What’s wrong: Increasingly, education applications collect all kinds of data without the user being aware of it: keystrokes, time on task, browser searches, even location information. If those data aren’t included in the definition, you have no way of knowing what data are collected and how they are used.
What’s wrong: Many companies use de-identified student data, but removing a student’s name or school ID is not enough to prevent the data from being reconnected to the student. The company should specify exactly how it will de-identify the data, both basic student identification and demographic information, school location, or other items that could be used to identify the student.
What’s wrong: Using either data or metadata—the information about data, such as categories or time stamps—to create profiles of students or their parents would violate the Family Educational Rights and Privacy Act, and it should be explicitly barred.
What’s wrong: This can make any protections or restrictions on the data basically toothless. The school or district should keep control of the data and should get clear notice of any changes.
What’s wrong: The agreement should make it clear that the company can use the data only to provide the service; it should not keep student data after the district is no longer using the service or take away intellectual-property rights from teachers or schools creating content through the service.
What’s wrong: It seems pretty straightforward, but experts say schools often overlook age restrictions when the content seems suitable for young students. (Did you know YouTube is not intended for younger than 13?) It can be a clue that the app collects data or uses social media in ways that require parental consent.
A version of this article appeared in the March 29, 2017 edition of Education Week as Where Are the Red Flags on Privacy Agreements?