Data privacy is frequently discussed at the intersection of internet companies, websites, app-builders, and the consumer. Visiting a website or using an application produces data. Data gives us insights into how the world works. But not all consumers are comfortable with companies, institutions, or other individuals collecting and using that data.

Even with all the noise and controversy about online privacy versus data, we are far from any kind of consensus, let alone an informed one. The field is just too new and evolving too rapidly.

The consumer/business interaction is not the only place where tons of data can be collected, however. As technology brings more and more of the operation of school districts and classroom activities online, volumes of data are generated. The value of this data could be high. Researchers can gain greater insights into behavior, and technology implementers can determine what works, what doesn’t, and how to make it better.

Legislators and school districts are attempting to get a handle on the implications of gathering and using data on this scale. The guiding legislation, at present, is the Family Educational Rights and Privacy Act, or FERPA. The Department of Education has issued a set of guidelines, based on FERPA, which can be found here.

The central thrust of these recommendation is to eliminate Personally Identifying Information (PII) to the extent possible. Exceptions are for obvious reasons such as logins and providing specific data to people who are authorized to receive it. Some legislators don’t believe this is enough and also want to restrict districts and vendors from using data gathered for commercial purposes.

Though these lines seem pretty clear, in practice they can be difficult. Many researchers do pure research but work for companies with clear commercial interests. Also, published research can be used by anyone. Pew Internet research is not collected for marketing purposes, but many marketers use Pew data.

There is also an issue with removing personally identifying information. It has an effect on the quality of the research itself. This study shows that the more care you take to ensure PII cannot be recovered from the dataset, the less scientifically valid the dataset itself becomes.

The future may change our practices and attitudes about data and privacy. At present, the best approach is to stay within the guidelines provided by the department of education. In addition, the Software & Information Industry Association has issued a set of best practices about data privacy in general. These include:

• Educational Purpose: School service providers collect, use, or share student personally identifiable information (or PII) only for educational and related purposes for which they were engaged or directed by the educational institution, in accordance with applicable state and federal laws.
• Transparency: School service providers disclose in contracts and/or privacy policies what types of student personally identifiable information are collected directly from students, and for what purposes this information is used or shared with third parties.
• Authorization: School service providers collect, use, or share student personally identifiable information only in accordance with the provisions of their privacy policies and contracts with the educational institutions they serve, or with the consent of students or parents as authorized by law, or as otherwise directed by the educational institution or required by law.
• Security: School service providers have in place security policies and procedures reasonably designed to protect personal student information against risks such as unauthorized access or use, or unintended or inappropriate destruction, modification, or disclosure.
• Data Breach Notification: School service providers have in place reasonable policies and procedures in the case of actual data breaches, including procedures to both notify educational institutions, and as appropriate, to coordinate with educational institutions to support their notification of affected individuals, students, and families when there is a substantial risk of harm from the breach or a legal duty to provide notification.