Choose Privacy Week 2016 – Educational records: More than just grades and detentions in an era of data-driven education
by Kyle Jones
Records define us–partially. They enclose data and information that reveal our past, present, and increasingly our future. But they are never perfect representations of who we are as individuals, nor are they able to capture the richness of our relationships with others. So, we are naturally wary of their contents, who has access to them, and the risks their disclosure creates. Because of these reasons and others, we want those in charge of these identifiable records to treat us fairly by giving us the opportunity to access, review, and request changes to their contents in order to reflect truths about our life, not harmful or misleading falsehoods. In educational contexts, these expectations may not be met as what has traditionally been considered to be an “educational record” takes on new characteristics and import in data-driven schools, colleges, and universities.
Increasingly, primary, secondary, and post-secondary educational institutions are adopting new systems and developing advanced technical infrastructures to capitalize on emerging flows of student data and information. These flows include, among other things, information students disclose willingly to their schools. But they are increasingly capturing the so-called “data exhaust” students create as they interact with information systems of all stripes. Every click, mouse movement, login and logout event, and form submitted creates analyzable data that captures student behaviors; so, too, do the RFID signals emitted by student ID cards and the metadata attached to WiFi access point logs when students connect. Simply put: When students use any type of data-based school system, they create analyzable data; and much of that data is increasingly tied to them as individuals.
The aims of analyzing student data are admirable. Educational actors–from teachers to administrators, advisors to technologists–often argue that data analytics practices will reap actionable information that can improve learning outcomes; they may also uncover new income by identifying poorly performing programs and replacing them with those who use resources more efficiently and effectively. Using data to accomplish these goals is especially important given that schools at all levels are facing tightening budgets and increased public scrutiny. However, we should be concerned about how new ways of documenting student life in very granular, comprehensive ways becomes a part of their educational record, regardless of whether or not the ends seem worthwhile.
We may believe that the educational records of the students we instruct and serve are relatively benign. Surely, they include a profile of who students are, where they live, and how to contact them; they also keep an audit trail of courses they’ve taken and grades they’ve earned. But based the definition stated in the Family Educational Rights and Privacy Act (FERPA) of 1974, they include much, much more. According to the federal law, an educational record is that which contains information directly related to a student and is maintained by the educational institution (20 U.S.C § 1232g 4.A.; see part 4.B. for exemptions). The information may exist in a physical file drawer, or it may have been born digital in application files or system logs. As long as the data and information identifies a particular student, it is subsumed into her educational record. Importantly, students–and their legal guardians until the students reaches 18–have the legal right to inspect and review their educational records, and educational institutions must provide students or their guardians access within 45 days of their request.
When schools abide by the legal definition of an educational record, they seem to maximize student privacy rights. Students can seek to discover what kinds of log data, for instance, is kept about them. To this point, nearly 2,800 students at Stanford University sought access to their admissions records by expressing their FERPA rights. What was returned to at least one student was pages upon pages of a system log detailing when she opened campus doors with her student ID card. But not all schools have Stanford’s resources to enable audits of myriad systems for identifiable student data and information. So, it may not even be possible for students to access aspects of their record, even if the definition is inclusive of such information.
Other schools may interpret FERPA’s definition with a narrow focus, for instance to include only traditional academic information. In practice, this may serve to more clearly define what about a student’s record is educational in nature and what is related to the “business” of running a school. One result may be that students feel better informed about what their records contain. But, in this case most personally identifiable data exhaust would fall outside of the boundaries that enable students to review how their school is using such data, in effect limiting their legal privacy rights. This is especially problematic when schools enter into contracts with third-party vendors, yet provide students and guardians little recourse to see or limit what those vendors do with the data. In 2013, related concerns among parents and legislators culminated in insurmountable pressures for inBloom, a student data aggregation company.
Knowing that the definition of an educational record directly affects student privacy rights is necessary for understanding what privacy principles schools should develop into policy. The following principles may provide guidance here:
If it is the case that not all data is accessible for students to review, then schools should be transparent about this limitation.
Schools should actively seek to resolve impediments that limit access to personally identifiable data and information, especially when there is clear evidence that the data flow has or may negatively affect student privacy.
3) Value Justifications
Given the sensitivity of emerging data flows and the ways in which they can record and provide insight into student life, schools should be able to justify the value of such flows in terms of the ways they will benefit student learning outcomes.
A student’s educational record follows her throughout her academic tenure and into her professional career. As such, it informs many decisions made about her and impacts how others judge her. It is one of the more important collections of documents, files, and data about a person, and it deserves the greatest of protections. Therefore, it is of significant consequence that the right to access, review, and request amendments to educational records be maximized and respected–regardless of the social and technical burdens schools encounter while doing so.
Dr. Jones is a recent doctoral graduate of UW-Madison’s School of Library and Information Studies. His research focuses on understanding student privacy problems in relationship to learning analytics in order to develop ethical frameworks and information policy for educational institutions. In the Fall semester, Dr. Jones will join the faculty as an assistant professor in the School of Informatics and Computing at Indiana University-Indianapolis (IUPUI). Should you like to contact Dr. Jones, you can reach him on Twitter at @thecorkboard.
by Connie Williams
Teaching students about online privacy seemed so easy in the old days: don’t tell anyone your password, never meet up with anyone you ‘meet’ on the internet and don’t give out private information. The definition of ‘private information’ consisted of making sure teens never told anyone their full name, address, and other identifying information. Social media, the center of teen living today, embraces, and encourages sharing private information within an ever changing landscape. Any teacher or school librarian who walks into a classroom today and asks students which social media they use will get answers like Snapchat, Instagram, Kik, or Twitter. Ask again in a week or two, and it will be different. I’ve discovered that location matters: a favorite app on the east coast is often disdained on the west. The app geography changes on a daily basis. Yet even as apps change with regularity, there are universal norms that our students must know about their online presence: what you post can describe you, once a post leaves your device it is no longer in your control, and there is indeed, a digital footprint that gets left behind.
What this means for children and teens is that their online lives can follow them through their offline lives. If they post provocative things or mean things or negative things, they will be perceived by their online friends as those things; even if they are none of those things in their offline lives. One of the hardest ideas for teens to grasp sometimes is the idea that they are often creating a ‘body of work’ that can define them to others.
In an informal survey I gave to about 150 9th grade students, I asked if there were any posts that they regretted posting. Most students said they had no regrets, but those who said “yes” pointed to the posts they made before or during 6th grade. These are students for whom their 6th grade silliness impacts a much wider world than when photos were taken and pasted in a photo book that gets placed on their shelves. How do we help them figure this out before unintentional consequences follow them through their online lives?
In my survey I also asked the students if they had changed privacy settings on their social media, if they were concerned with ‘third party’ access to their data, and if they could estimate about how many people probably see their posts on different apps after they’ve posted. The results showed that nearly all had changed the privacy settings on all their social media, most were concerned with third party access, and estimates on how many people saw their posts varied widely, with one student remarking that “all 850 of my followers can see everything I post.” Why did most change their privacy settings? “So that people wouldn’t stalk me” or “I only want the people I know and trust to see my posts.” “Third Party” was a term that not many understood – and this is a clue to us that we might want to include this concept in our teaching. Some students changed their privacy settings because parents asked them to: “Mom didn’t want me to put myself out there to everyone,” but most changed them on their own. This implies that most teens do understand at least a ‘big picture’ of social media- enough that they are taking their privacy seriously, even if they don’t always understand how that works in a more discrete way.
There are several students in these classes who participate in very little social media or none at all. Gaming attracts some students but many teens do not equate gaming with social media and while they may change privacy settings on social media, many don’t change them for their gaming apps. Some teens use Facebook with their families, but keep instagram and other “instant” apps for their friends.
Based on my student survey I learned that it is important that we spend time in school to create a set of institutional –and social – norms for civility online starting in the earliest grades. Teaching children to look both ways when crossing the street and holding our hands until we are certain that they understand the rules, is the survival mode that we use to protect our children while they are too little to understand that cars drive fast, often can’t see them, might not be able to stop in time if they run out in front of them.
Now that toddlers have online social lives via their parents, it is important that we begin thinking about how we will allow our growing children online access while still keeping them protected. While online security is not a typical survival necessity, it is one that can impact our children. As adults, the information we share about our children with our own friends and families is the first step to modeling positive online behavior. Setting up norms that children learn to follow and understand – ‘hand holding’ – will allow parents and educators to loosen that grip, enabling them to expand their access as they grow and demonstrate their abilities to participate positively. At school, consistent instruction through the grades, expecting certain online behaviors, including those that protect privacy, will help to ensure that students are able to identify risky behavior and will feel compelled to avoid or report dangerous or inappropriate situations. This instruction becomes a natural part of our interactions with students and includes direct instruction – “today we’re going to talk about creating strong passwords” as well as subtle direction: “students, when you add your comments to the wiki tonight, remember the class norms for discourse online.” Infused throughout a student’s day, online norms keep the conversation open, allows for practice [and mistakes to happen] and develops a wider set of expectations across a community as well as just within school.
