91制片厂视频
IT Infrastructure & Management

Student Data Privacy and Security: Red Flags in Terms-of-Service Agreements

Here's advice for teachers and school district leaders on some commonly used terms to look out for in the terms-of-service agreements on educational applications.

Student Data Privacy and Security: Red Flags in Terms-of-Service Agreements


Have you ever looked closely at your favorite app鈥檚 terms-of-service agreement? The pages of often-dense legalese can make it tempting to simply scroll to the bottom and click 鈥淥K,鈥 but for educators and education leaders, some of that jargon should raise red flags with regard to students鈥 privacy and security. Here are a few commonly used provisions and why they should give users pause.


Related story:




Terms-of-Service Agreement



"Data covered under this agreement include only user information knowingly provided while using this service."
What鈥檚 wrong: Increasingly, education applications collect all kinds of data without the user being aware of it: keystrokes, time on task, browser searches, even location information. If those data aren鈥檛 included in the definition, you have no way of knowing what data are collected and how they are used.



"Provider may use de-identified data for product development, research, or other purposes. De-identified data will have all names and ID numbers removed."
What鈥檚 wrong: Many companies use de-identified student data, but removing a student鈥檚 name or school ID is not enough to prevent the data from being reconnected to the student. The company should specify exactly how it will de-identify the data, both basic student identification and demographic information, school location, or other items that could be used to identify the student.



"Provider may use data to market or advertise to students or their parents." Or it might say, "Provider may mine data for advertising."
What鈥檚 wrong: Using either data or metadata鈥攖he information about data, such as categories or time stamps鈥攖o create profiles of students or their parents would violate the Family 91制片厂视频al Rights and Privacy Act, and it should be explicitly barred.



"Provider may modify the terms of this agreement at any time without notice to or consent from the [school/district]," or any term including "without providing notice to users."
What鈥檚 wrong: This can make any protections or restrictions on the data basically toothless. The school or district should keep control of the data and should get clear notice of any changes.



"Providing data or user content through this service grants provider an irrevocable right to license, distribute, transmit, or publicly display data or user content."
What鈥檚 wrong: The agreement should make it clear that the company can use the data only to provide the service; it should not keep student data after the district is no longer using the service or take away intellectual-property rights from teachers or schools creating content through the service.



"This service is not intended for children under age 13."
What鈥檚 wrong: It seems pretty straightforward, but experts say schools often overlook age restrictions when the content seems suitable for young students. (Did you know YouTube is not intended for younger than 13?) It can be a clue that the app collects data or uses social media in ways that require parental consent.


Source: U.S. Department of 91制片厂视频鈥檚 Privacy Technical Assistance Center


Related Tags:
Data Privacy

A version of this article appeared in the March 29, 2017 edition of 91制片厂视频 Week as Where Are the Red Flags on Privacy Agreements?