Student data privacy is a hot-button issue. In the last five years, according to Amelia Vance, director of education privacy & policy counsel at the Future of Privacy Forum (FPF), over 600 bills on the topic have been introduced and 125 new laws have passed in about 40 states. “Unfortunately, the vast majority of those laws came with no resources, funding, or support to implement them. I give a lot of credit to the leading district CIOs and CTOs who have stepped up and fulfilled the promise of the laws,” says Vance, who also runs FERPA|Sherpa, the Education Privacy Resource Center that has loads of resources online.
Vance encourages district leaders to start by training every person in the district who has access to information on the importance of privacy and of protecting that information. “Most of the issues that arise are because of human error,” she says. “Email attachments that shouldn’t be sent out get sent; web pages go live that shouldn’t; people forget to lock their computer.” Recently, she heard about a district that posted its school safety plans online before the school board meeting; no one noticed they included the private medical information of students and teachers who would need assistance in a school safety emergency.
In 2019, a lot of general privacy laws may pass that will unintentionally apply to schools. Vance suggests keeping an eye on any privacy bills that come up in your state because they may accidentally cover you and give you additional responsibilities. She says you can keep updated by Googling your state + consumer privacy act. You can also bookmark the FPF and FERPA|Sherpa websites, as they’ll be keeping track of the news.
Here’s a look at how a handful of chief information officers are keeping their students safe online.
1. Educate yourself
“I spend a lot of time learning from the Privacy Technical Assistance Center and the Family Policy Compliance Office of the USDOE. Too many people are unfamiliar with these amazing free resources, which include approachable guides for educators and families. They even have a phone number for questions, and—lo and behold—real live humans answer it!
“South Portland (ME) Schools was an early member of the Student Data Privacy Consortium. This organization helps with the tedious, time-consuming, and tricky work of developing contracts with vendors that respect and ensure student data privacy.
“Everyone in the district can play a role in protecting student data privacy: staff, students, and parents. We remix elements of the CommonSense Media digital citizenship programs with our own curriculum. We’re proud to have a school recognized as a Common Sense-certified School for the past four years, something that is possible only with the participation of all stakeholders.
“I frequently visit well-established district sites that have done some of the heavy lifting to vet software and apps and have solid processes and policies already in place. Tops on my list are Cambridge (MA) Public Schools and Denver (CO) Public Schools.
“One thing I do not do is spend a lot of time listening to those who spin student data privacy horror stories. Understanding what can go wrong when privacy is breached is healthy; being scared into inaction by extreme and unlikely catastrophes stifles innovation and the positive use of educational technology.”—Andy Wallace, director of technology, South Portland (ME) Schools
2. Develop a multi-faceted approach
“At Beaverton (OR) School District, like many districts around the country, we take student data privacy very seriously and are working on a number of improvements to address student data privacy and security. We have a multi-faceted approach covering staff awareness, governance systems, and changing the way we work with vendors.
“Student data privacy is linked very closely with cybersecurity and we are in the midst of a year-long staff awareness campaign to help staff understand the importance of our student, staff, and organizational data and the ways in which they can help improve our security. For example, we have shared information to help staff spot phishing emails, which are designed for attackers to get into our systems to compromise and steal our data. We are also changing our password policies and training to make sure staff lock their workstations while not in use to protect access to systems and data.
“We are working with a multi-department team to implement data governance systems. We have many apps used across the district and sometimes, student data can be entered into apps we might not know about or have the opportunity to engage in a conversation with the vendors. We are implementing a process to inform staff of district-vetted apps with regard to data privacy and security and will also create a public portal for parents.
“Finally, with vendors, we, along with many other districts around the country, have joined the Student Data Privacy Consortium. We volunteered to engage in legal and purchasing review of the Student Data Privacy Agreement from the consortium to ensure the agreement is aligned to Oregon statutes. The Oregon agreement was then made public for all districts in Oregon to use a common privacy agreement with vendors. The advantage to this is twofold: The districts get a contract to use and the vendors—once they review and sign the agreement for one district—know the agreement will work for others.”—Steven Langford, CIO, Beaverton (OR) School District
3. Form collaborative partnerships
“Westwood (MA) Public Schools is a member of The Education Cooperative (TEC), an educational collaborative that serves 16 districts in Massachusetts. In the spring of 2017, the TEC member districts identified student data privacy as a need that could be best supported by the collective resources of the cooperative. As a result, the TEC Student Data Privacy Alliance (TEC SDPA) was formed. The main benefits of this alliance include:
- Engagement of a lawyer to create a standard vendor contract, customized for the needs of all member districts.
