School leaders can ensure top-notch privacy practices with targeted efforts
It would be hard to name an issue that has taken the education technology world by storm as has student data privacy over the past year. To address this issue, CoSN published our Protecting Student Privacy in Connected Learning toolkit in March to help districts navigate FERPA (Family Education Rights & Privacy Act) and COPPA (Children’s Online Privacy Protection Act).
During the 2014-2015 school year, the Toolkit will be expanded to include additional information on the Protection of Pupil Rights Amendment (PPRA) and the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule–rounding out the four federal privacy laws relevant to schools.
With all of the confusion and uncertainty regarding privacy, it can be difficult for school technology leaders to know what they can or should be doing. It would be easy to lose sight of some concrete steps they can be taking today to better ensure privacy of student data.
In a report released a few weeks ago titled Making Sense of Student Data Privacy, Bob Moore, a longtime district CTO and founder of RJM Strategies LLC, detailed several common sense steps every school district should take. You can download the full report at www.k12blueprint.com/privacy.
(Next page: 10 privacy steps for every district)
As schools prepare to go back in the fall, the following 10 steps lay out a great plan to get ahead of rising privacy concerns.
10 privacy steps every school district should take:
- Designate a Privacy Official – A senior district administrator must be designated as the person responsible for ensuring accountability for privacy laws and policies. This is a “divide and conquer” issue, but someone needs to be in charge.
- Seek legal counsel – Make sure that the legal counsel your district accesses understands education privacy laws and how they are applied to technology services. Do not wait until there is a pressing issue that must be addressed.
- Know the laws – Many organizations have and will be publishing privacy guidance for schools, such as the CoSN resource mentioned above. The U.S. Department of Education’s Privacy Technical Assistance Center is a must-know resource at: http://ptac.ed.gov/.
- Adopt school community norms and policies – Beyond the privacy laws, what does your school community really expect when it comes to privacy? Seek consensus regarding collecting, using and sharing student data.
- Implement workable processes – These are necessary processes for selecting instruction apps and online services. No one wants to slow innovation, but ensuring privacy requires some planning and adherence to processes. Once enacted, the processes should be reviewed regularly to ensure that they are workable and that they reflect current interpretations of privacy laws and policies.
- Leverage procurement – Every bid or contract has standard language around a wide range of legal issues. By adopting standard language related to privacy and security, you will make your task much easier. Unfortunately, many online services are offered via “click-wrap” agreements that are “take it or leave it.” You may have to look for alternative solutions if the privacy provisions of those services do not align with your expectations.
- Provide training – Staff need training so they will know what to do or why it is important. Annual training should be required of any school employee that is handling student data, adopting online education apps and contracting with service providers. Privacy laws represent legal requirements that must be taken seriously.
- Inform parents – Parents should be involved in the development of privacy norms and policies. Just as schools provide information about online safety and appropriate use, they must put significant effort into ensuring that parents understand the measures taken to protect student privacy.
- Make security a priority – Privacy starts with security. Secure the device, the network and the data center. Toughen password policies. Have regular security audits conducted by a third party expert.
- Review and adjust – Interpretations of privacy laws are changing and new laws may be added. School policies and practices will need updating and adjusted so that they reflect legal requirements. Processes can become burdensome, and when that happens, some people may want to skirt the process.
While there are no practical steps that can be taken to guarantee privacy of student data, by tackling the steps outlined above, schools will be well on their way to taking control of this issue and better ensuring student privacy.
As educational leaders, it is time to identify aspirational practices around privacy, not merely provide minimal legal compliance. Be a privacy leader.
Keith Krueger is CEO of the Consortium for School Networking (CoSN).