remaining 6 percent had access with their phone. The adoption of the internet has been phenomenal, even outpacing the adoption of television. According to the 2020 United States Census, just 93 percent of homes had a television set, with the number declining annually.

The widespread availability of devices and access to the internet for nearly every child has brought with it some unexpected outcomes and potential pitfalls — namely, the lack of privacy. And while we should all be careful about what we share online, we need to be extra careful regarding the information of our students.

As schools become more technologically connected and sophisticated, more and more student data is generated. This data can enhance the user experience online. For example, cookies on websites store your prior information when visiting a site and allow the site to load faster the next time you visit. Having students’ health records loaded into the Student Information System will assist you when you need to write a 504 plan. Students wearing SMART ID cards can be tracked on school busses so bus drivers can know where they got on and off the bus. Cameras on campuses capture most activities, day and night.

Most can agree that having access to these tools and data improve efficiency across the organization. At the same time, private educational technology companies can collect this and other sensitive student data, including contact information, performance records, free-reduced lunch status, family demographics, discipline records and much more. They may use this information to deliver a personalized experience online, but they may also use it to target ads to students or they may even sell the information to third-party companies.

In the United States, a child must be 13 years or older to consent to give their personal information online (the age of consent is 17 in Europe and several other countries). Have you ever noticed that many sites you visit where you create an account will ask for your birthdate? This is to ensure that the applicant for an account is 13 years or older. If they are not, they are prevented from creating an account — or they need to ask a parent or guardian to create an account for them. At school we practice what is known as “in loco parentis,” meaning that in the absence of the parent, we act as the parent. When it comes to students creating accounts, like Google accounts, the school sends a notice or permission home at the beginning of the year that parents or guardians sign to allow the school to create accounts for the child. As a predominant amount of curriculum and resources are now available online, these accounts are necessary for the student to fully participate in their education. Most districts are now adopting curriculum that is either fully online or at least offers online resources as a supplement to printed curriculum. Your Tech Services department usually sets up the rostering of students into all of their accounts so they can seamlessly log in every day. Sometimes they will even provide a single sign-on platform so students log into the portal with a standard username and password and they will then be automatically connected to all of their curriculum and resources. Amazing! And convenient.

But what about all of those “other” online resources? You know, the ones the district or school may not pay for but are supposedly “guaranteed” to improve student academic success and learning. Gaming sites, assessment sites, curricular sites, behavior sites. The list is endless. It’s OK for teachers to have students create accounts for those resources, isn’t it? The answer can be complicated, but is most often “no.” There are many things to consider before hitting that “create your account here” button, such as:

Does your school or district have a Data Privacy Agreement in place with the online site?
Does the site specifically say that children under 13 are not allowed to create accounts to access their content?
What is the site’s privacy policy? Do they collect Personally Identifiable Information (PII)? If so, how do they share it with other entities? Do they sell data? How do they dispose of the data when an account is closed? Can parents, students, educators request access to the data stored online?
Does the site show advertisements to students?
Is access to the site free, freemium (partly paid, partly free) or paid?
Does the site allow social sharing, chats, forums, blogs, etc.?

Most educators I know have not stopped to consider the potential consequences of creating student accounts online. It seems innocuous for kids to create accounts that provide them access to resources that may be helpful, however there may be danger lurking nearby. There are several laws in place that remind us that we need to be careful custodians of personal student information. They also help us to protect students and their data.

FERPA (1974) – Family Educational Rights and Privacy Act. Allows for parents and students over the age of 18 to request their entire educational record and provides for the right to amend their record and have some control over their personally identifiable data.
COPPA (2000) – Child Online Privacy Protection Act. Prohibits unfair and deceptive acts and practices in connection with collection and use of personal information from and about children on the internet.
CIPA (2000) – Child’s Internet Protection Act. Requires public schools and libraries to protect children by filtering/blocking their access to potentially harmful information online.
SOPIPA (2014) – Student Online Personal Information Protection Act. Requires Edtech companies to only use student data for educational purposes, not allowing the sale of any data or showing ads to students, and allowing students and parents to request access to their data or ask for it to be properly deleted.

