Imagine a middle school student uses the word “terrorism” in an essay, and thisessay’s transcript is stored indefinitely via a third-party vendor. Data mining flags the essay, and this resultsin an investigation of the student and the student's family.
This scenario isn’t too far-fetched, Microsoft visiting professor of InformationTechnology Policy Joel Reidenberg argued in a lecture on schools and student dataprivacy.
Reidenberg is also a professor at Fordham LawSchool, an authority on Internet law, privacy and cybersecurity, and is the FoundingAcademic Director of the Center on Law and Information Policy at Fordham.
As a precursor to his discussion on how to provide for greater student privacy,Reidenberg discussed factors that have led to the the “series of general failings” toprotect student data across the nation.
Outsourcing, lack of transparency, vague contracts, outdated laws regarding thedisclosure of student data and educational records, the reduction of IT costs andthe recent push for data analysis of schools are to blame for new risks to studentprivacy, Reidenberg argued.
Particularly, Reidenberg dwelled on the “disturbing” contracts between schooldistricts and vendors that supply IT services. Flaws in contracts include allowingvendors to make changes unilaterally, share information with third parties and storedata without basic privacy and security measures, he said.
According to Reidenberg, schools reliniquish control over information when theyoutsource to vendors that, as a result of vague contract agreements, are allowed tostore student information indefinitely, or pass it on to third parties for use in varioustypes of additional data analysis.
“Contracts are so indecipherable you can’t figure out what the service being formedis,” he explained.
To quantify his claims, Reidenberg referenced a research paper he co-authored called “Privacy andCloud Computing in Public Schools.” The findings of the study, he said, include that 95 percentof schools using IT services outsource them, while only 25 percent of schools notifyparents about cloud services and data collection.
Failure to disclose the collection of data from minors under the age of 13 isprohibited under the Children’s Online Privacy Protection Act.
“Strong and effective privacy protections for student information must be developed,or data driven educational policies will fail,” he added. “We have to establish somevery clear red lines for what is and isn’t permissible.”
Reidenberg suggested, among other things, creating a “Chief Privacy Officer” on the state and local educational level, mandatingthe improvement of contracts by establishing requirements for promoting datasecurity, and expanding existing laws like the Federal Educational Rights andPrivacy Act to address the issue of studentprivacy protection without stifling the innovation and creativity that technology bringsto the classroom.
“Education is going through a revolutionary period right now,” Ken Mitchell, a commentator at the end of the lecture, who is the superintendent of schools in South Orangetown, said. “Continuous monitoringis necessary.”
The lecture, titled "Schools and Student Data Privacy: Needs Improvement," was part of the Center for Information Technology Policy Lecture Series and took place in Sherrerd Hall 101 on Thursday at 4:30 p.m.