4
The Journal – Connecticut Association of Boards of Education/April 2015
The Policy Corner Vincent A. Mustaro, Senior Staff Associate for Policy Service, CABE
Cloud computing/student privacy issues – needed policy direction Technology is used in innovative ways accessing the latest software applications and using electronic pathways to store and process information. School districts house, process, and transmit educational and business records increasingly online. The shift to a new digital infrastructure has been made necessary by the ubiquity of personal devices such as tablets and cell phones enabling us to access, transmit, and store vast amounts of information instantly. This technological marvel that involves process, substance, hardware and software has come to be known as “the Cloud.” The Cloud’s presence has happened so quickly and subtly that we barely perceive its operation, although we feel
devices. The news about government surveillance programs, research reports, surveys, and official guidance from the U.S. Department of Education have focused the national spotlight on data privacy, particularly privacy of student data. This increased public attention has brought a wave of proposed state and federal legislation. School leaders need to articulate the district’s commitment to protect student privacy through its policies and practices. Steps must be taken to ensure that Cloud services deployed throughout district’s offices and classrooms comply with all applicable laws and district policies. The community, including parents should be consulted and educated about the district’s use of the Cloud. Community
maintaining security for student and employee privacy. More difficult student data privacy issues arise with the universe of applications available to individual staff and students through a simple Internet connection. These applications create separate “doors” to district data that it may not be able to control in every case. District-wide data management systems and the myriad tools available for specific pedagogical needs create opportunities for release of student data. Once school district information is transferred or stored in the Cloud, rather than on an on-site server, it is housed on a system operated by others, usually on shared servers. The school district does not have physical control over the data, even if the contract states that the district retains “control.” Potential issues such as data breach, data loss, and collection and aggregation of personally identifiable data and metadata for potential use in advertising and sale to third parties may arise. Data breaches have received much public attention. The greatest concern is the ability of service providers to collect and store “profiles” of students or their families on their use of an application. Such information could be used to target advertising to students or their families.
Laws to Protect Student Data Privacy its impact. In fact, many of the educational tools employed by teachers and district offices only operate through an Internet connection. The advantages of Cloud-based platforms and learning tools include ease, convenience, 24/7 accessibility, less staff time maintaining on-site servers, individualized learning, and compliance with testing requirements. These benefits bring serious challenges, particularly the potential for loss of privacy that accompanies the transfer of personal student information to the Cloud. Concerns about data privacy must be addressed by public school districts. Cloud computing presents a great opportunity for schools, but it creates data protection and privacy issues by placing a very large amount of student, teacher, and institution data into the hands of a third-party provider. Nationally, there is increased concern about protecting student data privacy. We are now more aware now about the kinds of personal information being exchanged through digital
feedback may significantly influence the direction a school district goes with restrictions placed on student data in the Cloud.
Online or Cloud-based Tools and Student Data Privacy Every device and application with a connection to the Internet potentially collects student data. The most obvious example of a Cloud-based application is Internet-accessed email which allows users to access and send emails anytime and anywhere. The applications are installed, maintained, and upgraded remotely in the Cloud by a third-party service provider. School districts can protect student data privacy more directly through district-wide systems such as email and records management, where the district has some control over the terms of the contract with the provider. Districts are working to configure their data systems to allow for the greatest efficiency while
Some federal laws potentially govern student data privacy. The most directly applicable to school districts and service providers are the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), and the Children’s Online Privacy Protection Act (COPPA). Today, student records are often maintained electronically. School districts are moving their work and the data they collect and store to Cloud-based platforms to reduce the need for servers onsite and to allow anytime/anywhere access. Teachers and students are taking advantage of Internet and Cloud-based learning tools separate from any “official” school district program. Vendors create apps that allow them to collaborate and communicate. The implementation of the Common Core and the emphasis on testing to assess and improve student achievement and to individualize learning has resulted in school districts collecting and using student data like never before. FERPA prohibits school districts from disclosing, except in limited instances, personally identifiable information (PII) contained in students’ education records
without the consent of the parent or eligible student. Educational records may include a range of written and electronic files. Generally, anything that is considered PII in an education record, including emails and other communications or documents created by students, teachers, and administrators, is governed by FERPA. Many new technologies are likely to result in the storage or transmission of information that also will be considered an education record under FERPA, but a few may not. It is prudent for school district policy to presume that all data created by students, teachers, and staff related to students is an “education record,” and to retain control over it. This presumption will help the administration direct third-party technology providers as to how they should handle the data, how they can use it, and with whom they can share it. Storing student information in the Cloud is permitted under FERPA. The FERPA statute and regulations require schools to manage education records and student PII securely. The U.S. Department of Education suggests that schools and districts authorize its staff to use only those services in which the terms of service allow the school/ district to retain enough control, and provide sufficient parental notice, to invoke the “school official” exception of FERPA. When a school district employs online educational services, it will do so under the “school official” exception, which allows a district to disclose FERPA-protected records without parental consent to “a contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions.” A district may use the so-called “school official” exception for disclosure of education records to online service providers, but the specific requirements of that exception must be met. This includes that the designated “school official” must perform a function that the school or district would otherwise have used its own employees to perform. FERPA regulates educational agencies or institutions, not Cloud service providers. The school district is responsible for privacy and security of educational data in the Cloud. When the school official exception is in play, the provider may not use FERPASee CLOUD page 14