Protecting Student Data

Introduction

Enter most classrooms today and you will be greeted by an array of technology. Digital learning tools — computers. laptops, mobile devices, software programs, curriculum offerings, learning materials, websites, apps, online tutorials, games, and videos – are all being used to support students and maximize their learning. About two-thirds of teachers say they use digital learning tools every day and their role continues to grow.

The exciting opportunities resulting from technology use also present risks.

By collecting information about the user, these tools make it possible to personalize the learning experience, promote student engagement, build 21st-century skills and expand the classroom beyond the school day and school building.

However, the exciting opportunities resulting from technology use also present risks that must be managed by school systems. Protecting the privacy of the data – its collection, use, handling, disclosure and deletion of personally identifiable information — and ensuring its security–preventing unauthorized access to the data and preserving its confidentiality – are critical tasks.

The challenge for school systems is to balance the real benefits of digital learning tools with the necessity of protecting the privacy and security of student data.

Protecting Student Data: A School System Imperative

Making sure that privacy policies and practices relating to the system-wide use of technology are in place has become a critical responsibility for school systems. Over two-thirds of education IT leaders indicate that concerns around privacy and security are more important now then they have been in the past. The task is complex involving multiple stakeholders from almost all parts of school operations – student transportation, instruction, assessment, sports, counseling and community programs.

There are compelling reasons why strong student data protections at the district level are important. According to the US Department of Education’s (ED’s) Privacy Technical Assistance Center (PTAC), such a program can:

• Improve district decision-making and operations for data collection, disclosure, and use of student data
• Help districts meet legal and ethical requirements for protecting personally identifiable information
• Protect students from harm (e.g., identity theft, discrimination, predatory activity) as well as districts (e.g., loss of public confidence, the administrative burden of investigating a breach, alienating parents, financial loss)
• Strengthen communications and transparency with parents and students about data practices and security of their personal information
• Federal and state privacy laws are in place with requirements for both school districts and commercial providers. However, “compliance with regulation is generally considered to be the floor, not the ceiling”.
• Navigating the privacy landscape in a school system requires more than understanding the legal parameters. It involves strong leadership at the top of the district, clear business practices, effective data security processes and procedures, comprehensive professional development opportunities and outreach to the community.

A Roadmap to Protecting Student Data: Ten Considerations for a District

1. Establish a framework for managing student data

There is no need to go it alone. Whether a school system is beginning the data privacy journey or seeking to strengthen existing practices, there are resources to consult, review and adapt.

Consider the following:

• CoSN’s Protecting Privacy Toolkit
• PTAC’s Checklist for Developing School District Privacy Programs
• National Forum on Education Statistics Guide to Education Data Privacy
• The Trusted Learning Environment (TLE) Seal

2. Secure the commitment and ongoing support of district leadership

The districts’ executive leadership team headed by the superintendent will ultimately be responsible for the development and implementation of data privacy and security policies and practices, including budgeting for resources. A good starting point for a conversation with leadership is the Student Data Principles, developed by the Data Quality Campaign and a broad range of education groups.

3. Identify, develop and adopt necessary policies and procedures

Determine which policies and procedures are already in place. Adopt any additional policies and procedures necessary for the use of student data throughout the data life cycle, including consequences for non-compliance. Monitor and filter the network for security threats. Implement data loss prevention technology and strong access controls

4. Designate district staff with responsibility for data collection and use

Data collection is a shared responsibility within a district involving many different departments and staff within those departments. Be sure staff is assigned properly, knows their responsibilities and can access the tools necessary for success.

5. Train data users on relevant policies and procedures

In a rapidly changing environment, annual training should be required and customized for all school staff handling student data, recommending online education apps and contracting with service providers. Teachers need to understand why student data is collected and how it can be protected.

Teachers need to understand why student data is collected and how it can be protected.

6. Know the laws

Federal and state laws require school systems to keep student data secure and private, so it is critical to know the legal parameters. Make sure that the legal counsel used by your district has access to and understands education privacy laws and how they are applied to technology services.

7. Create strong business practices including vetting processes for contracts with private companies

Have in place a strong process for selecting instructional apps and online services. Understand the contract language offered by the provider and make sure it meets your privacy and security needs and concerns. Once the decision is made, communicate to parents, teachers, and students.

8. Develop a monitoring plan to ensure policies and procedures are being followed

Keep your school policies and practices updated to reflect new legal requirements at the federal and state level and emerging community norms. Perform regular audits of data privacy and security practices and publicly detail these measures.

9. Engage multiple stakeholders to effect change across teams

With shared responsibility across departments, it will be essential to bring the right people into the discussion at every step in the process and provide them with the resources necessary to ensure change.

