Most School Districts Don’t Protect Student Data in the Cloud, Study Says


Most U.S. school districts now use cloud-based services for everything from storing student test scores to enabling student-teacher collaboration. Most of them also have no policies or contractual requirements to protect the privacy of that data.

Those are two findings from a recent study by the Center on Law and Information Policy at the Fordham University School of Law. Available as a free download here, the report is worth reading for insights into how — and how not — to structure a cloud-services contract and tips for complying with laws such as the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act and the Protection of Pupil Rights Amendment.

The study shouldn’t necessarily send districts running from the cloud and back to premises-based solutions. Just the opposite: Hosted services remain a viable way for schools to minimize the CapEx and OpEx of IT services. And with the right provider and the right contract, hosted services can be more secure than on-premises hardware because cloud providers typically have the skills, staff and budgets to implement the patches and upgrades that plug a lot of security holes. But as the study shows, many contracts create their share of security risks.

The Fordham researchers used state open record laws to get the cloud service agreements, notices to parents and faculty computer-use policies for 20 districts* across the country. District sizes and demographics ran the gamut, from 264 students in rural Echo, Ore., to 204,245 in Houston, but several common denominators emerged:

• “Cloud services are poorly understood, non-transparent, and weakly governed.” Just 25 percent of the districts studied tell parents that they use cloud services, while 20 percent have no policies covering cloud services.

• “Districts frequently surrender control of student information when using cloud services.” Less than 7 percent of the contracts analyzed prohibit vendors from selling student information, and many allow vendors to change the contract terms without notice, a FERPA violation.

• “An overwhelming majority of cloud service contracts do not address parental notice, consent, or access to student information.” In some cases, when parents activate an account, they’re consenting to a privacy policy that contradicts the terms of the contract between the vendor and the district.

• “School district cloud service agreements generally do not provide for data security and even allow vendors to retain student information in perpetuity with alarming frequency.” For example, none of the agreements analyzed required vendors to notify districts when there was a data security breach.

The study includes several pages of suggestions that districts could turn into best practices if they don’t already have them. For example, 27 percent of the agreements analyzed were for services provided free to those districts. The study warns that vendors likely are commercializing students’ personal information to make it financially viable to provide those services at no charge. “The choice to use ‘freemium’ services at the cost of student privacy should be clear, transparent and subject to public discussion,” the researchers advise.

Another recommendation is to create a chief privacy officer position both at the state and district level. “This function is ever more essential to be able to provide advice to smaller districts and districts without the resources to handle privacy issues on their own,” the study says. “For larger districts and those with extensive cloud networks and intensive data transfers, the designation of a chief privacy officer with responsibility for data governance, privacy compliance, and teacher training is necessary to assure proper stewardship of student data and to enable those districts to more effectively assure the protection of their students’ information.”

The study is the latest example of how district use of cloud services is increasingly in the public spotlight. It’s received a significant amount of mainstream media coverage. So if you’re a technology manager at a school district, don’t be surprised if you or a board member gets a call from your local newspaper or TV station looking to see how your district stacks up.

*Ed Note—All of the media coverage says 54, but according to p. 15, they had usable data from only 20.
