A growing number of primary and secondary (K-12) school systems nationwide are adopting cloud-based educational technologies (“ed tech”), tools which “enable the transition of computing resources—including information processing, collection, storage, and analysis—away from localized systems (i.e., on an end user’s desktop or laptop computer) to shared, remote systems (i.e., on servers located at a data center away from the end user accessible through a network)” in the course of educational and/or academic administrative work. Cloud-based ed tech possesses unique innovative potential that can best be unlocked when the opportunities it presents are considered alongside the importance of protecting student privacy.
This paper, building upon findings of the ongoing Student Privacy Initiative under the auspices of the Berkman Center for Internet & Society at Harvard University, provides a snapshot of key aspects of a diverse—and heated—law, policy, and implementation debate that is taking place in the rapidly evolving cloud-based ed tech landscape. It aims to provide policy and decision-makers at the school district, local government, state government, and federal government levels with greater information about and clarity around the avenues available to them in evaluating privacy options. This analysis focuses on three overarching questions: who in the educational system should make cloud-based ed tech decisions; when is parental consent needed for the adoption of these technologies; and how can data transferred, stored, and analyzed through these products be kept secure and, as necessary, de-identified?
Though there is often no bright line rule that can strike an ideal balance of these and other imperatives—including normative commitments, innovative educational opportunities, and evolving privacy attitudes and expectations—the authors offer the following pragmatic recommendations based on the cloud ed tech landscape at this moment in time:
Employing (temporary) centralization of cloud-based ed tech decision-making at the district level to foster the legal, technical, and other expert oversight necessary in this complex space without stifling capacity for local experimentation;
Examining the adoption of user-friendly labeling of cloud-based ed tech products to increase transparency and encourage compliance with parental consent and other legal requirements; and
Adopting FIPPs (Fair Information Practice Principles) and other best practice standards by industry providers to increase data security and protection.
Critically, any such recommendations must preserve room for future development as the student privacy and ed tech picture continues to evolve. The authors also recognize that the proposed practices are in flux and have to be read as a supplement to, rather than a substitute for, careful consideration of more fundamental reform of the current student privacy framework.