The focus on student privacy has grown in recent years and for good reason. As consumers, we want to know that the banks, retailers and other organizations that we do business with aren’t misusing or reselling our data. The same goes for schools, which have always gathered, stored and shared student data. Unlike paper, which can be locked in a file, digital data is generally more prone to misuse by “bad actors” that may steal it and use it illegally.
But where the banking industry has built up a level of confidence for consumers who log into their accounts online or via an app and know that those institutions won’t misuse their data, school districts are still working to establish this level of trust and confidence. Most understand the responsibility that they have to keep their students’ data secure, but they don’t always recognize that security must also ensure privacy. For example, a district may have an extremely secure system, but it could be unknowingly misusing and/or sharing data inappropriately (e.g., with outside vendors or partners).
It’s also important that districts distinguish between information security and cybersecurity. The former is focused on high-level, overall protection of information and ensures that information systems aren’t used in an unauthorized manner. It includes the policies and procedures related to security.
Cybersecurity, on the other hand, relates to the technical, hands-on aspect of protecting and preventing damage to electronic resources. Where cybersecurity is certainly part of information security, the latter also includes application security and protection of the infrastructure itself.
Confidentiality, Integrity & Availability (CIA Triad): 4 Good Starting Points
When creating what we refer to as the “confidentiality, integrity and availability” (CIA) triad, districts must factor in the myriad different aspects of security. Here are four ways to get started down the right path:
- Reduce the number of applications in use on campus. Rather than letting teachers and administrators find and use applications on their own, develop a process for “approving” applications for use within the district. This will help reduce the number of disparate solutions that are being used and give IT and other stakeholders more control over what kind of data is being shared and who has access to it. Give users access to a list of approved applications and make it easy for them to find, implement and begin using those solutions.
- Work with vendors that understand the value of privacy and security. They say you’re only as strong as your weakest link, and this definitely holds true in the technology space. Your technology partners should share your vigilance for protecting the privacy of your students’ data. If they don’t, then find another partner. For example, as a fully unified school-home communications platform, ParentSquare is only accessible with a username and password. The platform stores and protects account information on a secured server behind a firewall and uses encryption/security software to safeguard the confidentiality of any personal information that it collects.
- Make it real for teachers, students, and parents. People will take both security and privacy to heart when they can relate to the potential threats and the damage that they can inflict. For example, when we’re trying to impress upon our staff the significance of password clarity, using different passwords for different sites, and using multifactor authentication wherever possible, we’ll use an example like a retail credit card breach to support our points. We’re all consumers and know that using the same login and password across dozens of sites is a bad idea. We try to explain it to them in ways that make the situation more personal; that helps bridge that gap a bit.
- Get your leadership involved. Make sure your leadership understands that it’s ultimately accountable for everything that happens within its school district—security and privacy included. If there's a major incident of any kind in a school district, it's the superintendent who will be on the news trying to address and explain it. Also, leadership can play a key role in establishing the risk tolerance for their districts and helping everyone better understand that privacy, security, and data aren’t just “techie things.”
Start Small and Continue to Build
As much as everyone has been talking about privacy and security in recent years, there’s still a large percentage of small districts around the country that aren’t thinking about it because they’ve yet to experience a data breach, no one in their community has expressed concern, or they live in a state without a state law mandating they take proactive measures.
We talk to a lot of districts that don’t realize how much data is being shared with vendors and outside parties. Other schools feel like they just don't have the capacity or the resources to handle the issue properly, so security and privacy get tabled for another day. It’s important to keep in mind that all districts house information which is highly valuable to bad actors. No district is immune from attack. For all school districts, no matter their size, location, technological skills, or budget, it's a matter of when a security incident or data breach occurs, not if.
For districts that don't know where to start, reach out to your peers and other organizations. CoSN, with resources such as the Trusted Learning Environment, along with the Student Data Privacy Consortium (SDPC) are good starting points.
Using these resources, you can start with just one or two initiatives and gradually begin building the framework for a privacy program in your district.