Over the two decades that Rose Muller has been working in school technology, the challenge of maintaining student and staff data security has grown beyond a level that IT departments alone can meet. The entire school community now needs to be enlisted in the effort to keep sensitive information safe, she says.
“The IT staff used to be able to police information security, making sure technologies were in place to protect the network infrastructure and enforcing access and password policies,” says Muller, the technology director of Bristol Warren Regional School District, which has six schools serving about 3,500 students in Bristol and Warren, R.I. “But as we implement more educational technology and services that gather sensitive data, we have to make sure that everybody in our community is aware of security issues for themselves and our children.”
One guide for the district’s efforts to maintain information security is the Data and Privacy Dashboard of the Future Ready Schools Framework created by the Alliance for Excellent Education. The FRS Framework is dedicated to helping schools use technology and data to improve education while ensuring the safety of sensitive data, says FRS Director of Innovation Thomas Murray. There are four elements to the Data and Privacy section of the framework, addressing how a district should build data and data systems; data policies, procedures and practices; data-informed decision-making; and data-literate education professionals.
Schools have to negotiate several layers of privacy regulations, starting with the Family Educational Rights and Privacy Act at the federal level and moving through state laws and local policies, says Murray — and the stakes are high for a false step.
“You can have all the right policies in place, and one error can put your district in the national news — and, more important, put student and staff information at risk,” Murray says.
While security technologies can reduce the risk of network intrusions from the outside, the security of sensitive information is largely dependent on human decisions. District officials need to understand the privacy laws and regulations that apply to them and put policies in place to comply with them. After that, the challenge is to match practice to policies by providing training for staff and having conversations with students about digital citizenship, including privacy protection, Murray says.
“Everyone in the school community has to be aware of what information can be shared and with whom, and administrators must know how all the information gathered is tracked and acted upon,” he says.
Bristol Warren follows industry-standard best practices to protect human resources and financial data as well as user privacy, and those practices receive regular outside audits, Muller says. Raising staff and student awareness in the less regulated arena of educational technologies is more complicated, especially as the district implements an expanding one-to-one program.
Privacy protection and digital citizenship are prominent professional development topics for the district’s teachers, who take the conversation back to students in their classrooms, says Director of Educational Technology Thomas Driscoll. Library media specialists also regularly present Common Sense Media’s K–12 Digital Citizenship Curriculum, which covers data privacy and cyberbullying but is not related to FRS.
Driscoll also vets all the learning technologies that come into the district and rejects products with inadequate privacy policies. The district tries to strike a delicate balance between promoting creativity and guarding privacy in the technologies it implements, he says. “Some tools are really engaging, but they have to be smart about how they treat data as well,” Driscoll says. “We and the vendors are collecting a lot of useful data. We have to make sure that data is being used to improve student experiences, not to compromise their privacy.”
In Talladega County, Ala., where nearly 7,600 students in the district’s 17 schools participate in a one-to-one program, protecting data privacy is always a concern for Craig Bates. As the district’s coordinator of instructional technology, he is on the front line of privacy defense, providing information about dangers and best practices, and vetting technologies.
“The big challenge is the education of adults, teachers and administrators, so that they’re aware of laws and best practices,” says Bates. “You can put policies in place, but there’s no software or other tool that can enforce them. Education is the best defense because that’s what can lead to everyone being diligent.”
Talladega County Schools protects its network with firewalls and intrusion protection solutions, as well as with authentication software that controls access and user permissions. The IT staff closely manages vendors and requires a memorandum of agreement regarding data use. Plus, any application that requires significant data sharing has to be approved at the district level. The district could lock down sensitive data further by restricting access to more applications, but that runs contrary to the educational mission, says Bates.
“I want people to trust that we’ll use data responsibly, but we are not a bank,” Bates says. “Our needs are different, and our security measures can’t be the same. We can’t get in the way of learning and helping children become curious and innovative.”
Raytown Quality Schools in Raytown, Mo., is one of the districts that helped launch the Consortium for School Networking’s Trusted Learning Environment Seal initiative, which supports the use of best practices in data privacy protection and making those measures transparent to the community at large. The TLE Seal caps a decade-long effort to maintain a culture of data security awareness at Raytown Schools, says Director of Instructional Technology Melissa Tebbenkamp.
“We want to make sure everyone understands the importance of data privacy,” says Tebbenkamp, whose district serves 9,100 students in 18 schools. “We look at the entire data lifecycle. And we only want to generate and consume data we have a compelling use for.”
The culture of privacy protection awareness in the district is bolstered by a “hefty” data governance manual and an approval procedure that evaluates any software used in the district from the aspect of data security, says Tebbenkamp. The district negotiates stringent data protection agreements with vendors and is willing to walk away from tools that don’t meet its privacy standards, she says. The biggest challenges often involve free applications, where the district has less bargaining power, she adds.
Building a culture of data security takes time, cautions Tebbenkamp. Students must learn to be safe consumers of information as well.
“For several years, districts across the country have made physical security a priority, and we have to do as much for data security,” Tebbenkamp says. “A lapse in data security can impact a student or staff member for the rest of their life.”