The Center for Digital Education reported on a CoSN webinar where experts outlined five steps school districts should take to manage their data in the cloud. The cloud prompts school district leaders to consider where they store their data, why they’re collecting data, and how to keep it private, a panel of experts said in the webinar. And it’s not easy to keep data private in the cloud because technology and privacy policies change so quickly, said Jim Siegl, technology architect at Fairfax County Public Schools in Virginia, who moderated the webinar for CoSN. “Is privacy in the cloud possible?” Siegl said. “Yes, but it takes a lot of work and a lot of communication.”
The panel laid out five steps to ensure such privacy:
1. Communicate what data you’re collecting and why.
The U.S. Department of Education’s Chief Privacy Officer, Kathleen M. Styles, suggests that school districts maintain a page on their websites that outlines what data they collect, who has access to it, and why it’s being collected. This transparency builds trust between school districts and the community, said Aimee Guidera, executive director of the Data Quality Campaign. If the community doesn’t see the value of collecting data, they will negatively react to the practice. “If it’s all risk and no value add, that’s when fear grows,” Guidera said
2. Find out what data people need.
Ms. Guidera points out that school districts often collect data that’s not valuable because no one uses it. For every piece of data that’s collected, school districts spend money and take on the risk of guarding its privacy.
3. Make data and cloud decisions based on district values.
Mr. David Rubin, an attorney who’s a member of the Council of School Attorneys, said superintendents and school boards should make these decisions, not teachers. Many teachers have good intentions when they sign their students up for no charge websites, but they’re putting student data in the hands of a third party without the district’s knowledge. “Districts are not policing their teachers adequately in terms of signing up for these free apps,” Styles said. Any app or service should go through a procurement, policy and legal review before school districts hand over student data to third parties, Styles said. And when they do hand it over, the privacy law FERPA requires the third party to:
a) Perform a service that an educator would otherwise do;
b) Use and maintain the education records under the direct control of the school district;
c) Use education data in a manner consistent with the annual FERPA notification of rights that districts send to parents; and
d) Not disclose or use the data for unauthorized purposes.
Styles stressed that third-party providers do not own the student data and that they act at the school district’s direction.
4. Assess your record-keeping practices and clean them up.
Styles believes school districts should take the time to analyze their data collection practices and processes before moving anything to the cloud. And this analysis could help address problems that the school district previously didn’t handle, Rubin said. “Oftentimes when you’re dealing with new legal issues, it forces you to confront concerns that really have always existed, but we haven’t paid much attention to,” Rubin said
5. Take an inventory of the records you have in the cloud.
Once school districts address these problems, they may be ready to move data to the cloud. But not before they record where all of their data is located. If districts don’t take an inventory of the records they have, they’ll have a hard time finding them later when they need them.
Source: Center for Digital Education, 11/13/13, By Tanya Roscorla
[Editor’s Note: We thank Mr. David Rubin, a COSA member, for his excellent representation of the interests of school districts and school attorneys.
Another resource on the Cloud available to COSA members is the December 2011 Inquiry & Analysis article: Cloud computing issues for schools.]