America’s schools are awash in data, raising all manner of concerns about the privacy and security of students’ sensitive information.
But there’s one issue that has been mostly overlooked, according to the Center for Democracy & Technology, a Washington nonprofit focused on privacy and free speech:
Properly getting rid of student data when it’s no longer needed.
“Deleting data is much more complicated than one might think, with a number of important policy, legal, and technical considerations,” reads the group’s new report, titled “Balancing the Scale of Student Data Deletion and Retention and Education.”
Historically, schools have erred on the side of retaining most of the data they collect, CDT contends. That creates considerable risks, including increased potential for breaches or threat, as well as the possibility that data about a child collected for one purpose today may be used out of context, for a very different purpose, down the line.
Still, many schools, districts, and states have struggled to develop effective polices and implement strong technical practices around data retention and deletion, said Elizabeth Laird, the senior fellow for student privacy at the Center for Democracy & Technology. Many aren’t even able to fully account for the data they’re storing.
“Our expectation is that the capacity around this issue varies,” said Laird, who previously worked as the deputy assistant superintendent of data, assessment, and research for Washington, D.C.'s state education agency.
“Certainly, there are places where there hasn’t been much attention and focus on this, and the risk of deleting feels greater than the risk of retention,” she said in an interview. “That’s who we have in mind.”
To help, the report attempts to describe the patchwork legal framework that currently governs data retention and deletion in K-12. At the federal level, there’s the Family Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act, both of generally require third-party operators contracting with schools to destroy personally identifiable information when it’s no longer needed for its original purpose. State laws, meanwhile, vary tremendously. And new consumer data-privacy protections are starting to advance the idea that people should be able to request that their data be deleted when certain conditions are met.
But big-picture, such laws represent a “minimum floor,” Laird said.
To go further, CDT suggests three steps for states and districts to follow:
- Create comprehensive inventories outlining all the data education agencies have, what format the information is in, where it is stored, how it used, and by whom.
- Develop clear policies that spell out such issues as how long each type of collected data should be retained, how such information should be deleted when it is no longer needed, and how permanent data will be archived. “There must be a single person who is ultimately responsible for the enforcement of the retention schedule,” the group’s report recommends. “This person should be a high-level employee, such as the Chief Information Security Officer or Chief Information Officer.” K-12 agencies should also create auditable “deletion trails” for all information, CDT suggests.
- Learn and employ technical best practices, including encryption of all data at all times and proper destruction of both hardware and digital information. The group also recommends that districts and states demand that third parties who collect and store student data provide formal “deletion certificates” describing what data the companies destroy, what methods they use, the date when it happens, and who was responsible.
Maryland digital-privacy lawyer Bradley Shear described the recommendations as “good first steps” that states and school districts should consider.
But turning them into a reality will be a challenge, said Shear, who since 2017 has been advocating for June 30th to become “National Student Data Deletion Day.” Many education agencies lack the resources and expertise to tackle what can quickly turn into complicated mess, he said.
“The back-end architecture of many of these systems were not designed to make data easy to delete. I’ve seen ludicrous vendor contracts with no sunset provisions on the information that is collected. It’s hard to get companies to amend their standard legal agreements,” Shear said.
“It’s not simple.”
And the report also avoids getting into detail on one of the thorniest dynamics in the retention-deletion debate, said Girard Kelly, counsel and director of the privacy review for Common Sense, a nonprofit that provides ratings and reviews of ed tech products.
Much of the information collected on behalf of schools is actually held by third-party companies and operators. And while those third parties typically have policies stating that they won’t retain personally identifiable student information after it’s no longer needed, Kelly said, they also typically seek to retain a version of those data in which identifying details about individual students have ostensibly been stripped out.
“Most vendors don’t really care about data deletion, because they only want to monetize de-identified data, which most policies allow for unlimited use,” he said.
The Center for Democracy & Technology recognizes this and calls for contractual limitations on such practices.
“It is important to place limits on the sharing and reuse of de-identified data,” the report says.
Image: Getty
See also: