Cross-posted from the Digital Education blog

The U.S. Department of Education has put forward model “terms of service” for data privacy designed to guide districts on the protections they should require of companies attempting to peddlle various technology tools and systems to schools.

The document attempts to break down the language that the department says K-12 officials are likely to see in typical terms-of-service agreements—from how student “data” is defined to whether it can be used for marketing to when a vendor is obligated to destroy it after it’s no longer needed for educational purposes.

It then offers guidance for how districts can judge whether specific provisions qualify as “GOOD! This is a best practice,” or merit a “WARNING,” as a a policy “that cannot or should not be included in T.O.S,” followed by an explanation of why.

The department’s release of the nine-page document is accompanied by a video (embedded above) designed to tutor teachers, administrators, and others on how to identify and push for sound data-privacy policies.

In releasing the video for classroom educators, it’s probably safe to say the department is targeting a critical audience for addressing a district’s data-privacy concerns. A number of observers have said that some of the biggest privacy risks in schools are posed by individual teachers and others downloading apps and using other devices with little understanding of whether student data is protected, or how those tools mesh with overall district policy.

The guidance is meant to help districts with the terms-of-service agreements that typically require users to click to accept an agreement in order to gain access to a service or application for the first time, the department says.

Those documents are sometimes known as “click-wrap” agreements—and once a user at the school clicks “I agree,” those terms dictate what information the provider can collect, notes the education department.

The guidance covers 12 privacy-related terms of service provisions: how “data” is defined; data de-identification; the use of data for marketing and advertising; the modification of terms of service agreements; data collection; data use; data mining; data sharing; data transfer or destruction; rights and licensing for data; schools’ and districts’ access to data; and the security of data collected by companies.

When it comes to data-mining, for instance, a good practice is described as one in which a provider “is prohibited from mining data for any purposes other than those agreed to by the parties.” Mining or scanning of user content for advertising or marketing to students or parents should be prohibited, it says.

By contrast, K-12 officials should be wary of language that suggests that mining or scanning of data is tolerated, the department states. It warns that allowing that activity could violate the Family Educational Rights and Privacy Act, among other laws.

When reviewing language that would modifying terms of service, sound policies make it clear that ed-tech companies can’t change how data areused or shared in any way without permission from school officials.

Not good policy: if an agreement allows a provider to modify terms on their own, or says it will notify the district of “material changes.”

Sorting Through the Confusion

In issuing the guidance, Kathleen Styles, the department’s chief privacy officer, alluded to the confusion K-12 officials face in trying to decipher the terms of service agreements sent their way by vendors.

Making sense of those documents is “tough, even for lawyers,” Styles said in a statement.

The guidance is meant to “help school officials identify privacy-friendly apps and online services and avoid providers that might abuse student information,” she said, so that they will “be better able to decide whether to consent to the terms for online educational services and applications.”

Jules Polonetsky, the executive director of the Future of Privacy Forum, a Washington-based think tank that advocates for responsible data use, said many districts could have separate, broader contracts with vendors that address data privacy issues, in addition to the terms-of-service agreements.

But the terms-of-service agreements were “just as significant” legally, and so both companies and districts need to pay attention to them.

Districts vary in how much authority for signing terms-of-service agreements they give to individual administrators, such as principals, said Dorie Turner Nolt, a spokeswoman for the department, in a statement. One of the department’s goals is to make individual teachers aware that “click-wrap” terms are legal contracts, she said.

Polonetsky, a former chief privacy officer for AOL who also worked as New York City’s consumer affairs commissioner, said the document struck a good balance between addressing specific language K-12 officials should look for, and not overwhelming with details that might not be relevant to their circumstances.

(Polonetsky’s organization has been active in urging companies to address data-privacy proactively. His group was the co-sponsor of a student-data privacy pledge, which more than 100 vendors at last count have signed.)

But as such, district officials also need to delve deeper into terms-of-service to make sure data-privacy protections are up to snuff, he added.

“I’d caution any school or company not to simply say ‘I’ll take these terms and put them in a contract,” Polonetsky said, adding, “What they’re offering here is very high-level….There’s probably still going to be very detailed questions about the various [privacy questions] that can” play out.

See also:

• Millions of Student Records Sold in Bankruptcy Case
• Google Under Fire for Data-Mining Student E-Mail Messages
• Google Amends Terms for Scanning User Data
• Push for Learner Profiles Stymied by Barriers