Arne Duncan Weighs in On Student Data Privacy

Arne Duncan spoke at a public education summit yesterday put on by Common Sense Media.

From Ed Week:

The event came in the midst of a recent flurry of student data privacy-related activity. In addition to the non-binding federal guidelines, expected to be made public Tuesday afternoon, a leading technology trade group released recommendations on the issue; major state legislation on the issue was proposed in California; and U.S. Senator Edward Markey, a Democrat from Massachusetts who also spoke at Monday's school privacy summit, announced that he will soon introduce new federal legislation.

All of this is good news.

The big takeaway:

One key principle around which there is an emerging cross-sector consensus is that educational data about students should be used solely for educational purposes—and not for targeted advertising.

Industry representatives and some education officials in attendance at Monday's event supported the general notion, but said much confusion remains about what "for educational use only" means in practice and expressed concerns about how such details will be enacted in policies and contracts.

What's interesting is that the Software & Information Industry Association released their own guidelines which promptly got criticized by Joen Reidenburg from Fordham which has just released a study on student data privacy. He:

...criticized the SIIA proposal for not explicitly rejecting the use of educational data for targeted marketing, failing to include any guidelines for how long data should be stored or when it should be destroyed, and failing to include provisions for parents to access and amend their children's information, among other things.

Reidenberg, Khaliah Barnes, an attorney for the nonprofit Electronic Privacy Information Center, and others ticked off a list of concerns that continue to go largely unaddressed by legislation, regulations, industry practices, or district policies. Among them were the "vast amounts of data" collected by third-party vendors that don't fall under the jurisdiction of the Family Educational Rights and Privacy Act, or FERPA; the use of location data, biometric data, and social media to track students; the metadata generated by students' digital devices, especially when they are used outside of schools; and the growing trend of merging the "learning path" information generated by digital instructional materials with the personal data contained in student profiles.

I would NEVER wait for ed-tech vendors to police themselves if there is buck to be made. Nope, we need laws with real protections and real outcomes for violating those protections.

Duncan said using new "digital tools" and using data to personalize student learning is a good thing:
But the secretary also stressed that "school systems owe families the highest standard of security and privacy," and he sharply criticized some industry practices, including "take it or leave it 'Click Wrap' agreements" with districts that allow companies to unilaterally and without notice change their privacy practices.

"It is in your interest to police yourselves before others do," Duncan said in a pointed message to ed-tech vendors.

There's an good overview of their Privacy Technical Assistance Center (PTAC) with a Best Practices list. But here's the thing - none of this "best practices" are enforceable - they're just guidelines.

There is an awful lot of "may", "could", "might" in here.

The U.S. Department of Education established the Privacy Technical Assistance Center (PTAC) as a “one-stop” resource for education stakeholders to learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems and other uses of student data. PTAC provides timely information and updated guidance on privacy, confidentiality, and security practices through a variety of resources, including training materials and opportunities to receive direct assistance with privacy, security, and confidentiality of student data systems. More PTAC information is available on

PTAC welcomes input on this document and suggestions for future technical assistance resources relating to student privacy. Comments and suggestions can be sent to

They do answer one question, straight-up :

Is Student Information Used in Online Educational Services Protected by FERPA?

It depends. Because of the diversity and variety of online educational services, there is no universal answer to this question.

There's a lengthy explanation of the differences but there you are. FERPA does not cover every situation.

And guess what the answer to this question is:

What Does FERPA Require if PII from Students’ Education Records is Disclosed to a Provider?  (editor note: PII is personally identifiable information).

It depends. Because of the diversity and variety of online educational services, there is no universal answer to this question.

A best practice?

The Department encourages schools and districts to be as transparent as possible with parents and students about how the school or district collects, shares, protects, and uses student data.

Beyond FERPA and PPRA compliance, however, the Department recommends that schools and districts clearly explain on their Web sites how and with whom they share student data, and that they post any school and district policies on outsourcing of school functions, including online educational services. Schools and districts may also want to post copies of the privacy and security provisions of important third party contracts.


Anonymous said…
I am very interested in this topic and so tracked down the NYC school district's privacy and security statement around data use within InBloom.

The bottom line there is that data can be, and has been, released to both technology vendors and 3rd party service providers without prior parental notification. The district makes no apologies on this subject. It uses cost savings and better educational opportunities for kids as its reasoning.

Definitely pertinent and timely background information for an informed Seattle discussion of the same topic.

Anonymous said…
Beyond the fact that these are guidelines, these guidelines ONLY apply to online software, applicants, and tools that are accessible to students and/or parents via the Internet. These guidelines DO NOT apply to online educational systems that students and/or parents do not have access to, such as student information systems, used for administrative purposes.

In other words, the recent guidance does not apply to inBloom and other cloud-based student information applications and such that schools and districts (and states) may contract for.

There is still much work to do to address student data privacy and security in contracted student information systems.

--- swk
SWK, that seems to be a big issue about the online education systems and that got addressed in the article. Very troubling.
Anonymous said…
To be clear: one of the points of InBloom is to collapse the separation of student information systems and software learning systems that can reach them. Once a database has the data and a sharable architecture, 3rd party providers are able to build applications to mesh with, and populate, learning "solutions" for individual academic situations.

This is how life in the cloud works. It's already here all over the place in other sectors. The K12 education sector is way behind in discussion of and implementation of this architecture. The implementation is coming though...and I hope the discussion stays ahead of it.
Obviously this did not happen in NYC.


Popular posts from this blog

Tuesday Open Thread

Seattle Public Schools and Their Principals

COVID Issues Heating up for Seattle Public Schools