Feb 22 2022

The Checklist: 5 Steps to Secure Student Data

Schools that lack strong data privacy policies, particularly for information stored in the cloud, can boost their cybersecurity using this checklist.

Cloud technologies are growing in popularity in K–12 school districts, with IT decision-makers adopting collaboration tools, Software as a Service applications and cloud-based backups. Among IT decision-makers surveyed, 93 percent use Google WorkspaceMicrosoft 365 or a combination of the collaboration platforms in their districts, according to “What You Don’t Know Can Hurt You,” a report by Edweek Research Center and ManagedMethods.

However, despite the widespread use of cloud tools in K–12 education, only 23 percent of respondents are “very concerned” about data breaches or leaks, the report stated. “I’m not sure this problem of data privacy has been completely understood,” says ManagedMethods CEO Charlie Sander. Collaboration tools make file and information sharing very easy, and they store a massive amount of data.

Not only that, but SaaS applications and other online curriculum tools can store a wealth of student data as well, adds Andy Lombardo, technology director at Tennessee’s Maryville City Schools. “The amount of data that gets shared in there, just like in the collaboration platforms, is staggering,” he says.

School leaders need to be sure this data is properly secured. Here are steps for schools that want to strengthen their student data privacy.

FEATURED: Schools use strong measures to protect student data.

Steps for Stronger Data Security in K–12 Schools

1. Make Admins Aware of Data Security’s Importance

The first step is making sure administrators and top-level decision-makers are aware of the importance of securing data. “It has to do with how people perceive data privacy,” Lombardo says. “Until there’s been some kind of compromise, it doesn’t seem real.” K–12 IT professionals can bring attention to the risks by reminding district leaders that there is a shared responsibility with vendors to keep data safe. Laying out the potential consequences of a data breach — such as bad press or harm to students and teachers — can also raise support for stronger protections.

2. Implement Data Privacy Policies and Provide Resources

Once administrators are aware of the importance of data privacy, they can create policies to maintain the safety of data within the district. These polices should cover who can share what information, who can access certain resources and more. “If you put a policy in place, you have to provide the resources to enforce it, be they internal resources or external,” Sander says.

3. Identify Where Student and School Data Are Stored

The next step is identifying where all the district’s data assets are stored. This includes data in the cloud and data on-premises. Look at what data is stored there, how sensitive it is and who has access to it.

READ MORE: Cloud technology continues to trend in K–12 education.

“We’ve gone through audits looking at things that vendors want, and there might be a reading program for kindergarten through third grade that’s requesting data down to the level of the stepparent’s cellphone number,” Lombardo says. “In a lot of cases, the vendor will ask for all the data and hope that you give it to them.”

4. Identify Vulnerabilities

Once districts have identified where data is stored and what that data looks like, they need to identify where there are risks and vulnerabilities. “There are multiple ways that data can leak out of a platform,” Sander says. “Certainly, you see in the news the hacking and ransomware stories, but what doesn’t make the news is inadvertent sharing — in many cases, from the inside — with people who shouldn’t see certain files or email attachments.”

5. Make Plans for Data Privacy Remediation

Identification is the first step in solving the data security puzzle, but the bulk of the work may need to be done in remediation. School leaders should consider everything from training users in basic security hygiene to the implementation of data loss prevention systems.

ManagedMethods has “made it as easy as possible for a school to set up policies around data protection and data sharing,” Sander says. The company has tools to keep vulnerable data safe, including a tool that allows IT teams to remotely access users’ inboxes and delete risky files, whether it’s a mass phishing email or an attachment that went to the wrong recipient.

Schools should also establish data sharing agreements with vendors up front. These agreements lay out clear guidelines for what vendors can do with data, how long they’ll hold on to it and the conditions under which they’ll destroy it.

Traditionally, Lombardo says, administrators are concerned with data privacy measures like the Family Educational Rights and Privacy Act, but “the bar for FERPA is really low. Basically, you only have to notify your families of your data policies.” Having up-to-date data security policies in place can help district administrators shift their focus to cybersecurity that better suits the modern classroom.


5 Steps to Securing Student Data Checklist

eclipse_images/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT