District begins to implement student privacy laws

Back to Article
Back to Article

District begins to implement student privacy laws

Bella Bobrow

Hang on for a minute...we're trying to find some more stories you might like.


Email This Story






The Ventura Unified School District has begun to implement several new, as well as existing, student privacy laws that will directly affect students, teachers, curriculum and technology at Foothill. The purpose of these laws is to protect student data and privacy, but they also raise questions and concerns about maintaining teacher autonomy and educational innovation.

……………..

The Ventura Unified School District has begun to implement several new, as well as existing, student privacy laws that will directly affect students, teachers, curriculum and technology at Foothill.

The purpose of these laws is to protect student data and privacy, but they also raise questions and concerns about maintaining teacher autonomy and educational innovation.

The laws include:

  • Assembly Bill 1584: Went into effect on Jan. 1, 2015. This California law regulates terms of an educational contract with a third-party and the terms that must be included. Student data must be the property of the school, and the third-party cannot sell it or use it for other purposes. Also includes a statute that states the school must comply with FERPA.

 

SOPIPA:

The Student Online Personal Information Protection Act (SOPIPA) went into effect on Jan 1, 2016. The law prohibits “an operator of an Internet Web site or online service from knowingly using, disclosing, compiling or allowing a 3rd party to use, disclose, or compile the personal information of a minor” for advertising purposes. The act applies to those who sell products for K-12 education purposes.

Credit: Christian Erickson/The Foothill Dragon Press

Credit: Christian Erickson/The Foothill Dragon Press

“It’s kind of daunting and I have to confess, I don’t even know where to start,” Chief Technology Officer Julie Judd said. “Because when I asked all of the schools to generate a list for me of all the websites and apps they use, it was roughly 1,000 or more. And, at which point I stuck them in a folder and said ‘I’m not going to deal with this today.’ But, that’s our next task is to figure out, how are we going to proceed?”

According to Foothill Technology Coordinator Wendy Dowler, any time a student has to enter an email address to make an account, they are entering their data.

Google Drive products, Google Classrooms, and Edmodo are compliant with SOPIPA. Other tools that teachers and students use, such as Prezi and Piktochart, may not be compliant. Online digital tools may become compliant with more time and pressure from schools and districts.

“If you think about Brown vs. Board of Education in 1954, but we have the Civil Rights Act in the 1960s [and the] Civil Rights Movement, but why is that? People were out of compliance with the law and the law was ten years prior. It takes a long time for people to get in compliance with the law,” Dowler said.

Social Sciences teacher Cherie Eulau hopes the law will change the actions of companies, but isn’t sure what will happen.

“I think since California is such a big state, we might force some of these companies to become compliant,” she said.

“On the other hand, these are companies, for-profit companies – they’re trying to make money. One way they can do that is to gather information. I think we also have to keep in mind that if we crack down on all of this, is that going to stifle innovation? […] or maybe app designers will design it to be compliant.”

School district attorney Anthony Ramos said that because some companies’ business models rely on the collection of student data, they are unenthusiastic about changing their policies.

The way Turnitin makes its money is by making sure that all the data from the papers that students turn in is included in the cloud […]. And so the bigger their database, the better marketing they can do to other districts saying ‘Hey, our database is much bigger than ‘Don’tturnitin’ over there,’” Ramos said.

“If you shut that down, what’s going to happen? Their whole business model is out the door,” Ramos continued. “So they’re reluctant to actually want to do it.”

Although Google is compliant with SOPIPA according to the district, Dowler is not sure about their privacy standards.

 

 

“You want to talk about the thing that is known for violating privacy of people? It’s Google, which I think is really interesting. You know, the one that is known for violating privacy the most is the one we’re using the most,” she said.

Because Foothill uses Google Apps for Education (GAFE), Judd said student data is more protected.

“Under Google Apps for Education, I’m sure they’re still harvesting some stuff, but not much. You’re actually more protected if you use Google Apps for Education than by using a personal [email]” Judd said. “If [the email address] is under venturaedu.org, Google Apps for Education is compliant. I can’t speak to the Foothill emails, your domain, because I am not in charge of it.”

Kristen Pelfrey, Education in the Digital Age teacher, said that the new laws might cause disappointment among students when certain educational programs cannot be used.

“I think as with any laws there are really strengths and there are always going to be some things that people are going to be upset about. For example, I know that there are some programs that kids love and they are educational and they are exciting and they are relevant, immediate and interesting. And all of those things are good but if they are not compliant then, if we are going by the letter of the law, that’s what we have to do.

Judd said that she is not planning on blocking websites through the school filter that are not SOPIPA compliant.

“I am not going to pull the carpet out from anybody. Now, if there’s something that’s egregious, that’s a horrible violation, that is putting our students at risk, in any way, shape or form, then I would get on that,” Judd said. “But I’m pretty confident none of our teachers are doing anything that egregious intentionally for sure.”

 

Responsibility of teachers to be aware:

Dowler said that for teachers “it’s just being aware, and that’s it.”

“It’s up to the teachers to let me know that they think it may or may not be compliant. It’s my job to let the district know. So, it’s the district’s job to go around and contact these businesses,” Dowler said.

Credit: Christian Erickson/The Foothill Dragon Press

Credit: Christian Erickson/The Foothill Dragon Press

Judd agrees that the burden of the responsibility for SOPIPA should not be on the teachers, but that since teachers have been given presentations on the privacy laws, they are now aware of them.

“There are no cops out there looking for teachers who have inadvertently chosen to use a tool that is noncompliant. What we’re trying to do is raise awareness so that said teacher would look at this app and go, ‘Oh, they’re asking for student name and email and stuff, I should read the privacy policy,’” Judd said.

“Or, ask for help: ‘I’m really interested in this Julie, can you check?’ I get emails every day: ‘Can you check on this please and let me know what you think?’ ‘Sure.’ And I typically will either say, ‘Yeah, looks good.’ or ‘Mhmm, no. But let me contact the company and see if we can do something.’”

Judd said that she doesn’t want the teachers doing the work.

“They have lots to do, and that’s my job. But, on the other hand, once we do a presentation like this, they can no longer rationalize ignorance, or have plausible deniability, two of my favorite phrases,” Judd said, referring to the student privacy presentation she had given to staff that day.

Dowler used the example of online flashcard and study tool website StudyBlue as one website that is not SOPIPA compliant.

“For example, I really like StudyBlue and right now, StudyBlue garners information left and right. So, I would have to ask the district to contact StudyBlue to make sure that they get in compliance because it’s something that I’d like to continue using. I think it’s a great student resource. They just need to make sure that they get in compliance,” Dowler said.

“We should be careful in looking into what we’re using just to make sure that any third party information or any student privacy information isn’t being sold to third parties, but that’s not really the teacher’s job to do that. That’s the websites and the app, the people who create the app, that’s their job to make sure that they’re in compliance with the laws,” Dowler said.

Teachers at Foothill have been advised to check websites before using them in the classroom by the district, and that they should be on the lookout for SOPIPA compliant websites and applications.

Pelfrey found a solution to advise educational programs to become SOPIPA compliant.

“I email companies to see if they are SOPIPA compliant and if I see some terrific programs, I email them and say ‘Look, this is a great program. What are you doing about SOPIPA?’ because I’d really like to use it with my kids,” Pelfrey said.

Staff have been alerted of the new policies and have attended meetings that discuss them.

“Mrs. Pelfrey has kinda taken a lead with Mrs. Dowler on it. […] We’ve talked about it at a few different staff meetings along the way. Especially coming into the school year this year because we knew it was coming,” EDA teacher Conni Carr said.

Staff have differing views on the new laws. Social science teacher and D-Tech Coordinator Kurt Miller says he’s “a little bit split, to be honest.”

 

[soundcloud url=”https://api.soundcloud.com/tracks/249932343″ params=”color=ff0000&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false” width=”100%” height=”166″ iframe=”true” /]

 

“Of course, I believe in student privacy, but at the same time it may mean that we’re giving up certain student tools that could be really useful, just because a company might not be able to update their privacy rules in time for the law to be in place. We may lose out on some very valuable applications online.”

Social Sciences teacher Cherie Eulau said she’s “concerned” but “not overly concerned” about the effect it will have on the Foothill campus.

“I understand the concern, but don’t stifle innovation. This is the new frontier of education. I’m worried that it will have a stifling effect. I’m just hopeful that since makers of these kinds of things are innovative that they will find a workaround.”

Until then, some teachers will continue to work with the resources they have.

For Eulau, “in some ways, it’s just easier to beg for forgiveness than ask for permission.”

“Right now, I’ll say that I’ll continue to operate as I have […] but I can’t spend a lot of time really truly obsessing over it because I have a lot of other stuff to do,” Miller said.

Dowler understands why people are nervous but thinks that they don’t need to because “our school would not come crashing down.”

