1 of 38

Digital Citizenship Summer Webinar Series

In Defense of Student Data

August 2, 2023

Guests: Ramah Hawley and Cynthia Tougas, TEC

2 of 38

Our Data Driven World

  • Technology tools and apps make it possible to collaborate, create, share ideas, and generate data
  • Student data—including some personal information—is collected both by educators and often the companies that provide apps and online services
  • Educators use data to inform instructional practice

3 of 38

Our Data Driven World

  • But with benefits come risks
  • How are vendors using this information?
  • How can educators use this technology in a way that is safe and responsible?
  • And how does a district ensure that they are complying with all state and federal laws?

4 of 38

The Issue

  • Traditional student data included attendance, grades, discipline and health records
  • Traditional access to a student record was restricted to school personnel
  • Now with technology, ‘student record’ data is often shared with companies both directly and indirectly

5 of 38

Student Record

All information concerning a student that is organized on the basis of the student's name or in a way that such student may be individually identified, and that is kept by the public schools. It includes all such information and materials regardless of where they are located, except for the personal files of school employees.”

Source: MA 603 CMR 23.00

6 of 38

LEGAL OBLIGATIONS FOR SCHOOLS

7 of 38

Children's Online Privacy Protection Act (COPPA)

Children’s Online Privacy Protection Act

  • Places restrictions on software companies about the information they can collect about students under the age of 13
  • Students under the age of 13 cannot make their own accounts
  • Schools can consent on behalf of students

8 of 38

Protection of Pupil Rights Amendment (PPRA)

The Protection of Pupil Rights Amendment (PPRA) is a federal law that gives parents/guardians of students rights regarding , participation in protected information surveys, the collection and use of information for marketing purposes, and certain physical exams

9 of 38

Family Educational Rights and Privacy Act (FERPA)

A federal law that affords parents:

  • The right to have access to their children’s education records
  • The right to seek to have the records amended
  • The right to have some control over the disclosure of personally identifiable information from the education records

Source: Protecting Student Privacy (USDOE) https://studentprivacy.ed.gov/faq/what-ferpa

10 of 38

Personally Identifiable Information (PII)

Personally Identifiable Information (PII):

“Information that, alone or in combination, personally identifies an individual student or the student's parent or family that is maintained in education records”

Source: Colorado Department of Education

https://www.cde.state.co.us/dataprivacyandsecurity

11 of 38

Personally Identifiable Information (PII)

Generally includes, but is not limited to:

  • Student's name
  • A student's parent or other family member names
  • A student’s or family address
  • Student's social security number
  • Student number
  • Student's date of birth
  • Place of birth
  • Mother's maiden name
  • Or any other information that is linkable to a student

Source: Protecting Student Privacy (USDOE) https://studentprivacy.ed.gov/ferpa#0.1_se34.1.99_13

12 of 38

Question:

Answer: Yes!

Student data that is directly tied to a student and maintained by a school district is considered PII and is protected information

Is Student ‘Work’ Considered PII?

13 of 38

FERPA

Under FERPA, schools must have ‘verifiable written consent’ from a parent or guardian in order to disclose any information from a student’s education record

14 of 38

FERPA’s School Official Exception

Schools May Disclose Education Records to Appropriate ‘School Officials’ Without Parental Consent

  • If the school has determined they have legitimate educational interests
  • Outside parties, such as contractors, volunteers, or consultants to whom a school has ‘outsourced institutional services or functions’ may also qualify as school officials if the school determines they have a legitimate educational interest

15 of 38

FERPA’s School Official Exception

Having a data privacy agreement with a vendor legitimizes a district’s educational interest in their institutional services or functions under FERPA. This is what allows districts to use resources without always having parents give consent

16 of 38

Anonymizing Student Data

Answer: No!

The anonymized name is still directly linked to that individual student and considered a unique identifier

Does Anonymizing Student Names Solve the Issue?

17 of 38

PII as a Commodity

  • Student data concerns DO NOT just pertain to information that a teacher or student may directly provide.
  • Sophisticated algorithms may also analyze a student’s data to guess at their personal characteristics and interests, and even predict their future behavior.
  • …Let’s Meet Laila

18 of 38

19 of 38

PII as a Commodity

  • Data Brokers are a reality and it’s a thriving industry
  • Instead of selling names and birthdays, vendors charge third parties for user profiles
  • Track users’ online behavior and sell that data for profit

20 of 38

PII as a Commodity

  • Concerns
    • Identity Theft
    • Targeted Advertising
    • Profiling
  • What can educators and districts do?

Awareness is key for both educators and students!

21 of 38

Build a Data Privacy Culture

  • Identify all of the tools being used
  • Be Intentional! Do you really need 7 different apps that do the same thing? Is there equity across all of your school’s curriculum resources?
  • As curriculum experts, start by having those quality over quantity discussions

22 of 38

Vetting Applications

  • Does it even collect PII?
  • A subjective process based on the criteria
  • Vendors’ Privacy Policies and TOS
    • Time consuming and difficult
    • No true standard format
    • Scanning for keywords… the devil is in the details and it is all about semantics
    • Sometimes it isn’t about what isn’t specifically stated, but what they are not stating that is important

23 of 38

Vetting Applications

Sample Policies

24 of 38

Vetting Applications

  • Free and Paid Vetting Resources
  • Some Free Resources
    • Connect Safely - The Educator’s Guide to Student Data Privacy (An oldie, but a goodie!)
    • Common Sense Privacy Program
    • 1EdTech TrustEd Apps Directory

25 of 38

Sample Vetting Questions

  • Does the product show advertisements to student users?
  • Does the vendor allow parents to access data?
  • When you cancel the account or delete the app, will the vendor delete all the student data that has been provided or created?
  • Does the vendor provides appropriate security for the data it collects?
  • Does the vendor claim that it can change its privacy policy without notice at any time?

