We have been working diligently with our customers in the K12 community to help them understand and meet data privacy obligations as schools increasingly move to innovative cloud-based services. A recently published study by the Fordham Center for Law and Information Policy makes it clear that there is still much work to be done. The positive reactions to the study and its recommendations– from school leaders, parent groups, industry groups and policy makers— suggests there is a unique opportunity for these groups to work together to solve many of the issues highlighted in the study. In particular, the study demonstrates that our industry needs to step up and be a better partner with schools by being more transparent about how we handle their data and by agreeing to clear restrictions on how we will use their data, including agreeing not use such data for advertising, sales or marketing purposes.
Those common sense recommendations are just part of the improved transparency related to use of student and institution data that our industry owes its customers in the education community. Without these critical steps from industry, schools will continue to struggle to meet regulatory requirements and more importantly, parent expectations related to the stewardship of student data.
We firmly believe that new generations of cloud-based technology offer great potential in schools, from lowering costs to providing anytime-anywhere learning opportunities to readying students for jobs where an increasing number of cloud technologies will be in use. As Professor Reidenberg’s work illustrates, there are a wide range of cloud technologies being deployed in schools today, replacing many of the common tools or programs that were run “on premises” in the recent past (or even done “offline”). The study data in the report supports what we know anecdotally: Cloud services offer attractive benefits and are being rapidly deployed in schools to support a number of distinct functions, from data analytics to student reporting to basic productivity functions such as email, data storage and document editing.
But one of the more troubling findings is that the cloud contracts the Fordham research team analyzed often lacked basic terms related to the handling and protection of student data accessible by the service provider. In summarizing that finding, the report noted:
[M]ore often than not, districts are passive parties to cloud service contracts; service providers draft terms and conditions and districts have neither the expertise nor ability to negotiate over those terms.
The report highlights the responsibility of service providers to “pay closer attention to privacy issues and obligations” and “treat districts fairly and to effectively safeguard student information.” It makes recommendations aimed at service providers, including requiring contracts to prohibit sales and marketing uses of student data without express parental consent, as well as requiring the service provider to disclose clearly any commercial use of student data.
Microsoft firmly believes advertising and marketing uses of student data should not be permitted by service providers. Further, contracts with schools should state these concepts in clear and unambiguous terms.
We welcome calls for an industry-wide discussion aimed at creating more consistent and uniform commitments by technology vendors who sell their products, services and devices into the education market. As an industry, we must help schools meet their obligations as stewards of student and institution data. The Fordham report gives everyone more context for that discussion and will help guide schools, vendors, parents and the government toward a safer and more secure computing environment that will benefit families and provide peace of mind as schools move more and more student data to the cloud.