Preserving the Privacy of Student Data in Unexpected Situations

We’ve touched on student data privacy before, but it’s a topic we will probably return to frequently. The issue is a growing area of concern for anyone working in the education technology sector, as illustrated by this article in yesterday’s New York Times. Most companies working in the education technology sector are not bad actors. The people working in these companies generally see themselves as good people doing good work, and the companies themselves are generally working from a mission statement to make society better.

But with data privacy, good intentions are rarely enough. As the New York Times article points out, even large companies with a commitment to security can find themselves with vulnerabilities. Data security is a constantly evolving field, and it’s important to take keep protection updated.

Security is not the only vulnerability. Even the best intentioned company can fail, and whatever data they have collected can easily transfer to someone eles. A large recent example is the ConnectEDU case. The company had accumulated data on nearly 20 million students. This data was protected by the ConnectEDUs security and privacy policies. One of those policies was that students would have the opportunity to scrub the data before it was transferred into other hands.

However, when the company went bankrupt, this did not happen. The FTC got involved and addressed concerns to the bankruptcy judge, and the bankruptcy judge did in fact order the company to scrub the data. But at this point, there were no employees left at ConnectEDU to carry out the order.

There are two major efforts right now to ensure better data privacy for students. One is the student data privacy pledge, which has been signed by 109 companies (as of today, February 9th, 2015). The pledge is certainly a move in the right direction. Certainly, the signatories are committed to the principle. There is even good reason to think that, by signing the pledge, the companies become legally accountable to the FTC.

The other effort is the proposed Student Data Privacy Act. While we don’t know the full details of the act yet, we do know that it is likely to be more enforceable than a pledge. If another ConnectEDU case arises, or any other complex legal creates unexpected consequences, it seems likely that the legislation will offer better protection than the pledge.