December 13, 2013
Fordham Law School’s Center on Law and Information Policy (CLIP) today released a report on how school districts address privacy when they transfer student information to cloud computing service providers. The report marks the nation’s first in-depth analysis of this increasingly contentious issue.
The study found that as public schools in the United States rapidly adopt cloud-computing services to fulfill their educational objectives and take advantage of new technologically enabled opportunities, they transfer increasing quantities of student information to third-party providers, without requiring basic privacy protections such as strong data security measures and limitations on commercial data mining. As a result, school districts frequently fall short of federal privacy standards and of community expectations for children’s privacy. The study can be found here: http://law.fordham.edu/k12cloudprivacy.
“School districts throughout the country are embracing the use of cloud computing services for important educational goals, but have not kept pace with appropriate safeguards for the personal data of school children,” said Joel Reidenberg, a professor at Fordham Law School and the founding director of CLIP. Reidenberg points out that vendors who are not generally subject to federal privacy laws have put schools in a precarious position for the stewardship of children’s data through their contract terms. He said, “We believe there are critical actions that school districts and vendors must take to address the serious deficiencies in privacy protection.”
The goals of the study were 1) to provide a national picture of cloud computing in public schools; 2) to assess how public schools address their statutory obligations as well as generally accepted privacy principles in their cloud service agreements; and 3) to make recommendations based on the findings for the protection of student privacy.
Fordham CLIP selected a national sample of school districts including large, medium and small school systems from every geographic region of the country. Using state open public record laws, Fordham CLIP requested from each of the school districts all of the district’s cloud service agreements, notices to parents and computer use policies for teachers and examined whether the districts met privacy obligations under the Family Educational Rights and Privacy Act, the Protection of Pupil Rights Amendment, and the Children’s Online Privacy Protection Act, as well as basic fair information practices.
The key findings from the analysis are:
• 95% of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning.
• Cloud Services are poorly understood, non-transparent and weakly governed with only 25% of districts informing parents of cloud services, 20% of districts failing to have policies for the use of online services, and a sizeable plurality of districts having rampant gaps in their contract documentation including missing privacy policies.
• Districts give up control of student information when using cloud services, with fewer than 25% of the agreements specifying the purpose for disclosures of student information, fewer than 7% of the contracts restricting the sale or marketing of student information by vendors, and many agreements allowing vendors to change the terms without notice. FERPA, however, generally requires districts to have direct control of student information when disclosed to third-party service providers.
• An overwhelming majority of cloud service contracts do not address parental notice, consent or access to student information. Some services even require parents to activate accounts and consent to privacy policies that may contradict those in the district’s agreement with the vendor. FERPA and COPPA, however, contain requirements related to parental notice, consent and access to student information.
• School district cloud service agreements generally do not provide for data security and even allow vendors with alarming frequency to retain student information in perpetuity. Yet, basic norms of information privacy require data security.
Fordham CLIP recommends that school districts and vendors take a series of specific actions to address these problems. For example, among other things, Fordham CLIP recommends 1) that the existence and identity of cloud service providers and the privacy protections should be available on district websites and districts must provide notice to parents of these services and the types of student information that is transferred to third parties; 2) that vendors and districts include explicit contract protections described in the study; and 3) districts adopt policies and implementation plans for the adoption and use of cloud services that involve student data.
The Fordham Center on Law and Information Policy (CLIP) was founded to make significant contributions to the development of law and policy for the information economy and to teach the next generation of leaders. CLIP brings together scholars, the bar, the business community, technology experts, the policy community, students, and the public to address and assess policies and solutions for cutting-edge issues that affect the evolution of the information economy.
This project was supported by a gift from Microsoft.
The New York Times
The Huffington Post
The Journal News
The National Law Review
ACT 4 Apps