Privacy Protection and Human Error
As part of my work, I spend a fair amount of time reading the websites of educational technology offerings. The other day, while on the site of a well-known, established product, I came across a comment from one person asking for information about another person. Both people were identified by first and last name. The question struck me as strange, so I searched the name of the person who left the comment.
The search returned several hits -- including every one of the top five -- that clearly showed the commenter was a principal at a school in the United States. Jumping to the school's Web page clearly showed that the principal's school serves young children. With that information, I returned to the comment. Now that I knew the questioner was a school principal, it became clear that the subject of the question -- who, remember, was identified by first and last name -- was almost certainly a student at the school.
I had stumbled across a comment on an edtech site on the open Web where a principal identified a student by name and asked a question that implied an issue with the student. And the question had been asked over a month ago.
To make matters worse, the vendor had answered the question and left the thread intact.
In this post, we're going to break down the ways that this exchange is problematic, what is indicated by these problems, and what to do when you encounter something similar.
Problem 1: The principal had access to large amounts of data on kids but didn't understand privacy law or the implications of sharing student information, including information about behavioral issues, on the open Web. This problem is particularly relevant now, when some people are complaining that teachers haven't been adequately trained on new privacy laws. However, the lack of awareness around privacy requirements is as old as data collection, and it's disingenuous to pretend otherwise.
Problem 2: The vendor responded to the question, allowing a student to be identified by name on their website. The vendor also was in a position to collect, manage, and store large amounts of student data, with much of that data containing potentially sensitive information.
Every member of the vendor’s staff should have been trained on handling sensitive data and on how to respond when someone discloses sensitive information in a non-secure way. When a staff member stares a potential FERPA violation in the face and blithely responds, we have a problem.
This problem is exacerbated by rhetoric used by a small but vocal set of vendors, who insist that they "get" privacy and that people with valid privacy concerns are an impediment to progress. Their stance is that people should get out of their way and let them innovate. However, when a vendor fails to adequately respond to an obvious privacy issue, it erodes confidence in the potential for sound judgment around complicated technical, pedagogical, and ethical issues. If a vendor can't master the comment field in blogging software, they have no business going anywhere near any kind of tracking or predictive analytics.
How to Respond
If you ever see an issue that’s a privacy concern, reach out to the company, school, and/or organization directly. In this case, I reached out via several private channels (email, the vendor's online support, and a phone call to their support). The comment with sensitive data and the vendor's response were removed within a couple hours. A private response is an essential part of responsible disclosure; we make privacy issues worse when we identify the existence of an issue before it has time to be addressed.
For principals, educators, and anyone else in a school setting who is managing student data: Spend some time reading through the resources at the federal Privacy Technical Assistance Center. Although some of the documents are technical and not every piece of information will be applicable in every situation, the resources there provide a sound foundation for understanding the basics. At the very least, schools and districts should create a student data privacy-protection plan.
For vendors, train your staff. If you're a founder, train yourself. For founders: Start with the PTAC and FERPA resources linked in this document. Cross-reference the data you collect for your application with the data covered under FERPA. If there’s any chance you’ll have any people under the age of 13 using your site, familiarize yourself with COPPA. Before you get any student data in your application, come up with specific questions about your application and your legal concerns and talk with a lawyer who knows privacy law.
For staff: Make sure you have a data access policy and some training on how to respond if a customer discloses private information. If you’re part of an accelerator, ask for help and guidance. Talk to other companies as well. Some great work has been done and shared.
Privacy is complicated. We will all make mistakes, but by working together, over time, hopefully we will make fewer of them and the ones we do make will be smaller. We need increased awareness of privacy and sound protection for student data. By taking concrete steps, we can improve the way we handle data and move toward having an informed conversation about both the risks and rewards of safe data use.
Related Advice & Top Picks
Your privacy is important to us. When you sign up as an advocate:
- Common Sense Kids Action will send you periodic email alerts on legislative activity that affects your community.
By providing us with your email address and clicking the submit button (above), you acknowledge and agree to the above.