Security

Schools Share Strong Measures That Protect Student Data

A proliferation of digital resources has put student data at risk. Schools are taking proactive steps to guard it.

Calvin Hennick is a freelance journalist who specializes in business and technology writing. He is a contributor to the CDW family of technology magazines.

At the beginning of the COVID-19 pandemic, Jun Kim, technology director for Moore Public Schools in Oklahoma, watched as teachers began expanding their use of free digital resources. He understood that instructors were racing to bridge the gap between school and home to keep student learning on track, but in the back of his mind, a question lingered: What impact would these new resources have on student data privacy?

“We were trying to do the right thing, and we had to get these resources out there, but nothing is truly free,” Kim says. “Teachers might be able to use an application at no cost, but what information is being pulled in exchange for that access?”

It’s a question that has vexed IT and educational leaders at K–12 schools for years — but increasingly so since the unexpected explosion of digital learning that accompanied the COVID-19 pandemic and the shift to remote learning in the spring of 2020. Districts are taking a harder look at the privacy policies of the applications they use, and taking more proactive steps to safeguard student data.

Click the banner for customized content and expert insights when you sign up to become an Insider.

In 2017, the Consortium for School Networking launched its Trusted Learning Environment initiative, giving districts the opportunity to demonstrate that they have taken strong and measurable steps to ensure student data privacy. To date, 17 school districts across the country have received the seal, but many more are in the process of pursuing it.

CoSN CEO Keith Krueger notes that the TLE seal requires school districts to put 25 different practices into place, including vetting processes for vendors, ongoing staff training and regular security and data privacy audits.

“These practices are not something a technology leader alone can accomplish,” he says. “You have to work with finance, you have to work with the technology and learning department, the superintendent has to be supportive — it’s a complicated enterprise.”

Evaluating Technology and Vendors with Student Data Privacy in Mind

“We saw a big influx of technologies during the pandemic that were perhaps not designed for classrooms, and with that came a lot of questions,” says Linnette Attai, project director for the TLE program. “Frankly, districts didn’t have a lot of time to make this pivot to online learning. Student data privacy is critically important, and this is hard work for districts.”

Without a framework in place to address student data privacy, Attai says districts tend to view each new technology tool as a challenge. “Where we see districts struggle is when the leadership is not strong on privacy and security,” she says. “When leadership is not engaged, then we tend to see weakness across the board.”

Kim says that Moore Public Schools has been slowly adopting TLE-recommended tools and practices. Particularly important, he says, is an effort to vet all new tech applications.

Student data privacy is critically important, and this is hard work for districts.”

Linnette Attai Project Director, CoSN Privacy Initiative and Trusted Learning Environment Program

“The first question is, does it meet the curricular needs of the district?” Kim says. “The second question is about interoperability: Does the tool meet our single sign-on standards so we can manage it effectively? And then the final part is about data privacy. That’s where we really get into whether the application meets the data privacy standards that we have established.”

In some cases, Kim says, the district has asked vendors to sign an addendum agreeing to follow the district’s data privacy requirements. “I haven’t had one company say no.”

In addition to adopting and following best practices, districts can lean on a variety of tech solutions to enhance their security and privacy posture, including cloud access security brokers, phishing awareness training, data encryption, and identity and access management tools.

Moore Public Schools trains teachers to avoid phishing attacks and also requires multifactor authentication for user accounts that have access to sensitive student data.

Implementing Cybersecurity Improvements for Students and Staff

Rockingham County Public Schools in Virginia began pursuing TLE certification in 2019 and achieved it in June 2021. But the pandemic and the switch to remote instruction presented a “seismic shift” in how schools used and thought about digital resources, says Kevin Perkins, technology director for the district.

FIND OUT MORE: How did one rural Virginia school earn its TLE Seal?

“We were already using a lot of digital resources, but when you think about the changing educational model that provides instruction to children who are not physically in your classroom, you are forced to use digital tools to provide that instruction,” Perkins says. “Now, you need to ask, what do we have to put in place to provide virtual instruction and keep student data safe?”

Rockingham school officials took several crucial steps. They provided additional cybersecurity awareness training to staff, with an emphasis on phishing. They also created a data privacy agreement for vendors, focused on the sharing of student data. “We want to ensure that we have awareness of and control over student data shared with any vendor,” Perkins says.

Perkins and his team also implemented a system through which teachers can request digital resources. As part of a new workflow, when educators want to start using a new resource, they put in a request, and the IT department then vets any new technologies to ensure they are safe.

Mike Van Vuren, interim deputy superintendent for curriculum and technology at Bozeman School District 7 in Montana (a TLE district), says that remote learning presented a host of new challenges to student data privacy — from parents and siblings observing remote lessons to students’ inappropriate use of chat boxes, as well as securing platforms outside of the school walls.

number of K–12 data breaches found between July 2016 and May 2020

The district kept tabs on students’ online behavior by requiring them to access all digital resources, including third-party resources through the district’s learning management system. The district also ramped up professional development for teachers on how to provide online instruction and other procedures.

“One practice that we shared was that if somebody entered the room, students could disable their video,” Van Vuren says. “We also provided PD about what third-party apps and platforms can and cannot do, and what they should and should not be used for.”

Take Action to Protect Student Data Privacy in Your District

The National Association of Secondary School Principals recommends the following action steps for school and district leaders looking to improve their student data privacy efforts:

Develop clear policies about what student information is collected, how that data is secured and stored, and to whom the data is disclosed. Also, determine each party’s responsibilities in the event of a data breach.
Implement data security practices that include appropriate retention periods, as well as proper data deletion and disposal.
Identify a district privacy officer responsible for monitoring and complying with federal, state and district policies on data privacy.
Implement procurement processes that ensure all proposed technology solutions undergo an internal vetting and approval process.
Deliver annual privacy training for all school and district employees who have access to personally identifiable student data.
Ensure that all contracts with third-party vendors that collect or access student data specifically address the allowable uses of that data. Contracts should also prohibit the commercial use of student data.

Photography by Shane Bevel