A uniform national policy would save a lot of time and resources, which would be especially helpful for smaller districts with more limited resources, Moore said. Without it, CIOs walk a fine line between allowing ed tech in the schools and dealing with parents’ distrust of large companies, such as Google, that collect massive amounts of student information.
Moore said the concerns are not unwarranted, citing major data breaches that have taken place at large companies including Target. If they can happen in these organizations, it is clear that the data that exists in the K-12 space is at risk, he added.
While federal privacy laws including the Family Educational Rights and Protection Act (FERPA), the Children's Online Privacy Protection Act and the Children's Internet Protection Act intend to safeguard student data, ed tech evolves so quickly that the laws soon become obsolete. In fact, a new report issued by the Parent Coalition for Student Privacy and the Network for Public Education looks at the quality of student-data privacy laws passed over the past five years. Colorado was the only state to earn a B grade.
Following federal laws are important, but districts need to implement protections that go beyond that legislation. Working with vendors that have signed the Student Privacy Pledge is a step in the right direction. The pledge has been signed by more than 300 ed tech developers. Though vendors still need to be FERPA compliant, taking an additional step to sign the pledge shows that the vendor is aware of the risks and is working to prevent them.
The Student Privacy Consortium, which is composed of vendors and several districts in many states, created a model contract that districts can use when considering whether or not to purchase ed tech. Districts can inquire about how long a vendor retains student data as well as have a review policy. Administrators are required to adhere to FERPA rules even if the parents sign waivers. Also, districts should be transparent about data collection practices and share those practices with the parents.
Compliance with these rules can be difficult for smaller districts to accomplish, however. Few smaller districts have chief privacy officers or even a full-time staff member focusing only on privacy. As education relies more on data, more information is being collected. Without someone watching the gate, breaches are likely.