K–12 schools are subject to a number of data privacy laws, including the Family Educational Rights and Privacy Act, the Children's Online Privacy Protection Act and even the Health Insurance Portability and Accountability Act.
While technology is an important part of these regulations, Denise Musselwhite, technology director for Trinity Preparatory School in Florida, and Lindsay George, chief information officer at Miami Country Day School, said K–12 IT members should be taking on an advisory position, not a leadership role, in data privacy.
“People in our roles need to be consulting with somebody else at their schools to tell them what they should be worried about,” said Musselwhite in a Jan. 27 workshop at the Future of Education Technology Conference. “We are not equipped to figure out what exactly we are supposed to be worrying about. As a technology professional at your school, it is not your job.”
While IT members should not be the ones solely making privacy decisions, there are areas where they can — and should — be offering input to help.
Educate Administrators on Privacy Best Practices and Principles
In some K–12 schools, administrators may not be aware of technology principles that could help inform privacy decisions. For example, K–12 IT leaders may want to suggest installing desktop management software that applies the “principle of least privilege.”
Access to private information is usually limited to a handful of authorized IT members, administrators and trusted faculty.
While keeping the number of people viewing private information small can be a good idea, it can also prove counterproductive if those with access are able to see more information than they need to.
A desktop management solution would limit users’ access based on their specific needs. This would decrease the likelihood of staff members accidentally compromising data they should not have been accessing in the first place.
“Offering the least privilege necessary is important,” said George. “People in your schools who have access to privileged information will tell you themselves, ‘I do not want to have access to that data, because if I click on a phishing email and that information is compromised, then suddenly it’s my fault.’”
Learn from Industry Frameworks Beyond Education
One of the best ways IT members can help their schools is by learning how other industries protect their data, said Musselwhite.
Musselwhite and George highlighted three distinct frameworks IT leaders can use to help navigate privacy protocols with their administrators: the National Institute of Standards and Technology’s privacy framework, the Information Systems Audit and Control Association’s privacy principles, and the International Organization for Standardization’s data privacy standards.
Musselwhite and George also encouraged IT leaders to go beyond studying frameworks online and invite professionals in relevant fields to help answer some of the more difficult questions around data privacy.
“I implore you to tell the decision-makers at your schools that they need to invest in a legal professional or a cybersecurity insurance professional, and to include you in the meeting so that they can tell you what it is you should be concerned about.”