Student data privacy is a hot-button issue. In the last five years, according to Amelia Vance, director of education privacy & policy counsel at the Future of Privacy Forum (FPF), over 600 bills on the topic have been introduced and 125 new laws have passed in about 40 states. “Unfortunately, the vast majority of those laws came with no resources, funding, or support to implement them. I give a lot of credit to the leading district CIOs and CTOs who have stepped up and fulfilled the promise of the laws,” says Vance, who also runs FERPA|Sherpa, the Education Privacy Resource Center that has loads of resources online.
Vance encourages district leaders to start by training every person in your district who has access to information about the importance of privacy and protecting that information. “Most of the issues that arise are because of human error,” she says. “Email attachments that shouldn’t be sent out get sent; web pages go live that shouldn’t; people forget to lock their computer.” Recently, she heard about a district that posted its school safety plans online before the school board meeting; no one noticed they included the private medical information of students and teachers who would need assistance in a school safety emergency.
In 2019, a lot of general privacy laws may pass that will unintentionally apply to schools. Vance suggests keeping an eye on any privacy bills that come up in your state because they may accidentally cover you and give you additional responsibilities. She says you can keep updated by Googling your state + consumer privacy act. You can also bookmark the FPF and FERPA|Sherpa websites, as they’ll be keeping track of the news.
Here’s a look at how a handful of chief information officers are keeping their students safe online.
1. Educate yourself
“I spend a lot of time learning from the Privacy Technical Assistance Center and the Family Policy Compliance Office of the USDOE. Too many people are unfamiliar with these amazing free resources, which include approachable guides for educators and families. They even have a phone number for questions, and—lo and behold—real live humans answer it!
“South Portland (ME) Schools was an early member of the Student Data Privacy Consortium. This organization helps with the tedious, time-consuming, and tricky work of developing contracts with vendors that respect and ensure student data privacy.
“Everyone in the district can play a role in protecting student data privacy: staff, students, and parents. We remix elements of the CommonSense Media digital citizenship programs with our own curriculum. We’re proud to have a school recognized as a Common Sense-certified School for the past four years, something that is possible only with the participation of all stakeholders.
“I frequently visit well-established district sites that have done some of the heavy lifting to vet software and apps and have solid processes and policies already in place. Tops on my list are Cambridge (MA) Public Schools and Denver (CO) Public Schools.
“One thing I do not do is spend a lot of time listening to those who spin student data privacy horror stories. Understanding what can go wrong when privacy is breached is healthy; being scared into inaction by extreme and unlikely catastrophes stifles innovation and the positive use of educational technology.”—Andy Wallace, director of technology, South Portland (ME) Schools
2. Develop a multi-faceted approach
“At Beaverton (OR) School District, like many districts around the country, we take student data privacy very seriously and are working on a number of improvements to address student data privacy and security. We have a multi-faceted approach covering staff awareness, governance systems, and changing the way we work with vendors.
“Student data privacy is linked very closely with cybersecurity and we are in the midst of a year-long staff awareness campaign to help staff understand the importance of our student, staff, and organizational data and the ways in which they can help improve our security. For example, we have shared information to help staff spot phishing emails, which are designed for attackers to get into our systems to compromise and steal our data. We are also changing our password policies and training to make sure staff lock their workstations while not in use to protect access to systems and data.
“We are working with a multi-department team to implement data governance systems. We have many apps used across the district and sometimes, student data can be entered into apps we might not know about or have the opportunity to engage in a conversation with the vendors. We are implementing a process to inform staff of district-vetted apps with regards to data privacy and security and will also create a public portal for parents.
“Finally, with vendors, we, along with many other districts around the country, have joined the Student Data Privacy Consortium. We volunteered to engage in legal and purchasing review of the Student Data Privacy Agreement from the consortium to ensure the agreement is aligned to Oregon statutes. The Oregon agreement was then made public for all districts in Oregon to use a common privacy agreement with vendors. The advantage to this is twofold: The districts get a contract to use and the vendors—once they review and sign the agreement for one district—know the agreement will work for others.”—Steven Langford, CIO, Beaverton (OR) School District