“This is a big confusing world to navigate and that’s why so people are really nervous and anxiety ridden. […] We shouldn’t be spending our time worrying about it.”

 

AB 1584:

Another law the district has been implementing is AB 1584, which regulates terms of an educational contract with a third-party and qualifications that must be met. For example, the third-party must agree to not reveal student data.

There are nine total requirements. Some of them include:

  • A statement that the pupil records are the property of, and under the control of, the local educational agency
  • A description of how the pupils may control and maintain the possession of their own personally generated content, and how they may transfer it to a personal account
  • A prohibition against the third party using any information in the pupil record than what was permitted in the contract
  • A description of how the parents, legal guardian or pupil will be informed if there is a data breach
  • A prohibition of using pupil records to engage in targeted advertising
  • A description of how the district and third party will ensure compliance with FERPA

Judd said that contracts under this law include direct contracts that the district has with specific companies, as well as End User Licence Agreements (EULAs) that students agree to when signing up for a website.

Credit: Bethany Fankhauser/The Foothill Dragon Press

Credit: Bethany Fankhauser/The Foothill Dragon Press

“We enter into a lot of agreements and user licence agreements, EULAs [that say] ‘click here to accept the terms of the software we’re going to use,’ and that onus goes all the way down to you [the student], but you as students aren’t legally old enough to sign a contract, so you should not, under the purposes of education in the school, be accepting a EULA, unless you’re 18 or older,” Judd said.

Judd said in December that the district had 20 contracts that she has not signed because of specific wording needing to be AB 1584 compliant.

“We have spent this entire last year wrapping our brains around AB 1584 because we have 20 pending contracts, I have been sitting on 6 myself for the last 2 or 3 months trying to work with these vendors to get their stuff compliant,” Judd said. “Because I can’t approve them until I know for a fact that AB 1584 language has been satisfied and that what they say they’re going to do is what they’re going to do.”

One particular website that the district stopped using in schools is Turnitin. In an email from Ventura Unified Assistant Superintendent Jennifer Robles to district principals, Robles said that “the service agreement/contract does not comply with student data privacy protection requirements.”

We are negotiating with representatives from the company, but do not have a valid agreement at this time.  Therefore, we have asked to have Turn It In cease providing service to ECHS, FTHS, PHS, VHS and VACE as of Monday, January 25 at 5pm,” Robles wrote. “This decision does not affect BHS at this time because the program was in place before the legal requirements changed. However, we will not be able to continue the program at BHS next year unless the service agreement/contract comes into compliance.”

Judd said Ventura Unified is potentially ahead of other districts in implementing privacy laws, because of her involvement in the California Education Technology Partnership Education (CEPTA), which has a relationship with the lobbying group “Capitol Advisor’s Group” that informs them of new laws and how they might affect education. Both the Chief Technology Officer of Simi Valley and of Ventura County Office of Education are also in CEPTA, so “Ventura County is well represented at the state level in all of these leading edge things.”

“We’re on the front edge. And I’m very proud of that. It’s painful, but you know, when you’re in front, you can somehow help pave the path, otherwise if you’re not in front, you have to deal with the path that somebody else paved that could be bad,” Judd said.

 

Potential of being sued:

Though Judd said that the primary responsibility for SOPIPA and COPPA falls on the businesses themselves, she said that Ventura Unified could be sued if they are in contracts with businesses that are not SOPIPA or COPPA-compliant.

“Because we’re endorsing it, ‘we’ being the teacher and or the district. And if the teacher endorses it, thereby saying the district endorses it, because they are our employee and representing us,” Judd said.

“It’s a real buzzkill. It just is. Because people buy stuff, they want to use it, and I’ve been sitting on a couple vendors because they’re not compliant. Now, I have reached out to the companies and they’re working with their legal department, but you know, that takes time because, like all of us, there’s other things going,” she said.

Ramos compared not being AB 1584 compliant to speeding on a highway.

“Say you’re driving, and you’re just going with the flow of traffic, and the flow of traffic happens to be 80 mph, but you’re not going any faster than anybody else,” Ramos said. “You’re still breaking the law.”

Although there haven’t been any cases regarding the new privacy legislation, Ramos thinks there might be. In 2013, an attorney sued numerous schools districts on behalf of the public for not providing 200 minutes of Physical Education (PE) weekly, the state requirement. Ramos said that  is possible that a similar “enterprising attorney” could sue a school district that is out of compliance with the new student privacy legislation.

