It’s not just for the students and teachers: Another perspective on privacy

Target was targeted. [image credit:]

A colleague of mine recently sent me a link about a Common Sense Media statement about the weak state of data privacy in schools. The main idea behind the statement (summarized here by NPR) is that schools are doing a less than stellar job protecting the privacy of their students’ data. This article piqued my interest since we here at AES have recently dealt with a few hacking/privacy issues. This recent issue has made me look at all of our policies and agreements around privacy and student/family data. As a result I’m starting the process of doing an informal security audit. So far I am finding the deeper I dig, the more areas there are to investigate. I am working through our business office, facilities management office, and of course the main tech office and beyond. There are so many systems here at AES that it will take some time to complete even this informal audit. I’m already feeling like I am going to need an 3rd party to complete a security audit.

The first place I looked is at our school information system, Veracross. Here’s a copy of the privacy agreement (a section of our contract with them)

6. Intellectual Property
B&C shall retain all right, title and interest in and to the B&C Technology and the System, and Client shall retain all right, title and interest in and to the Client Data.
7. Confidential Information
(a) Each party acknowledges that it will have access to certain confidential information of the other par- ty concerning the other party’s business, plans, Clients, resellers, technology, and products, and other information held in confidence by the other party (“Confidential Information”). Confidential Information will include all information in tangible or intangible form that is marked or designated as confidential or that, under the circumstances of its disclosure, should be considered confidential. Confidential Information will also include the Database, Client Data, and the B&C Technology. Each party agrees that it will not use in any way, for its own account or the account of any third party, except as expressly permitted by, or required to achieve the purposes of, this Agreement, nor disclose to any third party (except as required by law or to that party’s attorneys, accountants and other advisers as reasonably necessary), any of the other party’s Confidential Information and will take reasonable precautions to protect the confidentiality of such information that are at least as stringent as it takes to protect its own Confidential Information. Within 30 days after termination of this Agreement, each party shall return to the other party (or, at that party’s option, destroy) all Confidential Information of the other party then remaining in its possession.
(b) Information will not be deemed Confidential Information hereunder if such information: (i) is known to the receiving party prior to receipt from the disclosing party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (ii) becomes known (independently of disclosure by the disclosing party) to the receiving party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (iii) becomes publicly known or otherwise ceases to be secret or confidential, except through a breach of this Agreement by the receiving party; or (iv) is independently developed by the receiving party. The receiving party may dis- close Confidential Information pursuant to the requirements of a governmental agency or by operation of law, provided that it gives the disclosing party reasonable prior written notice sufficient to permit the disclosing party to contest such disclosure.

Do you like the fine print? 🙂 It basically states that we agree to keep what we know about Veracross’s software and processes private and they agree to keep our data private. The main issue for me is, what happens if they don’t keep our data private? History shows that even major companies cannot keep their data private, right? I think the only thing going for Veracross and AES is that overall there is not a high demand for our data. Credit card information from Target is simply worth more on the black market.

Honestly data security is not something that I thought much about before signing a contract with Veracross. Yes, I did read the contract, but I never once asked them about the real world practices of their company that are in place to protect our students’ data. It’s something that I need to do for all of our systems, but it takes time. Once you start digging into these issues, you feel like you are going to need a personal data security specialist (and a lawyer) to complete the process! We cannot afford to ignore it however. As a school, we are, in the end, responsible for the data we maintain. So I suggest we need to expand the discussion beyond just personal privacy for students and teachers to the privacy of the data housed in our systems at school. This of course hits home to me as the Director of Technology at AES. Now that I have opened this can of worms I will have to deal with it. Looks like I have some work to do!

2 thoughts on “It’s not just for the students and teachers: Another perspective on privacy

  1. David,

    I think you are very brave! Can of worms for sure. Some times I do start to read the fine print and before long – I decide I can’t understand the legal vocabulary and I give up before getting to the bottom and I click, “Agree” or “Accept” with crossed fingers!
    And I think you are right that we should be grateful that most people are not interested in the kind of data our admin offices hold…. still…. I very much hope that you are able to persevere with your voyage of discovery as I am keen to hear what you find out!


  2. Hi David,

    Some might disagree about the value of the data that Veracross holds. Many international schools have some fairly affluent and/or influential families attending. It’s not unimaginable that either a) the family is very security conscious, or b) there are third parties who think their personal data might be valuable.

    I, for one, agree with you about the relative worth of school data but it’s good to raise the discussion at a larger institutional level as well as at a personal level.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s