3 ways to keep student data privacy top-of-mind in ed tech procurement

As more districts handle an increasing caseload of ed tech apps and tools, there are more opportunities for student data privacy to be at risk.

Just in Connecticut, the number of technology products used in schools has doubled since the pandemic began, said Doug Casey, executive director of the Connecticut Commission for Educational Technology.

“The average school district is using hundreds of ed tech products,” Casey said. “The process of COVID expanded that dramatically.”

The Federal Trade Commission doubled down in a May policy statement announcing it will scrutinize ed tech providers’ compliance with the Children’s Online Privacy Protection Act, or COPPA. Specifically, the commission plans to focus on the ban against mandatory collection of student data, laws barring the use of student data for commercial purposes like marketing and advertising, the time period student data is retained, and ed tech’s responsibility to maintain reasonable security measures.

This FTC message was applauded in a statement by Sara Kloek, senior director of education policy at the Software and Information Industry Association.

“The FTC’s policy statement is helpful in reiterating what has long been required by COPPA, FERPA [the Family Educational Rights and Privacy Act], and many student privacy laws at the state level: that education technology providers must prioritize data minimization, security and use restrictions. These are key priorities for SIIA members,” Kloek said.

Less than a week after the FTC released its statement on enforcing ed tech compliance with COPPA, a report by Human Rights Watch found 146 of 164 ed tech products — or 89% — reviewed by the nonpartisan international organization used data practices that potentially risked or infringed on students’ privacy rights.

As the FTC heightens its public focus on ed tech companies and more reports begin to reveal violations, experts in the data privacy and education technology field weigh in on three ways districts can securely sign contracts ensuring they don’t enable providers to violate student data privacy .

1. Take inventory of the ed tech you’re using

As more districts sign contracts with more ed tech companies, Casey said it’s helpful for districts to do an inventory of all the applications and technology tools being used, and then consider consolidating them.

Lay them out, categorize them, and ask yourself like, ‘Why do we have five, 10, 12 products that do the same thing,’” Casey said. “That’s part of what makes getting your arms around the whole data management thing a lot easier … The fewer trusted products that you have, the better when it comes to protecting student data.”

He also said while teachers may be excited to try new tools, perhaps those new tech programs are not frequently used. Or maybe a company’s data privacy terms have been overlooked, Casey said.

2. Know your state and federal laws

It’s important to use language requiring compliance with state and federal laws in contracts with ed tech providers, said Janis Kestenbaum, a former senior legal advisor at the FTC.

Casey said as districts review contracts, it’s helpful to have a checklist aligning with state and federal laws on children’s data privacy protections. If doable, there should be a district leader who is very knowledgeable about state and federal laws, particularly COPPA and FERPA, Casey said.

Some districts might have access to statewide clearinghouse data of trusted ed tech providers to tap into, as well, he said.

3. Read a company’s terms of use

While the FTC statement reiterates that the responsibility for student privacy falls more upon ed tech companies than schools, Kestenbaum said schools should closely examine how the provider plans to use student data and information.

But in a lot of cases, schools are not equipped to thoroughly read a company’s terms of service or privacy notices, said Kestenbaum, who is now a partner at law firm Perkins Coie, where she advises clients on compliance with privacy, data security and consumer protection requirements.

That’s why districts should try to look within their staff for anyone in addition to a district technology leader who can thoroughly examine a company’s data privacy policy, Casey said. This could potentially lead to partnerships among technology, academic and curriculum teams to share this responsibility, he said.

Casey added it’s key for district leaders to ask questions and push back on ed tech providers when striking up a contract. He said districts should be skeptical of companies willing to offer services to schools for free.

Leave a Reply

Your email address will not be published.