Study: Student Data Not Safe in the Cloud

A student reads a book in Chinese at a Los Angeles public school.

Photo by ROBYN BECK/AFP/Getty Images

It used to be that failing a math test in the fourth grade wouldn’t haunt you long after you graduated (even if it might get you grounded). No longer.  

American schools are migrating online, providing parents with real-time academic results. The cloud services that remotely host this information about educational achievement are also increasingly being used to store sensitive student details like names, religion, and health status. But according to a new study from the Center on Law and Information Policy at Fordham Law School, schools are failing to read the terms and conditions and providing troves of student data to third-party vendors without sufficient safeguards or adequate parental consent.

The report looked at Web service contracts in small, medium, and large school districts. Of the 54 school districts examined, almost 95 percent used cloud services, but many failed to inform parents of the full breadth of information being outsourced. Furthermore, very few of the schools’ contracts explicitly restricted the marketing of student information. This despite using third parties to store potentially delicate information, such as which students qualify for free lunch.

The school districts also seemed clueless as to the details of the contracts they’d signed. The Fordham researchers had considerable difficultly tracking down school personnel who were familiar with the district’s outsourcing policy, documentation was poorly maintained, and less than half of districts contacted complied with the open public record request in the time period required by law.

In response, the Software and Information Industry Association said in a statement that the report failed to account that the law had created strong business practices to keep students data safe: “School service providers know that if they do not protect student information entrusted to them, they will lose their customers and face legal repercussions.”

But according to the Fordham study, many of the agreements failed to meet a number of Federal privacy benchmarks. One-third of data analytics contracts did not comply with the Family Educational Rights and Privacy Act’s requirement that data be deleted after it is no longer needed for the purposes for which it was provided. Few agreements specified a level of encryption, and even fewer required the vendor to tell the schools if there was a data breach.

Khaliah Barnes of the Electronic Privacy Information Center told me that although FERPA provided a number of privacy protections for students online, subsequent regulations from the U.S. Department of Education in 2008 and 2011 had weakened the act.

Barnes added that Fordham’s findings confirmed what EPIC has been hearing from parents and students—they feel like they’re losing control. “We’ve seen an increase in student information collection and dissemination, but a decrease in privacy protection,” she said.

The report comes amid a parent-led backlash against the use of third-party vendors for storing student information. In November, the Chicago school system, the nation’s third largest, rejected the controversial student data management nonprofit, InBloom, deciding instead to build its own platform. According to Education Week, InBloom began promisingly, with million-dollar grants from the Carnegie Corporation of New York and the Bill and Melinda Gates Foundation. But after parents became concerned by plans to compile students’ information into one huge database for school-related businesses, InBloom has been dropped by numerous states. In New York, a law suit has been launched to prevent the New York State Education Department from partnering with the service.

Karen Sprowal, one of the plaintiffs in the New York case, said in a statement: “Ever since I’ve heard about InBloom Inc. I’ve been unable to rest easy. … Any information that is let loose on the Internet can never be retrieved, and any breach or misuse of this data could harm [my child’s] prospects for life, by impairing his ability to be admitted to college or get a good job.”