Denise Maes of the Colorado ACLU recently voiced her concerns to Colorado Public Radio, saying, “Once privacy is lost, it is almost impossible to get it back. Parents for the most part have no idea or remain largely unaware of how much data is collected about their children, with whom it is shared, if it’s shared at all, where it’s stored, how long it’s stored and why it’s even collected in the first instance.”
To address this concern, a growing number of states are passing significant student data privacy legislation to protect students and arm parents with more knowledge on data activities. While most agree the laws are a step in the right direction, they also come with challenges for local schools that state education departments are helping them tackle.
Unique reporting requirements
Last year, lawmakers in 15 states passed 19 student data privacy bills, according to the Data Quality Campaign, a national nonprofit focused on the use of student data. Two bills in particular stood out for their reporting and notification requirements.In Colorado, House Bill 16-1423 specifies additional responsibilities for the state education department, state board of education, local schools and contract service providers to follow, and outlines parents’ rights. For example, the state education department is responsible for sharing sample student information policies and contract language as well as training local school employees this year.
The training component is crucial. “Without training, all of the laws that have passed are just words on paper,” said Amelia Vance, policy counsel on education privacy for the Future of Privacy Forum. “They have to be implemented in schools every day as teachers are dealing with students and data on the ground.”
The Colorado law requires school districts to post online a list of the vendors they have contracts with, the actual contracts, the tools that educators use on demand and the types of personally identifiable information they collect so that parents and guardians can access them. They also need to list providers that they stopped using because of privacy reasons.
In Connecticut, Substitute House Bill 5469 includes a number of sweeping data privacy requirements, including a mandate that local and regional education boards sign a written contract with service providers whenever they share student data, and lay out what should be included in those contracts. It also specifies what education service providers can do with student data and establishes a security breach procedure for them to follow. The law created a student data privacy task force to study issues including development of a toolkit that local and regional education boards can use, and training strategies for educators and contractors that other states have used successfully.
The legislation requires local and regional boards of education to notify parents and students electronically within five business days about a new signed contract that affects them — a provision not usually found in other states’ privacy laws. These notices can number in the hundreds, flooding parents with emails, Vance said.
So far, that hasn’t happened in Connecticut. Dr. Kimberly Norton Butler, a parent advocate who pushed for the law, said she has yet to receive a single email, and is not aware of parents encountering an overwhelming amount of notifications. Jennifer Jacobson, a parent who lives in Fairfield County, agrees and has only received approximately five emails since the bill passed. Because compliance seems to waver from county to county, her biggest concern with the bill is ensuring that the mandated taskforce can help streamline implementation across the state.
Life under the new laws
With both the Connecticut and Colorado laws now in effect, schools and education departments are working through the implementation process, which has revealed some practical challenges.
In Colorado, one problem is how schools balance student privacy while encouraging teachers to find apps and Web tools that will work for their classrooms. Identifying all the apps and subscriptions that educators can use is a big undertaking because Denver Public Schools gives teachers flexibility and autonomy to pick their own, according to Kirk Anderson, the district’s former educational technology director and current director of MyTech, a district initiative designed to provide each sixth- through 12th-grader with a computing device to take home. “Teachers are really unaware of this concern so far, and they’re just now getting up to speed,” he said.
Anderson and Josh Allen, director of technical architecture, have developed an online catalog that includes tools that teachers report using in their classroom, as well as tools that the district has implemented. Based on the catalog, the team generates a website for each school that outlines the tools and data being used so parents can easily access it.
But for some parent advocates, this simply shifts the transparency responsibility to parents. Rachael Stickland lives in Colorado and is a co-founder of the Parent Coalition for Student Privacy. She was disappointed with many aspects of the law. “The passive, post-it-publicly approach assumes you have engaged parents in understanding that you need to look at these contracts, which can be challenging because they can be full of legalese and are sometimes 75 pages long,” she said. Instead, she sees a need for better enforcement of the law that establishes clear penalties for companies that operate outside of the law.
In Connecticut, Glastonbury Public Schools has taken a more restrictive approach when it comes to learning tools. Glastonbury’s IT team provides iPads for students grades K through 12 and controls which apps they can access. While the digital solution makes it easier to report the paid apps and subscriptions they’re using in the classroom, it’s still not easy to track down the online services that teachers use after accepting the operator’s terms of service.
School technology specialists work with staff members to make sure they report the use of these services, explained Brian Czapla, director of educational technology in Glastonbury. Principals and curriculum directors have protocols to follow to make sure that educators go through the technology department for approval. Czapla also serves on the Data & Privacy Advisory Council of the Connecticut Commission for Educational Technology. The council developed a student data privacy toolkit for Connecticut school districts that helps them effectively implement the new data privacy legislation.
The law’s written contract requirement may put some students at a disadvantage if they use services that don’t require a contract. For instance, some services, which include dictation tools for students with special needs, ask users to click a button saying they accept the terms of service before using it. These students typically have an individual education plan that tailors learning objectives to their needs, and because their needs differ, they may need to use different services. “From a school side, having to negotiate an individual contract for each student is really time-consuming and not necessarily what they’re equipped to do,” Vance said.
States step up
In 2016, the Connecticut State Department of Education (CSDE) launched a Data Privacy Summit to share resources and information with districts about the new law. The CSDE has also partnered with the Commission on Educational Technology in the state’s Department of Administrative Services to develop collaborative solutions such as statewide contracts for some of the most commonly used service providers in Connecticut, including Google and Microsoft. These groups are considering developing a statewide registry that allows operators to certify compliance with the data privacy legislation, said Abbe Smith, director of communications at CSDE.In Colorado, the Department of Education has provided sample contract language for schools to use with vendors, along with annotated documents that tie the contract language to the new legislation, and guidance documents to ensure that educators fully understand the law, said Jill Stacey, the department’s data privacy analyst of information management systems. The department is also focused on outreach and plans to implement regular town hall-style meetings that cover privacy and security topics; it also serves as a platform to share and gather information on best practices.
Stacey noted that the department plans to launch some larger projects to provide long-term support, including a suite of more than 40 information, privacy and security policies that districts can incorporate as appropriate. A privacy and security training program is also underway for teachers, administrators, board members and executive team members.
State support to implement these laws is critical. “It’s hugely important that we provide these services to schools because they are challenged with resources, and the more we can help them, the better,” said Stacey. “Protecting students, their parents and teachers are all very important.”
