Schools May Put Student Data at Risk

With fraud and identity theft rising and advertising becoming increasingly targeted, the challenge is to protect student privacy without undermining the educational benefits of 21st-century technology.

by Ty Tagami, The Atlanta Journal-Constitution / February 9, 2015
One of two data centers the Cumming School system uses to store student's data in Cumming, Ga. Brant Sanderlin/Atlanta Journal-Constitution/TNS

(TNS) — Schools are harnessing high-powered computer networks and sophisticated software to improve education, but privacy advocates warn they may be putting students at risk.

The fear is that their personal information can slip out of school district hands when it’s entrusted to corporations. With fraud and identity theft rising and advertising becoming increasingly targeted, the challenge is to protect student privacy without undermining the educational benefits of 21st-century technology.

School districts typically lack the resources to build sophisticated systems, so they are entrusting students’ personal information to education technology companies that can harvest details about everything from a child’s academic ability to his or her personal interests. The trade-off has led to fears among parents and privacy advocates: Are companies using the information to target advertising to children? Could a record of classroom misbehavior leak onto the Internet, haunting children years later at their first job interview?

What about that invitation the daughter of Priscilla Davenport got in the mail last summer?

“What came to my mind is how did they get her information? How did they even know to send her this letter?” said Davenport, whose daughter is a junior at McNair High School in DeKalb County, Ga. A friend at the school got the same solicitation to join a national student organization. It was based on their academic performances, so Davenport suspects the information slipped from the school. If the group knew about grades, Davenport worried, what else did they know?

The DeKalb County School District’s technology chief, Gary Brantley, said most of his system’s student data has not been put on outside “cloud” computing networks yet. He said that is likely to change, though, as a generation of technology staffers retires and the district loses the expertise to operate its own computer servers. Also, teachers are signing up students for online programs that are not vetted, he said. There are free offerings for everything from math tutoring to monitoring of classroom misbehavior.

Brantley said he plans to ask the school board to tighten the policy for teachers. “If we don’t stop it, it’s going to get out of control,” he said. “We really need tighter regulations around it.”

Forsyth County north of Atlanta has ventured further into educational technology, hiring a company to provide tailored curriculum on computing devices. Technology chief Marty Bray said he’s comfortable with safety measures in the contract, including a requirement to eventually delete the data. “We tightly control how that data is used,” Bray said. Students would suffer most if these practices were prohibited or circumscribed, he said, “because we do rely heavily on technology to do instruction.”

Privacy advocates, and even President Barack Obama, say students need more legal protection as so-called big data inundates the schoolhouse. Obama is working on a Student Data Privacy Act.

More than 100 companies have signed a privacy pledge established by privacy advocates and an industry association. Many companies that provide educational services have not, though. One of the biggest, Pearson, said in a statement to The Atlanta Journal-Constitution that it hadn’t signed “because we prefer to work directly with our customers rather than requiring a one size fits all solution.” Both Gwinnett and DeKalb counties use the company.

Several other districts in metro Atlanta were asked about the technology vendors they use but did not respond in time for this article.

Georgia legislation was introduced but not passed last year to improve protections for student information, and state Rep. Mike Dudgeon, R-Johns Creek, the vice chairman of the House Education Committee, expects more this year.

Dudgeon, an executive with a video game company, has researched the issue and doesn’t see a crisis, but said there are loopholes in the law. The 1974 federal Family Educational Rights and Privacy Act prohibits the release of certain student information, but legal experts say it doesn’t cover the way new technology collects information.

“I think there’s room for improvement,” Dudgeon said. “How about all the stuff a student does on a website? That could be turned around into marketing.”

The Georgia Department of Education has assembled a massive longitudinal data system that tracks the performance of every public school student. That system stays on secured state and school networks. Critics are increasingly worried about a different set of data, though: the information companies collect from students who use their products.

Privacy law expert Joel Reidenberg reviewed data privacy protections at 20 randomly selected school districts nationally. He and a team of lawyers determined that nearly all relied on companies to process student information but not many had adequate control over the data. Fewer than 7 percent of the contracts restricted the sale or marketing of student information, for instance.

“School district cloud service agreements ... allow vendors to retain student information in perpetuity with alarming frequency,” said the resulting report, Privacy and Cloud Computing in Public Schools.

It could affect students’ lives in unknown ways, said Reidenberg, who teaches law at Fordham University in New York. He imagines a scenario where an online test asks students to write about an event, say a terrorist attack, from different perspectives. What if the narrative is picked up by a government surveillance program, and the author gets tagged as a threat? A few years ago, he said, that would have been a crackpot’s delusion, but not anymore, not after revelations of the U.S. government’s domestic eavesdropping.

“This data just hangs around now,” he said. “It can become toxic.”

Phil Hartley, a lawyer who represents school boards across Georgia, said schools can’t change this without help. Companies get access to students because they can improve outcomes, telling schools what kind of material inspires eighth-grade boys to engage, for instance. But what if the companies also use that information for commercial purposes? Hartley asked.

“Certainly, school systems are concerned about the issue. Certainly, school systems would like to have the ability to insist upon contract language that could provide maximum protection for student privacy,” he said. But they have little leverage when bargaining for the services, he said. Just like the typical individual logging on to the Internet.

“Did you negotiate the contract with Google when you signed up?” he said. “You either sign the contract, or you get no service.”

©2015 The Atlanta Journal-Constitution (Atlanta, Ga.)