Model terms of service from the U.S. Education Department are designed to help schools follow student privacy requirements and best practices.
Terms of service may read like a foreign language, but interpreters of legalese now have some guidance to evaluate whether online educational service terms actually protect student privacy.
In guidance released at the end of February, the U.S. Department of Education provided 12 types of language to either endorse or avoid at all costs when schools agree to terms of service. The guidance goes along with privacy requirements and best practices that the department published last year to help districts evaluate online services, tools and resources that collect student data.
It's important for schools to have a procedure in place to evaluate the legal and privacy implications of various terms of service before checking the box that says "I agree." If schools see any of the "warning sign" language that the department listed, they should exercise caution.
For example, a service provider may say that it can change its agreement any time without notice. That's a warning sign, because those changes might adversely affect data privacy, and school districts would be left in the dark.
The guidance specifically warns against language stating that the "provider will only notify the [School/District] of material changes," and that language is included in Maryland's 2010 contract with Google Apps for Education. "This type of agreement should never be agreed to by any school in the country," said Bradley S. Shear, a digital privacy lawyer based in Maryland.
Google has taken big hits in the privacy arena after its practice of scanning student emails for advertising purposes came to light. While it signed a Student Privacy Pledge this year along with 119 other companies, that doesn't mean that older contracts meet best privacy practices; it's just the ones signed this year that do.
Another potential warning sign is any provision that allows providers to share data with third parties without seeking authorization from the school district. While there may be times when providers do need to share data with subcontractors, school districts should know when that happens and make sure that the subcontractors abide by the terms of service as well.
On the flip side, the guidelines say it's a good sign if terms of service prohibit data mining or scanning content for advertising purposes. Similarly, it's important to limit how much data the service provider does collect to make sure it only has what it needs to fulfill the agreement.
Good terms of service will also include provisions to secure student data, destroy or transfer it to the school district when necessary, and restrict the type of data the provider can collect. Likewise, the data de-identification process should remove all personally identifiable information, not just names and ID numbers.
While this guidance is helpful, Shear noted that it's not enough to ensure good data privacy practices.
"It's a step in the right direction, but under no circumstances should these guidelines take the place of more robust student privacy laws," Shear said.