As educational technologies and online educational resources have grown exponentially over the past several years, our laws and protections have had a hard time keeping up with the ever-changing landscape. A July 2022 research article in PR Newswire conducted by Technavio predicts that the Edtech market will have a compound annual growth rate of 17.79 percent between 2021 to 2026 (Technavio, 2022). It’s an industry worth hundreds of billions of dollars, and the competition for educational dollars is fierce.

Unfortunately, not all of these companies have the best interest of students at heart. Some online privacy concerns include using student data to serve advertisements to students, packaging or selling student data to other vendors, and storing student data that has the potential to harm them in the future (college acceptance, employment, etc.). Additionally, some companies have not secured their own data storage leaving them (and student data) vulnerable to cyber-attacks and data breaches. As an example, in March 2022 a well-known Edtech company, Illuminate, suffered a large data breach that compromised data for over 800,000 students in New York and also affected students in dozens of districts in California. The fallout of this breach is yet to be determined. Student data may show up on the dark web and they may be affected for years to come. And keep in mind that Illuminate is a very large, recognized company that has provided online services to districts for years, not some fly-by-night startup. In other words, if it can happen to them, it can happen to anyone.

The widespread availability of devices and access to the Internet for nearly every child has brought with it some unexpected outcomes and potential pitfalls – namely the lack of privacy.

With all of this in mind, how is a teacher or principal supposed to know whether an online resource is following the laws to protect student data? The truth is that this is a decision best left to the experts in your district. The field of educational technology is broad and requires special expertise. But if you want to start the legwork of finding appropriate online resources at the grassroots level, here are a few tips to guide your journey.

1. Check the California Student Data Privacy Alliance or the National Student Data Privacy Alliance to see if the company or vendor has a signed data privacy agreement on file with your district. If not, work with your district Edtech leaders to initiate a new agreement. This agreement ensures the company or vendor will follow all state and/or national guidelines/laws to protect student data.

2. Create a “Path to Procurement” for your district. Establish a protocol that everyone should follow that includes everything from requesting new resources (curricular and non-curricular) to approval and implementation. Treat the selection of all online resources, even free ones, with the same gravity as adopting a new core curriculum.

3. Get a committee together that is willing to review new requests for online resources. Empower them with veto capacity if they find that the resource does not meet basic standards for protecting student data. Make sure your Tech Services department is represented as well. They will want to know if there will be extra work for them, such as rostering, if a new resource is approved.

4. Create an “Approved” list for your district and post it online where teachers and principals can easily find it. Often, teachers seek out additional online resources even when the district already has approved and/or purchased resources available, but teachers don’t know about them.

5. If your district doesn’t already have an Edtech specialist, get one! Whether it’s a coach, a TOSA, a coordinator or director, or a consultant, you need to have someone who is educated on Edtech law, data privacy, and acquisition of appropriate online resources for your students. Teachers and principals can’t be expected to have this expertise.

Times have certainly changed, and we must change with them. Ten years ago, it might have been a simple matter to allow individual school sites and teachers to decide what online resources were appropriate to use with their students, but that is no longer true. While teachers are still the experts when it comes to knowing their own students and their needs, they are not necessarily the most knowledgeable when it comes to selecting appropriate online resources and protecting student data online. According to EdReports, the quality of materials we provide for students greatly matters. In fact, improving the quality of resources and curriculum can be 40 times more effective than class size reduction. Now is the time to partner teachers with Edtech experts to make the best decisions possible to provide your students with the highest quality resources while still ensuring they remain safe online.

References

Technavio, “Edtech Market Research Report by Technavio predicts USD 133.05 Bn growth — North America to have a significant share.” PR Newswire, 2022.

Christine Jones is the Coordinator of Educational Technology in the Palmdale School District.