0314 Protecting student data


Forecast for schools: Cloudy with a chance of data breach?

By Jennifer Wohlleb
Staff Writer

At the state level, Kentucky schools have been fortunate in their secure and relatively painless entry into the world of cloud computing with the Department of Education’s move of the MUNIS accounting system and Infinite Campus attendance program to the cloud several years ago. But as smaller cloud-based services, from file sharing to data storage, become more common down to the classroom level, districts need to make sure they are taking the right steps to protect student privacy.

Cloud computing allows computer users to store data on a network of remote servers hosted on the Internet rather than storing it on a local server or computer. That data may then be accessed from almost anywhere a person has a Web-capable device and Internet access.

A recent national study by Fordham University Law School found that while schools are rapidly adopting cloud computing services, they are transferring increasing amounts of student information to third-party providers without requiring basic privacy protections such as strong data security measures and limitations on commercial data mining. (See chart for findings from the study.)

“If districts are starting to get involved with things locally for unique services we do not provide at the state level, they are actually exporting student data from Infinite Campus into something else that we’re not involved with, what are the kinds of questions they should ask?” said David Couch, head of the state education department’s Office of Knowledge, Information and Data Services.

He said the No. 1 question district personnel should ask is whether their technology staff is involved.

“Here is an error I see – and having been in this role for over 20 years and I see it here – if the technology staff is not doing the work or it’s not coming out of their budget, there is a tendency not to include them, and that is very problematic,” he said, adding legal and program staff should be included as well.

“When Kentucky became the first and largest deployment of LiveEDU to Microsoft, we went to our legal staff and worked with the department as well as the vendor partner about the kinds of things that needed to be in that contract because we knew once we did it, other states would soon be following, which they did, and we would be using that model for other things,” Couch said.

Other questions districts should ask
What are the benefits of cloud computing? Couch said it’s hard to beat its efficiency from a cost and staffing standpoint.

“We realized early on we were not a 24/7 organization, and districts are not 24/7,” he said. “Cloud-based providers are 24/7. They provide a level of redundancy that you can’t provide. Previously when that server got stolen out of the district office, the person coming in stealing it wasn’t really after the data, they just wanted the server, but a lot of districts didn’t have backups or they had never tested them.”

Round-the-clock virtual security is also something the cloud provides that districts cannot.

“Think about a school district, if someone was trying to get into their servers – they go home at 6 p.m. – who’s watching those?” Couch asked.

Where is the data physically being stored? While cloud computing offers layers of security, it is still important to know where your data is being kept. “You have to be comfortable where it physically is,” Couch said. “ … a big part of this conversation is, ‘Tell me about your redundancies.’ And if that (main site) is wiped out and our data is backed up at a second site, when can we get to it? This other site, how quickly can you be up and operational? And if the building is safe but the employees have no way to get there (during an emergency), how good is that?”

Is it a public or private cloud? For example, Amazon.com’s cloud service that offers storage for music and other types of files is a public cloud, versus the private cloud on which KDE has MUNIS and its other cloud-based systems.

“A public cloud will generally have an end-user license agreement that you get to agree to, so you have very little input into the type of contract you are entering into, and what happens to your data,” said Robert Hackworth, KDE’s operations manager in the office of Knowledge, Information and Data Services. “What you really want to look for is a cloud provider who will enter into an actual contract with you and you can specify, ‘my data will not be shared with someone else, I will not be contacted by anyone else, my child’s data will not be exposed to anyone.’”

Who else can see it? How much control do we have over our data in the cloud environment?

“Part of your legal agreements and terms and conditions you set up with these companies is to make sure you, as an organization, have exclusive data ownership, that there is nobody else that has access to that data, that they can share that data with. That you retain all the rights,” said Chuck Austin, KDE’s security program manager in the office of Knowledge, Information and Data Services.

Asking questions in the beginning can avoid a lot of problems later.

“What I would recommend for our districts, when they are asking a provider to store their data, is asking them if they can meet federally mandated requirements of FERPA and HIPAA (federal education and health care privacy acts, respectively) that sort of thing,” Hackworth said. “If they can’t do that, that’s the canary in the coal mine. If they can’t do that, then that’s a problem.”


Key findings of Fordham University Law School’s national study of public schools, cloud computing and data privacy

• Ninety-five percent of districts rely on cloud services for a diverse range of functions, including data mining related to student performance, support for classroom activities, student guidance, data hosting, and special services such as cafeteria payments and transportation planning.

• Cloud services are poorly understood, nontransparent and weakly governed, with only 25 percent of districts informing parents of cloud services. Twenty percent of districts do not have policies for the use of online services, and a sizeable plurality of districts have rampant gaps in their contract documentation, including missing privacy policies.

• Districts give up control of student information when using cloud services, with fewer than 25 percent of the agreements specifying the purpose for disclosures of student information. Fewer than 7 percent of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice. FERPA, however, generally requires districts to have direct control of student information when disclosed to third-party service providers.

• An overwhelming majority of cloud service contracts do not address parental notice, consent or access to student information. Some services even require parents to activate accounts and consent to privacy policies that may contradict those in the district’s agreement with the vendor. FERPA and COPPA (Children’s Online Privacy Protection Act), however, contain requirements related to parental notice, consent and access to student information.

• School district cloud service agreements generally do not provide for data security and even frequently allow vendors to retain student information in perpetuity. Yet, basic norms of information privacy require data security.
 