Data privacy concern - New Hampshire School Districts

I’m posting on behalf of New Hampshire’s K-12 school districts, where I am CTO of one of our larger districts and a co-founder / Executive Board member of our state CoSN affiliate. Coincidentally, my first career was in GIS, with a master’s from the Geomatics program at Purdue, and have great respect for Trimble as a company. I am posting because we are between a rock and a hard place regarding using this great tool, because of Trimble’s unwillingness to sign our data privacy agreement to agree to comply with our 2018 state data privacy law.

The crux of the matter is this: the majority of our students in NH use Chromebooks and are interested in the web version of SketchUp for Schools. Our state law requires that any vendor receiving student PII (this includes first name, last name, or email address) to comply with our minimum security standards. [NOTE that a new rule allows vendors with SOC2, ISO 27001, or similar security certifications as a substitute for the minimum standards checklist]

SketchUp has thus far claimed that they do not store student PII because they use only Google or Microsoft logins. We have confirmed that with a Microsoft Azure SAML 2.0 integration, we can control the information that is sent back to the vendor, thus preventing first/last/email from being provided to the vendor. However, most districts use Google with students, and they do NOT offer the same controls over “login with Google”.

Although our first priority is to have SketchUp as an approved vendor, we would absolutely love to have a conversation with someone technical who can prove to us that no student PII is stored in SketchUp.

New Hampshire’s consortium approach to student data privacy is leading the way in the nation on this issue, and we are poised to overtake California within a few weeks on the number of data privacy agreements we have signed with our valuable vendor partners (free and paid). Many other states are watching how we handle what is one of the most strict student data privacy laws in the nation, and we are trying to work closely with vendors to give our parents confidence that we are prioritizing student data privacy. We have signed data privacy agreements with hundreds of vendors; vendors who refuse to sign will not be permitted to operate in most of our districts. https://sdpc.a4l.org/view_alliance.php?state=NH

Many thanks,
Pam McLeod, CETL
Concord NH School District

2 Likes

I’ve done quite a lot of work on SketchUp for Schools and I think it’s alright if I clarify that although the on-device application does make some use of student data, it retrieves said data from Google/Microsoft on its own without passing through our servers. Hence the claim that Trimble does not receive and does not store PII. In this case, the “vendor” setting in Azure probably refers to the modeling software running in the student’s own web browser, not Trimble’s remote identity services.

I personally believe we do our best to stay aware of student privacy and design towards it at every juncture, mainly by keeping things client-side whenever possible.

Alas, I absolutely do not have the authority to assert our compliance with specific regulations or otherwise agree to anything remotely legally binding. The best I can offer is a recommendation to reach out to @Tori_SU.

1 Like

Thanks for the reply @samsartor! We would love to have a conversation with @Tori_SU - can someone privately give me the contact information? I’m at pmcleod@sau8.org .

Hi Pam, thanks for reaching out to us. I’ll send you a private email!

Tori,
I am looking to see if SketchUp would sign off on the New York State Bill of Rights.
Can you send me an email so we can talk please?

Lucas Manny
l_manny@saratogaschools.org