WHAT YOU DON T KNOW CAN HURT YOU Beatriz Arnillas, Houston ISD Omar Khan, Common Sense Media HISD DEEPER LEARNING CULTIVATOR SOCIAL AND EMOTIONAL LEARNING FACILITATOR PERSONALIZED LEARNING ARCHITECT LITERACY DEVELOPER LIFELONG LEARNER DATA DRIVEN
School Practice Challenges Balance innovation and security Managing opt-outs, parental consent/notification Ease of signup/self disclosure Maintaining a central list of vetted educational online services Vendors and Online Service Challenge High rate of change Free like a puppy Contracts vs. click-wrap Hard to understand, validate and negotiate Regulation Challenges Gaps in interpretation (e.g. Education Record, Student Data) Gaps in coverage (FERPA, COPPA, PPRA, HIPAA, School vs. Vendor) HISD DEEPER LEARNING CULTIVATOR SOCIAL AND EMOTIONAL LEARNING FACILITATOR PERSONALIZED LEARNING ARCHITECT LITERACY DEVELOPER LIFELONG LEARNER DATA DRIVEN
CLOUD COMPUTING Benefit Leverage Learning analytics/adaptive capabilities Risk student data could be collected and used for inappropriate purposes (e.g. targeted marketing) Users access services over the Internet Potential data breach, or accidental data disclosure by users Rapid provisioning and deployment of new services Free services Ease of signing up lends itself to unregulated/unapproved use Gray area for vendors as school officials Cloud services are updated regularly Control over changes Changes to privacy policies and terms of service with consent/review Privacy related bugs introduced through new features Economies of scale/shared infrastructure Risks of shared infrastructure/database (Developed by Jim Siegl, Fairfax Co. Public Schools) HISD GLOBAL GRADUATE 3
CLOUD MODELS Private: District hosted SIS, LMS Contracted: Microsoft Office 365, Google Apps, Textbooks, iready, or dedicated hosting Operating Systems, App Stores: Apple, Google, Microsoft School Free (and clear): No non-educational data collection Freemium +: Free for user/class use with fee for school/district use, or security (e.g. Edmodo, TypingClub) Free with a catch: Ads or data collection (data brokers) Identity Ecosystems: Sign-in with Facebook, Twitter, Google, Microsoft, Yahoo Extended Social Networks: Like buttons, social commenting End-User (Developed by Jim Siegl, Fairfax Co. Public Schools) HISD GLOBAL GRADUATE 4
HISD PRACTICES Educate Social Media Statement: https://goo.gl/el4gkj http://www.houstonisd.org/cybersafety Raise awareness using rubric www.houstonisd.org/edtech Manage (control) Google Domain O365 Domain Reduce options (supported apps) PD Partnerships Contracts and DSA Are We Overregulating Student Data Privacy? (Ed Surge) https://goo.gl/yjfpfe HISD GLOBAL GRADUATE 5
HISD RUBRIC Security: Encryption in Transit Privacy Policy and Terms of Use Account creation, data collected, data minimization, supportability, product ownership, account deletion practices Student Safety: Boundaries, Public Sharing, Contact & Privacy Controls Advertising: General and Behavioral HISD GLOBAL GRADUATE 6
DEVELOPING EFFORTS HISD GLOBAL GRADUATE 7
ROLL-OVER RATINGS AND RECOMMENDATION POP-UPS HISD GLOBAL GRADUATE
HOUSTON ISD CYBER SAFETY PAGE HISD GLOBAL GRADUATE
SUPPORTING APPS TO CONTROL APPS USAGE HISD GLOBAL GRADUATE
Student Privacy Ratings: The Need Privacy a growing challenge to Edtech adoption - 138 178 student privacy bills pending in 39 45 states - About a dozen active state bills based on CSM s SOPIPA covering large proportion of school kids - Risk of misguided legislation that doesn t address the real issues and stifles innovation Pressure from parents, schools, districts who want to protect kids privacy - We already serve both parents and teachers Vendor changes and responses - to press coverage, e.g. ClassDojo - with Privacy Pledges and certification solutions No existing privacy rubric on edtech products for use by districts, schools, vendors, parents - neither for education nor consumer 11
District-Driven Common Sense Privacy Ratings Initiative Goal: Provide a clear privacy rating to inform districts, schools, teachers and parents about an app s privacy and data security policies on Graphite In collaboration with major school districts and key thought leaders and privacy experts, we are developing a comprehensive privacy checklist and process - Detailed info to districts to make decisions based on their own policies - Districts to share key info to support each other - Houston ISD and Fairfax, VA key players Working with vendors to secure support and compliance Creative Commons licensed to spur adoption Representing ~3M students Beta Testing March-August - Presentations to SIIA, Council of Chief School Superintendents, Council of Great City Schools, Texas COSN, ISTE, privacy/security experts and others to gather input and build base of support - Many vendors to go through 12 12
Common Sense Comprehensive Privacy Evaluation An open source rubric protected under Creative Commons license Five Key Checklist Elements: A. PRIVACY B. SECURITY C. SAFETY & SOCIAL MEDIA D. ADVERTISING & CONSUMERISM E. LEGAL COMPLIANCE (COPPA, FERPA) Access: Send an email to ewilkeyoh@commonsense.org or omar@commonsense.org with your username on Graphite and we will enable for you 13
Common Sense Comprehensive Privacy Evaluation: Step 1 STEP 1 STEP 1a Archive Policy in Database STEP 1b (ongoing) Check links against most recent database version STEP 1c Transparent Map Policy Terms to Evaluation Sections Map Policy Terms to Changed Sections Not Transparent Term may change Vendor/District Common Sense Kicks off process with entry of key info Teachers/Students/Schools Common Sense Community Completes Transparency Evaluation, addresses issues to vendor for response in time frame. Common Sense Community Updated Privacy Policy forces a revision putting the current rating on hold. STEP 2 Steps can be done simultaneously ( e.g. Step 1 and Step 5) although it is preferable to start with Step 1 14
Common Sense Comprehensive Privacy Evaluation: Steps 2-6 STEP 2 C H E C K L I S T C H E C K L I S T If we or districts are satisfied, rating is given based on evaluation after Step 3, 4 or 5 STEP 3 STEP 4 as needed STEP 5 as needed F U L L R E V I E W F U L L R E V I E W STEP 6 Privacy Review & Rating Published on Graphite Live Rating via Graphite API No Issues Found Think Twice Not Safe Vendor Common Sense Community Fills out evaluation on Graphite for their product, a well- explained checklist. Can be done together with Step 1 or afterwards. Common Sense Community Manually reviews info before it goes live. Checks if any District review/issues w/ App. Contact vendor as needed. Common Sense approves publication of rating. Reviewing District (as needed) Takes the App from prioritized pool and performs full review or as requested by community. Uses District Handbook. District CIO Staff Third Party Co. (as needed) For enterprise apps, 3 rd party review paid directly to firm..? - If App passes the District Review it would receive a badge of some sort - Other certifications can also be included 15
Common Sense Privacy Ratings Launch Timeline Developer/District Pilot Program Pressure test rubric checklist and with vendors and districts entering data on Graphite. NOT public (behind private vendor/selected district logins) Q2/3 15 Q3 15 Announce with key partners at ISTE Build district review model and rate up to 1,000 Apps Q4 15 Q1 16 Public Launch Q2 2016 Questions? Want to Join? ewilkey@commonsense.org or omar@commonsense.org or mlorion@commonsense.org 16
FUTURE OF PRIVACY FORUM Brenda Leong, Senior Counsel and Director of Operations Email info@futureofprivacy.org or bleong@futureofprivacy.org www.futureofprivacy.org www.ferpasherpa.org or www.studentprivacypledge.org Follow on: https://www.facebook.com/futureofprivacy @futureofprivacy @ferpasherpa @julespolonetsky
NEXT STEPS HISD GLOBAL GRADUATE
HISD GLOBAL GRADUATE 19
HISD GLOBAL GRADUATE 20
HISD GLOBAL GRADUATE 21
HISD GLOBAL GRADUATE 22