It is gratifying to see the advice that teens give to those younger than themselves. When asked “What message would you give to younger teens about privacy online?” our survey answers included: “That it never goes away,” “Don’t send anything you don’t want to get out,” “Anything you put on private is not actually on private,” “Don’t trust the privacy, anyone can see your information,” and the ever popular “Don’t post something that you wouldn’t want your grandma to see.”
While most students are not as skeptical as the one who advised: “Don’t trust any of it,” social media is the currency for teen culture and communication. Helping them to see that the portfolio of their online life can be a useful, proactive, productive, and positive view to their online friends, potential employers, and prospective colleges and can help them put their social media lives into perspective. As educators, if we create the environment for open discussion and provide district-wide expectations for positive online behaviors from the very earliest ages, then students can navigate their online lives with open eyes to the good – and the not so good – interactions that the internet provides.
Connie Williams is a National Board Certified Teacher Librarian currently working at Petaluma High School in Petaluma, CA. She is Past President of the California School Library Association and a member of the State Library Services Advisory Board.
By Michael Robinson
Chair, ALA-IFC Privacy Subcommittee
(Note: This is the first post in a week-long online forum discussing how librarians, educators, and society can respect and defend students’ and minors’ privacy. Stop by chooseprivacyweek.org each day to read each contributor’s article and check out our page of resources on student and minors’ privacy.)
Last year when writing about Choose Privacy Week I said that it feels like online privacy has taken a step closer to center stage in libraryland. This year I think it has joined the center stage at least in terms of intellectual freedom and library technology issues. At the recent Public Library Association conference in Denver, the two sessions focused on intellectual freedom were both on privacy topics. At our state library conference earlier this year in Fairbanks, I participated on a panel session entitled To Serve and Protect: Intellectual Freedom and Privacy Issues in School Libraries. The session was well attended with a lively discussion among the panelists and the audience. Before the session the panelists were a little concerned that we had devised only seven questions to guide the discussion. It turned out that we only had time for two questions (one on the privacy expectations of students) because the discussion was so rich. Almost everyone in the audience had a story or a question or a point of view that they wanted to share.
My hope is that this year’s Choose Privacy Week will elicit a similar level of discussion. If the roster of bloggers we have lined up for this week is any indication, I am sure that it will. The ease with which we were able to recruit high-calibre writers on a range of topics was due to this year’s theme (“Respect Me, Respect My Privacy”) focusing on library privacy issues for students and minors. This is a complex theme that requires thoughtful consideration.
Students and minors that use the library face all of the potential threats to the privacy of their reading habits and intellectual activities that adult patrons face–government surveillance, commercial tracking, data sharing, library metrics, etc. Students also face an environment where the educational establishment (teachers, school administrators, commercial service providers) is working to create a system of continuous assessment and oversight to track almost all aspects of the student’s online educational activities. Many schools are inviting parents and guardians to participate in this oversight. Parents can login to a school website to see what their student is having for lunch, if they are completing their homework assignments, etc. It is a logical next step to include library usage in this parental oversight. At least one school district has already done so by providing a portal where parents can see the book that their child has checked out from the library.
Libraries have traditionally protected patron privacy by creating policies and practices that rely on First Amendment rights (free inquiry as a component of free speech) and 4th Amendment rights (right to be free from unreasonable search and seizure) as well as applicable state laws on the confidentiality of library records. In the case of students and minors, these protections are somewhat undermined by federal legislation (FERPA and COPPA) which give educators broad leeway in their use of educational records for internal purposes (like assessment) and give parents oversight of their child’s educational records and online activities when they are minors. The age of the minor has a bearing on this as well. There are basic constitutional rights that all minors have (equal protection, due process) but other rights (such as free speech) are acquired progressively as they age and mature. The courts have recognized the need for minors to develop their intellect through free expression and free inquiry as they become adults.
Many school libraries have privacy policies regarding access to library records that are focused on the use of physical books which is commendable. But these policies are inadequate to deal with the threats to privacy in an age when vendors can track how fast people read an e-book or if they even finish it. It is imperative that we carve out a place in the online world for some inquiry that is free from tracking or surveillance. This is especially true for children as they mature into young adults who are establishing their own identity and worldview.
A good first step to defending the privacy rights of students is to make a delineation between educational records and library records. Content specifically included in the curriculum through assigned reading or classroom activities should be considered educational records subject to tracking and assessment. Content accessed by the student as part of free inquiry for research topics or personal interest should be considered library records that are exempted from tracking and assessment.
Michael Robinson is an Associate Professor at the Consortium Library, University of Alaska – Anchorage. In addition to serving as chair of the ALA-IFC Privacy Subcommittee, he serves as chair of the Alaska Library Association’s Intellectual Freedom Committee.