Privacy and Cloud Computing in Public Schools

Report Summary

As public schools in the United States rapidly adopt cloud-computing services to fulfill their educational objectives, and transfer increasing quantities of student information to third-party providers, privacy issues become more salient and contentious. The protection of student privacy in the context of cloud computing is generally unknown both to the public and to policy-makers. This study thus focuses on K-12 public education and examines how school districts address privacy when they transfer student information to cloud computing service providers.

The goals of the study are threefold: first, to provide a national picture of cloud computing in public schools; second, to assess how public schools address their statutory obligations as well as generally accepted privacy principles in their cloud service agreements; and, third, to make recommendations based on the findings for the protection of student privacy.

Fordham CLIP selected a national sample of school districts including large, medium and small school systems from every geographic region of the country. Using state open public record laws, Fordham CLIP requested from each selected district all of the district's cloud service agreements, notices to parents, and computer use policies for teachers. All of the materials were then coded against a checklist of legal obligations and privacy norms. The purpose for this coding was to enable a general assessment and was not designed to provide a compliance audit of any school district nor of any particular vendor.

The key findings from the analysis are:

• 95% of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning.
• Cloud services are poorly understood, non-transparent, and weakly governed: only 25% of districts inform parents of cloud services, 20% of districts fail to have policies for the use of online services, and a sizeable plurality of districts have rampant gaps in their contract documentation, including missing privacy policies.
• Districts surrender control of student information when using cloud services: fewer than 25% of the agreements specify the purpose for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice. FERPA, however, generally requires districts to have direct control of student information when disclosed to third-party service providers.
• An overwhelming majority of cloud service contracts do not address parental notice, consent, or access to student information. Some services even require parents to activate accounts and consent to privacy policies that may contradict those in the district's agreement with the vendor. FERPA, PPRA and COPPA, however, contain requirements related to parental notice, consent, and access to student information.
• School district cloud service agreements generally do not provide for data security and even allow vendors to retain student information in perpetuity with alarming frequency. Yet, basic norms of information privacy require data security.

In response to these findings, Fordham CLIP proposes a set of specific, constructive recommendations for school districts and vendors to be able to address the deficiencies in privacy protection. The recommendations address transparency, data governance, contract practices, and contract terms.

Recommendations for Transparency

The existence and identity of cloud service providers should be available on district websites, and districts must provide notice to parents of these services and the types of student information that is transferred to third parties.

Recommendations for Data Governance

Districts must establish policies and implementation plans for the adoption of cloud services by teachers and staff including in-service training and easy mechanisms for teachers to adopt, and propose technologies for instructional use. Districts must address directly and publicly any policies on the use of student data for advertiser supported services. Finally, larger districts and state departments of education must designate a Chief Privacy Officer to provide advice and assistance.

Recommendations on Contracting Practices

Districts, as stewards of children's information, must properly document all cloud service agreements including maintaining fully executed contracts complete with all appendices and incorporated documents.

Recommendations on Contract Terms

Districts are often passive parties to cloud service contracts that are drafted by vendors and not subject to any negotiations. These agreements must more directly address privacy obligations. To accomplish this, vendors should include the following terms in their agreements: specification of the purpose of the agreement and the authority to enter into the agreement; specification of the types of data transferred or collected; the prohibition or limitation on re-disclosure of student data; the prohibition or limitation on the sale or marketing of student information without express parental consent; the assurance that districts will have exclusive control over data access and mining; the prohibition on new or conflicting privacy terms when parents are required to activate an account for their child; the allocation of responsibilities for granting parental access and correction capabilities; the specification of whether foreign storage and processing is allowed; the specification of whether other government agencies (such as social service agencies) may have access; the specification of data security and breach notification obligations; the prohibition on unilateral modifications; and the inclusion of a right for the district to audit/inspect vendors for compliance with contractual obligations.

Recommendation on the Creation of a National Research Center and Clearinghouse

School districts, cloud service providers, and policy-makers all have a tremendous need for assistance in addressing privacy. A national research center and clearinghouse should be established to prepare academic and policy research, convene stakeholders, draft model contract clauses, privacy notices and consent forms, and create a repository for research, model contracts and policies.

Work on this project is supported by a gift from Microsoft.

Our research team included:

• Joel R. Reidenberg; Microsoft Visiting Professor of Information Technology Policy, Princeton University; Stanley D. and Nikki Waxberg Chair and Professor of Law, Fordham University School of Law; Academic Study Director of Fordham CLIP
• N. Cameron Russell, Esq., Executive Director of Fordham CLIP
• Jordan Kovnot, Esq., Privacy Fellow and Interim Director of Fordham CLIP (through July 2013)
• Thomas Norton, Student Project Fellow
• Ryan Cloutier, Student Project Fellow
• Daniela Alvarado, Dean's Fellow

Download the Executive Summary.
Download the full report.
Read the press release.

Media Coverage

• The New York Times, December 12, 2013
• Education Week, December 13, 2013
• Slate, December 16, 2013
• Education Week, January 7, 2014
• The New York Times, February 20, 2014
• The Baltimore Sun, February 20, 2014
• The New York Times, February 25, 2014
• Portland Press Herald, March 5, 2014
• The New York Times, April 26, 2014
• NPR, April 28, 2014
• Politico, May 15, 2014
• The New York Times, September 14, 2014
• NPR Marketplace, September 15, 2014
• The Wall Street Journal, January 12, 2015
• The Hill, Op-Ed by Sens. Edward J. Markey (D-Mass.) and Orrin Hatch (R-Utah), May 15, 2015
• Education Week, Protecting Student-Data Privacy: An Expert's View (video interview with Prof. Joel Reidenberg), April 5, 2016

