The Student Digital Privacy Act is Just Not Enough
As a vendor, CPSI has always been cognizant of student privacy. Remember, we were founded in 1990 – BEFORE the internet was even readily available in schools! In those days, it was very easy to protect student privacy as long as teachers and administrators didn’t share passwords. Everything was kept at the district level, and many applications were not even network based. It was very simple, and very secure. Then came the network-based applications, and protecting the privacy of students became a little more important. For instance, you wouldn’t want the nurse at ABC School to see private information about students at XYZ School, even if they were in the same district. At that point, that protection came through the login process.
Then, moving forward a few years, the web was suddenly in every school. Teachers were on the web. Students were on the web. Parents were on the web. All of a sudden, we started thinking about privacy from the standpoint of the web. How much data is being moved out to the world? How much information can be seen? Where is the data stored? How do the companies handle the data? But several years ago, there were no large integrated databases or cloud systems holding a lot of data. Back then, the most that could happen was a hijacked login name or the loss of a couple of pieces of data that were not of much use.
Now we move on to today’s world. Cloud-based data systems are used by everyone. Online learning systems are expected, and used every day by schools and districts. Data is sent by the districts in the form of text files, SIF integration, REST services, web services, or some other method. The data then resides on the receiving company’s database servers or in its cloud data system. Parents are asking many questions now. Where is my child’s data stored? Who owns my child’s data? Is it secure? Who looks at the data? What happens to my child’s data if the company goes out of business, is acquired, or is sold? How do I make sure that my child’s private data does not go to strangers? Who is ensuring student privacy?
These are all very good questions. Unfortunately, there are not any very good answers. There is FERPA – we all know that this is the law that governs the privacy of students’ education records (the rights belong to the parents until the student turns 18). There is HIPAA – the federal law governing the privacy and security of health data. Then there is the new Student Digital Privacy Act that is currently working its way through Congress. What does it all mean for parents? And for students? Is it going to make a difference?
I spent a lot of time reading through the Student Digital Privacy Act. Here are the general points of the Act:
1. It has a clear definition of Personally Identifiable Information (PII).
2. It clearly states that advertising is not allowed, and that companies cannot sell data for the purpose of advertisement.
3. It very clearly states that a company cannot disclose information to another party NOR can a company use the data for any other purpose other than for purposes related to K12 education.
4. It says a lot about how companies need to implement security to make sure that data is not breached.
But what doesn’t the Act cover? Why is it not enough?
1. The Act requires that vendors “establish, implement, and maintain reasonable security procedures” that are “appropriate” in order to “protect the confidentiality, security, and integrity, of the covered information”. There are so many definitions in this Act, but what does “reasonable” mean? Who decides what counts as “reasonable”? I am uncomfortable leaving such a vague term in place when speaking about student data privacy.
2. The Act requires that vendors delete data within a reasonable amount of time, not to exceed 45 days, when a deletion is requested. There is that phrase “reasonable” again. And 45 days? Why does it take so long? If I want my child’s data deleted, I really want it deleted immediately. I would think that 3 days would be a more reasonable time frame.
3. The Act says that vendors need to disclose, in an easy-to-read format, what data they are collecting, who receives the data they are collecting, and why they are collecting it, i.e. the purpose. Thanks! But what about the parent’s permission statement? And where do they disclose this: on a web site, in a letter, or some other way?
4. The Act requires that the vendor “implement policies and procedures for responding to data breaches involving unauthorized acquisition of or access to PII that occurs”. Is this a credit card company? Have we decided that student data is more like credit card data? Where is the definition of which policies should be implemented? Should they even hold PII for my child?
5. Vendors have to let the schools and parents know about any data breaches that occur. How are parents notified? Is there any penalty for a data breach? How can parents rectify any issues that arise from the breach?
6. This next one is very interesting to me, and I wonder why the time frame is so lengthy. The Act requires that the vendor delete data within a reasonable amount of time, not to exceed one year, after the vendor stops providing services to a district. One year? After the vendor stops providing service? What happened to the 45 days mentioned above? Shouldn’t the time frames be similar, at the very least? As a parent, I now have to worry about data breaches for a year after my child has stopped using an application or online service.
7. The Act has a section about mergers and acquisitions. Basically, if a company is acquired by another company, or two companies merge, the data must be protected by the new company in the same way that it was protected by the first company. What is this? A pinky promise? In this age of startups, acquisitions and mergers are everyday occurrences. The entire reason for a startup is to be acquired within 5 years of founding. The main goal of all of these companies is profit. Many times, the data itself is very desirable and is a source of profit in its own right.
8. The Act then goes through some other constructs. The Act does NOT limit the ability of a vendor to use the data for adaptive learning. I understand this clause. The Act does NOT prohibit a vendor from using the data for support and future development. I understand this clause too, but who is providing support? Is support in the US? Have the support technicians signed confidentiality agreements with the vendor? Are background checks run on support personnel? The Act does NOT prohibit the vendor from marketing to parents of students whose data is collected, as long as they haven’t used any PII to reach the parents. What?????? Last, but not least, if a parent or student wants any data from the application, the vendor does not have to provide the information for free. The vendor is now allowed to charge me for access to my child’s data? Is that even a fair practice?
9. The Act covers enforcement of the policies presented. Basically, the Act says that the FTC should enforce it the way it enforces the other laws it is responsible for. It gives no direct enforcement policies or consequences. The Act goes on to say that “any jurisdictional limitation of the Commission with respect to non-profit organizations shall not apply for purposes of this Act”. Does that mean that nonprofit organizations are not covered under the Act? Or does it say something else? I am really not sure.
10. And to end the Act, it states that it goes into effect 18 months after enactment. So vendors have 18 months to become compliant?
Well, I have vented quite a bit about the Student Digital Privacy Act. My next blog will go through CPSI’s version of data privacy in the cloud and how it SHOULD be implemented. A child’s private data is not something to be dealt with lightly, and we should take every care in the world to ensure that our children are safe at school and in the virtual environment. Times have changed so rapidly, and government agencies move so slowly. That means technology companies have a clear opportunity to make money on our children’s data. Data is today’s biggest commodity. We know that these cloud-based services make sense, as well. Let’s just make sure that the data is protected properly.