Sometimes, despite our best efforts, human mistakes can lead to unsound privacy practices.
As part of my work, I spend a fair amount of time reading through the websites of educational technology offerings. The other day, while on the site of a well-known, established product, I came across a comment from one person asking for information about another person. Both people -- the commenter and the subject of the question -- were identified by first and last name. The nature of the question struck me as strange, so I did a search on the name of the commenter.
The search returned several hits -- including every one of the top five -- that clearly showed that the commenter is a principal at a school in the United States. The school's Web page showed that the principal's school supports young children. With that information, I returned to the comment. As I now knew that the commenter was the principal of a school, it became clear that the subject of the question -- who, remember, was identified by first and last name -- was almost certainly a student at the school.
I had stumbled across a comment on an edtech site where a principal identified a student by name and asked a question that implied an issue with the student, on the open Web. The question had been asked over a month ago.
To make matters worse, the principal's question about the student had been responded to by the vendor. Staff for the company answered the question and left the thread intact.
In this post, we're going to break down the ways this exchange is problematic, what is indicated by these problems, and what to do when you encounter something similar.
Problem 1: The principal has access to large amounts of data on kids but doesn't understand privacy law or the implications of sharing student information -- including information with implications about behavioral issues -- on the open Web. This problem is particularly relevant now, when some people are complaining that teachers haven't been adequately trained on new privacy laws coming on the books. The lack of awareness around privacy requirements is as old as data collection, and it's disingenuous and ahistorical to pretend otherwise.
Problem 2: The vendor responded to the question and allowed a student to be identified by name, by that student's principal, on their product's website. The product in question here is in a position to collect, manage, and store large amounts of student data, and much of that data contains potentially sensitive student information. Every member of the vendor's staff should be trained on handling sensitive data and on how to respond when someone discloses sensitive information in a non-secure way. When a staff member stares a potential FERPA violation in the face and blithely responds, we have a problem.
This problem is exacerbated by rhetoric used by a small but vocal set of vendors, who insist that they "get" privacy and that people with valid privacy concerns are an impediment to progress. Their stance is that people should get out of their way and let them innovate. However, when a vendor fails to adequately respond to an obvious privacy issue, it erodes confidence in the potential for sound judgment around complicated technical, pedagogical, and ethical issues. If a vendor can't master the comment field in blogging software, they have no business going anywhere near any kind of tracking or predictive analytics.
How to Respond
If you ever see an issue that is a privacy concern, reach out to the company, school, and/or organization directly. In this case, I reached out via several private channels (email, the vendor's online support, and a phone call to their support). The comment with sensitive data and the vendor's response were removed within a couple hours. A private response is an essential part of responsible disclosure. We make privacy issues worse when we identify the existence of an issue before it has time to be addressed.
For principals, educators, and anyone in a school setting who is managing student data: Spend some time reading through the resources at the federal Privacy Technical Assistance Center. Though some of the documents are technical and not every piece of information will be applicable in every situation, the resources collected there provide a sound foundation for understanding the basics. At the very least, schools and districts should create a student-data-privacy-protection plan.
For vendors, train your staff. If you're a founder, train yourself. For founders: Start with the PTAC and FERPA resources linked in this document. Cross-reference the data you collect for your application with the data covered under FERPA. If there is any chance that you will have any people under the age of 13 using your site, familiarize yourself with COPPA. Before you have any student data in your application, get some specific questions about your application and your legal concerns and talk with a lawyer who knows privacy law.
For staff: Make sure you have a data-access policy and some training on how to respond if a customer discloses private information. If you are part of an accelerator, ask for help and guidance. Talk to other companies as well. There is some great work that has been done and shared.
Privacy is complicated. We will all make mistakes, but by working together, over time, we will hopefully make fewer of them, and the ones we do make will be smaller in magnitude. This is why we need an increased awareness of privacy and sound protection for student data. By taking concrete steps, however, we can improve the way we handle data and move toward having an informed conversation around both the risks and rewards of sound data use.