10. Create a process for transparency with parents and students about privacy and involve them in the process

Develop an accessible communication plan for the collection, management and use of data in the community. Communicate this on a frequent basis. The infographics created by CoSN and National Public Relations Association (NSPRA) are useful tools to spread the word about privacy to district stakeholders.

Legal Framework

Federal and state laws define the legal framework governing student data privacy. The federal laws were enacted years ago at a time when technology use in school was limited. More recently states have enacted privacy laws that go beyond the federal requirements.

At the federal level, there are three major laws.

• Family Educational Rights and Privacy Act of 1974 (FERPA) is the key federal law regulating the management of student data privacy in school systems. It aims to protect the privacy of student education records (such as report cards, transcripts, disciplinary records, contact and family information, and class schedules) and gives parents rights with respect to their children’s education records. School systems must obtain written consent from parents before disclosing student records or personally identifiable information to a third party unless the use case falls within a permissible exception to the consent requirement. In addition, parents have the right to review their child’s educational record. The law does not contain specific protections against data breaches and hacking, an increasing threat to school districts in recent years.
• Protection of Pupil Rights Amendment of 1978 (PPRA) regulates the collection of information from students about sensitive subjects and the use of data for marketing. It requires school systems to obtain prior written consent from parents before administering a survey, analysis or evaluation that requires students to disclose sensitive personal information.
• Children’s Online Privacy Protection Act of 1998 (COPPA) is designed to protect the privacy of personal information collected directly from children under the age of 13. Websites, apps and online services must obtain verifiable parental consent and post a privacy policy before collecting, using or disclosing personal information of those under the age of 13.

State Legislation

State legislators have tried to fill some of the gaps in federal law by requiring more transparency, security, and enforcement, and the increased ability for parents and students to control their own data. At least 40 states have passed student privacy laws since 2014.

A recently released report card from the Parent’s Coalition for Student Privacy and the Network for Public Education grades all fifty states on their student privacy law with no state receiving an “A” grade.

Conclusion

Lightspeed Systems®: A Trusted Partner in Student Data Privacy

Ensuring student data privacy is a growing challenge for schools – and we are committed to helping you meet it both with the solutions we offer and with how we secure the data you entrust us with.

A partner you can trust

Lightspeed Systems is committed to protecting the data within our solutions. Because we focus on schools, our processes for how we protect your data are built from the ground up with student data privacy top of mind.

As a company, we are:

• Early adopters of the Student Privacy Pledge
• New York State Education Law 2-D Compliance
• California AD-1584 Compliance
• Texas House Bill 89 and Texas Senate Bill 252 Compliant

For Additional Information

The following resources provide additional information for those seeking a broader and deeper understanding of the issues involved in protecting student data.

Lightspeed Systems Privacy Documentation

• Privacy Policy
• Protecting Privacy Overview
• Compliance with New York State Education Law 2-D
• California AB-1584 Compliance
• Compliance with Texas House Bill 89 and Texas Senate Bill 252
• Privacy Shield Certification
• AWS GDPR Data Processing Addendum

Publications

• Linnette Attai, Student Data Privacy: Building a School Compliance Program
• Linnette Attai, Protecting Student Data Privacy: Classroom Fundamentals

Privacy Groups /Projects

• Data Quality Campaign
• Electronic Frontier Foundation
• Common Sense Privacy Program
• iSAFE
• Student Data Privacy Consortium
• Future of Privacy Forum
• The Privacy Technical Assistance Center (PTAC)

Frameworks

• CoSN’s Protecting Privacy in Connected Learning
• PTAC’s Checklist for Developing School District Privacy Programs
• National Forum on Education Statistics Guide to Education Data Privacy
• Trusted Learning Environment (TLE) Seal
• Student Data Principles

Understanding the Laws

• FERPA|SHERPA, resource center for federal and state privacy laws
• The Parent Coalition for Student Privacy, Network for Public Education and The 2019
  • State Student Privacy Report Card
• The Family Policy Compliance Office (FPCO) FERPA
• Complying with COPPA: Frequently Asked Questions
• An Overview of the Children’s Online Privacy Protection Act and the Family Educational Rights and Privacy Act, Harvard Law School’s Cyberlaw Clinic

Privacy Attitudes/Surveys

• Parents, Teens, and Online Privacy. Pew Research Center’s Internet Project
• Teens and Mobile Apps Privacy, Pew Research Center’s Internet Project
• Beyond One Classroom: Parental Support for Technology and Data Use in Schools, Future of Privacy Forum

Training, Education, and Communication

• CoSN’s Protecting Student Privacy in Connected Learning Facilitated Online Course
• PTAC Guidance Videos