Security

CITE 2023: Protect Student Data Privacy with Ed Tech Policies

K–12 IT leaders underscore the importance of data privacy agreements and processes for implementing new tech products in classrooms.

Rebecca Torchia

Twitter

Rebecca Torchia is a web editor for EdTech: Focus on K–12. Previously, she has produced podcasts and written for several publications in Maryland, Washington, D.C., and her hometown of Pittsburgh.

IT departments are taking a closer look at the way educational technology is collecting and using student data. However, not everyone in education is aware of the risks associated with data collection, and it can be hard to convey why it’s important to use tech with restrictions or caution.

“One of the problems is translating to the general populace why it’s important to protect student data,” Christine Jones, coordinator of educational technology for Palmdale School District, said in her CITE 2023 session Tuesday. “That’s not your data to share; that’s the students’ data to share.”

Beyond that, there are laws at the state and federal level that require schools to safeguard student data.

“FERPA is specific to education, and it’s a legal obligation” of the local education agency, said CITE Contracts Specialist Erin Clancy. She talked about the Family Educational Rights and Privacy Act and other laws in a Thursday CITE 2023 session.

The speakers shared how data privacy agreements come into play, what schools should require in such contracts and how they can make sure the agreements are signed before allowing new technologies.

Click the banner below to explore ed tech solutions for your K–12 schools.

Create a Process to Improve K–12 Student Data Privacy

Schools must create a process for implementing new technology, especially applications, to ensure data security.

Jones noted that project management can lapse when it comes to getting new apps into a school. Too often, she noted, a teacher requests a new application and talks directly to administrators about it. The administrators talk to the secretaries who, upon finding money in the budget for the tech, move the request along to purchasing. The purchasing team, assuming all necessary parties have reviewed and approved the request, purchases the new tool.

This leaves out the IT department, which sometimes only finds out about the new tech when a teacher calls about a problem with it.

Christine Jones, Coordinator of Educational Technology for Palmdale School District, shares a visual example of a technology acquisition process with gaps. Photo by Rebecca Torchia

To make sure this omission didn’t happen again, Palmdale School District’s technology department worked to build a process that keeps its team in the loop. Creating this process meant laying down ground rules for the introduction of new technology.

One of the primary requirements for new technology is getting vendors to sign National Data Privacy Agreements. These documents were “community developed and designed to streamline application contracting and set common expectations between schools/districts and marketplace providers,” according to the Student Data Privacy Consortium. As the popularity of these agreements has grown, states have started to adopt their own versions.

Without an approved and signed NDPA, Palmdale School District won’t implement technology. On a large scale, this type of pressure is changing how companies do business. They’re figuring out that schools won’t buy the tech if they don’t sign, Jones said.

“They want our money, but we won’t give it to them until they agree to protect student data the way they should protect student data,” she said.

Palmdale School District’s IT team also determined that vendors need to carry at least $1 million in liability insurance, and they no longer allow one-off uses of applications. “Why are you buying it for one teacher but not for everybody? This is where equity comes in,” Jones said.

Communicate Student Data Privacy Processes and Risks

Support from administrators has helped Palmdale School District successfully implement this process. Jones said that she has communicated the importance of protecting student data privacy to principals and other administrators.

Clearly communicating the risks of a data breach has gotten the IT team the support it needs from admins. Now, these admins help to hold the line when educators make new app requests.

She also worked to communicate the process to educators directly. If teachers want to use an app, they can first go to a list on the district’s website to see if there is already a signed NDPA on file. Educators can also see if an existing application in the school’s ecosystem can meet their needs.

The process took Palmdale School District two years to implement, and stakeholders have been refining it for two or three years since it’s been in effect. But having firm rules and multiple channels of communication keeps everyone on the same page, which keeps student data private and secure.

Negotiate Contracts with Educational Technology Vendors

CITE Contracts Specialist Erin Clancy shared her experiences negotiating contracts on behalf of school districts, noting best practices for local education agencies to keep in mind when reviewing National Data Privacy Agreements.

She added that vendor-created contracts need to be reviewed thoroughly before they’re signed. “It’s not because vendors are trying to get one past you,” Clancy added. More often, “vendors didn’t set out to be in that educational space, and they aren’t aware of the new laws and obligations that go along with being in schools.”

Some things schools should look out for in these contracts include:

Are there hidden changes in the contract?
Are Exhibits A and B complete?
Is the vendor’s email address in Exhibit E?
If there’s an Exhibit H, is it attached to a vendor-specific DPA?

Bookmark this page to stay up to date with our CITE 2023 conference coverage and join the conversation on X (formerly Twitter) when you follow @EdTech_K12 and use the hashtag #CITE2023.