Your K12 Edtech Privacy Questions Answered

As a privacy advocate, it is my mission to help Instructure hold itself to the highest legal and ethical privacy standards. At Instructure, we are privileged to provide our services to students and educators worldwide, and I believe it is our duty to treat the school, student, and educator data entrusted to us as stewards.

This year at InstCon, I was fortunate enough to share our privacy mission with thousands of educators in the Instructure community. To recap my session, I’m sharing some FAQs about privacy in K12 edtech:

What is Privacy & why is it important?

In a general sense, privacy is the right to be left alone, or freedom from interference or intrusion. Information privacy is the right to have some control over how your personal information is collected and used. Here at Instructure, we believe that data privacy is a fundamental right and one we strive to protect in all we do. Overall, privacy policies should create a solid foundation that allows people to share their personal information because they trust it will be protected.

However, we can’t begin to discuss edtech privacy laws without first acknowledging the special privacy protections our K12 students require. Students, especially younger children, are not yet equipped to weigh the potential benefits and risks of data loss. From our perspective, student data is even more sensitive than general personal data, and our privacy program is designed to support student success, giving them agency over their information and education.

With the understanding that today’s students have access to more technology tools than ever before, privacy must remain at the core of all edtech. 

What privacy challenges exist within K-12 edtech ecosystems?

The edtech ecosystem refers to all of the tools and systems used by a school. Here are some of the challenges associated with today’s K12 technology landscape:

• The number of tools used: When thinking about the sheer number of technology tools used by a school today, it can be overwhelming. These can be everything from YouTube, to learning management systems, social media platforms, mobile apps, online learning platforms, assessment tools, study tools, etc. It becomes even more complex when you think about the way these tools touch, overlap, interact with one another, and share personal data.
• Lack of resources to review tools: Some schools are fortunate enough to have a robust IT department that is trained to review and evaluate the tools within its edtech ecosystem. However, smaller and more rural schools often don’t have dedicated review resources or processes, leaving teachers and administrators to their own devices when selecting learning tools.
• Lack of transparency for users: Arguably the most difficult part of reviewing edtech tools is sifting through the legal and technical jargon to properly evaluate each tool’s privacy policy and what that means for your teachers and students. Without a trained privacy or IT expert, it can be difficult to ensure the terms of service align with district policies. 

What are the main federal privacy laws that apply to education?

The United States takes a sectoral approach to legislating privacy. So, what does that mean? It means that depending on how the data is defined and what area those data are collected in, may affect the laws that apply to that data. For student data, there are many laws, but here’s a quick overview of the core federal laws that every edtech organization should adhere to:

• The Family Educational Rights & Privacy Act (FERPA): This is the primary law we are all used to hearing about. It’s applicable to any school that receives federal funding, which includes most educational institutions, both private and public. FERPA specifically applies to education records; these are records that directly relate to a student and are maintained by an educational agency. This act gives parents and students certain rights relating to the educational records and personally identifiable information of that student. Under FERPA, schools can outsource certain services that they would otherwise perform themselves. This permits schools to leverage edtech services and share education records and personally identifiable information with them.
• The Children’s Online Privacy Protection Act (COPPA): The primary goal of COPPA is to place parents in control over what information is collected from their young children online. The act was designed to protect children under age 13, while accounting for the dynamic nature of the internet.
• The Protection of Pupil Rights Amendment (PPRA): This provides parents and students (18 years or older or emancipated) certain rights when a school conducts student surveys, collects and uses information for marketing purposes, and administers certain physical exams to students.

How might edtech privacy be expected to change in the future?

I’ve been in the privacy industry for 17 years now, and in that time, I have seen many changes take place. Here are a few emerging trends I am seeing that are starting to take shape:

• No matter how fast privacy law moves, technology moves faster. Therefore, when people and organizations say that they comply with the law, that should be the least they can do. Edtech providers should aim to go above and beyond what the law requires to protect educators and students. 
• The FTC will continue to increase enforcement and oversight. The FTC recently published a memo stating its intentions to increase its enforcement activities under COPPA due to its concerns about students being surveilled because of the rise of education technology products. This is a great step forward to ensure that the tools students are using refrain from selling student data and advertising to students.
• Transparency and trust will continue to be core corporate values. As we partner with schools and districts around the world to support teaching and learning, we’ve made it a habit to openly share what we are doing to protect student data. It’s my hope that all technology providers, but especially edtech providers, adopt this practice.

What questions should schools be asking edtech providers?

To help you evaluate edtech tools and applications, I’m sharing five questions to ask (as seen in EdTech Magazine) during the privacy review process:

1. What personal information does the app/tool collect?
2. What rights do users have to their data?
3. What interactions within the app/tool are visible to other users?
4. Does the app/tool include advertisements or tracking that might compromise sensitive information?
5. Is parental consent required?

There are many more, but these five questions are essential to get you started. 

How does Instructure uphold privacy?

At Instructure, we're committed to protecting the information we receive by ensuring it's used only to support students, institutions, and education. We're guided by five key principles: transparency, accountability, integrity, security, and confidentiality. For more information about our policies, and for additional resources, check out our privacy page. 

When used correctly, data can help people and institutions make better-informed decisions, and  Instructure wants to be part of the larger data privacy conversation so we can grow and learn at the same time. We will continue to gain, and then share, insights with the larger education community on how to utilize data appropriately. 

Like other meaningful projects, protecting data and your personal information needs to be done as a team. We want to work with you so we can learn from each other. That way, we can face and understand more about these ever-evolving challenges, together.

I invite you to watch my full InstCon session for more privacy resources and best practices. If you have any feedback, questions, or comments, after watching, please feel free to contact me at privacy@instructure.com.

[WATCH THE FULL SESSION]