Student Data Privacy and Your School District
January 23rd, 2018
Best practices for preventing the misuse of student and faculty personally identifiable information (PII)
Take a look at these headlines:
Data Breach Exposes Hundreds of Student Records: The personal information of Palo Alto High School students was published via a website that allowed students to see class ranking, grade-point averages and identification numbers.1 (October 2017)
Texas school district data breach affected nearly 23,000 students, faculty members2 (January 2017)
And this one from earlier this month:
The Regina Public School Division is addressing policy gaps after a teacher uploaded more than 2,000 documents, many containing students’ information, to a public website. (January 2018)
Keep your student and faculty information safe and secure
Student data privacy concerns center on the misuse of personally identifiable information (PII). This concern has become a very important issue to superintendents across the US as school districts decide how to keep student data safe in an ever-changing digital world.
So how do you prevent your school district from becoming one of the above headlines? Start with this list of 10 best practices to keep your student and faculty information safe and secure.
- Support your district’s IT Administrator. Ultimately the responsibility of data protection falls on the district’s IT administrator. However, you should not assume that your IT admin has it all handled. In fairness, any IT admin has his/her hands full of many different duties and responsibilities, and may not be fully aware or on top of student data privacy — because this stuff moves FAST! As a superintendent, make trainings and continuing education on privacy available to your tech team. Hold regular conversations about what is being done to protect your district’s data and prevent misuse or leaks of information. Review standards, protocols and how you will enforce your policies throughout your schools.
- Don’t let the responsibility of PII fall on only one person’s shoulders. Appoint a group or committee to stay abreast of the laws and regulations relevant to your state and school district. This group’s goal should be one step ahead and be proactive rather than reactive.
- Create clear policies, practices and procedures. Clearly identify whom should have access to information, and what type. Decide how data is managed throughout its lifecycle — from acquisition to termination.
- Use encryption. Encrypt stored and transmitted information so that if it were to be intercepted by a 3rd party, it would not be usable.4
- Consider using an IAM. According to CSO (a news, analysis and research on security and risk management company), identity and access management (IAM) products provide IT managers with tools and technologies for controlling user access to critical information within an organization.5 IAMs work with the less is more principal in that the less amount of people with access to information is better because it will decrease the chances of a data breach. IAMs help to make sure that only the authorized parties have access to PII data.
- Background check your vendors. Just like you’d check the background of a potential employee before hiring him/her, you should employ the same concept when selecting a vendors to work with. Some K-12 educational technology vendors are taking their commitment to privacy a step further and signing the Student Privacy Pledge. According to their website: “The Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA) introduced a Student Privacy Pledge to safeguard student privacy regarding the collection, maintenance, and use of student personal information.”6
- Use unique user IDs. Create IDs that cannot be easily tied to an individual student, parent or faculty member.
- Don’t throw in the kitchen sink. Make sure you only give vendors the information that they will need to get the job done. For example, you don’t have to give the school photography company your student’s addresses or phone numbers. A textbook vendor doesn’t need to know your parent’s email addresses.
- Be prepared. Why do we have fire drills? So our teachers, students and staff can get out of a building safely, should a fire really happen. Use this example when thinking about your a privacy breach. If you go through all of the “what ifs” as a team before, then if you are actually faced with a breach, you will know what to do. Don’t know where to start? This resource from the US Department of Education’s Privacy Technical Assistance Center (PTAC) has a data breach response checklist to help.
- Be mindful. Most times common sense is the answer. Check and balance to make sure that your district is following best practices and that staff is aware and mindful of protecting the privacy of students whenever they use technology.
Bonus Tip for Safeguarding Student Data
Train your teachers. Technology tools and apps have made it possible for teachers to customize learning, collaborate, create, and share ideas online. Teachers must be trained on the importance of protecting students data while they help them learn. Bring in a speaker during a staff development day, provide access to articles and provide hands on training.
More resources:
New York State: Student Data Privacy
Seal of Approval for Schools
1. Noguchi, S. (2017, October 9). Data Breach Exposes Hundreds of Student Records. Retrieved January 11, 2018, from http://www.govtech.com/security/Data-Breach-Exposes-Hundreds-of-Student-Records.html
↩
2. Lestch, C. (2015, January 5). Texas school district data breach affected nearly 23,000 students, faculty members. Retrieved January 11, 2018, from http://edscoop.com/texas-school-district-data-breach-affected-nearly-23-000-students-faculty-members ↩
3. Ashley Martin, Regina Leader-Post (2018, January 10). Regina Public investigated after teacher breached students’ privacy. Retrieved January 11, 2018, from http://leaderpost.com/news/local-news/regina-public-investigated-after-teacher-breached-students-privacy↩
4. E School News. Six things schools can do to ensure student data privacy. (2016, October 18). Retrieved January 11, 2018, from https://www.eschoolnews.com/2016/10/19/6-things-schools-can-ensure-student-data-privacy/
↩
5. Martin, J. A. (2017, December 13). What is identity management? IAM definition, uses, and solutions. Retrieved January 11, 2018, from https://www.csoonline.com/article/2120384/identity-management/what-is-identity-management-iam-definition-uses-and-solutions.html
↩