Kids and the cloud – who is protecting their privacy?

serversNew research for the Ponemon Institute for highlights some critical issues in the increasing use of cloud-based services to store and process the confidential personal information of people using public services.

On the one hand, schools are not immune from the need to modernise how they operate and reduce costs. According to the research, a strong majority of schools expect to deploy cloud email and document services in the foreseeable future. The data shows that the ease of administering the system and lower costs are key drivers to move to cloud, while just 11% of respondents say the move will help protect student privacy. One in four already use cloud email for students and one in five do so for staff.

Yet at the same time, they also object to data mining for profit by cloud providers and say that student profiling and ad serving should never be allowed in school-provided cloud services. Many schools also say parents should be able to opt their children out of data mining services.

The key point is made starkly clear: some schools admit they are tempted to trade student privacy for lower cost services.

This is both a a privacy issue, and a competition one. If schools were forbidden from using cloud services that mine the information uploaded, then the market would move to offer privacy-friendly services. As it is, like many other cloud services, a few massive companies are rapidly building significant market share and a huge amount of information about British kids.

These findings reflect much of our own experience when dealing with issues around children’s information in schools. The Government changed the law to give parents and children the right to not use biometric systems because of the privacy issues and the use of cloud services raises many of the same concerns. At a time when it is of serious importance to educate young people about the wider issues of privacy, this kind of attitude in schools is cause for concern. Equally, as our report on CCTV in schools found last year, there is surprisingly little oversight on individual schools when it comes to choosing this kind of service.

The idea that parents can opt-out from these services is going to be extremely tough to implement in reality, unless the school wants to have two different services running. The fact some schools felt that not giving an opt-out but ensuring the service providers fully disclose what they are doing to the data is enough is remarkable and very worrying.

While the response rate to the survey was not of academic standards, it is clear that these issues require extremely careful consideration before schools rush to implement services and risk compromising their students privacy with little or no parental input.



  1. sigma
    4th June 2013

    Yes, its’s a huge problem which schools don’t seem to understand – on a number of fronts.
    1. A number of schools nationally still use the free @talk21 (now operated by BTYahoo) accounts that were provided in the last century, and I’m aware of several locally that have been hacked in the recent spate of BTYahoo hackings. I don’t think any have notified the ICO even though very personal data about pupils and their families is likely to have been included. As part of the current T’s and C’s, these emails have their contents profiled by Yahoo, ditto those schools that have opted to use free Gmail or Hotmail accounts.
    2. Unencrypted personal data routinely being taken offsite.
    3. Schools that creat accounts for parents, for payments for example – without consent.
    4. Learning platforms/ pupil progress tracking systems.
    Why do most of these systems, even if they are hosted in the UK or EU (and many are not), seem to use Google Analytics or other third party analytics. Doesn’t anyone know how to analyse a server log any more?
    5. Lack of attention to Privacy Settings on browsers by school IT support staff.
    They generally leave the settings wide open, and then explicitly prevent pupils or staff from changing them.
    6. Schools that routinely allow their external support providers to take Sims servers offsite for maintenance – to who knows where – complete with Sims data intact or allow uncontrolled remote access.
    7. Well meaning teachers that use apps or online services where the T’s and C’s explicitly forbid the use by minors, have dire privacy practices, gift the rights of pupils creative or intellectual property, create accounts of third party websites without parents’ consent.
    I could go on.

  2. Links 4/6/2013: Honouring Atul Chitnis | Techrights
    4th June 2013

    […] Kids and the cloud – who is protecting their privacy? […]