After the widespread technology boom in education, district leaders and teachers are inundated with a seemingly infinite number of applications for digital learning. IT professionals are now casting all eyes to the safety and security of student data collected by the growing list of new resources, as district systems full of sensitive data become more vulnerable to cyberattacks and data breaches. Since 2018, the number of reported cyber incidents in schools has increased from 400 to over 1,300, according to a 2021 report by the Cybersecurity and Infrastructure Security Agency.
The urgency is evident as more states pass laws to protect districts and student data privacy, adding more requirements for district IT teams to manage. With the building pressure surrounding student data privacy, it’s crucial for IT professionals to have the resources and network to ensure data is protected.
In a recent discussion hosted by Lightspeed Systems®, leading voices in student data privacy—Kevin Lewis, Data Privacy Officer from 1EdTech Consortium, Jim Siegl, Senior Technologist at the Future of Privacy Forum and former Technology Architect for the Fairfax County Public School District in Virginia, and Jim Farmer, Chief Technology Officer at Fayette County Public Schools (FCPS) in Georgia—gathered to provide insights in effective protection of student data.
The following are three action items districts can take for effective student data privacy protection:
1. Make student data protection a district-wide priority and effort
District technology teams are often infiltrated with new applications on their networks and requests for even more applications to be vetted. With the large task of securing student data privacy on an abundance of applications, the panel discussed the power in a “district-wide awareness and action” approach to student data privacy protection.
In this approach, Jim Farmer explained how members of the FCPS district gathers as a “data governance council,” consisting of voices from across the district to raise awareness, education, and explanations on student data privacy protections within the organization.
“We had to raise the level of [awareness] of everyone at the table so they could go back and work with their departments and disseminate the information and awareness that we’re doing because we are tackling things like vetting of apps, password policies, security procedures, and data cataloging,” shares Farmer. “Just about anybody in your district is going to have access to information or student data. So, it can’t just be a technology initiative. It has to be done as a team and has to be taken on as one of the most important things.”
Diving in deeper, the panelists highlighted communications and education that enable district-wide personnel to be part of the app vetting process themselves. Jim Siegl, from the Future of Privacy Forum, shared a mnemonic of considerations when opening up conversations on the app vetting process for educators: ITPASSES – interoperability, training, privacy, accessibility, security, safety, effectiveness, and sustainability.
“These are all part of the conversations we would have as a district, and as educators, and technologists,” says Siegl. “It was a very inclusive way of bringing people into the conversation to talk about this. It’s more than just a privacy checklist or a privacy gateway. It was how are we bringing this particular education tool into the district to support student learning and make it sustainable, private, and secure.”
To support educators in his district, Farmer provides a rubric outline to enable them to be an active part of the vetting process. “When they go to a conference, they usually find all these wonderful apps they want to come back and use,” shares Farmer. “We’ve given them a rubric that they can pre-vet these apps and determine if this is something that’s going to fit and work, as opposed to coming back and downloading 5 to 10 new things they just saw over the last few days at a conference, and that has helped with awareness and education.”
Finally, the panel shared the need to work with edtech partners about safeguarding district data. “Make sure you work with the partners that you have, because there’s already a relationship there,” said Lewis. “Having these important discussions about privacy, about security, about your concerns as a district … because they’re the ones that can make it happen.”
2. Stay connected within the edtech network of organizations for continuous learning and leverage helpful resources
As the need for effective student data privacy protection grows, new regulations pass, and protocols change, the panel stressed the importance of leveraging the wealth of knowledge among the edtech network and resources available through them. Organizations like 1EdTech (formerly IMS Global), Consortium for School Networking (CoSN), and International Society for Technology in Education (ISTE) provide members with resources, networking, and support for IT professionals seeking assistance with student data privacy. Farmer highlighted the Annual Horizon Report by CoSN for education and awareness on key issues in edtech, like data privacy.
Kevin Lewis, from 1EdTech, shared the ways his organization is helping districts protect student data. In collaboration with K-12, higher education organizations, state departments of education, and other edtech providers, 1EdTech created a rubric for app vetting. “It was meant to give schools who want to vet their applications a quick snapshot into what that supplier’s doing and how transparent they are with their policies,” Lewis shares.
For assistance at the state level, Farmer recommended Cybersecurity and Infrastructure Security Agency (CISA) and state departments of education. Through recent expansions, districts can utilize CISA’s contacts for guidance and assistance in student data privacy protection.
3. Have a system in place to track and monitor applications on the district network and their student data privacy policies
In today’s learning landscape, the volume of threats, an abundance of new applications, more devices in the hands of students, and increased parent awareness all contribute to the need for district IT leaders to take ownership, including having visibility at all times of technology active used on devices and network across the district. As a CTO, Farmer recalls running a snapshot of one week in his district and finding over 4,500 apps in use.