Tony Inglese, Assistant Superintendent/ CIO, Batavia USD 101, IL; Bob Gravina, CIO, Poway Unified School District, CA; Robert Craven, Senior Director, Technology, Tustin Unified School District, CA.
More than 50 chief information officers and superintendents gathered at the Intercontinental Hotel in Atlanta, Ga. for two days in June to discuss, debate, and commiserate about the most provocative topic in education technology today—student data and what to do with it. From privacy to security to public relations, the next points highlight real strategies districts are using to grapple with this important but complicated issue.
1 Adam Seldow (Executive Director of Technology, Chesterfield County, VA) said their district is committed to being transparent about what data they send to the cloud and how they work to protect it. They created a section on their Anytime, Anywhere Learning Web site that displays each cloud-based app available on the students’ single, sign-on dashboard, the laws that the district must abide by when protecting student data, what bits of data are shared with each app, and what terms of service or privacy protect the data. Paul Barrette (Director of Technology, Smithfield Public Schools, RI Public Schools) said his district communicates with staff and parents about their Google Apps for Schools implementation, and they include links to the Google Terms of Service and security and privacy policies (http://goo.gl/WJIYQV). In addition, the Chesterfield County district has a contract with vendors that include data privacy protections. John Williams (Executive Director Technology and Information Services, Metro Nashville Public Schools, TN) said his district requires similar “data use and integrations” clauses to every software contract and has yet to receive any pushback from vendors.
Above: “Big data” gurus Parviz Peiravi and Joseph Opdahl help attendees drill down on the ins and outs of this often misunderstood term “Big data.” Below: Mike Watson, CIO, Tippecanoe Schools (IN) presents in the data and culture workgroup.
3 Another conversation point was helping teachers, staff, and parents understand how the data deluge can be used to inform teaching and learning. At Klein ISD, Karen Fuller (CTO, Klein ISD, TX) mentioned that their “data days” help principals not just review their data, but understand how to review this data with their teachers.
4 John Hutton and Phil Hintz (Gurnee School District 56, IL) discussed their district’s new incentive program that linked data analysis and collaboration with a monetary incentive. All employees, from bus drivers to principals, would receive a merit pay bonus if their district students demonstrated one year of growth in reading and mathematics. This motivation inspired all staff to take the time needed to better understand how to analyze the data, and the result was “the best year of learning we have ever experienced at D56,” said Hutton.
5 Greg DeYoung (CIO & Executive Director for Information Technology Services, Blue Valley School District, KS) discussed his district’s PLC model that encourages teachers to collect and evaluate formative and summative data to better understand the needs of students. They have also recently implemented a gifted student data system to assist teachers in identifying students with those needs.
Understanding the New FERPA Guidelines
For a second year, Richard Culatta, Director of the USDOE Office of Educational Technology, joined the SchoolCIO Summit to discuss big data and its potential impact for U.S. education. Below is an excerpt from the recently released guidelines, P rotecting Student Privacy While Using Online Educational Services: Requirements and B est Practices. To read the entire report go to www.techlearning.com/september14
1. Maintain Awareness of Other Relevant Federal, State, Tribal, or Local Laws
FERPA and PPRA are not the only laws that protect student information. Other federal, state, tribal, or local laws may apply to online educational services, and may limit the information that can be shared with providers. In particular, schools and districts should be aware of and consider the requirements of the Children’s Online Privacy and Protection Act (COPPA) before using online educational services for children under age 13.
2. Conduct an Inventory of Online Educational Services Being Used Within Your District
Not only will this help assess the scope and range of student information being shared with providers, but having a master list of online educational services will help school officials collaboratively evaluate which services are most effective, and help foster informed communication with parents.
3. Incorporate Policies to Evaluate and Approve Proposed Online Educational Services
Schools and districts should be clear with both teachers and administrators about how proposed online educational services can be approved. There should also be procedures in place to determine who has the authority to enter into agreements with providers.
4. Use Written Contracts or Legal Agreements
Having a written contract or legal agreement helps schools and districts maintain the required “direct control” over the use and maintenance of student data. Even when FERPA is not implicated, the Department recommends using written agreements as a best practice.
5. Create Extra Steps for Accepting Click-Wrap Licenses for Consumer Apps
The following steps are recommended before employing click-wrap consumer apps:
• Check amendment provisions.
• Print or save the terms of service (TOS).
• Limit authority for accepting TOS.
6. Be Transparent With Parents and Students
The Department encourages schools and districts to be as transparent as possible with parents and students about how the school or district collects, shares, protects, and uses student data.
7. Consider Obtaining Parental Consent
Even in instances where FERPA does not require parental consent, schools and districts should consider whether consent is appropriate. These are individual determinations that should be made on a case-by-case basis.
When Data Goes Bad
How Will You Handle a Data Breach?
One of your district employees mistakenly e-mailed a PDF file containing more than 500 students’ personal information to a student’s guardian. The file included students’ names, addresses, phone numbers, course enrollments, grades, school district identification numbers, and other transcript data. Your school district learned of the error when the recipient realized the file was sent by mistake and contacted the employee.
What would you do?
• Have a formal, written incident report form so all incidents contain the same information.
• Incorporate incident reporting procedures in a policy.
• Evaluate rules to ensure the appropriate actions are noted.
• Include a confidential disclaimer in e-mail signature.
• When an incident does happen, reflect and offer “training” for those involved to avert having the incident recur.
Offering a Parent Opt-out Request
Undoubtedly many parents are concerned about recent stories about the insecurity of online data. What if a group of parents in your district demand that their children be allowed to opt out of any system that captures their children’s personal data? This would essentially mean that their children could not participate in many activities that require online applications like Google Apps and your local student information system. You are asked to address the concerns of these parents.
What would you do?
• Create a forum for a community conversation.
• Remember that there are three components to school’s responsibility— data collection, data protection, and data distribution.
• Explain to parents exactly what data is collected and why. Help them understand the implication of not being able to collect the data. The definition of data is sometimes much narrower than they think.
• Understand that if a parent really wants to get off the grid, the school needs to accommodate that up to the limit required to meet legal and state requirements.
• Use these conversations as opportunities to educate parents and students.
What Will You Do If Your System Crashes?
• Do NOT let fear about what could go wrong prevent you from doing what the kids need.
• Respond to a data loss using the ROAR approach— Restore, Operate, Assess, and Rebuild.
• Keep change management logs.
• Focus on recovery first—not on how awful the disaster is. With strong leadership and a good plan people can be amazing in the face of disaster.
• Have tight internal processes.
• Develop a sophisticated data disaster and recovery plan (i.e., hardware, software, co-location, and procedures)
• Conduct quarterly drills.
• Partner with vendors to fix technical glitches.
• Conduct a major digital citizenship campaign. Students need to be on board.
• Pull parents in. Keep them informed and involved.
• Work closely with law enforcement on a proactive strategy related to student safety.
• Focus on consistent messaging about program strategy and execution.
• Create a culture in which failure can be acknowledged, celebrated, and learned from.