The process of ending a relationship with an edtech vendor often presents a far greater challenge than initially anticipated, leaving school districts grappling with complex data security and legal compliance issues. While selecting and implementing new technology solutions is often straightforward, ensuring their safe and complete removal — and verifying the deletion of sensitive student data — is proving to be a surprisingly difficult and risky undertaking.
The Silent Treatment: Vendor Ghosting and Data Retention
Many districts are discovering that ending a contract with an edtech provider isn’t a clean break. A common problem is vendor “ghosting,” where support and communication abruptly cease, particularly when districts attempt to switch to alternative products. This lack of engagement makes it difficult to manage tool retirement and can delay critical data deletion processes. Steven Langford, CIO for Beaverton School District in Oregon, has formalized his “breakup” process because of this inconsistent engagement, retiring 59 tools since February, a process taking an average of 72 days— longer than the contractual 60-day requirement.
The Difficulties in Proving Data Deletion
Even when vendors respond to requests for data removal, districts face a deeper dilemma: how do you definitively prove that data no longer exists? Stacy Hawthorne, Chief Academic Officer at Learn21 and board chair of the Consortium for School Networking (CoSN), recalls a Colorado district struggling to obtain assurance from a vendor on data deletion. A vendor’s legal team admitted they couldn’t guarantee deletion, a stark illustration of the difficulty in proving a negative.
Laura Pollak, Supervisor of NASTECH data privacy and security service at Nassau BOCES in New York, regularly discovers vendors retaining unencrypted student data long after contracts have ended, sometimes even from trial users who never became customers. Some vendors mistakenly believe “obfuscation” is equivalent to deletion, or they are unable to fully remove data due to shared systems with other clients.
Todd Borland, Executive Director of Technology for Tulsa Union School District in Oklahoma, employs a tactic of sending files with dummy variables to verify deletion. While this provides some assurance, he acknowledges that verification ultimately depends on trusting the vendor’s word—especially considering the possibility of existing backups.
Contract Complications and Mergers
The situation becomes even more complex when companies are sold. Borland recalls contracts automatically renewing under new ownership unaware of prior agreements or district privacy standards, creating a “nightmare” scenario. Melissa Tebbenkamp, an independent consultant and former CIO, experienced a data breach involving a product her district hadn’t used in seven years, prompting her to design a formal offboarding process. However, even with these processes in place, she emphasizes that districts often have to “trust” vendors to fulfill their contractual obligations.
Prevention and Best Practices
Experts advocate for proactive measures to mitigate these challenges. A data privacy agreement before a partnership begins is crucial, offering leverage if deletion requirements aren’t met. Jun Kim, Director of Technology for Moore Public Schools in Oklahoma, emphasizes clear communication as a primary protection, suggesting that vendors should immediately inform districts of any product issues.
Hawthorne recommends incorporating communication into every step of the offboarding workflow, alerting teachers early, tracking tool usage, and publicizing the list of retired software. For districts like Beaverton, this helps ensure transparency and accountability.
The Legal Landscape and Future Directions
Current enforcement often lags behind technological advancements, leaving districts to interpret and shoulder the risk themselves. With the increasing volume of student data stored on private servers, there’s a growing demand for stronger vendor accountability, standardized data deletion certifications, and federal guidance on data retention periods.
Key Takeaways and Recommendations
Ultimately, managing edtech data deletion requires a proactive approach, prioritizing clear contracts, open communication, and ongoing verification.
- Prioritize strong data privacy agreements before partnerships begin.
- Formalize the offboarding process to ensure smooth transitions.
- Maintain clear communication channels with vendors throughout the entire process.
- Be prepared to verify data deletion through ongoing monitoring and verification techniques.
- Advocate for stronger vendor accountability and clearer regulatory guidance.
The edtech boom transformed education, but the responsibility for protecting student data extends far beyond initial implementation. As privacy regulations evolve, the ability for the edtech industry to responsibly and reliably delete data will become a critical measure of its maturity and trustworthiness
