Wednesday, August 12, 2020

Investigating Student Data Privacy Policies

The protection of student data has become the primary focus of school districts during the last few years. In Connecticut, the passing of PA-18-189 has driven how districts choose and acquire educational websites and applications. In order for a district to engage with a particular app or website, the company providing the service must sign a Student Data Privacy addendum provided by the school district. In short, this addendum requires the company to notify the school district within a certain amount of time of a student-data breach so that the school district can in turn notify families. The data in question can consist of a variety of information - student Personally-Identifying Information (PII) such as name and address, student-created content, and other automatically collected information such as device and browser info, as well as Internet Service Provider information, among others.

In my research, I review the privacy policies of the following educational services: Edpuzzle, Flipgrid, and Codesters. Predictably, there were many similarities, along with a few minor differences.

Edpuzzle was the only one of the three to have signed the Student Privacy Pledge, which was created by the Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA) promises that its signatories will support the effective use of student information and safeguard student privacy and information security. Edpuzzle also displays the iKeepSafe FERPA, COPPA, and CSPC seals signifying that their website and apps have been reviewed and approved for having policies and practices surrounding the collection, use, maintenance, and disclosure of personal information from children consistent with the iKeepSafe FERPA, COPPA and CSPC programs guidelines. The appearance of these together with the aforementioned Student Privacy Pledge highlights Edpuzzle's commitment to the safe and proper use of student data.

All three companies outline that certain student PII will be collected as a result of account creation, especially in the case of a "sign up with Google" option, where at the very least, name and email address are obtained. Other information that is automatically collected typically involves the following: cookies, device info, log info, location, and LMS used. 

Info that is automatically collected: cookies, device info, log info, location, and LMS used. Flipgrid and Codesters elaborate further by collecting information on the user's browser and Internet Service Provider. 

All companies have a deletion process where the user, or parent, may request that the student account be deleted and all accompanying information deleted. Interestingly, all companies retain an archive of said data after account deletion. The reason found was to provide customer support and also to prevent accidental deletion. I wonder how often a customer goes back on their request for account deletion?

All companies support the use of de-identified data, which is data that has been stripped of any PII, which may be used for research and product improvement.

They all also note that publicly visible data may be created by users as a result of using the service. For example, Flipgrid contains discussion topics where the content created by students is visible to its participants. Flipgrid notes that it is not responsible for the information disclosed in this manner. They also further note that any request to delete information presented in this manner is to be requested of the discussion topic owner, who will submit the deletion request on the user's behalf.

These and many other products are used by students of varying school ages, many of which are under the age of 13. All of the above-mentioned apps require parental consent for use. According to COPPA, the district is empowered to provide consent on behalf of the parent, assuming that the district has notified families of the applications intended for use during the school year. 

The protection of student data in the context of school may seem to many a process that never yields perceivable results outside of the lack of marketing emails. But the data created by the creation and use of accounts for these and similar products still deserves to be protected and utilized for their intended purpose - to enhance student learning.


No comments:

Post a Comment