I had the pleasure of having the opportunity to interview Kathleen Styles about cloud computing in education. Styles is the first chief privacy officer of the U.S. Department of Education (ED). Previously, she served as the chief of the Office of Analysis and Executive Support at the U.S. Census Bureau. Without further ado, here’s the interview.
There’s a lot of controversy about storing student information in the cloud. What’s your sense of this?
Glad you asked! There are a lot of misconceptions and misinformation on this subject. For starters, many people don’t understand that storing data in the cloud simply means that a system’s servers are physically located at a remote data center, instead of on school property. There are many reasons to store data in the cloud – including powering student information systems or learning applications, or because cloud services can be less expensive than storing the data locally.
A lot of the misunderstanding stems from the belief that data that are co-hosted in the cloud are also commingled. The truth is that there are many different types of cloud agreements, and that co-hosting data is not the same as commingling data (in the same way that strangers who happen to use the same email hosting service as you do can’t see your personal email account.) There’s also nothing inherently more or less secure about cloud storage compared to traditional data storage – it all depends on the specific approach and the contract terms.
Does FERPA permit cloud solutions?
The short answer is yes, that FERPA, the Family Educational Rights and Privacy Act, does permit the use cloud services. Now for the longer, legal explanation for how. As you know, FERPA protects “education records,” or records containing information directly related to a student and maintained by an educational agency or institution. Some, but not all, of the records that schools typically want to store in the cloud will be protected by FERPA. For example, FERPA wouldn’t govern a school’s decision to house its human resource database in the cloud if that database only has information about employees, not students.
FERPA does permit schools and school districts to contract for secure cloud services. While the general rule under FERPA is that parents/students must consent before a school can disclose protected information to another party, FERPA does have exceptions, including one for school officials. Schools and school districts commonly use this exception when they need to disclose FERPA-protected information to allow a contractor to perform functions that the school or district would otherwise have used its own employees to perform.
Under the school official exception, the school or district must use reasonable methods to ensure that school officials (employees and contractors) access only those student records in which they have a legitimate educational interest. It’s up to the school or district to set the proper balance of physical, technological, and administrative controls to prevent unauthorized access. Additionally, when cloud services involve FERPA-protected information:
- The school or district must directly control the contractor’s use and maintenance of education records;
- The contract has to be for services or functions the school or district would have otherwise used its employees to perform;
- The contractor must meet the criteria for “school officials” with “legitimate educational interests,” as published by the school or district in its annual FERPA notification of rights; and
- The contractor must be subject to FERPA use and re-disclosure limitations, meaning that the contractor has to use the FERPA-protected information for the purpose for which it received it, and that the contractor may re-disclose that information if permitted under the terms of the contract (and, of course, provided that the school or district itself may re-disclose under FERPA).
What are cloud providers entitled to do with the student data once it is in the cloud?
First of all, the cloud provider must comply with both FERPA and the terms of the contract. The provider never “owns” the data, and can only act at the direction of the school or district.
Other terms depend on the agreement between the school and the district. The school or district could ask a cloud provider to re-disclose FERPA-protected information to another school official, such as an app developer, if that app developer also meets the criteria required for school officials (legitimate educational interest, etc.)
I’ve seen a lot of discussion about whether cloud providers can use the FERPA-protected information for their own purposes, such as improving their own products. A school or district could certainly require a cloud provider to do more than just store data. For instance, the school or district could also require the provider to develop products for the school or district to use with its students. During the course of providing those services, the cloud provider could use FERPA-protected information to improve the products the school or district was using. FERPA would permit the school or district to include provisions like this in its contract with the cloud provider.
On the other hand, FERPA would not allow a cloud provider to use protected data to create a product never intended for use by the school or district. Similarly it is not okay for a school or district to give FERPA-protected data to a cloud provider solely for the provider to use to develop a product to market to a school or district.
ED recently amended its FERPA regulations in 2011. Is this what permitted schools and districts to use cloud providers?
Not at all. Cloud hosting of student data has been occurring for many years, and ED recognized schools’ longstanding practice of contracting out services in its 2008 regulation changes. Neither contracting out, nor cloud services are new, and neither were at issue in the 2011 regulation changes.
Who is responsible for the privacy and security of educational data in the cloud?
Schools and districts are responsible for the protection of their data, regardless of where they are stored. It doesn’t matter whether the records are located in a locked file cabinet, in a server on the school premises, or on a server in the cloud.
How should students and parents be informed?
Schools and districts using the school official exception have to publish an annual FERPA notification of rights in a forum likely to be viewed by parents, such as a student handbook, on the school’s website, or a direct letter to parents. This annual notification should clearly explain who constitutes a school official and what constitutes a legitimate educational interest. Students and parents who want more information about their FERPA rights can consult http://www2.ed.gov/policy/gen/guid/fpco/ferpa/for-parents.pdf.
Beyond the legal requirement, we believe parental involvement and transparency are key.Cloud computing is a much-misunderstood topic, and schools and districts should be clear about what student information they are collecting, how they are protecting it, and what they are doing with it. Parents, students, teachers should be given a forum to ask questions and express concerns.
What do you recommend for schools or districts that want to use cloud services?
Schools and districts not only need to understand fully how to comply with applicable laws such as FERPA, but also need to be familiar with best practices for ensuring data security. Schools and districts should strive to meet the spirit of the law and not just the letter.
We recommend they consult our cloud computing guidance, which describes not only what is necessary for legal compliance, but also explains best practices. The document is available at: http://ptac.ed.gov/sites/default/files/cloud-computing.pdf
Our Privacy Technical Assistance Center (PTAC), can also provide additional assistance on cloud issues, including informal consultation, webinars, or site visits. PTAC can be reached at PrivacyTA@ed.gov.