 

[soundcloud url=”https://api.soundcloud.com/tracks/249931279″ params=”color=ff0000&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false” width=”100%” height=”166″ iframe=”true” /]

 

Ramos said he would not advise a school district to take that risk, even though it might be difficult in the beginning.

“You have to follow the law. Some [school districts] are doing it, some are not. But if you’re not and you get caught, you still gotta pay the ticket,” Ramos said.

 

Potential workarounds:

One potential solution might be giving students a non-identifying email that would not include any student data.

Judd, however, said that there are problems with doing this.

“And theoretically, that might work except for it has to be a valid email address, two: If you read SOPIPA carefully, it doesn’t matter what login you use, the website, the onus is back on the website operator, they cannot create any web profiles that are advertising on that website to go with the student,” she said.

“If you say ‘Mr. Li’s Language Arts class’ and all of a sudden things start popping up, then that’s not compliant. So again, it all comes down to the terms of service and privacy policy and how it works.”

Judd said there are also potential problems with having teachers upload the data themselves to the websites on their own accounts.

“Let’s talk about Turnitin right? Have the students email their papers through Google because we’ve got it set up that way to the teacher and let the teacher upload them all that way, obviously into Turnitin,” she said.

“That could become a union issue because now we’ve just dumped a ton of extra work on the teachers to do all the work that is intended for the students to do. So on top of all these laws, we’ve got contracts, employee contracts we have to honor.”

 

District has yet to approve software acquisition rubric, some teachers find process “heavy handed”:

Judd has created a software acquisition rubric, embedded below, to be used at the district and school level. The rubric has not yet been approved by the district. It includes identifying the need for software, securing funding, creating an implementation plan and obtaining approval by a “Change Control Board within the Informational Technology Department.”

“I think it’s prudent for software to be utilized intentionally […] You don’t just want to go, ‘Oh I went to this conference and saw this really cool thing.’ Right? Well what made it cool? How does it align to your curriculum? Be intentional about it,” Judd said.

“I see that at two levels: district level when we decide curriculum overarchingly K-12 for everybody, and then I see that at a school level where a group of teachers decide they want to use this piece of software. Well, why? How does it meet your needs? I have this software rubric that walks them through many different areas of software to determine it’s viability.”

Judd stated that the rubric would only apply to large pieces of software that are used throughout the district. She gave the example of a districtwide typing program.

“Like, we’re going to purchase software. That’s like the big software. AB 1584 software that I have to go into a contract [with] and use it across the district.”

However, the rubric states that the process would apply to “all software applications and online resource purchases as well as free software.”

 

 

In a follow-up email to the Dragon Press, Judd clarified her definition of “software.”

“Software is defined as software that is being chosen and endorsed as primary or supplemental curriculum. It should include websites and apps for applications but this is a new process due to the privacy laws,” Judd wrote.

The school board has not approved the rubric, which Judd attributes to a “turnover in the executive cabinet.”

“That was just a draft. It has yet to be approved by the district. I have not been able to get anybody to have that conversation with me. So, I am very frustrated.”

“Right we have a new [superintendent], we have a new assistant [superintendent] of HR. […] So there’s been a lot of turnover.”

In March of 2015, a Google form survey was given to teachers to gauge the level of concern over the possible creation of a Change Control Board and a software acquisition rubric. The comments were anonymous to allow teachers to speak freely. The survey was voluntary, unofficial, and had 19 respondents.

Teachers called the process “heavy-handed,” “unnecessary,” and “a nightmare.”

One teacher wrote that “this is micro­managing and completely undermines me as a teacher and my professional ability to choose for myself what aps are appropriate for my teaching content.”

“Not once in the process does it even mention the teacher role, which I quite frankly find disrespectful. To not even recognize the teachers are the leaders in innovation, finding technology resources and the funds to pay for them is absurd,” another said.

Another teacher saw value in trying to be sure money is spent well.

“I appreciate the concept of trying to guarantee that software purchased is appropriate and adequate. Getting value for money spent is important. To spend money, we (at Foothill) usually get input/approval anyway for major pieces of software,” they wrote.

“Asking each teacher to go through that massive rubric and expecting every piece of software used to meet those level 4 expectations is not realistic… I feel a policy like this will actually encourage teachers to use less technology in their classes.”

The district continues to implement these laws, process contracts and distinguish the privacy requirements of individual companies.

Thinglink Credit: Chloe Hilles/The Foothill Dragon Press

Background Photo Credit: Carrie Coonan/The Foothill Dragon Press

What do you think?