America’s schools are awash in data, raising all manner of concerns about the privacy and security of students’ sensitive information.
But there’s one issue that has been mostly overlooked, according to the Center for Democracy & Technology, a Washington nonprofit focused on privacy and free speech:
Properly getting rid of student data when it’s no longer needed.
“Deleting data is much more complicated than one might think, with a number of important policy, legal, and technical considerations,” reads the group’s new report, titled “”
Historically, schools have erred on the side of retaining most of the data they collect, CDT contends. That creates considerable risks: every record kept past its useful life is one more record exposed in a breach or to other threats, and data about a child collected for one purpose today may be used out of context, for a very different purpose, years down the line.
Still, many schools, districts, and states have struggled to develop effective policies and implement strong technical practices around data retention and deletion, said Elizabeth Laird, the senior fellow for student privacy at the Center for Democracy & Technology. Many aren’t even able to fully account for the data they’re storing.
“Our expectation is that the capacity around this issue varies,” said Laird, who previously worked as the deputy assistant superintendent of data, assessment, and research for Washington, D.C.’s state education agency.
“Certainly, there are places where there hasn’t been much attention and focus on this, and the risk of deleting feels greater than the risk of retention,” she said in an interview. “That’s who we have in mind.”
To help, the report attempts to describe the patchwork legal framework that currently governs data retention and deletion in K-12. At the federal level, there’s the Family Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act, both of which generally require third-party operators contracting with schools to destroy personally identifiable information when it’s no longer needed for its original purpose. State laws, meanwhile, vary tremendously. And new consumer data-privacy protections are starting to advance the idea that people should be able to request that their data be deleted when certain conditions are met.
But big-picture, such laws represent a “minimum floor,” Laird said.
To go further, CDT suggests three steps for states and districts to follow:
- Create comprehensive inventories outlining all the data education agencies have, what format the information is in, where it is stored, how it is used, and by whom.
- Develop clear policies that spell out such issues as how long each type of collected data should be retained, how such information should be deleted when it is no longer needed, and how permanent data will be archived. “There must be a single person who is ultimately responsible for the enforcement of the retention schedule,” the group’s report recommends. “This person should be a high-level employee, such as the Chief Information Security Officer or Chief Information Officer.” K-12 agencies should also create auditable “deletion trails” for all information, CDT suggests.
- Learn and employ technical best practices, including encryption of all data at all times and proper destruction of both hardware and digital information. The group also recommends that districts and states demand that third parties who collect and store student data provide formal “deletion certificates” describing what data the companies destroy, what methods they use, the date when it happens, and who was responsible.
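The three steps above, worked through as an added example that is not from the CDT report or the article: a small Python script that holds a data inventory, applies a per-category retention schedule, deletes expired records, and writes an auditable deletion trail whose entries are chained by SHA-256 so a later removal or edit is detectable. The trail stores only a hash of each deleted payload, never the payload, so the audit record does not itself become a store of student data. From the trail it then produces a summary with the four fields CDT asks for in a deletion certificate (what, how, when, who). The inventory records, category names, retention periods, and function names such as `enforce_schedule` are constructed assumptions, not anything the report specifies.

```python
"""Retention-schedule enforcer with a hash-chained deletion trail (added example)."""
import hashlib
import json
from datetime import date, timedelta

# Step 1: the inventory. Constructed sample records; field names are assumptions.
# Each says what the data is, its format, where it lives, how it is used and by whom.
INVENTORY = [
    {"id": "rec-001", "category": "assessment_score", "format": "db_row",
     "system": "sis-prod", "used_by": "assessment_office",
     "collected": "2015-09-01", "payload": "student=S1001 score=87"},
    {"id": "rec-002", "category": "assessment_score", "format": "db_row",
     "system": "sis-prod", "used_by": "assessment_office",
     "collected": "2022-09-01", "payload": "student=S1002 score=91"},
    {"id": "rec-003", "category": "lunch_balance", "format": "csv",
     "system": "cafeteria-share", "used_by": "food_services",
     "collected": "2021-01-15", "payload": "student=S1001 balance=12.50"},
    {"id": "rec-004", "category": "transcript", "format": "pdf",
     "system": "archive", "used_by": "registrar",
     "collected": "2010-06-30", "payload": "student=S0900 transcript"},
]

# Step 2: the retention schedule, one rule per category (hypothetical periods).
# None marks a permanent record that is archived rather than deleted.
RETENTION_YEARS = {"assessment_score": 5, "lunch_balance": 1, "transcript": None}

GENESIS = "0" * 64  # prev_hash of the first trail entry


def is_expired(record, today):
    """True if the record's category has a finite period and it has run out."""
    years = RETENTION_YEARS[record["category"]]  # KeyError: category not in schedule
    if years is None:
        return False
    # 365-day years keep the arithmetic simple; a real schedule states the rule.
    return today >= date.fromisoformat(record["collected"]) + timedelta(days=365 * years)


def _entry_hash(entry):
    """SHA-256 over the canonical JSON of an entry (without its own 'hash' field)."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def enforce_schedule(inventory, today_iso, actor, method="crypto-shred"):
    """Step 3: delete expired records. Returns (surviving records, deletion trail)."""
    today = date.fromisoformat(today_iso)
    survivors, trail, prev_hash = [], [], GENESIS
    for record in inventory:
        if not is_expired(record, today):
            survivors.append(record)
            continue
        entry = {
            "seq": len(trail),
            "record_id": record["id"],
            "category": record["category"],
            "system": record["system"],
            # hash of the deleted content, so the trail holds no student data
            "payload_sha256": hashlib.sha256(record["payload"].encode()).hexdigest(),
            "method": method,
            "deleted_on": today_iso,
            "actor": actor,
            "prev_hash": prev_hash,  # links this entry to the one before it
        }
        entry["hash"] = _entry_hash(entry)
        prev_hash = entry["hash"]
        trail.append(entry)
    return survivors, trail


def verify_trail(trail):
    """True if every entry's hash is valid and the chain has no gap or edit."""
    prev_hash = GENESIS
    for seq, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != seq or entry["prev_hash"] != prev_hash:
            return False
        if _entry_hash(body) != entry["hash"]:
            return False
        prev_hash = entry["hash"]
    return True


def deletion_certificate(trail, responsible):
    """What was destroyed, by what method, when, and who was responsible."""
    by_category = {}
    for e in trail:
        by_category[e["category"]] = by_category.get(e["category"], 0) + 1
    return {
        "responsible": responsible,
        "records_deleted": len(trail),
        "by_category": by_category,
        "methods": sorted({e["method"] for e in trail}),
        "dates": sorted({e["deleted_on"] for e in trail}),
        "trail_head": trail[-1]["hash"] if trail else None,  # pin the trail to the cert
    }


if __name__ == "__main__":
    kept, trail = enforce_schedule(INVENTORY, "2024-01-01", actor="retention-job")
    print(json.dumps(deletion_certificate(trail, "CISO"), indent=2))
    print("trail intact:", verify_trail(trail))
```

The `trail_head` field ties a certificate to a specific trail: a vendor that hands over both lets the district recompute the chain and confirm the certificate describes exactly those deletions, which is the check a practitioner would want before accepting a certificate at face value.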
Maryland digital-privacy lawyer Bradley Shear described the recommendations as “good first steps” that states and school districts should consider.
But turning them into a reality will be a challenge, said Shear, who since 2017 has been advocating for June 30th to become “” Many education agencies lack the resources and expertise to tackle what can quickly turn into a complicated mess, he said.
“The back-end architecture of many of these systems was not designed to make data easy to delete. I’ve seen ludicrous vendor contracts with no sunset provisions on the information that is collected. It’s hard to get companies to amend their standard legal agreements,” Shear said.
“It’s not simple.”
And the report also avoids getting into detail on one of the thorniest dynamics in the retention-deletion debate, said Girard Kelly, counsel and director of the privacy review for , a nonprofit that provides ratings and reviews of ed tech products.
Much of the information collected on behalf of schools is actually held by third-party companies and operators. And while those third parties typically have policies stating that they won鈥檛 retain personally identifiable student information after it鈥檚 no longer needed, Kelly said, they also typically seek to retain a version of those data in which identifying details about individual students have ostensibly been stripped out.
“Most vendors don’t really care about data deletion, because they only want to monetize de-identified data, which most policies allow for unlimited use,” he said.
The Center for Democracy & Technology recognizes this and calls for contractual limitations on such practices.
“It is important to place limits on the sharing and reuse of de-identified data,” the report says.