Protecting Your Child’s Privacy

A Parent’s Guide to Protecting Your Child’s Privacy

The problem with having your child’s data shared.

“Nearly everything children do at school can be — and often is — recorded and tracked, and parents don’t always know what information is being collected, where it’s going, or how it’s being used. When you were a student, routine things like attendance and grades were recorded on paper and didn’t go beyond the school house walls. The data being collected today is very different; hidden algorithms and software can track everything a child does from micro-movements, mood, facial expression, time spent on each page, what she types and how fast…This is often referred to as meta data.

In most states, the data are fed into a massive database, known as a “statewide longitudinal data system (SLDS)”. Once the data is in the state SLDS it can be further shared, to companies, other state agencies, individuals and researchers, without parent or guardian consent.

Sales of educational technology software for kids in kindergarten through high school reached nearly $8 billion last year, according to the Software and Information Industry Association.

One of the biggest players is the field is Knewton. It analyzes student data that it collects by keeping track of nearly every click and keystroke your child makes during digital lessons.” Knewton claims to collect 5-to million data points per day on your child.

“In the past, (schools) would have never had this data, but now that it’s electronic, we can correlate data in a way that we never ever had the opportunity to do before.”

Grades and standardized test scores (like PARCC) also get fed into this large state SLDS data base that tracks and categorizes your child. The assumptions and correlations made as a results of these measures can be particularly dangerous when the tests are not valid, reliable and are biased.  

TS Gold is an assessment that collects sensitive information on our toddlers in pre-school and also in kindergarten. The data gathered measures a child’s social-emotional skills and developmental abilities, and the data is stored in a cloud, shared outside the classroom.

Generalizations made during the stages of child development can be inaccurate, particularly when limited to the kind of data that can never capture individual intricacies or the beauty and complexity of the human being. The primary concern, is that connecting all those data points creates a “profiles” the student that will follow him into adulthood. With the introduction of digital badges, this information is designed to follow the lifetime of a child from preschool through college, leading to college and career tracking that may limit his or her education choices and job opportunities in the future.

See what a day in the life of a data mined student looks like with the Market Place Quantified Student infographic

Marketplace does a good job of explaining data collection at their site: A day in the life of a data mined kid.  

  • Why privacy and security are important:
  • Privacy: Do you know who has access to your child’s information? There’s a lot of talk about how children’s information, their data or records, are protected by a law called FERPA. What parents need to know is that FERPA (since it was weakened) allows for your child’s personal information to be shared. Personal identifiable information like your child’s name, address, phone, weight, pictures, video, psychological profile, discipline records, health records, special education records, disability status, family information, income status (anything in your child’s education record) can be shared outside of the school, with companies, researchers, state and federal agencies, without your consent or knowledge.
  • Security: How safe is the information is when it is stored (at rest) or shared (in transit)? Essentially, how hard (or easy) would it be for a hacker to get access to your child’s information? There are different levels of security, and not all data is encrypted when it is stored and when it is being transferred to other parties.
  • Please make the highlighted information below a link here. “To learn more about the current laws and how to protect your child’s privacy and security click here.” We’re working on passing laws to protect children’s private information from being shared or sold. We hope you will join us.

There are 3 Federal laws meant to protect children’s privacy: COPPA PPRA FERPA

COPPA applies to websites and online services that collect, use, or disclose personal information from children under the age of 13. The primary goal of COPPA is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Schools may in some cases, consent in place of a parent,; schools can act “as an agent for the parent.” Internet operators covered by the COPPA Rule must:

  1. Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
  2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
  3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
  4. Provide parents access to their child’s personal information to review and/or have the information deleted;
  5. Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  6. Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
  7. Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

PPRA law states that parents must provide informed before their child participates in a a survey, analysis, or evaluation that concerns one or more of the following eight protected areas:

  • political affiliations or beliefs of the student or the student’s parent;
  • mental or psychological problems of the student or the student’s family;
  • sex behavior or attitudes;
  • illegal, anti-social, self-incriminating, or demeaning behavior;
  • critical appraisals of other individuals with whom respondents have close family relationships;
  • legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
  • religious practices, affiliations, or beliefs of the student or student’s parent; or,
  • income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).

PPRA also concerns marketing surveys and other areas of student privacy, parental access to information, and the administration of certain physical examinations to minors. The rights under PPRA transfer from the parents to a student who is 18 years old or an emancipated minor under State law. See PPRA FAQs here.

FERPA gives custodial and noncustodial parents alike certain rights with respect to their children’s education records, unless a school is provided with evidence that there is a court order or State law that specifically provides to the contrary. Otherwise, both custodial and noncustodial parents have the right to access their children’s education records, the right to seek to have the records amended, the right to consent to disclosure of personally identifiable information from the records (except in certain circumstances specified in the FERPA regulations, some of which are discussed below), and the right to file a complaint with the Department.

Sharing personally identifiable information from a student’s education record

Disclosing a student’s education records without consent to a “school official” is allowed if the school has determined that the official has a “legitimate educational interest” in obtaining access to the information for the school. Schools or state education agencies may determine volunteers, companies, other agencies as “authorized school officials” and may share pii data, without parental notification or consent.

Directory Information: FERPA permits a school to disclose personally identifiable information from a student’s education records without parental consent. “Directory information” is defined as information contained in the education records of a student that would not generally be considered harmful or an invasion of privacy if disclosed. Directory information could include, but is not limited to: information such as the student’s name, address, e-mail address, telephone listing, date and place of birth, video, photographs, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, the most recent previous educational agency or institution attended, grade level (such as 11th grade or junior year), and enrollment status (full-time or part-time). Parents may opt their children out of the directory information at the beginning of each school year.

Five steps to protecting your child’s privacy and securing your child’s education:

1.–Secure the data:  3 tips to check if the sites your kids visit are secure, storing their information safely.

2.–Ask to see the data. If you want to see what data the state has stored on your child, use this template letter created by the Parent Coalition for Student Data Privacy-to request your child’s data is the state data base (SLDS). Send SLDS data requests to your district, they will verify you are the parent and forward your request to the state.

Under FERPA, a school must provide a parent with an opportunity to inspect and review his or her child’s education records within 45 days following its receipt of a request. A school is required to provide a parent with copies of education records, or make other arrangements, if a failure to do so would effectively prevent the parent from obtaining access to the records.

This site explains your rights under FERPA. You can contact the Family Policy Compliance Office, FPCO if you feel your child’s privacy under FERPA or PPRA have not been protected.

If your child is under 13 years old, and engaging in online activity for school, logging onto sites for testing, homework, surveys, curriculum or apps, your school should be asking for parent consent under COPPA law. Ask your school if they are aware of COPPA and if they have READ the terms of service and privacy policy of the online sites and applications your child is logging onto. Many times the privacy policy will state that children under the age of 13 must get verified parent consent before logging onto their site.

3.–OPT OUT of DATA.

Opt out of Directory information: Directory information allows sharing of much more than just your child’s phone number. Parents can use this form to opt your child out of directory information.

PARCC and CMAS: These online tests collect meta data and share data with state and federal agencies and with vendors. Colorado law HB15-1323 states parents can choose to opt their child out of these tests with no penalty.  This law also states that schools, in collaboration with parents, may choose paper pencil versions of the tests, rather than online.

TS GOLD: In the case of kindergarten, parents CAN have their children opted out of these data collecting assessments. However, pre-school children have a different situation. The Colorado Department of Education has stated that families whose preschoolers are “funded through the Colorado Preschool Program (CPP) or preschool special education, families may not opt out of the assessment. Participation in CPP and preschool special education is voluntary, and child assessment is an expectation for all families who wish to participate in these services.” We don’t think this selective targeted data mining of children based on income is fair and we want to help. Please let us know if you are in this situation and would like to opt your child out of TS Gold preschool assessments.

