by Daniel J. Solove
For any organization who doesn’t take privacy seriously, the demise of inBoom should be a loud wake up call. Funded by $100 million from the Gates Foundation, inBloom was a non-profit organization aiming to store student data so that school officials and teachers could use it to learn about their students and how to more effectively teach them and improve their performance in school. Who would have thought that a project with so much funding and promise would be shutting down just a few years after its creation? What went wrong?
The main instrument of inBloom’s death was privacy. Because inBloom involved so much student data, privacy concerns began to swirl about, and eventually turned into a tornado that resulted in a backlash inBloom was ill-prepared to handle. In light of the privacy concerns, school districts started to back out of using inBloom, and states began to pass legislation to restrict the sharing of student data.
With more privacy battles looming on the horizon, with mounting attacks and increasing state legislative activity in response to inBloom, the mighty dragon collapsed.
There is an important lesson here, and it is one that I think is being lost amid the discussion. The lesson is not that privacy legislation is evil and anti-innovation. Nor is it that crazy ill-founded concerns killed a good things. Nor is it that inBloom was a greedy gobbler of data and would have caused harm.
According to the statement by inBloom’s CEO: “It is a shame that the progress of this important innovation has been stalled because of generalized public concerns about data misuse, even though inBloom has world-class security and privacy protections that have raised the bar for school districts and the industry as a whole.” He also stated that inBloom “has been the subject of mischaracterizations and a lightning rod for misdirected criticism.”
But inBloom didn’t die because it was mistakenly singled out for attack. It died because of a more fundamental problem with education privacy. The problem is that education privacy is lagging so far behind other industries and is so poorly regulated and addressed. Any company trying to do business with K-12 schools where privacy is involved is like a company trying to build a world-class research facility in the middle of an untamed jungle.
There is no privacy infrastructure in K-12 schools. This is akin to there being no roads, no running water, no electricity, no police system, no fire protection, and no hospitals. The lack of this infrastructure is what doomed inBloom.
Unlike other industries, K-12 schools lack effective privacy regulation. The Family Educational Rights and Privacy Act (FERPA) is an outdated law that lacks a meaningful enforcement remedy, fails to address many key issues, and lacks much of a governance structure. Without a governance structure — a set of requirements for ensuring that institutions develop an effective privacy program — a privacy law is just empty words on a page. A governance structure involves having someone responsible for privacy — a Chief Privacy Officer or someone designated as a privacy point person who can coordinate a privacy program. There must be an assessment of privacy risks, someone who is responsible for data security, adequate policies that comply with the law, and training of personnel. For example, what good are policies if people don’t know they exist and have no idea what to do to follow them? People need to be trained! I discussed many other shortcomings of FERPA in an earlier post.
A 2009 study by Fordham Law School’s Center on Law and Information Policy found that “privacy protections for the longitudinal databases were lacking in the majority of states.” Even more strongly, the study characterized the privacy protections as “weak.” A more recent study by the same organization found that the contracts that K-12 school districts had with cloud service providers were derelict. Only 25% of school districts provide adequate notice to parents about the use of cloud services. About “20% of the responding districts had no policies addressing teacher use of information resources.” Only 25% of the agreements “gave districts the right to audit and inspect the vendor’s practices with respect to the transferred data.” None of the contracts “specifically prohibited the sale and marketing of children’s information.” And only one agreement “required the vendor to notify the district in the event of a data security breach.”
Schools lack officials who know about what key terms should be in such contracts. They lack officials who know how to vet third party vendors when it comes to privacy and data security. Without auditing of privacy risks, they lack an awareness of what data they are collecting and how the various personnel and departments in a school are using that data. They have no idea about all the various federal and state privacy laws that regulate them. School personnel have no training about when they must maintain the confidentiality of student data, when they can share that data, how they should protect the data, and what good data security practices they should be following.
Parents are naturally concerned when they hear about how little protection is being given to their children’s personal data. How does this affect companies like inBloom? When a school starts sharing data with inBloom and it raises questions and concerns, whom are parents to call? There are no privacy officers at schools who can answer these questions. There are no disclosures to parents explaining what is going on and how privacy and security will be protected. There is nothing to educate parents or to address fears and concerns.
Imagine a school with a healthy and sophisticated privacy program. There’s a privacy and security officer. These officials vet inBloom and publicize the results of their vetting process, explaining the risks and why they think that any concerns are appropriately dealt with. Parents are informed and feel confident that appropriate care and consideration were given before sharing data. These officials are available to answer questions that parents have. The key terms of the contract between inBloom and the school are disclosed to parents so they understand exactly what responsibilities and limitations inBloom has regarding their children’s data. Parents know definitively and exactly lines that cannot be crossed and what things data can be used for and what things it can’t be used for. And if the law provided effective enforcement, parents would know that if there was any misuse, there would be an investigation and potent sanctions for both the school and inBloom.
The above privacy regime would provide a lot more knowledge and confidence that personal data was being adequately protected.
The lesson in the inBloom demise is that the real problem is the lack of a privacy infrastructure at the K-12 level. This is essential because there is so much data about students, and a lot of it is sensitive data. Using this data can bring great benefits, but we need an appropriate infrastructure in which to use it. Otherwise, it’s like building a nuclear reactor on a fault line or near a tsunami zone . . . and we all know what happens next.
K-12 schools currently are woefully underfunded. I doubt that schools will soon have the funding to develop privacy programs. But there is hope. If companies want to do business with K-12 schools – if they want schools to share data and not have the pushback that inBloom received – then they need to find a way to help bring schools into the 21st Century when it comes to privacy. So if you build the facility in the jungle, you also need to build the roads, the electricity, the water, and so on. If you build a good privacy environment, organizations like inBloom might actually be able to bloom.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 600,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter
Please join one or more of Professor Solove’s LinkedIn Discussion Groups:
* Privacy and Data Security
* HIPAA Privacy & Security
* Education Privacy and Data Security