Major deficiencies have been uncovered in how school districts across the United States are handling the personal information of students shared with third-party Cloud computing service providers, according to new research.

A report by Fordham University’s Center on Law and Information Policy (CLIP) in New York found that 95% of school districts were now using Cloud computing services.

But of the school districts using the Cloud, only 25% informed parents of their use of Cloud services and 20% failed to have any policies governing their use of Cloud services.

“School districts throughout the country are embracing the use of Cloud computing services for important educational goals, but have not kept pace with appropriate safeguards for the personal data of school children,” said head of the research team and Fordham Law School Professor Joel Reidenberg in a statement.

The study correlates with a survey of Australian independent schools taken on this website last November, which found that more than 80% of the respondents were not ready for the new Privacy Laws in Australia that come into effect on March 12.

The key areas where schools used the Cloud according to the US research included:

• Data Analytics functions that aggregated and analysed student data.
• Student reporting services to provide metrics of student progress and attendance.
• Guidance function services to assist in tracking student planning.
• Special school functions to assist in a school district’s activities, such as transport planning and payment mechanisms for student lunch programs.
• Hosting, maintenance and back-up functions including website and data hosting.
• Classroom functions that provide online learning, collaboration and individual assessment tools.

The study showed a large percentage of the schools surveyed did not comply with the US Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student records.

For instance, 78% of the school districts disclosed that they used student data for Data Analytics without notifying parents, while only 11% of school districts who used student data for Data Analytics obtained parental consent to do so.

FERPA has many of the same protections as Australia’s new Privacy Laws, such as requiring schools to obtain parental consent before disclosing personal information about a student to a third-party (such as a Cloud computing service).

The Australian Privacy Laws will require schools to disclose whether they share any student information to third-parties and to be liable for any privacy breaches by overseas recipients (such as Cloud services) that they disclose information to.

Under the new Privacy Laws, organisations are required to:

• Only use personal information for the primary purpose for which it was collected and not for a secondary purpose unless prior consent has been granted.
• Take steps to ensure overseas recipients of information (such as an overseas-based Cloud service provider) do not breach Australian Privacy Laws.
• Disclose whether personal information is being disclosed to any overseas recipients, including Cloud service providers located outside Australia.

The study of 54 school districts across the US found that 33% did not have agreements with third-party analytics services providers to destroy data after it was no longer needed – as required by US and also Australian law.

The research also found that only 13% of school districts having written agreements with third-party web hosting and back-up Cloud computing firms had the right to audit and inspect the vendor’s practices with respect to student data.

Such is the extent of personal student information held by several major service providers on the Cloud, the study noted the web-based student information system PowerSchool’s claim to hold personal information on 12 million students in the US.

Another company that provides a data analytics platform – Panorama Education – holds information on one million students across 4000 schools.