Steve Smith, founder of the Student Data Privacy Consortium, says schools have an obligation to protect students’ information online.

Sep 25 2023

Student Data Privacy Pioneer Says K–12 Schools Must Do Better

Many schools share confidential student information, Steve Smith warns.

When Steve Smith took the job of CIO at Cambridge Public Schools in Massachusetts, little did he know that he would become a trailblazer. In the 27 years he has spent leading technology in New England schools, the founder of the Student Data Privacy Consortium has probably become best known nationwide as a student privacy crusader.

Smith spoke to EdTech about his district’s student data privacy journey and how schools can easily shore up data privacy to stop staff from inadvertently oversharing student data.

EDTECH: How did you get involved in protecting student data privacy for your district?

Steve Smith: It was not until I came to Cambridge 16 years ago that I was even aware of privacy concerns. In 2007-2008, we were trying to get devices to staff and students and weren’t really thinking about privacy. But the Cambridge parents were starting to ask, “What’s going on with our children’s data that’s going up to these applications in the cloud?”

That’s when we started building processes within Cambridge to vet applications and having hard conversations with technology vendors. It was a whole new world. I literally spent two to three years talking to tech vendors about their privacy policies to see if they would meet Cambridge's obligations under the Family Educational Rights and Privacy Act (FERPA), which was not to disclose student data and have it misused.

EDTECH: How did the Student Data Privacy Consortium come about?

SMITH: Instead of us vetting every vendor’s privacy policies, we knew what we were looking for and developed our own data privacy agreement. We started asking vendors to sign our agreement. We were one of the first districts in the country to do that, so you can imagine the reaction from the vendors. Then we started to build awareness in Massachusetts and expanded the practice across the state, so that other districts could use our data privacy agreement without having one-off conversations with vendors.

This allowed us to tell vendors, “Look, if you want to do business in the state of Massachusetts, it’s no longer just one district, and these are the terms for data privacy.”

EDTECH: What came next?

SMITH: Having districts in Massachusetts work together was better than working alone, but we still weren’t having as big an impact across the country and on the marketplace as we wanted to.

That’s when I partnered with Access 4 Learning Community, a standards body, and created the Student Data Privacy Consortium in 2015 to replicate what we were doing in Massachusetts across the country.

Instead of each state having unique data privacy agreements, there is now a national data privacy agreement that’s used across 34 states. When vendors get it, they’ve seen it before. They know what it’s asking.

RELATED: Avoid these pitfalls when implementing online education software.

EDTECH: Give us an example of what the privacy agreement says.

SMITH: For schools to use ed tech apps, vendors need access to student records to provide that service. The data privacy agreement allows the district to meet its obligation under FERPA of only sharing student data with school officials.

We can, for example, designate an online typing program as a school official, but it would need a student’s name, ID, teacher and grade, etc., to provide the services. The school can designate the provider as a school official as long as we have control over the provider, and we have control over the provider through the data privacy agreement.

The agreement says the provider can only use the data for the purposes that it was shared for; the provider can’t sell the data and can’t reuse it for commercial purposes and other similar controls.

Steve Smith
We have an obligation to protect students physically and while they are online. We must make sure we’re not allowing their identities to be stolen before they are even out of K–12."

Steve Smith Chief Information Officer at Cambridge Public Schools and Founder of the Student Data Privacy Consortium

EDTECH: You’ve accomplished a lot in the eight years since you started the consortium. Is there more to do?

SMITH: I do feel really proud about how much we have accomplished over the past eight years. However, when I travel around the country, there is still a lack of awareness in many places. As successful as we’ve been, there’s still a lot of work to do to really shore this up across the country.

EDTECH: What do you think is preventing schools from making student data privacy a top priority?

SMITH: There just aren’t enough resources and manpower and time to do everything that’s required. There are so many small school districts that don’t have the resources.

Until it comes to be raised as an issue, either through community awareness, parents speaking up, or a state law or an incident that has happened, a lot of districts without resources just are not going to address it. There are too many other priorities that they’re worried about.

EDTECH: What do you tell people when you present on this topic?

SMITH: You can buy tons of student data online. We have an obligation to protect students physically and while they are online. We must make sure we’re not allowing their identities to be stolen before they are even out of K–12. 

The consortium has tried to make it easier. Our goal is to get these very useful applications into the hands of teachers and in front of students quickly and safely, knowing that they’ve been vetted and that privacy has been addressed.

LEARN MORE: See how this Illinois district won the Trusted Learning Environment Seal.

EDTECH: What about apps that teachers find and use on their own?

SMITH: It could come back on the teacher for having improperly shared certain data with a vendor via an app. So, districts must build awareness among teachers to really create a secure environment.

Teachers, meanwhile, must realize that the district is helping them by vetting these apps. It takes the burden off them if it turns out that the vendor is doing things they shouldn’t be doing with the data.

EDTECH: Any other tips that schools should know about creating a more secure environment?

SMITH: Microsoft and Google make it easy to share information, but what some schools don’t know is that without a security wrapper monitoring those tools, they are probably sharing a lot of student data publicly, or to more people than they should. I recommend a security wrapper to make sure that no student-level data is being inappropriately shared.

WATCH NOW: Advanced Google tools help protect student data from being shared publicly.

EDTECH: How can school staff get started on their student data privacy journeys?

SMITH: Start by visiting the school district’s policies around tools and ensuring that you’ve got the right policies in place. And be patient. It is a multiyear process to go from an unaware district to a district where the culture is changed to respect the privacy of students.

EDTECH: What kind of impact do you think your work has made on ed tech?

SMITH: Streamlining those privacy obligations has really had a huge impact on the whole ed tech marketplace. Now schools are having real conversations about what’s expected, and vendors that want to do the right thing know that they must make changes to their applications and their policies.

Photography by Ken Richardson

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT