June 27--Experts shared conflicting advice at a congressional hearing this week on how to ensure student data privacy in the cloud, with much of the conflict revolving around whether federal legislation does enough to protect students.
Here's the main challenge with student data: School districts are contracting with third-party cloud service providers that store student data, use it to personalize learning for each student and provide detailed assessments of students' progress. Although these practices improve learning, they can cause problems when the systems that store the data aren't secure, when the school districts no longer control the data and when these vendors use the data for non-educational purposes.
"Schools essentially routinely relinquish student privacy when they contract with vendors, and parents are kept in the dark," said Joel R. Reidenberg, the founding academic director of the Center on Law and Information Policy at Fordham University.
The center's 2013 study on cloud computing in schools found that less than a quarter of the 20 school districts surveyed said their contracts reflected the purpose for disclosing student data to vendors. And many contracts allowed vendors to change the terms at will.
Another issue is that these contracts often don't require vendors to report data breaches or disclosures, and state breach reporting laws vary so widely that they may not apply either. Smaller school districts especially need legal help to create contracts that adequately secure student data and keep it private, Reidenberg said, and many of them don't have access to legal counsel. He suggests that each state should have a chief state privacy officer to help school districts navigate through legal issues such as vendor contracts.
Reidenberg's group was one of four organizations providing testimony before two House subcommittees on Wednesday, June 25. The hearing also included experts from the Software and Information Industry Association, the Idaho Department of Education and the Alliance for Excellent Education. Each organization had five minutes to make its case to subcommittee members of the Homeland Security, and Education and the Workforce committees.
The big question that stirred up debate was whether Congress should overhaul the Family Educational Rights and Privacy Act (FERPA), which requires school districts to follow specific privacy guidelines for student educational records in order to receive federal funding. The law is complex, results in different interpretations and includes exceptions that make it even more complicated.
The Center on Law and Information Policy contends the legislation that passed originally in 1974 must be overhauled to reflect the digital times we live in. Reidenberg says the law leaves too many holes and gaps for third-party companies to exploit student data for their own profit. And many school districts don't even know what's going on with their data, much less have strong contracts that dictate what vendors can do with the data
But the Software and Information Industry Association argues that existing law adequately protects student data, particularly since the U.S. Education Department released guidance earlier this year on how to handle student data in third-party cloud services, said Mark MacCarthy, vice president of public policy for the association. He's concerned that new legislation will stifle innovation.
"The effective use of education technology and student information is essential for improving student learning, for empowering parents, and ultimately for ensuring the competiveness of the U.S.," MacCarthy said.
MacCarthy says current law and best practices developed by organizations like the software association and the Consortium for School Networking are enough to keep cloud vendors from exploiting student data. MacCarthy and Reidenberg traded comments back and forth about what exactly the legislation does. And the fact that they disagreed shows that new federal legislation is needed to settle the issue, Reidenberg said.