26 of 38

DATA PRIVACY AGREEMENTS

27 of 38

The Student Data Privacy Consortium (SDPC)

  • Started in 2015 in Cambridge, MA
  • Grown to include 33 states
  • The consortium itself is made up of various alliances
  • SDPC provides Model Agreements (DPAs) for districts to use
  • These Model Agreements have seen many revisions over the years, the latest was in 2020 with the National Model DPA

28 of 38

Why Are Student Data Privacy Agreements Vital?

  • Gives school districts ownership & control of student data
  • Defines how a vendor may & may not use student data
  • Prohibits “targeted” advertising to students
  • Gives school districts the right to audit a vendor
  • Defines minimum acceptable data security requirements
  • Requires timely district notification in event of a data breach

29 of 38

Why Are Student Data Privacy Agreements Vital?

  • It’s a LEGAL and enforceable agreement – Not a Pledge!
  • Once a DPA is signed by both parties, it supersedes a vendor’s Terms of Service and Privacy Policy
  • Also requires vendors to conduct criminal background checks on all its employees with access to students
  • Shows districts are doing their due diligence in safeguarding student information
  • Ensures a district complies with state and federal regulations as the terms of the agreement are written to address these legal obligations

30 of 38

Why Are DPAs Not Obtained?

  • No PII is collected
  • Very small start up - Can’t afford a legal team
  • Vendor shares/sells student data
  • Vendor uses targeted advertising
  • Vendor fails to align with adequate cybersecurity frameworks
  • It’s primarily a consumer product

31 of 38

Consumer vs. Educational

Many educators and students may wish to use ‘consumer’ tools, but these…

  • Are not designed for schools
  • Students are not their primary demographic
  • They don’t have privacy policies & practices in place to ensure the protection of user data to the standards of laws that protect a student’s personally identifiable information

32 of 38

Consumer vs. Educational

Example: Sketchup

    • 3D modeling and design software
    • Used in the architectural, engineering, interior design, and construction industries by professionals

Sketchup for Schools

  • NO PII is Collected for Use
  • Use of this Product Complies with Our DPA

Sketchup

  • Use of this Product Does Not Comply with Our DPA

33 of 38

Questions?

https://tec-coop.org/data-privacy/

34 of 38

Resources

Additional Professional Learning

U.S. D.O.E Privacy Technical Assistance Center

National Student Privacy & Data Security Summer Webinar Series - Day 1

Session #1: FERPA 101

Session #2: FERPA 201

8/16/2023, 2:00 PM - 8/16/2023, 4:00 PM

https://teams.microsoft.com/registration/FEVdvd6EKEmp_WrhC7rWdw,G9hol_7w_UmEbE7-OwO1fw,qPgP_M6yvkWyg0zhXFT9UA,UTDLELxsHUW8ZVGEotLJaQ,U0H0jc10dkOpX8GFE5UBcw,z40cqS4m1kORoBLIryGweQ?mode=read&tenantId=bd5d4514-84de-4928-a9fd-6ae10bbad677&webinarRing=gcc&skipauthstrap=1

National Student Privacy & Data Security Summer Webinar Series - Day 3

Session #1: Vetting Educational Technology

8/30/2023, 2:00 PM

https://teams.microsoft.com/registration/FEVdvd6EKEmp_WrhC7rWdw,G9hol_7w_UmEbE7-OwO1fw,qPgP_M6yvkWyg0zhXFT9UA,hBbTBHHFqkOjNsSkL9aNNA,2fVhw9X1JECuisf9XG21IA,vRdEFbNAj06Y6tdGBGvoEw?mode=read&tenantId=bd5d4514-84de-4928-a9fd-6ae10bbad677&webinarRing=gcc

35 of 38

Resources

Glossary Resources:

  • PTAC Glossary

https://studentprivacy.ed.gov/glossary#header-for-A

  • Student Privacy Compass: Student Privacy Primer

https://studentprivacycompass.org/resource/student-privacy-primer/

Free Resources for Vetting Applications

  • ConnectSafely Checklist

https://connectsafely.org/eduprivacy/

  • Common Sense

https://privacy.commonsense.org/

  • 1EdTech TrustEd Apps Directory

https://bit.ly/3rAQp9k

  • PTAC: Protecting Student Privacy While Using Online Educational Services: Model Terms of Service

https://studentprivacy.ed.gov/sites/default/files/resource_document/file/TOS_Guidance_Mar2016.pdf

  • Education Week: Student Data Privacy and Security: Red Flags in Terms-of-Service Agreements

https://www.edweek.org/technology/student-data-privacy-and-security-red-flags-in-terms-of-service-a

36 of 38

Resources

Other Resources

  • Student Data Privacy Consortium

https://sdpc.a4l.org/

  • The Education Cooperative Student Data Privacy Alliance

https://tec-coop.org/data-privacy/

  • Video: Governments Harm Children’s Rights in Online Learning (Human Rights Watch)

https://www.youtube.com/watch?v=sq6VrvpbxPQ&t=7s

  • Human Rights Watch Report. “How Dare They Peep into My Private Life?”

https://www.hrw.org/report/2022/05/25/how-dare-they-peep-my-private-life/childrens-rights-violations-governments

  • Common Sense Lesson: The Big Data Dilemma (Grade 9)

https://www.commonsense.org/education/digital-citizenship/lesson/the-big-data-dilemma

  • Common Sense Lesson: Big, Big Data (Grade 7)

https://www.commonsense.org/education/digital-citizenship/lesson/big-big-data

37 of 38

38 of 38

We love feedback!

&