K12 educators are largely unaware of the threat issues surrounding them. Teachers, millions of them, bring apps into their classrooms every day to make learning more fun and engaging, which potentially makes their students’ data vulnerable. District leaders and IT departments are beginning to think deeply about student data privacy and the safety and security of the applications being deployed in their schools. Vetting of the apps is the key concern. There is no lack of organizations with websites popping up that rate and review new education apps. These ratings often include how an app complies with COPPA (Children's Online Privacy Protection Act) or PPRA (Protection of Pupil Rights Amendment) regulations.
This is clearly better than nothing, and these organizations are attempting to fill a void in oversight in this brave new digital education world. More broadly, however, many schools are still using tools and cloud-based sharing apps which are not in fact safe for student data. Take for example Dropbox. This widely popular sharing app does not have an education version that can be compliant for most school districts. There are terms of service in their privacy statement which are too broad. Or take the voice recording and sharing tool Vocaroo, which openly uses cookies to track users, yet some schools are using it in their classrooms.
Kevin Lewis, formerly an Education Technology Specialist within Houston ISD and now the project manager at IMS Global Learning Consortium heading its Student Data Privacy, Safety and Security initiative, spoke with the Learning Counsel about the work being done to secure a student’s education. “Many districts use the PPRA or COPPA ratings,” stated Kevin. “Up to now, those various ratings sites are all they really have to go off of, or checking what another district is using. It’s a little like the wild west still. We’re trying to provide a standard and some stability.”
What Kevin explained is that some of these rating systems aren’t as effective as they need to be because they don’t dive as deep into the actual practices of the vendors, the companies that are putting out these educational applications. “Districts are asking for a better way. Several brought up wanting to join some sort of task force or group that can help them develop a rubric for vetting the applications themselves, something that’s neither long nor expensive. I know the Learning Counsel even stepped up with a group within their KnowStory platform, the Security and Infrastructure Group, to begin the conversation about this.”
The discussions and chatter coming from so many districts made it clear that at a national level school districts need a standard. “What is being asked,” stated Kevin, “is a one-stop-shop type of place where they can talk to different members and different districts and organizations to develop a single-rubric, a single vetting process so they can really stand by it and trust it.”
Kevin feels that what he is now doing with IMS Global will fill that void. It can be THE standard. “We still need all the input and conversations to happen, to discuss the issues and bring to the table all the ways of viewing where data is leaking out, where policies need to be written. All the groups, cohorts and coalitions are valuable and will help what we are going to formalize at IMS Global.”
Kevin explained that what IMS Global is doing is not going to focus on data sharing agreement contract language. He said it’s going to focus on the actual vetting of the application: what questions need to be asked and answered when it comes to vetting an application. For example, what types of data are shared? Who is it shared with? How is it shared? “All of those questions that are important to districts will be asked and will be answered and the goal is to get it into the hands of the application vendors themselves to start developing their products around districts’ needs.”
It is going to be a game changer in Kevin’s mind because it will get everything built with compliance in mind before the new product is being sold to school districts. It flips the system back on itself and makes it work. “We’re telling them, ‘okay, this is your product here, and this is what the districts are saying your product needs to be, to be more effective in the industry, to give more districts access to your product, here are the questions that we want answered.’”
Members of the security task force are not just K-12 and Higher Ed leadership; they are vendors as well. Vendors are in the conversation because it changes the way they will develop their products. They are getting a voice about what is acceptable for student use in the classroom. The end game will help everyone in the industry to streamline and put attention on better support for teaching and learning.
Kevin spoke further of what the education community is doing to support all the work in coming up with security and a student data privacy agreement. “The KnowStory Security Group has that extra layer of expertise. We can only get so many members in our task force. Our reach is only so far. So, we try to reach out to other districts, but it still doesn’t reach as far as we would like. Being a member of KnowStory, you get access to a lot more experts in this industry and you get a lot more feedback from experts in the industry even if they’re not linked to the IMS Global task force. This outside group of experts can give their input and help gear that standard.”
All of this, noted Kevin, is sort of high policy level work. He pointed out that at the classroom level, teachers and students will continue to innovate and bring in new apps and solutions for learning. Currently, it is mostly the teacher's responsibility to be smart. Students will follow the lead of the teacher for the most part. “A teacher may check if an app is trusted by the district or someone who is in the district,” stated Kevin. “But truthfully, they usually just go ahead with it without asking any questions. Unknowingly, some teachers are leaking out student data. This is why our work is so important to get standardized.”
The KnowStory Security and Infrastructure Group will be sharing its findings, so far, at the Learning Counsel Gathering in Lake Las Vegas on November 1st – 3rd.
IMS Global will be providing regular updates about what the task force is finding, and about the standards themselves, at its quarterly meetings, at the Learning Impact Leadership Institute and in its monthly newsletter to members.