Leaking and the New National Student Privacy Consortium

Kenna McHugh

There’s school physical security, and then there’s digital security and data privacy. A new sort of security happens when schools form a cooperative to share best practices and gain strength in the open commercial markets. Such is the case with the work of Steve Smith and the National Student Privacy Consortium. Smith, the Chief Information Officer for Cambridge Public Schools in Massachusetts, has been on a journey to help schools with security.

Leaking Data

“Schools and districts have come a long way in putting in advanced infrastructure to support learning. Along with that, some budgets have grown, at least, to the extent that they have modern security protections in place, like at their endpoints and firewalls,” Smith said. “The area that I think is of most concern is what happens in the classroom with the exposure to so many applications, and lack of understanding of where student data is going as students interact with these applications. That’s the area that I’ve been putting a lot of energy into, addressing those here in Cambridge and then across Massachusetts and now across the nation. I’ve been developing models and systems that districts can use to get a handle on how they contract with vendors to ensure that no student data is leaking out.”

Smith believes that most schools across the country aren’t thinking about data leaks. “The majority of the schools are small, like, ninety percent are less than 1000 students. They don’t have the capacity and the resources to consider security as more technology comes in that teachers and students are excited about. There’s a wealth of apps and tools out there, new ones every day. Students and teachers are being innovative and with all good intention, enhancing learning, but are not aware as to where the data is going when the students are logging in somewhere. Many of those are probably very valid companies and applications, but some aren’t.

“Probably more than half of them are free applications and free applications are free for a reason. They have a business model and the majority of the time it has something to do with the data they’re capturing from the student. So, there is a big exposure, I think, across the country, of student data leaking out for purposes other than just improving their education.” It’s true that there are companies out there that have alternative purposes for providing free applications and, without reading the fine print, sometimes students’ privacy is being jeopardized. Steve thought the concept of “hijackers” or “boogeymen” to be appropriate.

The solution, according to Smith, is that “An education piece about security has to happen in all districts, both at the administration level and then down to the teacher level, and down to the entire school community, about why student data privacy is important and where some of the potential exposures are. Not to be emailing student-level data over the commercial internet, for example.”

“We only use applications that have been completely vetted, so we do not use Dropbox, for instance, because of their terms. They don’t have an education version that can be compliant. There are terms of service in their privacy statement that we cannot agree to for student level data.”

About the National Student Privacy Consortium

Smith started by developing Cambridge’s online tools to manage the district’s contracting process with vendors; the work grew in sophistication from there and went national. Now in Cambridge, any new application is vetted for curriculum alignment, then given a quick technical review, and last, reviewed for privacy and terms of service. This last step, a common set of legal terms, is useful for all schools.

“Many years ago we used to spend time reading ‘terms of service’ statements, and just realized that there is a large amount of time that it takes to do that so we began to develop our own standard Student Data Privacy contract language that we would use and send out to vendors. That’s what we do today, we get past the first two steps (curriculum alignment and technical), and then it’s kind of an automated workflow through this online application, and the vendor gets an email with our standard Student Data Privacy contract and a couple other documents saying teachers want to do this application, here are our expectations for protecting student data.

“Sometimes we get that back, signed, right away and sometimes there are a lot of questions and I explain the situation to the vendors and why we’re asking for those particular clauses and things. In some cases, it ends up in a much longer negotiation back and forth between legal departments on the wording of those contracts.”

Over the last five or six years, Smith has had to answer a lot of questions because Cambridge was one of the first districts to start doing standard terms. One day he realized how crazy it was for every school and district everywhere to have to create their own terms and push back on vendors. Across the whole nation, that would be a ton of wasted effort. He said his district first partnered with Boston schools and then quickly opened it up to any district in Massachusetts, which created the Massachusetts Student Privacy Alliance.

“Then we took it a step further and created the National Student Privacy Consortium (https://secure2.cpsd.us/mspa/) where we are replicating that process in other states. Currently there are sixteen states that have created alliances much like Massachusetts and they are getting vendors involved. Now the consortium is made up of districts, states and vendors because we don’t want it to be us against them, vendors have just as much interest in solving this issue as we do,” stated Smith.

Today, New Zealand and Australia are starting their own alliances because they have the same problem. Smith believes that California has probably now surpassed Massachusetts because they vetted a statewide model contract in January 2017.



Steve Smith bio data:

Steve Smith

Chief Information Officer
Cambridge Public Schools, Cambridge, MA