In a presentation on student data privacy for Tech & Learning’s recent virtual leadership summit, Ivy Nelson, education technology manager for Belton (MO) School District #124, shared that of the free apps her district was using, only one-third were FERPA and COPPA compliant. This places the district at risk for violations of federal and state student data privacy laws, in addition to any litigation that students’ parents might bring over data breaches.
Monitoring, reviewing, and approving apps for use is a huge task for districts, but an important one as the landscape is constantly shifting with new regulations. District IT professionals must ensure they are compliant with all data privacy laws.
One issue that requires constant monitoring and staff development is terms of service. When a user “clicks through” their acceptance of terms of service on any app, this has the same effect as a legally binding contract. Many free apps do not have the built-in data protections required by privacy laws, which puts the district and student data at risk.
All apps and digital resources approved for use by a district should undergo a defined approval process. The best way to do this, Nelson advises, is to establish a data governance policy.
Designing a Data Governance Policy
Everyone in a district is responsible for student data privacy; it is not the sole responsibility of the IT department. Creating a data governance policy is a labor-intensive task, says Nelson, “But a little pain now will save a lot of pain later.”
Districts that are successful in protecting student data exhibit leadership from the top. Here are some of Nelson’s recommendations to get started:
- Involve leadership by getting them to acknowledge the need.
- Designate an Information Security Officer (ISO) who is the individual responsible for policies relating to data use and privacy.
- Bring the right people to the table.
- Determine which policies and procedures are already in place.
- Adopt additional policies and procedures as needed.
- Train data users on relevant policies and procedures.
- Think about how best to communicate about privacy to parents and students.
- Develop a monitoring plan to ensure policies and procedures are being followed.
Strategies and Tactics for Implementing Data Governance Plans
Karen Fuller, director of infrastructure, communications, and networks for Cypress-Fairbanks (TX) ISD, was co-presenter of the session.
Cypress-Fairbanks is the third-largest district in Texas, and Fuller and her team have taken additional steps to ensure they maximize cybersecurity while protecting student data privacy. Like many fast-growing districts, Cypress-Fairbanks has an ongoing cybersecurity challenge, particularly in the new normal of remote and hybrid learning models.
Fuller recently oversaw a two-week implementation of a 1:1 program that required the immediate distribution of 117,000 devices to K-12 students and an aggressive focus on data privacy evaluation.
Managing Data Security
The Trusted Learning Environment Seal is a mark of distinction for school systems signaling that strong and measurable steps have been undertaken to help ensure the privacy of student data. Fuller says that earning the seal takes some time, but it is a sign of the district’s commitment to protecting student privacy.
Annual cybersecurity training is now required by Texas state law HB 3834 for all district staff. The district experienced a data breach of payroll information prior to staff training, which provided a real-life example of the importance of protecting data. Fuller and her team have undergone extensive staff development, believing that the more personally relevant they can make the training, the better compliance they’ll have throughout the district.
Fuller participates in the Texas K-12 CTO Council, which sponsors TXSPA, the state affiliate of the National Student Data Privacy Consortium (SDPC). The SDPC helps establish common data privacy agreements unique to the jurisdiction of each state. Districts using this common agreement do not have to negotiate separately with every edtech vendor about permissions and privacy. Vendors doing business with member districts must sign this agreement. Using the agreement mitigates some risk for districts.
Data breach insurance discounts are available to Cypress-Fairbanks because of the practices it has implemented, Fuller said.
Fuller concluded her presentation by emphasizing the importance of staff training again. “This is how we protect ourselves and the district,” she said.