Imagine a middle school student uses the word “terrorism” in an essay, and this essay’s transcript is stored indefinitely via a third-party vendor. Data mining flags the essay, and this results in an investigation of the student and the student’s family.
This scenario isn’t too far-fetched, Microsoft visiting professor of Information Technology Policy Joel Reidenberg argued in a lecture on schools and student data privacy.
Reidenberg is also a professor at Fordham Law School, an authority on Internet law, privacy and cybersecurity, and is the Founding Academic Director of the Center on Law and Information Policy at Fordham.
As a precursor to his discussion on how to provide for greater student privacy, Reidenberg discussed factors that have led to the the “series of general failings” to protect student data across the nation.
Outsourcing, lack of transparency, vague contracts, outdated laws regarding the disclosure of student data and educational records, the reduction of IT costs and the recent push for data analysis of schools are to blame for new risks to student privacy, Reidenberg argued.
Particularly, Reidenberg dwelled on the “disturbing” contracts between school districts and vendors that supply IT services. Flaws in contracts include allowing vendors to make changes unilaterally, share information with third parties and store data without basic privacy and security measures, he said.
According to Reidenberg, schools reliniquish control over information when they outsource to vendors that, as a result of vague contract agreements, are allowed to store student information indefinitely, or pass it on to third parties for use in various types of additional data analysis.
“Contracts are so indecipherable you can’t figure out what the service being formed is,” he explained.
To quantify his claims, Reidenberg referenced a research paper he co-authored called “Privacy and Cloud Computing in Public Schools.” The findings of the study, he said, include that 95 percent of schools using IT services outsource them, while only 25 percent of schools notify parents about cloud services and data collection.
Failure to disclose the collection of data from minors under the age of 13 is prohibited under the Children’s Online Privacy Protection Act.
“Strong and effective privacy protections for student information must be developed, or data driven educational policies will fail,” he added. “We have to establish some very clear red lines for what is and isn’t permissible.”
Reidenberg suggested, among other things, creating a “Chief Privacy Officer” on the state and local educational level, mandating the improvement of contracts by establishing requirements for promoting data security, and expanding existing laws like the Federal Educational Rights and Privacy Act to address the issue of student privacy protection without stifling the innovation and creativity that technology brings to the classroom.
“Education is going through a revolutionary period right now,” Ken Mitchell, a commentator at the end of the lecture, who is the superintendent of schools in South Orangetown, said. “Continuous monitoring is necessary.”
The lecture, titled “Schools and Student Data Privacy: Needs Improvement,” was part of the Center for Information Technology Policy Lecture Series and took place in Sherrerd Hall 101 on Thursday at 4:30 p.m.