Washington, D.C.

The Software & Information Industry Association released five “best practices” for companies to follow in their handling of private student data, including parameters for transparency, security, and handling data breaches.

The announcement came on the same day that the School Privacy Zone, a summit of high-level stakeholders and policymakers, took place here.

The practices—on topics from authorization to transparency—describe how ed-tech businesses should handle sensitive student data in K-12 schools. The practices supplement existing practices, the SIIA said in its statement.

Releasing the “best practices” during the summit, which brought together many critics of how vendors handle data from schools, was “a good opportunity to step forward, … reinforcing core principles that we believe are already well known and understood,” said Mark Schneiderman, SIIA’s senior director of education policy. “We feel it’s critical to create a trust framework in the field.”

The move drew praise—and concerns—from Joel Reidenberg, who co-authored “Privacy and Cloud Computing in Public Schools,” a study released last December that revealed deficiencies in policies governing how districts are handling student data. While saying he was “glad to see the trade association starting to explore better practices for the industry,” he said the particular ones that were developed “fall short of parental expectations” and don’t provide remedies for all the issues documented in schools’ current contract agreements

Called “Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services,” the SIIA best practice guidelines include:

• Educational Purpose: School service providers collect, use, or share student personally identifiable information (or PII) only for educational and related purposes for which they were engaged or directed by the educational institution, in accordance with applicable state and federal laws.
• Transparency: School service providers disclose in contracts and/or privacy policies what types of student personally identifiable information are collected directly from students, and for what purposes this information is used or shared with third parties. 
• Authorization: School service providers collect, use, or share student personally identifiable information only in accordance with the provisions of their privacy policies and contracts with the educational institutions they serve, or with the consent of students or parents as authorized by law, or as otherwise directed by the educational institution or required by law.
• Security: School service providers have in place security policies and procedures reasonably designed to protect personal student information against risks such as unauthorized access or use, or unintended or inappropriate destruction, modification, or disclosure.
• Data Breach Notification: School service providers have in place reasonable policies and procedures in the case of actual data breaches, including procedures to both notify educational institutions, and as appropriate, to coordinate with educational institutions to support their notification of affected individuals, students, and families when there is a substantial risk of harm from the breach or a legal duty to provide notification.

Schneiderman, who said the document has been in the works for a number of months, called these “reinforcing core principles that we believe are already well known and understood.” While he said more work needs to be done in this area, he acknowledged that “this may be part of the solution, and not the totality of what the field needs.”

One of the areas the SIIA addressed is the definition of “educational purpose.”

“We’re concerned that, just because something may have a commercial benefit, that doesn’t mean it’s something that hurts students,” Schneiderman said. 

‘Related Purposes’

Reidenberg, who is the founding academic director of the Center on Law and Information Policy at Fordham Law School, said the SIIA guidelines allow sharing and sale for “related purposes, which many vendors will interpret to allow the sale and marketing of student profiles.”

The transparency provision, he said, “ignores vast amounts of student information that is obtained from the schools rather than directly collected from children.” Referring only to personally identifiable information in the transparency practice is “archaic,” he said, because “purportedly anonymous data is easily reverse engineered to identify particular children.”

Reidenberg said the guidelines on data security and breach notification are good, but fail to mention key areas like storage duration, data deletion, parental access, error correction, and compliance audits.

The data privacy conversation is “a nascent issue,” said the SIIA’s Schneiderman. “There’s a big learning curve for everyone. We’re just at the beginning stages of how we can effectively use data to improve learning.”

The industry wants to address the salient issues, he said.

“If there’s a backlash from parents, from policymakers, from educators, then the industry will really suffer,” he said. “It’s in our own self-interest to create a trust framework and to make sure we have the right policies and practices in place, and police our own industry.”

Ben Herold, who covered the Student Privacy Zone summit for Education Week, contributed to this blog post.