Fordham School of Law’s Center on Law and Information Policy (CLIP), headed by Joel Reidenberg, has released an eye-opening and sobering study of how public schools are handling privacy issues with regard to cloud computing. The study is called Privacy and Cloud Computing in Public Schools, and it is well worth a read.
Context: Education Privacy
What’s the greatest threat to children’s privacy? Social media sites? Search engines? Children’s sites?
The answer, in my opinion, is none of the above. The greatest threat to children’s privacy is schools.
When it comes to privacy issues, schools are in the Dark Ages. I cannot think of any other industry that is so far behind. Parents worry all the time about their children’s privacy online, but they often have little idea of the threats to privacy that involve schools. If the average K-12 school were a company, it would surely be the subject of a barrage of media coverage, Congressional investigations, and much more. Unfortunately, education privacy often exists below the radar, and this area hasn’t received the attention it needs.
Education privacy is regulated by the Family Educational Rights and Privacy Act (FERPA). When it was passed in the early 1970s, FERPA was one of the first federal privacy laws and the education sector became one of the earliest sectors to have privacy regulated at the federal level. But this statute is now antiquated. Its shortcomings are legion, as I discussed earlier in another post.
That’s why the CLIP report is so important. It sheds light on just how dire the privacy situation is for schools. And it makes important recommendations for improvement.
Derelict Data Stewardship
The report focused on the use of cloud computing services by K-12 public schools. The report authors examined materials from a cross-section of school districts of all shapes, sizes, and locations. The aim of the report was to examine what is commonly referred to as “data stewardship.” Data stewardship involves an organization’s oversight, handling, and controls on the personal data it collects, stores, uses, and shares. Think of data stewardship as a kind of day care for data – when data is in the care of an organization, it has a responsibility to treat it with great care and diligence.
Are schools being good data stewards? The report’s analysis of how schools are handling cloud computing reveals that the answer is a resounding “no.”
The report begins by noting that 95% of school districts use cloud services. They are sharing sensitive student data with these third party cloud service providers.
One of the key dimensions of privacy involves providing appropriate notice and transparency regarding how information is collected, used, and disclosed. The report finds that only 25% of school districts provide adequate notice to parents about the use of cloud services.
Another key dimension of privacy involves having effective policies to govern the use of online services, and “approximately 20% of the responding districts had no policies addressing teacher use of information resources.” (p. 23).
Many dimensions of privacy are implicated in contracting with third party cloud service providers. It is here where the report’s findings are particularly disturbing.
There were many “missing or unsigned” agreements with cloud service vendors, and more than 25% of the documents provided by the school districts failed to adequately describe the services covered by the relevant agreement (p. 22).
Moreover, the report notes that vendor standard contracts “would often contain misleading or inappropriate provisions.” (p. 23). The report notes that sometimes vendors would “include a term specifying that the vendor would not cause the district to fall out of compliance with FERPA,” a clause which “inappropriately gives the district the impression that FERPA requirements are satisfied.” (pp. 23-24).
Only 25% of the agreements “gave districts the right to audit and inspect the vendor’s practices with respect to the transferred data.” (p. 25). A quarter of the agreements failed to prohibit or limit “re-disclosure of student data or other confidential information.” (p. 28). And none – that’s right, none – “specifically prohibited the sale and marketing of children’s information.” (p. 28). Other access and confidentiality rules of FERPA were also not accounted for in these agreements.
Even where there were contractual clauses restricting re-disclosure, “the contractual language is often ambiguous or allows for exceptions to the generally stated ban on redisclosure. This means that vendors, without violating their agreements, may engage in data mining and data sales without district approval or parental consent.” (p. 28).
The report concludes that “with respect to data control, the districts’ agreements do not generally assure compliance with FERPA.” (p. 28).
The problems go on. A third failed to “provide for the deletion of student data at the conclusion of the contract.” (p. 30). “Only one agreement (12.5%) required the vendor to notify the district in the event of a data security breach.” (p. 30).
There are many more findings in the report, and the picture they paint is clear: Many schools are failing to serve as good or even acceptable data stewards for the student data they hold.
How to Improve
It would be wrong to blame the schools. They are bombarded with tons of dire issues they need to address and many state and federal mandates. They remain in the Dark Ages on privacy because they have been left behind.
The report makes a number of very good recommendations for improvement, including greater transparency, notice to parents, recommendations on contract terms for contracts with vendors, and the creation of a national research center or clearinghouse to provide guidance to schools on privacy.
I agree with these recommendations and have some others to add.
1. Revise FERPA
FERPA lacks two key things that are critical for any privacy regulation to be effective: (1) governance requirements; and (2) meaningful enforcement. Governance requirements involve a set of structural measures to ensure that privacy is being addressed. These include requiring that there be a privacy officer (someone who has responsibility over privacy issues) as well as requiring training, internal assessments, policies, and other things. Without a governance structure, better privacy cannot be effectively implemented. Most important is that someone “own” the privacy issues, for without someone who has this responsibility, it is unclear who would do what is necessary to get it done.
Second, there must be meaningful enforcement. FERPA’s sanction is the removal of all federal funding, a sanction so impractical and severe that it has never been issued in FERPA’s history. There is no other meaningful way to enforce FERPA, and thus it really isn’t enforced in practice.
Moreover, FERPA enforcement only applies to schools. Unlike HIPAA, which gives the Department of Health and Human Services (HHS) the authority to enforce against nearly all entities that receive HIPAA-regulated information, the Department of Education lacks such authority. If a hospital gives HIPAA-regulated information (called “protected health information”) to a business to outsource functions such as billing or providing cloud services, the business that receives the information is now subject to direct enforcement by HHS. Not so for schools. The Department of Education can’t enforce against businesses receiving FERPA-regulated data.
2. FTC Enforcement Against the Vendors
The FTC should start going after some of the vendors that are not complying with FERPA. Although the Department of Education enforces FERPA, it lacks enforcement power over vendors. But the FTC has a broader enforcement scope and can enforce against companies that engage in deceptive or unfair trade practices. I don’t have space here to get into the details, but there is a good case for unfairness for many of the vendor practices. For more background, please see my forthcoming article about the FTC, The FTC and the New Common Law of Privacy, 114 Columbia Law Review (forthcoming 2014) (with Woodrow Hartzog).
3. More Media Attention
There hasn’t been sufficient media attention to the issues of education privacy. This is a situation in dire need of attention. Parents need to know that many schools are having a severe impact on their children’s privacy and are not acting as adequate data stewards of their children’s data. More pressure needs to be placed on the issue so that it gets addressed.
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells.