notes from ‘The Educator’s Guide to Student Data Privacy’ from the Future of Privacy Forum (published: May 2016)
“Technology tools and apps are making it possible for educators and students to collaborate, create, and share ideas more easily than ever. When schools use technology, students’ data—including some personal information—is collected both by educators and often the companies that provide apps and online services. Educators use some of this data to inform their instructional practice and get to know their students better. It is just as essential for educators to protect their students as it is to help them learn” (p.2)
Alongside their advice for how student data privacy can be addressed through government regulation and policymaking, the Future of Privacy Forum have a useful primer for school leaders and teachers. Two specific pieces of advice stand out:
#1. Formulate a school-wide policy/process for selecting new educational technologies.
As we have noted elsewhere, it is recommended that schools have an ongoing commitment to dealing with data-related issues. This includes organisational factors such as appointing staff in senior positions equivalent to a Chief Information Officer and/or Data Protection Officer, as well as other more informal and ‘data stewardship’ roles. These staff can also be a key impetus for developing a school’s ‘data culture’.
Alongside this, the FPF report highlights the need for a school-specific ‘vetting’ process for any new devices, software and applications. This covers similar ground to the ‘data protection impact assessments’ (DPIA) that the EU GDPR now requires many European organisations to undertake. In short, schools are encouraged to develop a process of identifying and analysing how data privacy might be compromised by the adoption of any new piece of digital technology that is considered for use in the school.
Some US schools and school districts already maintainapproved lists of digital products, services, websites and apps. As well as approving or prohibiting the use of any specific product, these lists can also detail specific requirements, privacy options and setting that adopting teachers must apply. The FPF report suggests that any selection process addresses the following types of questions:
- Does the product collect Personally Identifiable Information (PII) – that is, any data that could potentially identify a specific individual student, teacher or parent?
- Does the vendor commit not to further share student information other than as needed to provide the educational product or service? (Such as third party cloud storage, or a subcontractor the vendor works with under contract.) The vendor should clearly promise never to sell data.
- Does the vendor create a profile of students, other than for the educational purposes specified? Vendors are not allowed to create a student profile for any reason outside of the authorized educational purpose.
- When you cancel the account or delete the app, will the vendor delete all the student data that has been provided or created?
- Does the product show advertisements to student users? Ads are allowed, but many states ban ads targeted based on data about students, and/or behavioural ads that are based on tracking a student across the web. TIP: Look for a ‘triangle i’ symbol (▷)which is an industry label indicating that a site allows behaviourally targeted advertising. These are never acceptable for school use. This would be particularly important when evaluating non-education-specific sites or services.
- Does the vendor allow parents to access data it holds about students or enable schools to access data so the school can provide the data to parents?
- Does the vendor promise that it provides appropriate security for the data it collects? TIP: A particularly secure product will specify that it uses encryption when it stores or transmits student information. Encrypting the data adds a critical layer of protection for student information and indicates a higher level of security.
- Does the vendor claim that it can change its privacy policy without notice at any time? This is a red flag for US schools— current FTC rules require that companies provide notice to users when their privacy policies change in a significant or “material” way, and get new consent for collection and use of their data.
- Does the vendor say that if the company is sold, all bets are off? The policy should state that any sale or merger will require the new company to adhere to the same protections.
- Do reviews or articles about the product or vendor raise any red flags that cause you concern?
#2. Teachers talking with students about their choice of software and apps
Secondly, the FPF report also offers some quick advice for teachers who are approached by students suggesting new and/or unapproved apps and websites to support their learning. As the report puts it, these suggestions should be taken seriously as a ‘teachable moment’, and used as the basis for discussions with the student over the data privacy connotations of each app, as well as how its use relates to the digital citizenship curriculum. The following ‘due diligence’ questions are suggested as possible conversation starters:
- Did you have to make an account in order to start using that app? If so, did you have to provide personal information (email, name, age, etc.)?
- Does the app require parental permission? Who has access to your email and other information now that you’ve created that account?
- Does the app developer share your information with others? (this information will be in their privacy policy.)
- Does the app collect additional information such as location or contacts?
As the FPF report notes, it is likely that students will not know the answers to some of these questions, so they can be encouraged to find out. As the report concludes, “it is important to explain to them that all of this information belongs to them. They should think about protecting it, and should be encouraged to discuss their choices at home with their parents as well”.