Source: 
School leaders don’t have to wait for new laws to protect their students’ privacy. Here are seven key questions to help accomplish that goal.
By Jim Marshall, CEO, Promethean
As a growing number of software applications collect and store student information in the cloud, concerns have mounted about what will happen to this information—and how it might be used.
Joining the call for stricter rules governing student data use, President Obama is pushing for legislation known as the Student Digital Privacy Act. The measure would require ed-tech companies to use the data they collect about students only for educational purposes—to “teach our children, not to market to our children,” he has said.
That’s a commendable goal, and it’s one that most people would agree on. But enforcing that goal through legislation is a tricky proposition. Even the most well-meaning laws often come with unintended consequences, and some organizations that are strong advocates for student data privacy—such as the Software and Information Industry Association (SIIA)—are on record as saying they are unsure Obama’s proposal is the best way to accomplish this. What’s more, given the current political climate in Washington, who knows how long it might take for a legislative solution to the problem.
While lawmakers grapple with how best to protect student data privacy, school leaders don’t have to wait. There are several steps you can take right now to protect the privacy of student data, such as carefully vetting your ed-tech vendors and holding them accountable in your contracts with them.
With that in mind, here are seven questions to ask your vendors or potential vendors.
1. If their software is free, how do they make money?
If an app or program is completely free, then you are the product. That’s not necessarily a bad thing, as there are several ways that ed-tech companies can make money from you in legitimate ways.
For instance, at Promethean we offer a free, cloud-based application, called ClassFlow, that helps educators teach in technology-rich classrooms, no matter what devices their students are using. While the app is free for teachers, we also sell an enterprise version for districts, complete with analytics tools that give administrators real-time insight into their students’ progress.We use the free version as a way to let teachers try our software, and we hope that administrators will see the program’s value and invest in the enterprise version. But we have a clear business model for making money beyond the free app in a way that does not market to students. That’s something you’ll want to make sure your other vendors have as well.
2. Have they signed the SIIA Student Privacy Pledge?
Last fall, SIIA and the Future of Privacy Forum unveiled a voluntary pledge intended to safeguard student privacy.Ed-tech companies signing the pledge promise to (1) never sell student information or target ads based on student behavior; (2) use student data only for authorized educational purposes; (3) not change their data privacy policies without giving stakeholders notice and choice; (4) enforce strict limits on the retention of student data; (5) allow parents to access, and correct errors in, their children’s information; (6) maintain comprehensive data security standards; and (7) be transparent about how they collect and use student data, among other things.
As of early March, there were 120 signatories, including Promethean. Although there are no formal penalties for signers who violate the pledge, the ill will and bad press from doing so likely would be enough of a deterrent to hold them to their promise.
3. How are they using student data, and can you get this in writing?
Asking vendors to certify in writing that they are only using data for educational purposes could give you legal recourse to sue if they break their promise, which is another way to protect your students.
4. What policies do they have in place for securing student data?
For instance, how do they store user passwords and transmit information? Some ed-tech companies have done poorly in this area, storing passwords in plain text or sending unencrypted data back and forth—and that’s not acceptable. The onus of protecting the integrity of student data is on the vendor. Any educational software should have basic data security measures in place. If it doesn’t, then you should not work with that vendor.
5. Have they had a security audit?
A computer security audit tests for vulnerabilities in an app or program. Have the ed-tech companies you are working with done any penetration testing on their app, either themselves or by a third-party security auditor? If so, when is the last time this was done—and what were the results?
6. Can you request a copy of your schools’ data?
Having access to your data enables you to see what student information your vendors are collecting and storing, so you can make sure they are collecting only what is needed to improve education.If you ask for a copy of your data, will vendors comply with this request? You might have to pay a fee for this service, but it’s a good idea to build this capability into your contracts with vendors, if possible, as yet another way to protect your students.
7. What will they do with your data once the relationship is over?
If a teacher stops her account, or when students leave your district, or when your contract or subscription with a vendor ends, what happens to the data? If this information is no longer needed, it should be destroyed within an agreed-upon period of time.
Asking these questions when making district-level software purchases is a good first step to safeguarding student privacy. But you also need clear policies in place to prevent teachers and students from downloading unauthorized apps and tools—and you need to educate teachers and students about this issue.Taken together, these measures can safeguard the privacy of student information as effectively, or better, than any federal legislation can.
Jim Marshall is the CEO of Promethean, which provides hardware, software, and professional services to help personalize instruction.