A Short And Incomplete List Of Actions That Would Improve Privacy

3 min read

In conversations about privacy in schools, it's easy to get mired in the details of what isn't working. The incomplete list below provides some starting points for making things better. This list isn't comprehensive by any means, but it's intended as a starting point for people looking to dig deeper. In an ideal world, we could round up funding to bring together a team of people for 2 two day work sessions (a total of four days) to begin working through this list. All work would be released under a Creative Commons Attribution Share-Alike license.

  1. For non-lawyers, finding and accessing the text of federal privacy laws can be a challenge. The ideal would be to create online versions of FERPA, PPRA, and COPPA that are collected in a single location, and are linkable at the paragraph (or subpoint) level. This would allow people to search, read, and link to specific sections.
  2. In December, 2013, the Fordham Center on Law and Information Policy released a study on privacy and cloud computing in public schools within the US. This report included a "Document Coding Checklist," included in the study as Appendix B (pdf download). The background knowledge and process required to use this matrix effectively could be documented. If step 1, above, is in place, we could link to the specific sections of privacy law addressed by the matrix.
  3. With the matrix defined in step 2, above, we evaluate publicly available terms of service and privacy policies of web sites and services marketed to schools.
  4. In addition to the matrix, we could use the rating criteria shared at http://tosdr.org to evaluate and document terms of service and privacy policies. These reviews could then be submitted to http://tosdr.org.
  5. Evaluate data collection and retention policies of content filtering companies. Given that both schools and libraries getting E-rate money are required to use content filters, we should have full disclosure of any data collected by filtering companies, how they use it, how they share it, and how long they retain it. Filtering companies - along with apps installed on mobile devices - are a great example of data black holes, where the terms of use and privacy policies are opaque and unclear.
  6. Create a data primer that breaks down the difference between personally identifiable information, other data that isn't tied directly to an identity but still can be used to infer a person's identity, displaying ads, using data to tune algorithms, and processing data but not showing ads against it. This data primer could also be used to help provide background information for the evaluation tools described in steps 2 and 4, above.
  7. Document and define what successful contract documentation looks like; ie, save copies of click-wrapped terms of service, etc. This would be a recommended organizational structure that districts could apply to ensure that they are tracking their contracts/obligations accurately.

As mentioned above, this list is incomplete. Please, feel free to add to it in the comments, or give me suggestions on Twitter.

In the absence of policy change around data collection at the federal or state level, and/or improvement from tech companies on respecting the rights of students and schools, the steps outlined here would empower school and district staff to make more precise demands - and more informed choices - when negotiating the terms under which information is handled. If the resources described in this post were created and available under a Creative Commons license, districts and schools could benefit from these resources at no cost.