Jan 24 2018
Data Management

FETC 2018: 5 Tips to Protect Personally Identifiable Information in Schools

K–12 IT leaders can keep their students’ data protected without limiting innovation.

For Fulton County Schools, a 90-mile-long and incredibly diverse school district near Atlanta, a rollout of one-to-one devices at middle and high schools meant dispersing a wide variety of tools — from Chromebooks to tablets — that fit each school’s specific need. The scale and variety of operating systems created a unique challenge.

“It’s a cornucopia of security exposures,” said Serena E. Sacks, CIO of FCS, in a session at the Future of Education Technology Conference on Jan. 24 in Orlando, Fla. “Technology alone can’t protect our students and our data.”

While Sacks noted that next-generation security solutions can do some heavy lifting with protecting data, data privacy comes down to user behaviors.

With the alphabet soup of federal privacy regulations and increased collection of data by tech tools, protecting students’ personally identifiable information (PII) may seem like a daunting process.

Sacks and Linnette Attai, president of PlayWell, LLC, a compliance consulting organization that helps businesses and schools navigate the required protections for student data, offered up tips for keeping data private.

SIGN UP: Get more news from the EdTech newsletter in your inbox every two weeks!

1. Understand That Data Privacy is Ongoing

Safeguarding student data is not a simple process. As schools introduce new tools and work with new vendors, concerns for privacy will always be fluid.

“It’s an ongoing muscle you need to build,” said Attai. “As school systems, you are obligated to protect students. In today’s world that obligation extends to their data.”

2. Develop Basic Data Governance Best Practices

To make sure that your school district is complying with federal regulations and community expectations of data privacy, Attai noted that leaders have to create a plan for data governance.

To promote data privacy, districts should follow these guidelines:

  • Be transparent about what data is being collected.
  • Have a purpose for the data collected.
  • Don’t collect data that you don’t need. For example, in a lot of cases, Attai said schools don’t actually need social security numbers.
  • Use data only for your purpose.
  • Create reasonable and appropriate security policies for data. For example, a grade doesn’t need the same protections as a social security number.

3. Identify What PII Is and Know the Exceptions

One of the biggest K–12 privacy regulations, the Family Educational Rights and Privacy Act (FERPA) requires that school districts need to keep PII safe and get parental consent to share it with technology vendors.

But, what exactly is PII? Attai said that FERPA’s definition of PII is incredibly broad, requiring protections on everything from names and emails to birthdays.

Directory information, info contained in a student’s record that in most cases would not be considered harmful if disclosed, is an exception to FERPA and only requires that schools let parents have the option to opt their student out.

“What you have to do as a school system is define what you consider to be directory information,” said Attai. District leaders should share that definition with parents, she said, and explain how they intend to use the info.

When contracting with a tech vendor, Attai noted that districts must also identify the minimally required PII the vendor needs for students to use a tool.

Uncertain about what you need to keep protected? Check out our explainer of federal privacy regulations.

4. Lay the Groundwork for Compliance with Teachers

In spite of a district’s best efforts, unknowing educators might make use of online educational tools without considering privacy ramifications.

Attai and Sacks agreed that school leaders can keep data private without stifling innovative use of new apps and tools.

For example, Attai suggested that districts require educators who want to use a new tool to print out the tool’s terms of use and answer a questionnaire that addresses the privacy concerns of the tool.

“This serves as kind of an ‘aha moment’ for teachers,” said Attai.

5. Build Policies Around Digital Citizenship

Digital citizenship lessons for students and teachers can be incredibly helpful to support data privacy initiatives. When rolling out its new tech, Sacks said that Fulton County Schools not only required that students have digital citizenship lessons, but also offered some to parents.

Her district also wove in mandatory security lessons for educators, including some on FERPA regulations.

EdTech will provide live coverage of the event, so stay tuned for articles. Follow our FETC 2018 posts on our conference landing page.


Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.