As schools across the country are using online and web-based services to collect and store students' data, new research recommends that schools adopt adequate security measures to prevent the potential misuse of students information.
The examination, conducted by the Center on Law and Information Policy at Fordham Law School in New York, found flaws in the protection of student information in web-based services that public schools adopted to collect and analyze personal details about students, writes Natasha Singer of The New York Times.
School districts have contracted technology companies to outsource web-based tasks. The study found that many agreements public schools signed with service providers failed to list the type of information collected while others did not prohibit vendors from selling personal details like names, contact information or health status or using that information for marketing purposes.
"We found that when school districts are transferring student information to cloud service providers, by and large key privacy protections are absent from those arrangements," said Joel R. Reidenberg, a law professor at Fordham who led the study. "We're worried about the implications for students over time, how their personal information may be used or misused."
Schools are using automated student assessment programs or online homework management systems to help improve test scores, grades and graduation rates. The Software and Information Industry Association estimates that education technology software for prekindergarten to 12th grade is an estimated $8 billion market.
Some privacy specialists, industry executives and district officials are concerned about student privacy, saying that federal education privacy rules and local district policies are not keeping up with advances like learning apps that can record a child's every keystroke or algorithms that classify academic performance.
Experts warn that critical data could hypothetically be shared with colleges or employers without explicit prohibitions on the nonacademic use of the information.
According to the study, some districts might not completely grasp the implications of outsourcing data handling or may lack the negotiating authority to require contracts that limit information use.
"The report raises the possibility that abuses could happen with student data if contracting practices don't come up to snuff," said Kathleen Styles, the chief privacy officer of the Department of Education. Although the agency had no evidence of such abuses, she said, it is developing best practices for schools to use in "contracting out for web services and for transparency with parents."
Under the Family Educational Rights and Privacy Act (FERPA), schools are required to obtain written permission from parents before sharing students' educational records. An exception allows school districts to share student information with companies providing student information systems without parental consent.
The exception also requires districts to directly control such contractors' use of student information. If contractors misuse the data, regulators may ban districts from sharing further data with those companies.
The study recommends that school districts should have sufficient resources, including legal and technical, to protect the misuse of data.