Total (out of 9) Percentage
Data Deleted or Destroyed at End of Contract Period 6 66.6%
Non-Specified Security Obligation 7 77.8%
Encryption Level Specified 1 11.1%
NIST Level Specified 0 0.0%
Data Breach Notification Specified 1 11.1%
2. Student Reporting Functions
a. Prevalence
Of the twenty responding districts, only four (20%) produced agreements suggesting that they outsource student reporting functions to third party vendors.[150] These four districts produced a combined total of five agreements from multiple vendors.[151] The limited use of cloud services for student reporting functions suggests that districts continue to prefer that these services be performed internally. It is also possible that such agreements were provided, but because of their ambiguity or vagueness were included below as an unidentified function.[152] A final possibility is that some districts simply failed to account for all of the third party services that they use when responding to our document request or did not understand their information technology infrastructure.
[148] For example, Agreement Document No. 1 provides that the vendor will take “[r]easonable steps to safeguard . . . confidential information.” See Agreement Document No. 1 at 5. Agreement Document No. 2 provides that vendor will protect data in accordance with its own policies regarding confidential information. See Agreement Document No. 2 at 8. Agreement Document No. 4 imposes security measures that are “consistent with industry standards.” See Agreement Document No. 4 at 4. Interestingly, specific security measures were listed in an Exhibit of the agreement but were redacted by the district. See id. at 10–11. Similarly, Agreement Document No. 7 with the same district specifies that “commercially reasonable precautions” are taken to protect data. See Agreement Document No. 7 at 3. One agreement—Agreement Document No. 8—contains a data security provision that seems to protect only the vendor’s confidential information by specifying that the “[c]ustomer will use commercially reasonable efforts to prevent unauthorized access to or use of the [service].” See Agreement Document No. 8 at 2. Agreement Document No. 9 provides for numerous security requirements and guidelines, including “[k]ey baseline security requirements and that ‘all sensitive data [be] sent over SSL when travelling over external networks.’” See Agreement Document No. 9 at 9–14.
[149] Agreement Document No. 7 stipulates that the service provider “immediately advises the licensee in writing upon reasonable suspicion or actual knowledge of a security threat.” See Agreement Document No. 7 at 3.
[150] The four districts are: Jefferson County Public Schools (CO), Mercer Island School District, Providence Public School District, and Sublette County School District #9.
[151] The agreements are on file with Fordham CLIP.
[152]
b. Contracts
All of the districts had fully executed contracts with the vendors, but of the five student reporting agreements, one was incomplete.[153] Only one of the agreements (20%) contained provisions giving the district a contractual right to audit and inspect the vendor’s compliance with the agreement transferring student information.[154] This means that districts are handicapped in assuring the fair treatment of their student data.
c. Types of Student Identifying Data Transferred from Districts to Vendors
The agreements for student reporting functions infrequently identified the student data being transferred to vendors. The findings are shown in the following table:
TYPE OF DATA TRANSFERRED
Type of Data Specified Total (out of 5) Percentage
Name 0 0.0%
Address 0 0.0%
Sex 0 0.0%
ID 0 0.0%
Age/Grade 0 0.0%
Biometric 0 0.0%
Medical/Health 0 0.0%
Socio-Economic 0 0.0%
Transaction Data 1 20%
Of the five student reporting agreements, only one (20%) specified that identifying data was transferred between the district and the vendor.[155] In its specifications, this agreement referenced only one type of data—transaction data—as transferred.
This failure to specify the types of student data transferred presents a significant transparency issue and is inconsistent with the FERPA mandate.[156] This cannot be an accurate reflection of the actual data transferred because the purpose of these agreements is reporting on individual students.
[153] The incomplete document was Agreement Document No. 14. Neither the service’s Privacy Policy nor its Terms of Use—both integrated with the agreement by reference—were provided. Fordham CLIP was able to retrieve these documents (both on file with Fordham CLIP) online on July 31, 2013, at 12:05 PM.
[154] Agreement Document No. 12 provides that all data remains the property of the school district, which could also be construed as providing a right of audit or inspection. See Agreement Document No. 12 at 3.
[155] Agreement Document No. 15 at 1, 3 (specifying that vendor has license “to use, reproduce, extract and otherwise process…Customer Data” [subject to certain limitations] and defining “Customer Data” as any education-related data that is inputted or submitted by the district or users of the service).
[156] See 34 C.F.R. 99.35(a)(3)(A).
[157]
d. Data Control: Sharing, Mining, and Redisclosure
School districts may disclose some student personally identifiable information without first obtaining parental consent on the basis of FERPA’s exceptions to its general consent requirement.[157] Because student reporting functions are services that school districts historically performed internally, districts would most likely not need parental consent under FERPA to transfer data to vendors who would perform those services.[158] None of the student reporting agreements, however, referenced such qualifying functions for the disclosure of student information to the vendor. Districts would, though, still have to retain control over the student data. These findings with respect to key attributes of data control are illustrated in the following table: