September 3, 2015 Linnette Attai

When the school year wrapped up for summer, most turned their thoughts to vacations, lazy days at the beach and fun in the sun. However, for many, the focus moved from the classroom to education of a different kind: sharing knowledge about student data privacy regulation, comparing best practices with colleagues and developing ways to support schools before they open their doors again to new technology products in the classroom. Yes, the student data privacy and security conference circuit was in full swing this summer, and regardless of the venue, participants or points of view, it was clear that industry, schools, community organizations, regulators and parents all share common data privacy and security interests and concerns.

In one of the early events of the season, George Washington University Law School’s Dan Solove hosted his “Teach Privacy Higher Education Workshop,” featuring esteemed panelists Kathleen Styles, the Chief Privacy Officer for the U.S. Department of Education, Dipayan Ghosh, Technology Policy Advisor to the White House, Jules Polonetsky, Executive Director and Co-Chair of the Future of Privacy Forum and Steven McDonald, General Counsel for Rhode Island School of Design. They were joined by higher education institution representatives from around the country to talk about the new regulatory paradigm for privacy in education.

What was on everyone’s mind?

In a word: risk. The talk in sessions and in the halls was about school relationships with cloud providers and third party vendors. Schools are tasked with ensuring that their contracts include adequate privacy and security protections and that they provide adequate oversight for such protections. It’s a complicated responsibility and a significant challenge for schools with limited resources. Working sessions focused on how to help schools with data privacy and security incident response planning, and preventative measures such as policies, assessments and training.

Just a few weeks later, the International Association of Privacy Professionals hosted an event on “Student Data Privacy in an Online, Personalized Learning World.” This was another fantastic panel featuring Joseph Baranallo, the Chief Privacy Officer of the New York City Department of Education, Joel Reidenberg, the Founding Academic Director of the Center on Law and Information Policy at the Fordham University School of Law and author of the game-changing 2013 study on school contracts with cloud service providers, along with industry privacy representatives. The group discussed the ins and outs of FERPA, New York States Privacy Law, and gamely answered audience questions about where the line should be drawn between acceptable and unacceptable uses of data to personalize student learning.

Then it was time for industry to have its day. The Future of Privacy Forum hosted its second “Boot Camp for Ed Tech Startups,” and yours truly was there to deliver a presentation on COPPA requirements for vendors operating in the school environment. Of course, no ed tech privacy conference would be complete without a discussion of FERPA, and here the focus was on the impact of FERPA on companies who share the school’s role in collecting, maintaining or processing student data.

Of particular interest were discussions about the needs of the school buyer, and the perspective of school and district technology officers when reviewing privacy policies and contracts. It was emphasized yet again that the first step in having a productive conversation with a school about data privacy and security is to craft clear privacy and security policies that accurately and thoroughly reflect your practices, and that while agreements come in all different forms, they always need to make clear what is happening with the data.

In a rare treat, the audience also heard from parents about topics such as fear of data breaches and misuses of student personal information. It was a welcome reminder that parents are key stakeholders in the student data privacy conversation. Helping them understand what is happening with their children’s data is essential to their comfort and to support your school clients.

To close out the summer, StriveTogether hosted a Student Data Privacy, Policy and Advocacy convening to discuss the challenges community organizations face in gathering student data. While they need the data to support students and move the needle on critical social issues facing youth today, they share many of the same challenges that industry faces when it comes to privacy requirements. As with other events of the summer, the theme here was about building trust with school partners.

In the end, the lesson from all the events was simple and clear: success in the student data privacy and security arena starts with transparent practices and responsible stewardship of student data.