According to a release on
CLIP reported that the study found that as public schools in
"School districts throughout the country are embracing the use of cloud computing services for important educational goals, but have not kept pace with appropriate safeguards for the personal data of school children," said
Additionally, the goals of the study were 1) to provide a national picture of cloud computing in public schools; 2) to assess how public schools address their statutory obligations as well as generally accepted privacy principles in their cloud service agreements; and 3) to make recommendations based on the findings for the protection of student privacy.
Fordham CLIP selected a national sample of school districts including large, medium and small school systems from every geographic region of the country. Using state open public record laws, Fordham CLIP requested from each of the school districts all of the district's cloud service agreements, notices to parents and computer use policies for teachers and examined whether the districts met privacy obligations under the Family Educational Rights and Privacy Act, the Protection of Pupil Rights Amendment, and the Children's Online Privacy Protection Act, as well as basic fair information practices.
The key findings from the analysis are:
-95 percent of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning.
-Cloud Services are poorly understood, non-transparent and weakly governed with only 25 percent of districts informing parents of cloud services, 20 percent of districts failing to have policies for the use of online services, and a sizeable plurality of districts having rampant gaps in their contract documentation including missing privacy policies.
-Districts give up control of student information when using cloud services, with fewer than 25 percent of the agreements specifying the purpose for disclosures of student information, fewer than 7 percent of the contracts restricting the sale or marketing of student information by vendors, and many agreements allowing vendors to change the terms without notice. FERPA, however, generally requires districts to have direct control of student information when disclosed to third-party service providers.
-An overwhelming majority of cloud service contracts do not address parental notice, consent or access to student information. Some services even require parents to activate accounts and consent to privacy policies that may contradict those in the district's agreement with the vendor. FERPA and COPPA, however, contain requirements related to parental notice, consent and access to student information.
-School district cloud service agreements generally do not provide for data security and even allow vendors with alarming frequency to retain student information in perpetuity. Yet, basic norms of information privacy require data security.
Fordham CLIP recommends that school districts and vendors take a series of specific actions to address these problems. For example, among other things, Fordham CLIP recommends 1) that the existence and identity of cloud service providers and the privacy protections should be available on district websites and districts must provide notice to parents of these services and the types of student information that is transferred to third parties; 2) that vendors and districts include explicit contract protections described in the study; and 3) districts adopt policies and implementation plans for the adoption and use of cloud services that involve student data.
The Fordham Center on Law and Information Policy (CLIP) was founded to make significant contributions to the development of law and policy for the information economy and to teach the next generation of leaders.
((Comments on this story may be sent to email@example.com))
According to a release on