Inventory of State Statutes Incorporating CLIP Recommendations (as of September 29, 2014)

Schools and Student Data Privacy: Needs Improvement, Princeton CITP Lecture Series, February 6, 2014

California Assembly Joint Informational Hearing on Ensuring Student Privacy in the Digital Age - N. Cameron Russell on CalChannel, May 14, 2014

SafeGov video interview with Joel Reidenberg on cloud computing in schools, June 2, 2014

Joel Reidenberg Testifies in Congressional Hearing on Student Data Privacy, June 25, 2014

Joel Reidenberg Testifies in Congressional Hearing on Emerging Technology and Student Privacy, February 12, 2015

Surveillance Society: Students easy targets for data miners (Part 1), August 20, 2015

Surveillance Society: Review shows few safeguards against student privacy leaks (Part 2), August 24, 2015

Ready for School - Recommendations for the  Ed Tech Industry to Protect the Privacy of Student Data (Fordham CLIP study referenced on p. 2), California Department of Justice, November 2016

Report Summary

As public schools in the United States rapidly adopt cloud-computing services to fulfill their educational objectives, and transfer increasing quantities of student information to third-party providers, privacy issues become more salient and contentious. The protection of student privacy in the context of cloud computing is generally unknown both to the public and to policy-makers. This study thus focuses on K-12 public education and examines how school districts address privacy when they transfer student information to cloud computing service providers.

The goals of the study are threefold: first, to provide a national picture of cloud computing in public schools; second, to assess how public schools address their statutory obligations as well as generally accepted privacy principles in their cloud service agreements; and, third, to make recommendations based on the findings for the protection of student privacy.

Fordham CLIP selected a national sample of school districts including large, medium and small school systems from every geographic region of the country. Using state open public record laws, Fordham CLIP requested from each selected district all of the district's cloud service agreements, notices to parents, and computer use policies for teachers. All of the materials were then coded against a checklist of legal obligations and privacy norms. The purpose for this coding was to enable a general assessment and was not designed to provide a compliance audit of any school district nor of any particular vendor.

The key findings from the analysis are:

• 95% of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning.
• Cloud services are poorly understood, non-transparent, and weakly governed: only 25% of districts inform parents of cloud services, 20% of districts fail to have policies for the use of online services, and a sizeable plurality of districts have rampant gaps in their contract documentation, including missing privacy policies.
• Districts surrender control of student information when using cloud services: fewer than 25% of the agreements specify the purpose for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice. FERPA, however, generally requires districts to have direct control of student information when disclosed to third-party service providers.
• An overwhelming majority of cloud service contracts do not address parental notice, consent, or access to student information. Some services even require parents to activate accounts and consent to privacy policies that may contradict those in the district's agreement with the vendor. FERPA, PPRA and COPPA, however, contain requirements related to parental notice, consent, and access to student information.
• School district cloud service agreements generally do not provide for data security and even allow vendors to retain student information in perpetuity with alarming frequency. Yet, basic norms of information privacy require data security.

In response to these findings, Fordham CLIP proposes a set of specific, constructive recommendations for school districts and vendors to be able to address the deficiencies in privacy protection. The recommendations address transparency, data governance, contract practices, and contract terms.

Recommendations for Transparency

The existence and identity of cloud service providers should be available on district websites, and districts must provide notice to parents of these services and the types of student information that is transferred to third parties.

Recommendations for Data Governance

Districts must establish policies and implementation plans for the adoption of cloud services by teachers and staff including in-service training and easy mechanisms for teachers to adopt, and propose technologies for instructional use. Districts must address directly and publicly any policies on the use of student data for advertiser supported services. Finally, larger districts and state departments of education must designate a Chief Privacy Officer to provide advice and assistance.

Recommendations on Contracting Practices

Districts, as stewards of children's information, must properly document all cloud service agreements including maintaining fully executed contracts complete with all appendices and incorporated documents.

Recommendations on Contract Terms

Districts are often passive parties to cloud service contracts that are drafted by vendors and not subject to any negotiations. These agreements must more directly address privacy obligations. To accomplish this, vendors should include the following terms in their agreements: specification of the purpose of the agreement and the authority to enter into the agreement; specification of the types of data transferred or collected; the prohibition or limitation on re-disclosure of student data; the prohibition or limitation on the sale or marketing of student information without express parental consent; the assurance that districts will have exclusive control over data access and mining; the prohibition on new or conflicting privacy terms when parents are required to activate an account for their child; the allocation of responsibilities for granting parental access and correction capabilities; the specification of whether foreign storage and processing is allowed; the specification of whether other government agencies (such as social service agencies) may have access; the specification of data security and breach notification obligations; the prohibition on unilateral modifications; and the inclusion of a right for the district to audit/inspect vendors for compliance with contractual obligations.

Recommendation on the Creation of a National Research Center and Clearinghouse

School districts, cloud service providers, and policy-makers all have a tremendous need for assistance in addressing privacy. A national research center and clearinghouse should be established to prepare academic and policy research, convene stakeholders, draft model contract clauses, privacy notices and consent forms, and create a repository for research, model contracts and policies.

Work on this project is supported by a gift from Microsoft.

Our research team included:

• Joel R. Reidenberg; Microsoft Visiting Professor of Information Technology Policy, Princeton University; Stanley D. and Nikki Waxberg Chair and Professor of Law, Fordham University School of Law; Academic Study Director of Fordham CLIP
• N. Cameron Russell, Esq., Executive Director of Fordham CLIP
• Jordan Kovnot, Esq., Privacy Fellow and Interim Director of Fordham CLIP (through July 2013)
• Thomas Norton, Student Project Fellow
• Ryan Cloutier, Student Project Fellow
• Daniela Alvarado, Dean's Fellow