Tag Archives: FERPA

California passes “landmark bill” to protect students’ personal data

This is an important step in ensuring that we protect students’ rights and data.

Terms of Service Cheat Sheet for Parents & Teachers

This is reblogged from my post on Edudemic

If you have email, iTunes, Facebook, or any other online account, then you are familiar with Terms of Service; you know, those excessively long, confusing legal documents that we all click “accept” on so that we can download the latest episode of Modern Family. These documents are confusing, and very few of us have the time or knowledge necessary to process 56 pages of legalese (yes, the iTunes Terms of Service is 56 pages!). Fortunately, there are several movements out there to encourage technology institutions to present easier to understand and more transparent Terms of Service and Privacy Guidelines; in fact, Microsoft and Google have recently revamped their TOS agreements. In the meantime, here is a brief “cheat sheet” to help parents and teachers to assess the safety of online tools. It will also help to clarify what happens when your children engage and share online.

Keep an Eye on Age Limits!

It’s easy to want to dismiss age restrictions for online services. After all, with just a little creative math your child can use some great resources like email or Skype to communicate with family far away or even enjoy videos from YouTube. However, an age restriction may be a sign that this is a tool to examine more closely. If you find it of value to your child, then you might want to create an account in your own name and with credentials that you can use together. This could open up a myriad of opportunities to help guide your child through appropriate usage.

acceptThere are two age restrictions that frequently appear with online resources: age 18 and 13. If a company or organization requires that an individual be 18 years old to use their services, this is often a sign that they require their users to enter into legally binding contracts (such as financial agreements for purchases such as with airlines). Additionally, it may have adult content (nudity, violence, tobacco and/or alcohol use, language, etc). It is important to note that an 18 year old age restriction is not an automatic black mark. For example, if your child is working on a stock market project for school, then it may be useful for them to have access to a brokerage account in order to get up-to-the-minute stock price updates. This is an appropriate use, but because your child is under 18, it’s also a perfect opportunity for parent-child collaboration on homework; you can create the account and use it with your child!

Because of the Children’s Online Privacy Protection Act (COPPA), companies are limited on what information they can collect and share for children under the age of 13. This magic number is a prime indicator that data is being collected and shared, so keep in mind that the age 13 requirements for Facebook or Google are not arbitrary! These are organizations that make their income from selling user data to advertisers. Deciding whether the cost is worth the benefits is highly personal; however, this is a great opportunity to discuss online behavior, digital citizenship, and digital footprints before deciding to sign up.

Know what information is being Collected & keep up with Changes!

If a company is collecting data, they should state what information they are gathering – either in the Terms of Service itself or a separate privacy agreement. Google has recently published its privacy policy outlining how it collects and uses data. Still, many companies are not as transparent, so you may need to do some research on an individual businesses.

Many organizations will allow you to sign up for notifications of updates. They will email you every time that there is a change to their privacy policies. This is a great way to stay up to date. In addition to this, you can go back and check privacy policies on a regular basis (every few months). Big companies often make the news when they make drastic changes, especially if they are controversial, so pay attention to these stories and follow up with your own research. You may want to keep a special eye on things like changes to default sharing settings (public vs. private) and how data is being collected.

Don’t Be Afraid to Ask for Help!

Navigating Terms of Service and privacy policies can be confusing and challenging. Never hesitate to enlist others in your quest. Speak to other parents, join discussion groups, read websites dedicated to online privacy (check out “Terms of Service; Didn’t Read”). If your child is in school, seek out the Tech Director with questions. They navigate this world on a regular basis and can help to assuage your concerns or highlight areas where you should be more vigilant. As Director of Educational Technology, I am always eager to form partnerships with parents and colleagues to raise awareness of common security issues and keep them informed about the tools we are using in school.

The Good News: It will get Easier!

There has been a lot of push-back on the tech world to encourage companies to be more proactive and transparent in what type of data they collect and how they use it. Many organizations (such as Google and Microsoft) have responded positively to public pressure. Additionally, federal and state legislation is beginning to address online privacy with a special eye to protecting children. Reaching out to government officials and adding your voice to the cause will help to push this along. Parents are reasonably concerned about their child’s online presence; and with the abundance of online tools, it’s a challenge to keep up. However, by enlisting others and making a concerted effort, you can help to keep your children safe online.

Google Turns off Email Scanning in GAFE Enterprise Accounts

In my recent article, “Those Terms of Service on Popular Ed Tech Websites DO Matter” I brought up the fact that Google was currently embroiled in a lawsuit in California related to scanning student gmail accounts within their Google Apps for Education (GAFE) Enterprise accounts. Today on their official blog, Google has announced that it has fully turned off this feature in their GAFE suite to assuage any concerns about invading the privacy of students and teachers.

You can read more about this announcement on Google’s Official Blog.

Those Terms of Service on Popular Ed Tech Websites DO Matter!

This is reblogged from my post at PLP Voices

I recently attended a prominent and popular educational technology conference. As I always do, I made sure to visit the vendors’ floor. I like to be able to chat with company representatives, see what new tools they have, play with tools hands on, and generally get a feel for promising new resources available to schools.

Reviewing Terms of ServiceAt this particular conference I was excited to visit a vendor’s booth that focused on 3D printingsoftware. It promised to be easier and more intuitive to use. When I signed up for the account necessary to use the online tool, I did something that many people do not do: I read the terms of service.

The first thing I noticed was the “age 13” requirement. I asked the representative if they had an option for children under the age of 13. She responded, “Well… not officially. But it all depends on how seriously you take the terms of service.” I promptly ended the session and walked away from the table.

Here’s the reason this exchange was so striking and troubling for me: There is a pervasive attitude in educational technology (held by educators, IT professionals, developers and students) that the terms of service “don’t matter.” After all, (nod-nod-wink-wink) you can fudge your age by a few years or a few months and take advantage of great tools such as YouTube orTwitter (both of which have such restrictions).

This is for the benefit of the children, right? If the tool is useful, many will say, why do we need to bother with such hurdles as age requirements? And let’s face it, those Terms of Service are so long – we don’t have time to read all that!

But the reality is that the Terms of Service do matter.


When discussing this issue with peers, I always highlight the fact that we cannot ask our students to behave ethically and morally if we direct them to violate policies and the rules for using tools by being deceptive. In essence we are telling our students that it is not appropriate to lie or cheat, with the caveat that it’s okay in this one situation.

If you want to advocate for an effective Digital Citizenship program, you must first take the position that behaving responsibly and appropriately online is paramount. As such, this means not violating a company’s age or usage policy (even if someone in the company might suggest it’s okay).


Legal obligations

Believe it or not, the age 13 requirement found in many Terms of Service statements is rarely an arbitrary policy. While governments (local, state, and federal) are slow to catch up with existing and emerging technology, there are several federal statutes already in place. The two most important are FERPA (Family Educational Rights and Privacy Act) and COPPA (Children’s Online Privacy Protection Act). These statutes specifically relate to what information can be collected, stored, and transferred – and they include especially stringent restrictions on children under the age of 13. By signing students up for these tools, you and your institution may be in violation of Federal law. Disregard for these policies not only compromises the safety of your students, but opens a school and individuals up to institutional and personal liability.

The ethics of commercializing education

One of the most controversial issues in education today is the commercialization of education. This is especially relevant in educational technology. Many companies offering free or heavily discounted tools use a business model based on collecting and then selling information (names, birthdates, contact lists, and more).

While the world is very much aware of these practices with Social Media tools like Facebook, other services are less obvious in the way they collect user content and what they do with it after the fact. When you see that a service requires all users to be age 13, that should be the first red flag that sensitive data is being collected and possibly redistributed or sold to third parties.

Google-Apps-EducationMost companies are not transparent about what they do with the information they collect – a practice that many of us in the educational technology sphere are rallying to change. Several states are considering legislation to put restrictions on what type of data companies can collect on students and who can then see that information.

Most recently,Google has been sued for violating student privacy and their stated contract conditions in Google Apps for Education by data mining students’ emails. (It is important to note that, at this time, Google claims that the data-mined content is not being distributed to third parties or used for advertising purposes.)

Pay attention to what companies collect

If an educational technology company collects information on your students, then it is important to take this into consideration as you consider the digital tools that you will use in your institution. Perhaps you feel that the benefits outweigh the extra cost of paying for a tool that is not underwritten by these kinds of practices (especially if your school and/or district is cash strapped). But don’t pass over these decisions lightly.

Safer tools are available

There are many great tools and online services available for students that specifically focus on protecting the information and identities of students under the age 13. Often, these have a financial cost (as they cannot make money through other avenues like advertising or selling personal data). Still the costs are negligible when you focus on how they protect children.

To find a tool that will work for your institution, be sure to go with a reputable company, read their Terms of Service, speak to a representative and ask questions such as, “How do you protect students’ identities online?” and “What do you do with the information that you collect from our students such as names and email addresses?” Companies that are truly COPPA and FERPA compliant are always willing to be open and transparent with this information.

TRUSTe-logoAnother great resource to find and assess an organization’s COPPA compliance is with TRUSTe. A TRUSTe COPPA Compliance Certification ensures that an organization meets Federal compliance for protecting the information of students under the age of 13. Recognize that not all COPPA compliant tools have been certified with TRUSTe, but that those that are have met stringent requirements and adhere to these statutes.

Tools that allow teachers to be administrators of the tool or service (restricting content & publication and monitoring use) can provide your students with a safe, “walled garden” environment that will allow them to take advantage of internet connectivity while being safe. Additionally, be sure that your Technology Director has fully explored the service (and continues to do so as the service is updated) to ensure that the service stays compliant with its previously stated policies (sometimes an update will negate earlier privacy restrictions). Also, any time that there is a update to those Terms of Service – read them!!

Student security comes first

Anytime you are considering an online tool or service, it’s important to ensure that the securityof your students plays a key role in your decision. Implementation of new tools in your school or classroom should never violate a company’s Terms of Service and should always be in compliance with existing law. Members of the educational community (administration, faculty, parents, and students) should be involved in the broader conversations about reasonable restrictions.

I believe it is also important to advocate for greater student privacy and security, and I think that transparency on the side of developers is absolutely vital in this process. We cannot effectively make decisions for our schools without adequate information. Ultimately, schools and districts must make choices that are right for them and their communities, with their eyes wide open.

Protecting Student Data & Privacy Online – TrustE, COPPA Compliant

Securing student data and privacy is an important topic in the economy of educational technology. While the Federal Government has declared several guidelines via COPPA and FERPA, it is very tricky to know whether or not a company or organization adheres to these requirements. Many of them assert that schools/institutions are responsible for enforcing COPPA compliance.

A great tool for educators and institutions to determine a company’s abilityto protect student data is TrustE certification.

The TRUSTe Children’s Privacy Certification program certifies compliance with the COPPA Rule and meets the requirements of TRUSTe’s standard TRUSTed Websites Program, which include ongoing site monitoring and privacy dispute resolution.

After passing the certification process, members receive TRUSTe’s trusted web seals to display throughout their respective web pages. Client Service Managers provide seal placement guidance to ensure members are maximizing the impact of the seals. More than 25 million consumers click on these seals annually to confirm TRUSTe membership.

SXSWedu – Becoming a Security Ninja

Courtesy of Intel Free Press on Flickr

Courtesy of Intel Free Press on Flickr

I can’t believe that I’m at SXSWedu!! I’m so excited for the opportunity to be around forwarding thinking, innovative educators. The first session that I’m attending is “There is No Try: Becoming a Security Ninja.” This is an important topic as we go to more cloud computing and third party technology services. The speakers are Aimee Guidera of Data Quality Campaign, Brian Rawson, Joel Reidenberg (who unfortunately was snowed in and couldn’t make it), and Lori Fey of the Ed-Fi Alliance.

This panel discussion is based as an interactive discussion, so let’s hope that I can capture the meat of the round-table! The speakers argue that data is vital for effective education today. However, we must ensure that we can safeguard that data. It’s important to use actionable, quality, and useful information but must let people feel safe using it. Parents and educators are vital for the discussion of security and educational data.

Student data privacy is one of the most important and prevalent topics in education today. Lori states that the objective of this panel is to highlight the concerns of student data and usage today. Aimee says that it’s important to distinguish bad information that is often promulgated on social media and discuss the legitimate concerns surrounding student data. Other key questions are who owns student data and what are appropriate uses of that data? Also, it’s important to keep up with federal statues of student data,  such as COPA, especially with children under 13. Also, how do we bridge the gap between security and responsible use/accessibility?

What are some of the gaps in policy that must be addressed as we move forward?

Brian states that our primary obligation is to secure and protect data that we have of students. All of the stake holders (parents, administrators, students, vendors, and government) are all key to ensuring that this data is not only effective, but protected. Vendor contracts must be compliant with federal law and government must ensure that we execute these policies effectively. Technology today enables data capture on an unprecedented scale, yet our laws and policies are racing to catch up (and are woefully behind). Our guidelines must play catchup. Another key issue is that we must be transparent in our collection, use, and protection of data.

Brian highlights vendor contracts: they must be secure and explicit, data breech and disclosure procedures must be outlined, and what exactly will be done with that data. The contracts must be public, available, and accessible to anyone who wants access to it. He also argues that FERPA training must be in place for vendor staff. Joel Reidenberg published a report recently on “Privacy and cloud computing in the Public Schools.”

Aimee also highlights that FERPA is not the ned all be all of student data and security. In fact, this conversation is continuing at the state and local level. She argues that this is vital as we have not done a great job of ensuring that parents and guardians understand what is going on with their student’s data.

Is There Agreement that Student Data is a Valuable Tool?

Some of the audience members step in here to bring up that data is valuable to understand where students are in their learning and how they can help students to progress in their academics. Additionally, because privacy and security is at the forefront of discussion we are getting better at retaining info. Purser argues that electronic data is actually more secure than the “olden days” when we kept manila folders with student content that could easily be lost or picked up by prying eyes.

Data is important to focus and improve instruction in the classroom. It has increased exponentially and it can show us in a focused way what a student needs. It takes away wasted time where we used tests and reviews to try to gauge a student’s progress.  This information helps us to use this information as a diagnostic tool to pinpoint students’ needs.

Another audience member brings up the point that the data is only as good as the assessment. As such, we need to have multiple assessments that are addressed in multiple modalities. This way, the information can be put into one screen for teachers to see where/how students are struggling. We need to get the tools that are best for the student. “Data is not just a test score.” It has numerous different data points that we must explore and examine. We must use and collect data continuously to limit surprises. We must change the conversations about using tests and data as a “gotcha” and using it “as a flashlight” so that we can help every child succeed.

Another audience member asks how we train teachers for using data as an effective diagnostic. For data to be used effectively, training and effective professional development is vital. I would argue that this is also important when it comes to security of the students.

Who owns the Data?

So who owns student data? Can a parent “opt-out” of allowing a vendor having access to their student’s data? This is a current hot topic in the world of education. Parents/Guardian are concerned about who has access to their child’s data. At the same time, we need to ensure that educators have the best tools available to help their students. If we have 200 students, can we have multiple different tools/methods for each student? I can imagine the nightmare of management for teacher if some students can have data on the cloud or with specific vendors.

Aimee argues that this is why it’s important to bring parents into the discussion. They become especially nervous when they don’t understand the tools or content. Often they will pick up wrong and inaccurate information. We must make sure that they understand the role and value of data. This is true also for vendors – they must listen to the concerns of parents/administrators/teachers. They cannot dismiss those concerns and meet people where they are.

Brian also argues that we need to develop a standard lexicon when it comes to information security. We must be able to have a shared vocabulary in order to have effective conversations with one another, parents/guardians, and vendors. Security and privacy are different issues. Aimee also argues that we all need to change our responsibilities and understanding of data. This is now a shared endeavor – we all have a role to play in this conversation.

Aggregate Data vs. Individual Data

Aggregate data can be helpful, but one audience member brings up the issue that access to information on an individual level can be limited. For example, college counselors can have trouble getting access to individual data to help low-income and at risk youth become college ready.

Linking and sharing data is important but also requires effective tools in securing and protecting that data. Again, aggregate data is readily accessible. However, the struggle comes with the individual level. If we cannot link data to students, how can we effectively use it?

Aimee highlights that we also have to clarify for parents the difference between aggregate and individual data. We must limit individual, identifiable information to very few users. This is not all information that higher level politicians at the state or federal level. They may need to know that girls in low income areas are struggling with math, not the names of those individual girls.

Teaching Students Data Literacy

We focus on educating parents about data, but another audience member brings up the importance of educating students on their data literacy. While students are becoming more tech savvy, they are not always familiar with the importance of their data – how to protect it and how it can be used. So how do we go about having those conversations with students?

Courtesy of mikolajgr, http://mikolajgr.deviantart.com/

Courtesy of mikolajgr, http://mikolajgr.deviantart.com/

Many students, especially as they get older, do want more ownership and agency of their lives as well as their work. Technology has been effectively employed in high schools and is now trickling down to middle and lower schools. It’s important to have age appropriate discussions with students about this content and data. At the same time, we have to ensure that students are aware of their own presence online, especially in the realm of Social Media. Common Sense Media has some great resources in this realm. We must teach students how to protect their own information online.

Who is Beholden to the Data?

When FERPA was drafted, no one anticipated the glut of student data that would arrive. Specifically, the issue of targeted advertising. This is something that we must investigate as we go forward. Common Sense Media argues that student data should never be used for commercial purposes and I would wholly agree.

This is an issue that is currently going through federal and state legislation. Data is not cut and dry, nor is ownership. For example Google+ is a prominent tool used for Google Hangouts between teachers and students. Now, it is tied with local advertising. You can opt-out, but it requires a concerted effort. Commercialization of data is very specific and can target advertising to students and parents.


At the end of the day, the key issues here are cleaning up and demystifying privacy and security with student data, building a common vocabulary, and defining (via legislation and policy) the obligations of schools and vendors. This is not one organization’s job, it is a big conversation that must take place over multiple conversations in various contexts. As Aimee says, “We all must do it.” It’s also important to understand that there is a cost, nothing is “free.” So when using vendor’s material it’s important to understand what the business model is that supports the service.