Jun 13 2019

How K–12 Schools Can Safeguard Student Data Beyond Graduation

District privacy protection remains a top priority even after students move on.

So, what happens to the pile of data high school students leave behind when they graduate? Federal, state and district mandates dictate graduates’ data receive the same oversight and privacy protection required throughout their K–12 education. 

Districts must comply with strict protocols for data destruction related to graduates and safely retain the rest, even as maintaining the privacy and security of sensitive information has grown more complex with the proliferation of applications and devices.

“We have to look at all systems and data sets individually to make sure we don’t purge data the district or the student will need,” says Melissa Tebbenkamp, director of instructional technology at Raytown Quality Schools in Missouri. 

RQS waits until summer school is over to deactivate and purge graduates’ email accounts and server file storage

The state of Missouri stipulates the types of data that must be secured in a permanent record, as well as the required data format for retention. RQS scans paper records and uses Laserfiche software for formatting and privacy protections, says Tebbenkamp. All permanent records are kept in secure onsite storage and backed up to the cloud. 

Purging unwanted graduate data and creating compliant, useful permanent records are part of a continuing focus on data governance in RQS, which has earned the Consortium for School Networking’s Trusted Learning Environment seal, awarded to districts that meet strict data privacy standards. 

“You can’t protect data after students graduate if you don’t know what data you’ve been collecting and where it is,” Tebbenkamp says. “That’s not just for grads, that’s for all our students.”


K–12 Schools Should Craft Vendor Contracts Carefully

As data privacy becomes more complicated, a focus on vendor agreements is crucial, says Dan Layton, CTO of Zionsville Community Schools in Indiana, a district with about 7,000 students. 

“We have changed a lot of the language in contracts in recent years,” says Layton, whose district also earned a CoSN TLE seal. “You have to know who controls the data in any application, make sure it’s not shared with anyone else, understand what happens with a student’s data when their time with us is over and what happens to data at the conclusion of the contract.”

As a result, ZCS teachers can no longer just install an app without it being vetted by IT to ensure that the vendor complies with the district’s data governance policy.

When students graduate or transfer out of ZCS, they can access their Microsoft Office 365 accounts for 30 days, and their data remains active in the district’s Enterprise Office 365 for another 30 days. 

After that, most of the data is destroyed. Information that must be retained by federal or state law is stored on the district’s PowerSchool student information system server and backed up to the cloud, says Layton.

“We keep as little information as possible, just what’s legally required,” he says.

MORE FROM EDTECH: Check out how K–12 IT leaders can advise on data privacy.

School Districts Keep a Firm Grasp on Data Access

To maximize control over sensitive data, California’s Fresno Unified School District built its own on-premises student information system, backed up to an offsite facility owned by the district, says CTO Kurt Madden. 

“Privacy is one major reason we have never moved our SIS to the cloud, despite the size of the district and the amount of data we deal with,” he says.


The number of student privacy laws passed in 39 states since 2013

Source: ferpasherpa.org, State Student Privacy Laws, June 12, 2019

The system resides on a secure Microsoft SQL database server and is designed to be password protected and date sensitive. 

Once graduation has passed, students must make formal requests for their own information, and access is limited to specific district staff members. FUSD never collects Social Security numbers or financial data and, after graduation, only retains the information required by the state of California, says Madden. 

The district also conducts frequent teacher and staff training in data privacy practices, because breaches are as likely to be the result of human missteps as they are technical failures, he says.

“Security and privacy are ongoing battles for every district, both before and after a student graduates,” Madden says.

LuckyStep48/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT