The rapid deployment of educational technology, paired with an increase in the number of states passing data privacy laws, leaves many district administrators and technology leaders with a daunting question about protecting student and staff information: Where do we start?
In many cases, this conversation is happening after the technology is deployed. Many leaders are concerned about what new legislation may mean for their districts.
But there are crucial steps to take to get a better handle on the status quo of data privacy in your schools and to develop a data governance strategy.
Technology Planning Starts with an Assessment
A free security assessment is the first step to determining whether vulnerabilities exist. Expert staff work with you to examine your district’s data security status quo, provide guidance on what should be happening and identify any weak points.
It also is important to have clear designations and parameters governing what devices may be used, what data may be collected and shared, who can access the data and how they access it. An assessment can provide a framework so that IT leaders can start to have these conversations in their districts.
Make Sure Faculty and Staff Know the Laws
There are plenty of them. Since 2013, 39 states and the District of Columbia have passed more than 110 laws addressing student privacy, Amelia Vance, director of education privacy at the Future of Privacy Forum, recently told EdTech.
“Those laws dramatically changed how districts, how ed tech companies, are dealing with this issue, and their awareness that it is an issue, that it is something they really need to pay attention to,” Vance said.
Consult with an expert for guidance on where to find information on the relevant data privacy laws in your area. When I’m working with customers, I often look up specific schools and the related data privacy laws. While I can’t offer legal advice, I point clients to resources where they can get more information.
Develop a Data Privacy Strategy
The work to protect data privacy doesn’t end, so have a plan to continually assess your organization’s data privacy needs. Review the plan regularly to ensure it is up to date.
To start, make sure you know the basics about how your organization collects, stores and shares data.
Questions you and your team should start asking include: What data is collected? Where and how is it collected? Who has access to the data, and should those with access actually have it? How long is data stored, and how is it destroyed? Make sure you have parameters in place for authenticating the identities of everyone granted access to sensitive information.
Also, develop strategies that address any data that may be collected through Internet of Things devices. As I’ve said before, more devices also mean more opportunities for cyberattacks. Proactive steps used to secure other technology, such as limiting bandwidth access and ensuring devices are properly patched and segmented, will help.
Teach Educators and Students to Be Responsible Data Guardians
Many vulnerabilities to data privacy are user based. Make sure teachers and students know what they need to do to safeguard their own data. Make sure they understand best practices for downloading software, sharing information and generally keeping data safe. In the end, data privacy should be a collective effort.
As of July 2, there have been 491 cybersecurity incidents in K–12 schools since January 2016, according to The K–12 Cybersecurity Resource Center. Proper planning, education and strategy will not only ensure that members of your school community are good data stewards, but also reduce the chances that the next cybersecurity incident affects you.
This article is part of the "Connect IT: Bridging the Gap Between Education and Technology" series. Please join the discussion on Twitter by using the #ConnectIT hashtag.