Parents and educators read about the latest security breaches every day in news headlines. These breaches are why protecting the privacy of student data is one of the most urgent challenges districts face.
In the past, security breaches have happened primarily to consumer organizations. Increasingly, education technology breaches are perpretrated as hackers find district information systems relatively easy to access. To protect their data, districts need a comprehensive data security policy that defines precisely the pieces of student data they keep and why they keep it. This includes a review of all third-party technology vendors. Districts need to understand the terms of each vendor’s privacy policy for every digital tool and online resource they use. It’s a huge task.
At a recent Tech & Learning Leadership Summit, district leaders shared the ways they’re keeping student data safe. These leaders believe it’s the responsibility of districts to be proactive about student data privacy issues. They say all districts should be educating parents and training teachers on the importance of student privacy and personally identifiable information (PII). Federal privacy laws apply to all states, and states are being proactive about creating legislation to protect student data.
KAREN FULLER, director, network infrastructure and communications, Cypress Fairbanks (TX) ISD:
“We started to take data privacy and security seriously about three years ago. Texas State Bill 820 defines what districts need to do to protect PII. Texas also developed a partnership with the Student Data Privacy Consortium, a group of schools and districts, trade organizations, policy makers, and vendors. As part of the partnership, vendors understand their common responsibilities across the state. At Cypress Fairbanks, we’ve established a process that limits information given to vendors. We also know how to identify data breaches, and how those breaches should be reported to the state. Districts should understand that teachers and administrators are your weakest link. They need training. One way to see exactly who needs training is to send out a phishing email.”
Check out the Cypress Fairbanks ISD cybersecurity webpage. It includes links to resources on student data privacy, cybersecurity awareness, cybersecurity current events, and an approved resources database.
PETE JUST, chief technology officer and chief operations officer, MSD of Wayne Township, Indianapolis, IN:
“The state of Indiana has developed grants and CyberSecurity initiatives for K–12 schools. It includes funding for a K12 Taskforce. There is a grant to establish managed security services, and a growing “CyberSec Resource Hub” for Indiana K–12 specific resources. We recently hosted a CyberSec Sim (Cybersecurity Simulation) at our statewide CoSN CTO Clinic with 150 tech leaders and we’re making the Sim available to use with their district teams.
“At the MSD of Wayne Township, we have a student data privacy agreement that we ask all data-related vendors to sign. We’ve done significant cybersecurity marketing and have run phishing campaigns (via InfoSec) with our staff for the past 18 months. These campaigns have improved the ‘water cooler conversations’ and end-user security compliance significantly. For the past two years we’ve also implemented a calendar of CyberSecurity reviews based on standards from the National Institute of Standards and Technology (NIST) that include penetration testing from different vendors.”
ELLEN MCDONNELL, assistant superintendent for curriculum, instruction, and technology, Tuckahoe (NY) Union Free School District:
“New York state has a new Data Privacy Law (Ed Law 2-d) which is changing the landscape of accountability and responsibility regarding not just student data, but staff data as well. Though the law has passed, regulations from the State Education Department are still in the works and we’re all in a holding pattern on specifics. In the meantime, we’re creating full lists of software used, including those free titles for teachers to use, redrafting our policies, and training our staff on cybersecurity.”
ANDREW WALLACE, director of technology, South Portland (ME) Schools:
“Maine’s Student Data Privacy Consortium is managed by the Maine Educational Technology Directors Association (METDA). We worked with a local law firm to create a common privacy agreement. Once one school gets a vendor partner to sign, any member school can use the agreement.”
District leaders find value in sharing their work with one another at Tech & Learning Leadership Summits. If you’re interested in participating in one of these events, you can read more about them at www.techlearning.com/news/tech-and-learning-leadership-summits.
Data Privacy Resources
Here are some resources to help launch or augment your district data security program:
The US Department of Education website features guidance and resources about data security for districts.
https://studentprivacy.ed.gov
All 50 states have introduced student privacy laws since 2013, although not all laws have been enacted. Forty-one states have passed 126 laws on student data privacy. Find where your state stands here.
www.ferpasherpa.org/state-laws
The Forum Guide to Education Data Privacy from the National Center for Education Statistics outlines how states and districts can support data best practices to protect the confidentiality of student data.
www.nces.ed.gov/pubs2016/NFES2016096.pdf
The Student Data Privacy Consortium (SDPC) is designed to address the day-to-day, real-world, multi-faceted issues that schools, states, territories, and vendors face when protecting learner information. SDPC’s vision is to develop common activities, artifacts, templates, tools, and effective practices.
https://privacy.a4l.org
National Conference of State Legislatures (NCSL) offers policy questions and approaches.
www.ncsl.org/research/education/student-data-privacy.aspx
Pledge commitments align with existing federal law and regulatory guidance regarding the collection and handling of student data and encourages vendors to articulate their practices clearly.
www.studentprivacypledge.org
The Future of Privacy Forum hosts events that are usually free.
www.privacycalendar.org
The CoSN website defines student data privacy as the use, collection, handling, and governance of students’ personally identifiable information (PII). This includes any and all information that can be used to identify, locate, or contact an individual student—such as name, address, student ID, and login information.
Common Sense Education has videos and articles about how parents and teachers can protect students’ data privacy. They also have an information security primer for evaluating edtech software.
