Protecting personal student information is a top priority for school administrators, but districts are also striving to be transparent with students and parents on how they use and protect that information.
Many K–12 schools are developing proactive strategies for collecting and sharing student information and outlining the steps teams are taking to keep that data safe from unwanted intrusions. While no school administrators enjoy waking up to reports of personal student data having been compromised online, they also should feel comfortable when students or parents want to know how student information is being used.
Kathleen Styles, chief privacy officer for the U.S. Department of Education, advocates a strategy that goes beyond simply putting the right security technology in place: “We try very hard to take into account the benefits the data can bring as well as the need to ensure privacy,” she says. “It’s all about being proactive and trying to plan for the use of data, and part of that needs to be transparency.”
Data governance at the district level is an important place to start. Districts can start by having a written data governance plan that recognizes the wide variety of data sources. This can include policies about how that data can be used, such as what information — if any — will be given to online vendors, or processes for formalizing contracts regarding that use.
While students and parents do not want their information to be compromised, they also need to know what the school district may be doing with it intentionally, even when scrubbed of personally identifiable information. Some districts are even trying to better understand just what data they have. That might include creating an inventory of collected data and posting it to a district website as another step in establishing greater transparency, or including information about what data schools or the district routinely collects, how it is protected and what it is used for.
The U.S. Department of Education’s Privacy Technical Assistance Center recently released a list of best practices to help school districts achieve transparency with data and adhere to federal regulations such as the Family Educational Rights and Privacy Act.
Ultimately, all of these steps should go far in reassuring students and parents when it comes to how data is managed, and provide a baseline to compare against irregularities.
Districts also can plan ahead and set notification procedures for instances when a breach may occur. While laws vary from state to state, many areas do not require educational institutions to notify parents when a breach occurs.
According to the National Conference of State Legislators, 32 states have introduced or are considering security breach notification bills this year. Even though the laws have not yet changed, school districts can act like there is a law in place even if one does not exist.
If a breach occurs, some districts still plan to inform students and parents what information was compromised as well as the steps the district will take to ensure that such a breach does not take place again.
Once schools and districts build in proper governance and transparency around their data systems, broader technical challenges may seem relatively easy in comparison. Sometimes the most difficult tasks in cybersecurity have nothing to do with the technology.