Last year, during a snowstorm in Georgia, a school bus of young students got stuck on the road. When school administrators called parents to tell them about the snow day, they couldn’t confirm whether their children were on the bus—or where on the route the bus had stopped.
The worried parents and tense phone calls could have been avoided had the school kept track of students’ bus schedules, according to Cameron Evans, US Chief Technology Officer at Microsoft. At a panel on innovation and privacy at the SXSWedu conference on March 10, he explained, “If there had been an electronic record of when students got on the bus, and a GPS tracker inside the bus, parents would have been able to track where their students were.”
Evans’ insistence on the positive uses of student data reflects a changing tone in the conversation around student data privacy. The cautious optimism at SXSWedu 2015 stands in stark contrast to last year’s conference, which took place as data warehousing platform inBloom was on its way out the door. The nonprofit’s impending doom put edtech entrepreneurs on the defensive about protecting sensitive student information and cast a pall over privacy conversations at the conference.
But this year’s conversations are hopeful. “It’s a false dichotomy: privacy and innovation can and should exist,” insisted Khaliah Barnes, Director of Student Privacy Project at the Electronic Privacy Information Center. “The sooner we can understand that, the sooner we can have technology that benefits students without risking their privacy.”
A Clear Framework
On March 9, the Data Quality Campaign (DQC) and the Consortium for School Networking (CoSN) released an online framework of common standards for education data privacy. Over 30 nonprofits and associations have endorsed the framework, including the School Superintendents Association and the National PTA.
The 10 principles aim to create basic standards for how edtech companies and districts approach data privacy by establishing clear expectations, which include giving families and educators timely access to data and imposing limits, so that companies can only access the data they need.
“What does the data give us? How does it personalize a learning experience?” asked Keith Krueger, CEO of CoSN. “Unless we start framing it that way, we’re in a spiral around privacy without considering why we actually need the data.”
Security vs. Privacy
Other speakers emphasized the importance of well-informed parents and students. On March 10, Erwin Bomas explained a mock-up of a student-parent data management dashboard to a full room of conference attendees. The dashboard, designed by the Kennisnet Foundation in Zoetermeer and funded by the Dutch government, aims to give families an active role in how student data is used. “We want to show parents, and students themselves, who knows what about them, for what purpose, for what period, and who controls it,” Bomas said.
The dashboard, as presented by Bomas, would contain several components for different users. Parents could set privacy levels for when a school needs to ask for their permission (all applications could have access to a student’s full name, for example, but any further information would require parental consent), and set a period of how long an edtech program could access student scores or information. Students could access a dashboard of insights based on test and assignment data used by different edtech platforms. And administrators could set privacy levels schoolwide, as well as send and receive student records if a child transferred schools.
While the common standards aim to set a clear framework around privacy regulation, they remain obscure around the security of student data. The last principle of the CoSN and DQC framework, and the only one which directly addresses security, suggests that companies “maintain a security process that follows widely accepted industry best practices.” It does not explain what those industry best practices should include.
Unlike privacy, which limits how much companies can legally access and disclose student information, security addresses illegal and malicious attacks on data from hackers. “When people say privacy, they’re often really talking about security breaches,” explained Krueger. “We need to get more technical in a lot of these concerns.” Steve Schoettler, CEO of Junyo and founder of the Ed Data Privacy Consortium, agreed. “Security is neglected in a lot of these policies, in FERPA and COPPA and the industry pledge.” He warned, “No matter how many policies you have, if you put your data in an unencrypted hard drive in an unlocked office, bad things happen.”
To set standards around security, Schoettler suggested that the edtech community look to other industries, like healthcare and finance, where industry has set its own common security requirements like the PCI standard used at banks.
Second Nature
Overwhelmingly, the panelists and speakers at SXSWedu have called for the establishment of clear frameworks around student data privacy, both in the design of an edtech product and during the implementation process. Evans spelled it out for education entrepreneurs: “If privacy is not in your business by design, you should get out of this business.”
These speakers hope that common frameworks and standards will help all stakeholders—entrepreneurs, parents, educators, and students—see the protection of student information as second nature. “We have to get to the point where maintaining safety and security is part of a routine around taking care of students, like putting on a seatbelt when you get into a car,” explained Jeff Mao, Senior Director of the Learning Solutions Program at Common Sense Education. “If I’m not wearing a seatbelt, I’m not safe. Teachers don’t have that yet.”
Krueger expanded on the car analogy, calling for expanded regulation of data use. “One of the things that keeps car companies making safe cars is Consumer Reports,” he said. “We’ll only have the level of trust that we want if there’s that enforcement and liability.”
Protecting student data is both a deeply personal issue and a universal one, and the concerns of parents—many of whom are also policy-makers, entrepreneurs, and educators—will continue to shape the conversation.
“I know that the best opportunities for my kids are if we know data about their cognitive abilities, their motors skills,” said Schoettler. “I also know I wouldn’t want that data to be sent to future employers, or used in ways that wouldn’t benefit them.”