4.– Ask to see the contracts.  Parents should ask their school for a list of the online vendors and classroom apps that the school uses and also ask for a copy of the contracts /data sharing agreements with these vendors. (This is your right under FERPA). Ask your school what data is collected, its purpose, who it is shared with. Ask if you can see the data, look for errors and make corrections. Ask how the school stores the data, (is it encrypted?) When does your school delete data? (How long is stored?) Download and print this handy guide: Questions to ask your school about data collection

5.–Ask your legislators, your school administrators and board members to support strong data privacy and transparency legislation. True data privacy and transparency will tell parents what data points are collected (referred to as data elements). The big companies don’t want to tell you this, so they hope you settle for “types” of information. The difference is simple: do you want to know if someone has shared your child’s medical record, their discipline record, and their income status (that would be data points) or would you settle for “educational records”?

Privacy legislation should contain these 5 principles and schools and companies should also abide by this proposed Student Privacy Bill of Rights:

In line with the President’s Consumer Privacy Bill of Rights, which is largely based on the well-established Fair Information Practices (FIPs), schools, districts, and EdTech and other cloud-based service providers should adhere to the following practices when collecting student data. These rights should transfer from parents or legal guardians to students once the student is eighteen or attending college.

  1. Access and Amendment: Students have the right to access and amend their erroneous, misleading, or otherwise inappropriate records, regardless of who collects or maintains the information.
  • There are gaps in current laws and proposed frameworks concerning students’ access and amendment to their data. Schools, companies, government agencies, and other entities that collect any student information should provide student access to this information. This includes access to any automated decision-making rule-based systems (i.e, personalized learning algorithms) and behavioral information.
  1. Focused collection: Students have the right to reasonably limit student data that companies and schools collect and retain.
  • EdTech companies should collect only as much student data as they need to complete specified purposes. “Educational purposes” and “educational quality” are frequent examples of broad and fluid purposes that grant EdTech carte blanche to collect troves of student data. A more focused collection would, for example, specify that the collection is necessary to “improve fifth grade reading skills” or “enhance college-level physics courses.” In focusing student data collection for specific purposes, schools and companies should consider the sensitivity of the data and the associated privacy risks.
  1. Respect for Context: Students have the right to expect that companies and schools will collect, use, and disclose student information solely in ways that are compatible with the context in which students provide data.
  • Schools and companies should never repurpose student data without express written student consent. This includes using student data to serve generalized or targeted advertisements. The Education Department’s guidance states that federal student privacy laws do not prohibit schools or districts “from allowing a provider acting as a school official from serving ads to all students in email or other online services.” This allows service providers to repurpose the information. Schools provide private companies access to student data to help enhance education quality. When companies use this access for general marketing purposes, they have repurposed the student data and turned the classroom into a marketplace.
  1. Security: Students have the right to secure and responsible data practices.
  • Amid recent, large-scale student data breaches, schools and companies must increase their data safeguards to ward against “unauthorized access, use, destruction, or modification; and improper disclosure” as described in the CPBR. Companies should immediately notify schools, students, and appropriate law enforcement of any breach. And schools should immediately notify students when there is a breach. Schools should refrain from collecting information if they cannot adequately protect it. Securing student information also entails deleting and de-identifying information after it has been used for its initial and primary purposes (no secondary uses allowed!).
  1. Transparency: Students have the right to clear and accessible information privacy and security practices.
  • Schools and companies should publish the types of information they collect, the purposes for which the information will be used, and the security practices in place. Schools and companies should also publish algorithms behind their decision-making.
  1. Accountability: Students should have the right to hold schools and private companies handling student data accountable for adhering to the Student Privacy Bill of Rights.
  • Schools and companies should be accountable to enforcement authorities and students for violating these practices.