As reported today by the New York Times, we are releasing our research study this morning on “Privacy and Cloud Computing in Public Schools.” Districts across the country are widely and rapidly adopting cloud services to fulfill educational objectives and take advantage of opportunities for cost savings and 24/7 services. Disturbingly, privacy protection for the children’s data is essentially lost in the cloud.
Our study looked at all the cloud computing contracts, district policies and parent notices from a national sample of school districts. We focused on K-12 public schools and examined how school districts addressed privacy when they transferred student information to cloud computing service providers.
The key findings are:
- 95% of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning.
- Vendor agreements often preclude districts from complying with statutory legal obligations under the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA), as well as with the privacy expectations of school communities.
- Cloud services are poorly understood, non-transparent, and weakly governed: only 25% of districts inform parents of their use of cloud services, 20% of districts fail to have policies governing the use of online services, and a sizeable plurality of districts have rampant gaps in their contract documentation, including missing privacy policies.
- Districts frequently surrender control of student information when using cloud services: fewer than 25% of the agreements specify the purpose for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice. FERPA, however, generally requires districts to have direct control of student information when disclosed to third-party service providers.
- An overwhelming majority of cloud service contracts do not address parental notice, consent, or access to student information. Some services even require parents to activate accounts and, in the process, consent to privacy policies that may contradict those in the district’s agreement with the vendor. FERPA, PPRA and COPPA, however, contain requirements related to parental notice, consent, and access to student information.
- School district cloud service agreements generally do not provide for data security and, with alarming frequency, even allow vendors to retain student information in perpetuity. Yet, basic norms of information privacy require data security.
In the study, we propose a set of recommendations for school districts and vendors to address the documented deficiencies in privacy protection. The recommendations call on districts to take specific steps for transparency and data governance and call on vendors as well as districts to reform their contractual terms to include specific, identified provisions protecting student data.