Being a software provider in the educational market means having to address issues where the business practices of other companies in the market create a negative view of your company. Being a custodian of student data is one such issue. In our privacy statement (posted on our website), we state the following:
Connected does not share information with anyone not associated with the Connected service, except when required to by proper legal process (for example, Connected will cooperate with criminal investigations in the United States).
Connected is designed to share information among users, who in turn choose which other users they will share details with. A user (or an underage user’s parent) can restrict this information sharing in the Privacy Settings. Other users are individuals; Connected does not allow businesses to become users. Our user agreement does not require users to keep confidential the personal information they obtain about other users.
If Connected obtains information about a user who is under 18 from a school, that information will be shared with teachers, administrators, and other education-related employees of that school who are also users of Connected, regardless of the sharing restrictions set by the user or user’s parent, in order to fulfill the school’s educational mission.
However, in the past, data obtained about a child or their families, whether used in aggregate form or in specific detail was considered an integral part of the business model of some companies. Until the passage of federal legislation protecting the privacy of certain types of data, a company could freely market such data to other companies for their own marketing purposes. Now, laws significantly restrict what can be shared, but they do not prohibit all types of data sharing, and this is where some school officials have a valid reason to be concerned.
However, the COPPA (Children’s On-line Privacy Protection Act) among other laws, does require any company collecting data which can personally identify a child under the age of 13, to provide detailed information on the uses of such data to parents prior to the collection of any data. This disclosure should be available from the company to any school official that has concerns about the intended use of the data.
There are significant penalties which can be imposed by the Federal Trade Commission (FTC) on any company which does not abide by its disclosures.
This is all well and good, but what about what Connected.info does? Where do we stand?
First, on the issue of data sharing, we do fully support the right granted under the FERPA law for a parent to have access to any data captured by a school regarding their child(ren). In some cases, this may create unease for a school official. We work hard to make it possible for a parent to easily obtain access to that data on their child and then to own that data as part of what we call the child’s Electronic Student Record. But, once we give that access to a parent, the parent is then the owner of that data and we only act as a custodian of that data for them. Only in cases where we are required to cooperate with a criminal investigation would share that data without parental permission.
Sometimes, companies hide behind a Terms of Use document to gain permission on the part of a parent to use data the parent must grant access to. For example, a company’s terms of use document may call out the fact that from time to time data will be shared with other companies in order to enhance the user’s experience, etc. Since most Terms of Use are many pages long, it is unlikely that a user will read the Terms of Use carefully enough to understand the ramifications of that wording or realize that by agreeing to the terms of use, they have now granted the company the ability to share their data.
At Connected Information Systems, we believe that this is not a good business practice and our terms of use contain no such language in either our Terms of Use or Privacy Policy.
Another concern can be (and very well should be), what do we do to the school’s data. Do we change the data or access it in a way which may create a question about what is the real source of the data?
First, we only access data on a child on behalf of the school or a parent. Second, we create a copy of data contained in the school’s student management systems using a read-only process. We do not modify the school’s data, leaving the school’s data as the so called “system of record”. In other words, if there is ever a discrepency between data we have in Connected.info and the data in a school’s student management system(s), the school’s data is always the correct version.
Then, once we have made a copy of the data in Connected.info, we operate under a data sharing agreement with the school which, among other things, specifies that we will only allow access to that data to school users, i.e. teachers, until a parent has granted any other access, agreed to the terms of use document and granted access to their child’s information.
As parents ourselves, we believe in this as well as support the laws in place to protect a user’s privacy.
