Most School Districts Don’t Protect Student Data in the Cloud, Study Says

Most U.S. school districts now use cloud-based services for everything from storing student test scores to enabling student-teacher collaboration. Most of them also have no policies or contractual requirements to protect the privacy of that data.

Those are two findings from a recent study by the Center on Law and Information Policy at the Fordham University School of Law. Available as a free download here, the report is worth reading for insights into how — and how not — to structure a cloud-services contract and tips for complying with laws such as the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act and the Protection of Pupil Rights Amendment.

The study shouldn’t necessarily send districts running from the cloud and back to premise-based solutions. Just the opposite: Hosted services remain a viable way for schools to minimize the CapEx and OpEx of IT services. And with the right provider and the right contract, hosted services can be more secure than on-premises hardware because cloud providers typically have the skills, staff and budgets to implement the patches and upgrades that plug a lot of security holes. But as the study shows, many contracts create their share of security risks.

The Fordham researchers used state open record laws to get the cloud service agreements, notices to parents and faculty computer-use policies for 20 districts* across the country. District sizes and demographics ran the gamut, from 264 students in rural Echo, Ore., to 204,245 in Houston, but several common denominators emerged:

• “Cloud services are poorly understood, non-transparent, and weakly governed.” Just 25 percent of the districts studied tell parents that they use cloud services, while 20 percent have no policies covering cloud services.

• “Districts frequently surrender control of student information when using cloud services.” Less than 7 percent of the contracts analyzed prohibit vendors from selling student information, and many allow vendors to change the contact terms without notice, a FERPA violation.

• “An overwhelming majority of cloud service contracts do not address parental notice, consent, or access to student information.” In some cases, when parents activate an account, they’re consenting to a privacy policy that contradicts the terms of the contract between the vendor and the district.

• “School district cloud service agreements generally do not provide for data security and even allow vendors to retain student information in perpetuity with alarming frequency.” For example, none of the agreements analyzed required vendors to notify districts when there was a data security breach.

The study includes several pages of suggestions that districts could turn into best practices if they don’t already have them. For example, 27 percent of the agreements analyzed were for services provided free to those districts. The study warns that vendors likely are commercializing students’ personal information to make it financially viable to provide those services at no charge. “The choice to use ‘freemium’ services at the cost of student privacy should be clear, transparent and subject to public discussion,” the researchers advise.

Another recommendation is to create a chief privacy officer position both at the state and district level. “This function is ever more essential to be able to provide advice to smaller districts and districts without the resources to handle privacy issues on their own,” the study says. “For larger districts and those with extensive cloud networks and intensive data transfers, the designation of a chief privacy officer with responsibility for data governance, privacy compliance, and teacher training is necessary to assure proper stewardship of student data and to enable those districts to more effectively assure the protection of their students’ information.”

*Ed Note—All of the media coverage says 54, but according to p. 15, they had usable data from only 20.