Washington, D.C.

Recent, well-publicized breaches of personal information from national retailers received prominent play at a forum held Tuesday on student privacy, where U.S. Sen. Ed Markey of Massachusetts drew parallels to consumer security woes in announcing plans to introduce legislation meant to protect K-12 education data.

“It’s one thing to talk about Neiman-Marcus and Target. It’s another thing when the target is the children of our country,” said Markey, whose forthcoming legislation is designed to prevent student data from being used to market products to children.

His proposal would also give parents the right to access their children’s data, and amend records that are incorrect. The lawmaker said the measure also would provide safeguards—including the deletion of records—to protect children’s sensitive data.

“Permanent records should not be held permanently by companies,” the senator said in his presentation at the event, which was titled “Failing Grade: Education Records and Student Privacy.” The forum was organized by the Electronic Privacy Information Center, a public interest research center based in Washington, D.C. 

“Every adult American has had their financial data compromised in the past few years,” said panelist Joel Reidenberg, founding academic director of the Center on Law and Information Policy, Fordham Law School. Even though banks and other financial institutions have major incentives to keep such data secure, many have failed to do so. Schools and districts face a similarly complex challenge, one they are thus far largely unprepared to take on, according to Reidenberg, who was lead author on “Privacy and Cloud Computing in Public Schools,”  a report released last December.

“Our research has shown that essentially every school system in the country is outsourcing student information to outside service providers in one form or another,” he said. “Only 13 percent required deletion [of records] at the end of a contract; only one-third required security.” And, he said, 20 percent have “no idea” what technology services are being used.

Panelists were asked what measures schools and districts should take to protect students’ privacy, independent of any steps that federal policymakers, and the technology industry, might take.

Kathleen Styles, the education department’s chief privacy officer, said that, as a first step, districts should have an inventory of what software products are being used in a district.

It’s also important for schools and districts to read carefully the so-called “clickwrap agreements,” which spell out the terms and conditions of using a software license. The language of those agreements should explain what data is being collected, and for what purpose.

Transparency of data-collection practices is of utmost importance, Styles said. “We encourage districts to be clear as to what information is being collected about students, what it’s being used for, and how it’s being protected,” she explained, noting that this policy should be displayed on each school’s or district’s website.

“Schools should be very reluctant to sign on to ‘freemium'” contracts, said Khaliah Barnes, EPIC’s administrative law counsel. In the freemium model, schools and classrooms can get certain technology for free, while paying for certain extra services and data analysis. “We see companies frequently reserve the right to change the privacy contract. Don’t sign a contract that doesn’t give you bargaining power.”

Contracts should also specify that security breaches always require that the school be notified of the breach. “It’s not the private company’s call to make; the private company should always notify schools if there has been a breach of their systems,” she said.