- Support of an experienced administrative specialist serving as a main point of contact to research, review, and acquire privacy contracts with vendors.
- Access to expert legal counsel to provide us with guidance and support when needed.
“The latest version of the TEC privacy contract is constructed such that when a service provider signs an agreement, all member TEC districts will be able to sign on to the same contract as well. This eliminates the need to have separate contracts between the service providers and individual districts. Early indications suggest that this model is much more favorably received by the service providers.
“The TEC SDPA is essentially a local branch of the Massachusetts Student Privacy Alliance (MSPA), an alliance that started in Cambridge, Mass., and has gained national recognition for its pioneering work in student data privacy. Among other things, this partnership gives TEC access to MSPA’s website, tools, and expertise.”—Steve Ouellette, director of technology, learning, and innovation, Westwood (MA) Public Schools
4. Educate your entire staff
“In Green Bay Area (WI) Public Schools, we have built a process for teachers to request media resources to use in the classroom. First, we verify with Teaching & Learning that the content is relevant and supplemental to the work done in the classroom. Our technology resource coordination team reviews the technical specifications and analyzes how our students interact with the resource. Is PII (personally identifiable information) being disclosed? If so, our department of technology contacts the media resource creator and requests that they sign our FERPA non-disclosure agreement, assuring us that they will follow our model terms of student data privacy and security.
“Depending on the outcome of our interaction with the solution provider, the resource is added to our Green List (teachers may use with students), Yellow List (use with caution by perhaps anonymizing students), or Red List (we recommend that teachers not use the resource in the classroom). You can find our Green List here.
“If Teaching & Learning wants to purchase a district-wide resource that involves technology, we send out a pre-screen document that explores which types of data are exchanged with the system and how it’s exchanged way before the resource gets into the hands of educators to test/review it. If the resource does not pass data privacy/security muster, it does not move forward in the review process.
“Our procurement process includes student data privacy language in the RFP (request for proposal). We make sure data privacy/security agreements are signed by our solution providers before we make the purchase. We belong to the Student Data Privacy Consortium and are active in monthly planning and execution calls.
“Each week, we send a memo to our entire staff called the Friday Fast Five. At least one point of the five includes a student data privacy message or reminder. We have branded it with this logo.
“I work directly with the solution providers to assist them in understanding the importance of their responsibilities in serving as a ‘school official’ and why we need assurances on how they will keep our data safe. Nobody wants to be that vendor or that school district whose data gets breached. As partners, districts and solution providers need to stick together. It’s the expectation of our communities.”—Diane W. Doersch, chief technology & information officer, Green Bay Area (WI) Public Schools
5. Work closely with vendors
“Two years ago, Milford (MA) Public Schools had no network to speak of and even fewer computers available to students. Today, we have a gigabit wireless network deployed at our elementary, middle, and high schools, and this fall we deployed 3,000 Chromebooks to our students and 450 Dell laptops to our teachers and administrators. Given today’s realities, going digital was the clear choice. With that came the need for increased data safety.
“We started by having frank conversations with vendors of our student information system, special education products, and other data vendors housing information.
“We discussed the following:
- Who will own and possess our student data? Also, how will subcontractors handle the data?
- How and where will the data be stored?
- Will the vendor use the student data for comparisons or marketing?
- Is the data de-identified?
- What measures are taken so the data will be secure?
- What will happen to the data if a student leaves our institution or we cease using the vendor?
“Once we launched our digital learning initiative, we installed a new firewall and building switches and virus checker on the network. We created a network loop and connected all fiber through one district firewall. We ensured that all vendors we work with are encrypting any personal information held electronically. We also disabled any ‘auto-complete’ settings.”—Matthew Joseph, director of IT, digital learning and innovation, Milford (MA) Public Schools