“We are the resource, not the answer”

We want our students to have access to the best learning, so we research the newest tools, play with them, align them to standards, gather reports on usage and effectiveness, and help our teachers select the best use for them.

But each digital tool comes with strings attached - digital strings at that, that can ramify for one single, very visible, into a myriad of unseen ones. For each app and site collects unseen information from our students’ interaction with it. In a January release the FTC urged the edtech companies to adopt best practices to address privacy and security in their practice. In an article in February 2015, reCode was pointing out that the need for security is immediate given the fast development of the Internet of Things

This week I joined a number of school districts at Digital Promise/SIIA ETIN Conference to talk about all things digital and how they impact the digital providers. As digital consumers, in education we have been dabbling in privacy and data security for a while, but even more so in the last 4-5 years. The SIIA event was a great eye-opener. It helped me see where more help is needed, how to provide it, and my role in this quest for privacy.

The task at hand, as delineated by Mark Schneiderman, who invited us to bridge the communication and learning gap between the educators and the industry, was to point out our experience with privacy and security of our student data. The same issues were pointed out repeatedly by all speakers, in different words and on different tones.

Filtering: school districts do with various levels, and lots of blocking happens not because of the content but because of the adds on the app; companies must think about filtering third party presence on their sites/apps (adds) both for content and for privacy policies Integration: because the schools want to have all their learning happening in one place, and app and content providers are just wrapping their minds around this need, a new service appeared, the third party integration like Clever and Classlink. They create a portal between the two entities, the school learning hub and the app/content provider, facilitating the flow of information, and yes, you guessed it, data. Aaron Sokol from Clever explained today that they consider privacy an important part of their work and offer the schools the option to mediate privacy requirements directly with the companies, or through them. While that is easier in single data collecting environments, when third party data collection happens it is important to understand (on either side) the implications Awareness: we educate our students, parents and teachers on the implications of sharing information online, try to simplify the legalese of the privacy policies and create awareness and transparency about the tools so that our students are not deprived of great learning, but keep themselves safe while exploring digital engagement. As experts of their own material, if each app/content provider would have awareness tips and best practice materials for their product, the teachers and parents would understand faster how to help their students take full benefit of it. Hack-a-tonicks: because online data breach is not longer an a-ha! moment, but a reality, we use our students enthusiasm for discovery to teach them the secrets of system defense via CyberPatriot and other organizations; we encrypt data and delete any obsolete information. As legislation is refined around the length of data storage and encryption, a good practice for the digital industry would be to encrypt data, delete after contracts finish, and have a disaster recovery plan for digital breaches. A great reassurance for education entities would be to know how companies plan for disaster recovery and if they could make them available upon request to districts IT. A great resource for such awareness and preparedness benefitting all of us would be the banking industry. As more seasoned on this topic due to financial implications, they can provide very useful insight. Data brokerage: A new practice among certain digital tool providers is to collect, analyze, sort and sell user data. While “up for grabs” might be ok on the playground, as soon as we know better, we understand that other people’s belongings are theirs to give, and there is legislation to regulate this transfer. Legislation: FERPA allows “school officials” to interact with student data for educational purposes. Physically, when walking into a school building, one is required to present an ID, state their intent, is then directed to a specific location in the school, and is not allowed to walk away with student artifacts or information. Anyone interacting directly with students has to undergo a background check. Why should the online interaction with our students be any different? Are companies running background checks on their employees handling our students PII? With new edtech developments happening in the blink of and eye, the legislation regarding data must be updated. As parents, in industry or education, we all have a mutual interest in keeping our children safe online, therefore the industry should be an active participant in the legislative decisions . Future of Privacy and other organizations can mediate input and provide guidelines for privacy preparedness to help transition.

PII

Personal identifiable information, "as defined in OMB Memorandum M-07-1616 refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual". In the, more and more frequent case of video creation tools, it is important to acknowledge that facial recognition, e.g. students recording (themselves or peers) to create content will automatically fall under personal identifiable information. In this case, both educators and web tools/apps that feature this type of content creation will have to ensure that this information is kept secure.

Copyright There is more and more emphasis on student as master of their own learning, a builder and explorer of knowledge. At the top of Bloom’s revised taxonomy sits creating, the ultimate evidence of mastery. Creating content not only demonstrates understanding of subject matter, but encourages self-exploration and build self-confidence. Under copyright of some privacy policies today the following is listed “you hereby grant … a worldwide, non-exclusive, royalty-free, sublicenseable and transferable license to use, reproduce, distribute, prepare derivative works of, display, and perform the Content (and its successors' and affiliates') business, including without limitation for promoting and redistributing part or all of the Service (and derivative works thereof) in any media formats and through any media channels” and "the compilation of all content on this site is the exclusive property of the Company and protected by U.S. and international copyright laws." Given that copyright is defined as is a form of protection given to the authors or creators of “original works of authorship,” and educators encourage originality, how encouraging is it for a student to create this type of work without having the say in how their work is being used? How do educators feel about asking their students to create work that might be used by some company in the future without a say from the authors? And how effective, in this case, are we in teaching our students that copyright is law, and that they must always be mindful of infringement or plagiarism, when their own content can be automatically repurposed?

The Future of Privacy Forum, a rather new entity supporting the awareness efforts is creating guidelines for de-identification of data, recommendations for archiving, encrypting and deleting data. New legislation is just making its way out.

So what do we do in the meantime? What if the edtech companies reduced the data they collect? After all, FTC pointed out that “data minimization addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and second, that consumer data will be used in ways contrary to consumers’ expectations.” Educators or edtech companies, we have something very important in common - our children. So let’s keep our children safe. Together!