ISTELive 22: Crafting Student Data Privacy Agreements

Data privacy for students and educators is not a new concern for school systems, but it's been heightened since the COVID-19 pandemic forced classrooms into a digital setting, to an extent that more and more states are proposing their own data privacy laws. In a Wednesday session at the International Society for Technology in Education's annual conference, ISTELive 22 in New Orleans, an administrator, a vendor and an attorney shared ideas on how to put together data privacy agreements that work for all parties.

Speaking from an administrative perspective, Cambridge Public Schools CIO Steve Smith noted that staff do their best to put together a plan to ensure privacy is upheld, but it’s never foolproof.

“We try to put processes in place to ensure they are vetted properly,” Smith said. “But many times, vendors approach teachers before the district can get involved and it could be putting children at risk.”

Chief Privacy Officer Ryan Johnson, speaking for the digital learning company Savvas Learning, said that school systems often approach vendors as if they were all the same, which is far from the truth. That assumption, Johnson said, puts larger vendors like Savvas Learning in a bad light.

“We have no desire to do anything with student data, but we are treated like a pariah sometimes,” said Johnson, who in his role looks over policies and agreements to ensure Savvas follows all regulations. “Each vendor serves different functions where not all agreements are applicable across the board. I would be wary of any vendor who signed a data privacy agreement without making any changes.”

Fagen Friedman & Fulfrost’s Mark Williams, an attorney who works with schools and vendors primarily in California, said the ideal solution is to develop common expectations and identify the use of data, research and audit requirements. He said in order to make the agreement work, one needs to look into such things as limitations of liability, breach provisions, warranty clauses, indemnity clauses — a task that stretches focus.

Williams said school districts are “squeamish” on allowing unfettered use of data even if it's been de-identified, or detached from all personally identifying information, but he advised that working with companies with track records is the way to go.

“Dealing with larger, more established companies will result in an agreement you can be confident in,” Williams said.

The Student Data Privacy Consortium's (SDPC) Executive Director Larry Fruth, who moderated the session, noted that his organization can help school districts with these agreements. He said SDPC's website includes model data and privacy agreements for everything an education system needs, which schools can use or alter according to their specifications.

In total, Fruth said, 34 states have joined the consortium, forming state-based alliances to put together common agreements. He said the SDPC's platform is connected to 86 vendors and has nearly 11,000 school districts represented, comprising roughly 34 million students, 70,000 agreements and some 80,000 applications.