Tuesday, December 17, 2013
Public School Use of Cloud Computing Services Causes Data Privacy Problems
Fordham Law School's Center on Law and Information Policy (CLIP) has released a report on how school districts address privacy when they transfer student information to cloud computing service providers. The report marks the nation’s first in-depth analysis of this increasingly contentious issue.
The study found that as public schools in the United States rapidly adopt cloud-computing services to fulfill their educational objectives and take advantage of new technologically enabled opportunities, they transfer increasing quantities of student information to third-party providers, without requiring basic privacy protections such as strong data security measures and limitations on commercial data mining. As a result, school districts frequently fall short of federal privacy standards and of community expectations for children’s privacy. The study can be found here: http://law.fordham.edu/k12cloudprivacy.
“School districts throughout the country are embracing the use of cloud computing services for important educational goals, but have not kept pace with appropriate safeguards for the personal data of school children,” said Joel Reidenberg, a professor at Fordham Law School and the founding director of CLIP. Reidenberg points out that vendors who are not generally subject to federal privacy laws have put schools in a precarious position for the stewardship of children’s data through their contract terms. He said, “We believe there are critical actions that school districts and vendors must take to address the serious deficiencies in privacy protection.”
The goals of the study were 1) to provide a national picture of cloud computing in public schools; 2) to assess how public schools address their statutory obligations as well as generally accepted privacy principles in their cloud service agreements; and 3) to make recommendations based on the findings for the protection of student privacy.
Fordham CLIP selected a national sample of school districts including large, medium and small school systems from every geographic region of the country. Using state open public record laws, Fordham CLIP requested from each of the school districts all of the district’s cloud service agreements, notices to parents and computer use policies for teachers and examined whether the districts met privacy obligations under the Family Educational Rights and Privacy Act, the Protection of Pupil Rights Amendment, and the Children’s Online Privacy Protection Act, as well as basic fair information practices.
The key findings from the analysis are:
• 95% of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning.
• Cloud Services are poorly understood, non-transparent and weakly governed with only 25% of districts informing parents of cloud services, 20% of districts failing to have policies for the use of online services, and a sizeable plurality of districts having rampant gaps in their contract documentation including missing privacy policies.
• Districts give up control of student information when using cloud services, with fewer than 25% of the agreements specifying the purpose for disclosures of student information, fewer than 7% of the contracts restricting the sale or marketing of student information by vendors, and many agreements allowing vendors to change the terms without notice. FERPA, however, generally requires districts to have direct control of student information when disclosed to third-party service providers.
• An overwhelming majority of cloud service contracts do not address parental notice, consent or access to student information. Some services even require parents to activate accounts and consent to privacy policies that may contradict those in the district’s agreement with the vendor. FERPA and COPPA, however, contain requirements related to parental notice, consent and access to student information.
• School district cloud service agreements generally do not provide for data security and even allow vendors with alarming frequency to retain student information in perpetuity. Yet, basic norms of information privacy require data security.