Privacy Policies and Practices
Data Minimization and Retention
Declining costs of cloud storage have made it easier and cheaper to store data, and educational technology continues to open up more ways to collect ever more of it. This creates incentives for both institutions and ed tech providers to amass data for refining analytic tools and for potential use in future applications. The more prevalent use of remote instructional tools and services during the pandemic is adding increasing amounts of video, experiential-learning and testing data, and other information about students collected in online learning environments, all of potential value to colleges.
FERPA does not provide any specific requirements for minimizing the amount of data collected, or for retention or deletion of data, other than mandating that institutions retain records where needed for compliance with a legal or policy requirement, such as an outstanding request for inspection. Schools may retain some data, such as student transcripts, indefinitely. However, when schools disclose PII to ed tech vendors, the FERPA requirement that the vendor protect the PII from unauthorized disclosure implies, under Department of Education interpretation and guidance, adequate destruction of the data once it is no longer needed.[1] FERPA does not explicitly require institutions to establish any policies for data retention and deletion. It only specifies that when institutions choose to delete PII, they must use "reasonable methods", and it does not provide details on what those methods are. Deletion may mean overwriting or destroying data by various means, but it can also mean removing PII through de-identification. De-identified information from education records is not subject to any further deletion requirements because, by definition, it is no longer PII under FERPA.
De-identification of data is the process of altering data, such as by removing or obscuring PII, to prevent it from being used to identify a person. De-identified data may be shared under FERPA without consent, and with any third party.[2] FERPA's requirement for successful de-identification is "a reasonable determination that a student's identity is not personally identifiable, whether through single or multiple releases, and taking into account other reasonably available information."[3] While FERPA does not specify methods for de-identification, the Department of Education's Privacy Technical Assistance Center has released definitions of de-identification techniques and related guidance.[4]
When organizations, including higher education institutions, share data with third parties, they often rely on de-identification as a privacy protection. In recent years, however, studies demonstrating that anonymized data can be matched back to an individual ("re-identification") have shown de-identification to be problematic.[5] Re-identification is often done by using external databases to infer information about the records in the anonymized data (known as linkage attacks). FERPA's standard of "reasonably available information" presents a challenge here: it is difficult to assess what information someone may be able to bring to bear in any given re-identification attack. Anonymized datasets also cannot be taken back once released, so even if data is effectively de-identified by current standards, future techniques and newly available information could remove those protections.
Ideally, institutions should have someone with data privacy expertise assess the techniques that they or their vendors use to anonymize data, what other controls are in place, and whether the risks of re-identification are low enough. They should also look ahead, taking advantage of new privacy technologies for anonymization as they become available. Differential privacy has emerged as one of the most promising de-identification techniques, as it can provide formal, mathematical assurances of privacy. Private companies such as Apple are using differential privacy, as is the Census Bureau for the 2020 Census.[6]
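As an added illustration that is not part of the original report, the following Python puts two points from the paragraphs above on a constructed dataset: a record set with names removed can still single out students on quasi-identifiers (the precondition for a linkage attack, which a reviewer would measure before release), and the Laplace mechanism releases a count with a formal epsilon-differential-privacy guarantee. The records, column names and epsilon value are all made up for the example.

```python
import random
from collections import Counter

# Constructed "de-identified" course records: names removed, but the
# quasi-identifiers zip, birth year and major remain. All values are made up.
RECORDS = [
    {"zip": "02138", "birth_year": 2001, "major": "CS", "grade": "A"},
    {"zip": "02138", "birth_year": 2001, "major": "CS", "grade": "B"},
    {"zip": "02138", "birth_year": 2001, "major": "CS", "grade": "A"},
    {"zip": "02139", "birth_year": 2000, "major": "History", "grade": "C"},
    {"zip": "02139", "birth_year": 1999, "major": "Physics", "grade": "B"},
    {"zip": "02140", "birth_year": 2002, "major": "Biology", "grade": "A"},
]
QUASI_IDS = ("zip", "birth_year", "major")


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest class size. k == 1 means some record is unique on attributes an
    outside dataset (a directory, an alumni list) may also hold, so a linkage
    back to a person is possible even though no name is present."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_records(records, quasi_ids):
    """Number of records singled out by their quasi-identifiers alone."""
    return sum(1 for n in equivalence_classes(records, quasi_ids).values() if n == 1)


def dp_count(records, predicate, epsilon, seed=None):
    """Release a count under epsilon-differential privacy (Laplace mechanism).
    A counting query has sensitivity 1: adding or removing one student changes
    it by at most 1, so Laplace noise with scale 1/epsilon suffices. The
    difference of two Exponential(rate=epsilon) draws is Laplace(0, 1/epsilon)."""
    rng = random.Random(seed)
    true_count = sum(1 for r in records if predicate(r))
    noise = rng.expovariate(epsilon) - rng.expovariate(epsilon)
    return true_count + noise


if __name__ == "__main__":
    print("k-anonymity on quasi-ids:", k_anonymity(RECORDS, QUASI_IDS))          # 1
    print("records unique on quasi-ids:", unique_records(RECORDS, QUASI_IDS))   # 3
    print("DP count of A grades (true value 3):",
          dp_count(RECORDS, lambda r: r["grade"] == "A", epsilon=0.5, seed=42))
```

Lowering epsilon widens the noise and strengthens the guarantee; the k-anonymity check is only a risk indicator, since it depends on guessing which attributes an outside database holds.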
To fully protect students' privacy, institutions and their ed tech providers need to do more than comply with the bare minimum protections required by law. This should start with minimizing the amount of data they retain in the first place: collecting only data that has clear and necessary uses, and developing policies for keeping that data only as long as it is needed. This includes clearly detailing what video and other online learning data will be stored, and for how long.
Privacy Policies and Data Use
As colleges pass data privacy obligations on to vendors and partners in the provision of online learning, schools ultimately remain responsible for protecting students. As a first-order concern, schools should ensure that the distance learning technologies they use comply with FERPA and other applicable laws. During the COVID-19 pandemic, technology companies have more frequently posted information about their products and privacy policies explaining how their use of student data complies with FERPA.[7] This may provide only part of the privacy picture, however. A company's full, detailed privacy policy is the place to look when assessing its actual privacy practices. Unfortunately, privacy policies are often lengthy, filled with jargon and legalese, and difficult to understand,[8] so how a company will protect data privacy in practice is often hard to assess.
In the K-12 context, there has been some progress in holding ed tech companies accountable through tools such as Common Sense Media's privacy reviews of ed tech apps[9] and the Future of Privacy Forum and the Software & Information Industry Association's Privacy Pledge,[10] a signed code of conduct for ed tech vendors. The FTC can bring civil enforcement actions against companies that sign the pledge and do not adhere to the commitments it outlines. While this pledge is targeted toward companies that provide ed tech designed for K-12 institutions, it includes signatories such as Blackboard and Canvas that also provide the same platforms and tools, with modifications, for higher education.
While students and teaching faculty should carefully review the privacy policies of any remote learning ed tech they are considering using (or OPMs they are considering partnering with), assessing privacy policies should only be a first step for institutions. Schools need to fully understand what technical and administrative protections for data are in place, and ensure that ed tech companies meet both the requirements of the institution's stated privacy practices and its system security plan, so that privacy is protected in all phases of data collection, use, and storage. Both privacy policies and vendor contracts should, at minimum, include terms covering what data will be stored, limitations on the use of data, how data will be protected, and when and how data will be deleted. There should be clear and transparent answers to questions about a company's data use practices: whether data is being used in secondary ways, especially for purposes other than those explicitly stated; whether any data is being shared with third parties, and if so, for what purposes; whether data is being used to build any sort of profile on students, and whether that profile serves non-primary or non-explicit uses; and under what terms and conditions data is shared with the government and with law enforcement. There should also be clear limits on data collection. Schools should ensure that the vendors they contract with minimize the amount of data they collect, gathering and retaining only information that has necessary, clearly stated purposes.
Institutions should also keep in mind that FERPA and other privacy laws provide a floor for privacy protection, not a ceiling. They can, and should, act in the best interests of their students and use their power as the customers of ed tech companies to enhance overall privacy. For example, unless institutions take steps to prohibit the practice, there is a risk that ed tech companies will seek to monetize student behavioral data as a funding stream, leading to extended surveillance of students' learning experiences.[11]
Citations
1. "Best Practices for Data Destruction", U.S. Department of Education, March 2019.
2. "Data De-identification: An Overview of Basic Terms", U.S. Department of Education, May 2013; Electronic Code of Federal Regulations: Title 34, Part 99, Family Educational Rights and Privacy, accessed September 16, 2020.
3. Electronic Code of Federal Regulations: Title 34, Part 99, Family Educational Rights and Privacy.
4. "Data De-identification: An Overview of Basic Terms", U.S. Department of Education, May 2013.
5. Paul Ohm, "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization", UCLA Law Review 57 (August 2010): 1701-1777.
6. Chris Sadler, "Protecting Privacy in Data Releases: A Primer on Disclosure Limitation", New America, February 24, 2020.
7. See for instance "FERPA Guide", Zoom, October 2020.
8. Kevin Litman-Navarro, "We Read 150 Privacy Policies. They Were an Incomprehensible Disaster", New York Times, June 12, 2019.
9. "Ed Tech Reviews", Common Sense Education, accessed September 15, 2019.
10. Future of Privacy Forum and The Software and the Information Industry Association, Student Privacy Pledge, 2020.
11. Alfred Ng, "Education Apps Are Sending Your Location Data And Personal Info To Advertisers", CNET, September 1, 2020.