LIVE @ ISTE 2024: Exclusive Coverage

An IT director outlines three ways school districts can more effectively safeguard their students’ data and adhere to data privacy laws.

3 ways to strengthen your student data privacy compliance strategy

An IT director outlines three ways school districts can more effectively safeguard their students’ data

Cyberattacks and data breaches are infiltrating K-12 communities. To proactively thwart these attempts to steal student data, states such as New York are passing legislation that requires school districts to adhere to stipulated student data privacy compliance regulations.

With so much on their plates already, creating, implementing, and monitoring an effective data privacy compliance strategy is a time-consuming and stress-filled task for most school district leaders.

As the Director of Instructional Technology at a New York school district, I have been leading our data compliance efforts, and I very much understand the significant challenges schools are facing. To help other districts navigate this unpredictable landscape, I have put together the following recommendations:

1. Continuously monitor what your students and teachers are using on their school devices.

With so many free apps and web-based learning tools available, it is extremely difficult for school leaders to track what their students are using if they do not have direct visibility into their students’ and staff’s application usage data. In some instances, teachers are providing their students’ names and dates of birth to access these free resources without realizing the ramifications sharing that information could have on their students’ data privacy.

At my own district, Fayetteville-Manlius School District, we have a rule in place that teachers are not supposed to begin any new software program until they vet it with a member of our instructional technology staff. Despite this policy, I have discovered through CatchOn, a data analytics and data privacy monitoring solution we use, that some educators are continuing to introduce new online tools without notifying our instructional technology team. Even though my team reminds our staff of this policy during our yearly trainings, and the teachers agree to abide by it, I can see through CatchOn that there are products being used that have not been approved and/or vetted.

“I regularly check my CatchOn dashboard to monitor the trending apps being used in the district,” said Chiesa. “Unsurprisingly, there are products being used by teachers and students that are not approved and/or haven’t been vetted, even though our staff has said they would let us know when they wanted to use something and get permission.”

Bottom line:

It’s critical that district leaders keep an eye on what apps and online tools are being used by students and teachers–and not through word of mouth or a survey. You need to actually see what is being used. Some of my colleagues have mentioned that they get this information through their filter, but a filter has so many other functions that it is difficult to track down what apps are being used by whom.

If a program experiences a breach, I can quickly use CatchOn to sort which students have been using that app, see when they used it, and identify how often they used it. Additionally, CatchOn’s IMS Global and Student Data Privacy Consortium data privacy badges add an additional level of assurance and validity regarding the digital tools being used, which is especially valuable for our parent community.

2. Create an organized system for posting and updating approved applications and vendor contracts.

With so many applications being used in their classrooms, it is essential for districts to create an effective tracking system for their edtech tools. Within my district, we are using data analytics to house and track all this critical information because we like having all our approved applications in one place.  Every new software purchase is entered into CatchOn―how much we paid for it, when we purchased it, the renewal date, and the contract. I like being able to quickly see how much we paid for a tool or if we have the contract yet.

Regularly updating the list of approved apps students can use and communicating that list to teachers, students, stakeholders, and parents is also very important. We generate our approved apps and have them posted in multiple places, including on our district website and within our learning management system, which parents have access to.

Bottom line: School districts need to find an effective method of organizing, posting, and updating their approved applications and vendor contracts. And they need to put a system in place to make sure the information does not become stagnant and is regularly updated.

3. Be proactive in your compliance efforts.

Although many states have yet to pass student data privacy legislation, school districts need to be proactive with their compliance efforts and ask questions. Ed Law 2-d was a challenge for everybody in New York, including me, but I’ve really learned a lot through this process.  It’s concerning how long some vendors are keeping their customers’ data–even years after their contract has ended. Also, we are now asking our vendors what security training they provide to their employees who manage their servers.

Districts also need to attain a keen understanding of what software is being used by their students in the event of a breach on the vendor’s side. For example, we had an instance where there was a product that was not approved by our district, and that company had a breach. I reached out to the teachers to confirm it was not being used, and the teachers said they did not use it.  I then checked our district’s analytics, and I could see that there were some individuals using it. Having that visibility is so important because there are always going to be breaches and there are always going to be individuals who may not remember the software they were using.

Bottom line: Districts need to be proactive and diligent about protecting our students.  All districts need to be prepared for an education security breach. They need to know how long companies are holding their data, especially after the district has ended its contract. I don’t see vendors putting that information in their terms of service, so districts need to ask those questions.

With cybersecurity threats and data breaches on the rise, districts need to evaluate their current compliance practices to help safeguard their students’ data. Using a data privacy monitoring tool quickly gives district leaders the visibility, security reviews, and insights needed to strengthen and streamline their data privacy strategies.

Sign up for our K-12 newsletter

Newsletter: Innovations in K12 Education
By submitting your information, you agree to our Terms & Conditions and Privacy Policy.

Want to share a great resource? Let us know at

New Resource Center
Explore the latest information we’ve curated to help educators understand and embrace the ever-evolving science of reading.
Get Free Access Today!

"*" indicates required fields

Email Newsletters:

By submitting your information, you agree to our Terms & Conditions and Privacy Policy.

eSchool News uses cookies to improve your experience. Visit our Privacy Policy for more information.