For years, Boston Public
Schools kept its email server inside a data center behind a locked door, a
key code and a security guard.
When the
district — along with the rest of the city — moved to Google Apps for
email and collaboration tools this past winter, many BPS stakeholders wondered
where their data was, who could see it and whether it was safe.
"When we
explained the security that cloud service providers have, compared to what we
can do on our own — because of economies of scale and because this is the
providers' business — they started to see that the technology provided by these
providers can be just as safe," says Mark Racine, CIO of the 128-school
district, which serves 57,000 students.
It's a
discussion that K–12 communities nationwide have been having as more districts
turn to cloud services, and for good reason. A December 2013 report by the Fordham Law School Center on Law
and Information Policy found that while more and more districts are taking
advantage of the cloud, many of their policies don't adhere to education
privacy laws.
In fact, fewer
than 7 percent of those studied prohibit service providers from selling or
marketing student data.
Plenty of
districts have carved out strategies to take advantage of the benefits of the
cloud without compromising the privacy of the data they're charged with
protecting, however.
"Student
privacy is at the front of everything that we do when we're looking at a
service or a contract," Racine says.
Weighing the Cloud
Cloud services fall into two categories, explains
Bob Moore, founder and chief consultant of RJM Strategies, an education
technology consultancy. Some have flexible contracts, allowing districts to
negotiate terms, while others, known as "freemium" or
"click-wrap" contracts, have set terms of service that users need to
click through and accept.
"It's kind
of a take-it-or-leave-it situation," says Moore, who also served as
project manager in developing the Protecting Privacy in Connected Learning Toolkit, a
free resource for educators on cloud privacy that the Consortium for School
Networking released in March.
The latter is
problematic because districts — especially smaller ones that don't have much
leverage to negotiate contracts because they don't spend as much as larger
districts — have little, if any, say in cloud practices. Yet the Family
Educational Rights and Privacy Act holds districts, not service providers,
accountable for protecting the privacy of the data uploaded to those services.
"That's a
fundamental flaw in the system," Moore says.
"If you over-legislate, it could create a chilling effect in the market, because vendors worry about breaking a law," Moore explains. "The last thing we want to do is stop innovation in the market and stop innovation in the classroom."
Read the Fine Print
Amid the legalese of a cloud
services agreement, one point caught the eye of Dr. Ramiro Zuniga, chief of
technology for the 15-school Port
Arthur (Texas) Independent School District. In terms of data
security, the contract said that the vendor would do what was "most
reasonable." It had "nothing about data encryption, nothing about
data redundancy," he says.Zuniga has learned the importance of reading cloud services agreements' fine print, but he doesn't stop there. He makes sure he knows someone on the vendor's staff who can explain the contract and take personal responsibility if there's a problem.
"It's not enough to call an 800 number," Zuniga says. "If I am going to enter into a contract with a vendor, I want a thorough understanding of what services they can or cannot provide — including their safeguards, what type of security measures they have, how many data centers they have and so on."
Racine leans heavily on BPS' legal department when reviewing cloud service contracts. Although the legal process can be time-consuming, "there's great value in taking your time when it comes to information security," he says.
Like BPS and Port Arthur ISD, Wisconsin's Tomah Area School District uses both public and private clouds, but it skews heavily toward keeping data in-house. Historically, that was because Director of Technological Infrastructure Paul P. Potter has a software engineering background, so building applications was less expensive than buying from vendors. But privacy concerns have only reinforced Potter's preference for in-house applications.
When he does turn to a public-cloud service, Potter has a list of questions he asks before signing an agreement. First, he confirms that the district, which operates 11 schools, has the legal right to give the vendor access to the data. Next, he makes sure that the vendor asks only for necessary information, and he pays close attention to the data he uploads. He also obtains written confirmation that the district's data will not be sold.
"You can have all the reassurances in the world," he says. "But once somebody has access to your data, you really have no control over whether it's been copied or who has access to it."
Show Them the Way
Although Boston's move to Google
Apps was praised, it also raised questions, particularly when Google's former
practice of scanning personal emails made headlines this past spring. But
Racine says such scrutiny is a good thing."Phishing scams and social hacking are real threats that we have to deal with daily, so I welcome the fact that people are thinking about the safety of our students' data," he says. "Any system, whether it's in-house or in the cloud — if it's housing sensitive information, it's only as secure as how the users use it."
With a service provider managing the email system, Racine and his staff have more time to educate users on data security. They also educate employees to use services that have been vetted by the IT and legal departments, rather than finding applications on their own.
Port Arthur ISD's instructional technologists train and provide guidelines to users regarding education privacy laws, but they also encourage teachers to use tools they find valuable.
"I think one of the worst things that I can do as the chief of technology is to tell my teachers, 'You may not choose your own product,' " Zuniga says.
It's a delicate balance, and districts need to determine what's right for them, Moore adds. "There's no 'easy' button for this or one simple thing you can do that just fixes this issue," he says. "You have to roll up your sleeves and work with it."
Private
Thoughts
District leaders can safeguard
the privacy of online data by doing the following:- Put someone in charge of privacy for
the district.
- Have vendors specify where and how
data will be stored, backed up and secured; who will have access to it
(vendor staff and third parties); and how and when it will be deleted.
- Ensure that contracts prohibit or
limit selling or marketing student information without parental consent.
- Require vendors to notify the
district if the data is breached.
- Post online the cloud services used
by the district, the types of data uploaded to them and the privacy
protections for that data.
- Create policies governing the use of
cloud services by staff.
- Pay attention not just to the data
uploaded to sites, but to the sites' practices as well. For instance, is a
tutorial website monitoring students' drills so it can pitch them targeted
ads for help in areas in which they are struggling?
25% The percentage
of districts that inform parents about their cloud service usage, despite the
fact that education privacy laws require parental consent before sharing
student information*
SOURCE: "Privacy
and Cloud Computing in Public Schools" (Fordham Law School Center on Law
and Information Policy, December 2013)
5 details to look for in a cloud
services agreement.
Melissa DelaneyPaul P. Potter, director of technological infrastructure for the Tomah Area School District in Wisconsin, suggests that K–12 IT leaders insist on the following stipulations before signing a cloud services agreement:
- Content, including backups, will be
deleted upon termination of the contract.
- No content will be shared with
another party without written consent from the school district.
- All passwords and backups are
encrypted.
- Changes to the agreement must be
agreed upon by the school district.
- Access to content will be limited to
cloud service employees performing required maintenance.
No comments:
Post a Comment