Protect Student Privacy Online with Strong Terms of Service

Model terms of service from the U.S. Education Department are designed to help schools follow student privacy requirements and best practices.

by / March 3, 2015
It's a slippery slope when schools agree to terms of service that have "warning" language in them. Pexels | CCO license

Terms of service may read like a foreign language, but interpreters of legalese now have some guidance to evaluate whether online educational service terms actually protect student privacy.

In guidance released at the end of February, the U.S. Department of Education provided 12 types of language to either endorse or avoid at all costs when schools agree to terms of service. The guidance goes along with privacy requirements and best practices that the department published last year to help districts evaluate online services, tools and resources that collect student data.

It's important for schools to have a procedure in place to evaluate the legal and privacy implications of various terms of service before checking the box that says "I agree." If schools see any of the "warning sign" language that the department listed, they should exercise caution.

For example, a service provider may say that it can change its agreement any time without notice. That's a warning sign, because those changes might adversely affect data privacy, and school districts would be left in the dark.

Specific language that the guidance warns against is that the "provider will only notify the [School/District] of material changes," and that language is included in Maryland's 2010 contract with Google Apps for Education. "This type of agreement should never be agreed to by any school in the country," said Bradley S. Shear, a digital privacy lawyer based in Maryland.

Google has taken big hits in the privacy arena after its practice of scanning student emails for advertising purposes came to light. While it signed a Student Privacy Pledge this year along with 119 other companies, that doesn't mean that older contracts meet best privacy practices; it's just the ones signed this year that do.

Another potential warning sign is any provision that allows providers to share data with third parties without seeking authorization from the school district. While there may be times when providers do need to share data with subcontractors, school districts should know when that happens and make sure that the subcontractors abide by the terms of service as well.

On the flip side, the guidelines say it's a good sign if terms of service prohibit data mining or scanning content for advertising purposes. Similarly, it's important to limit how much data the service provider does collect to make sure it only has what it needs to fulfill the agreement. 

Good terms of service will also include provisions to secure student data, destroy or transfer it to the school district when necessary, and restrict the type of data the provider can collect. Likewise, the data de-identification process should remove all personally identifiable information, not just names and ID numbers. 

While this guidance is helpful, Shear noted that it's not enough to ensure good data privacy practices.

"It's a step in the right direction, but under no circumstances should these guidelines take the place of more robust student privacy laws," Shear said.  

Tanya Roscorla Former Managing Editor, CDE

Tanya Roscorla covered ed tech from 2009-2017.

Does Dyslexia Hold the Key to the Future of Learning?

Studies have long argued that there are three types of learners: audible, visual, or kinetic. The trick? To work out what type of learner you were, then harness it.

Distance Learning

Connected North: Distance Learning, Virtual Field Trips, and a World of Opportunity

This week, join us as we travel to the far north of Canada, where distance learning is nothing new to the schools of Connected North and virtual field trips transport students to distant places and spaces.

St. Petersburg College Achieves Security and Resiliency with Cloud Solutions

Like many industries today, higher education has largely embraced BYOD programs for the myriad benefits they provide. However, the implementation of BYOD also means a network that contains many untrusted and potentially infected devices at any time, each generating traffic that requires granular visibility and monitoring, and the timely identification of potential threats.

Platforms & Programs