IT Trends | Roundtable
Keeping Student Data Private
Five CTOs discuss their data privacy concerns and reveal how they are working with teachers, students and the community to safeguard student information.
- By THE Journal Staff
We live in an era of Big Data and small devices. The combination of mobile computing and always-connected, cloud-based software creates enormous freedom for students and teachers — and enormous headaches for the technology officers tasked with managing it all. In an EdRoom roundtable co-hosted by THE Journal and CoSN, district-level tech leaders shared their concerns and offered some solutions to colleagues looking to make sure that private data stays private.
When it comes to privacy of student data, what are the issues that K-12 educators need to be concerned with?
Steve Young is the chief technology officer at Judson ISD in San Antonio, where he has served in that capacity since 2006. In 2011-2012 Young was selected as the chair of the Texas K-12 CTO Council, the first state chapter of CoSN. He is also the founder of the San Antonio Area Technology Directors group.
Steve Young: Privacy and confidentiality of data is a paramount issue, in and outside of K-12 education. Malicious and nonmalicious use of personal data can range from disturbing to outright criminal. We have seen Facebook use personal users' photos in advertising, and we have seen massive data breaches like the theft of identity information of over 110 million Target customers.
As districts, we are required to protect student data under the federal FERPA guidelines. But guidelines or not, we owe our students the right to privacy of their confidential information. What scares me as an IT administrator is that major multinational companies with large IT staffs and IT security specialists are experiencing breaches daily. Very few of us in K-12 education are lucky enough to even have a dedicated IT security staffer. That seems to make the challenge we face almost insurmountable. But this does not mean we should ignore our duties to our students. We need to be diligent in securing systems, educating our staff and students and selecting technologies and systems that are secure.
Selecting technologies raises what I see to be a larger issue. Every district staff member to some extent is now an IT staffer. Anyone can sign up for free, cloud-based Web software and potentially be sharing private student data in a matter of minutes, entirely bypassing an IT department or any approval process. A teacher might unknowingly sign up his students on a Web platform that does not comply with COPPA, with the best of intentions of trying something new out with his students. Or an office worker may mistakenly place a spreadsheet of FERPA-protected data into an online file-sharing service like Google Drive, Dropbox or Box and mistakenly share this data with persons not approved to access it. All of this only takes a few clicks and can be done by virtually anyone in any school.
One of the main ways to combat this is through education of staff. Districts need to leverage online training, newsletters and other opportunities to educate staff about the importance of protecting students and their data.
Jean Tower is currently the director of technology for the Public Schools of Northborough and Southborough, MA, a regional district of ten schools serving the two towns. She serves as a board member of MassCUE and is currently the president of the board of METAA (Massachusetts Educational Technology Administrators Association), the local CoSN chapter. Tower is CoSN's current Chair.
Jean Tower: Security of student data is more important than simply having a student database system that is secure. There are many ways information can leak out. Educators need guidelines that help them operationalize the sometimes vague ideas of privacy that many teachers have. For example, COPPA is a driver behind many Web 2.0 sites' terms of service requirement that users must be 13 or older to create an account. Yet many educators think it is okay to have elementary school students sign up for Evernote or Instagram or some other app that has great educational potential.
K-12 education needs to be concerned about data privacy and security at many levels, from the district level and enterprise software all the way down to the classroom level and apps that teachers are making uninformed decisions about using.
We need helpful tools that can guide district leaders through the process, helping them to pay attention to data issues and suggesting actual language to include in service contracts.
Curt Cearley serves as the director of technology services for Fayette County Schools in Georgia, a district of approximately 20,000 students in 24 schools.
Curt Cearly: We in the technology department and many others at the district level know about FERPA, HIPAA, COPPA, CIPA and the rest of the alphabet soup that guides our decisions at the enterprise level and drives our discussions with vendors, suppliers and others to ensure the greatest level of protection possible.
Easy guidelines, repeated warnings, training and education, and constant vigilance are necessary to protect students and their data at the enterprise level, the classroom level and the student/parent level. We provide our schools this table of some of the most frequently used applications with a review of their terms of service, age limits and parental permission requirements. We review it quarterly (about all we really have time for, which isn't a great solution) and update or add information for teachers and staff.
Being mindful guardians of the data entrusted to us (teachers, administrators, staff) is an imperative. Selecting enterprise solutions that help us be protective of that data is an essential first step. Digital citizenship and an awareness of the "footprint" we (teachers, students, staff, parents) create is an imperative. Teaching and training all who work with students, parents, faculty and staff is an essential first step in that imperative.
Melissa Tebbenkamp is in her eighth year as the director of instructional technology for Raytown Quality Schools. She is a founding member and past chair of the Missouri state chapter of the Consortium for School Networking (CoSN).
Melissa Tebbenkamp: In addition to those mentioned above, a consideration that districts continue to struggle with educating staff on is adhering to policy when it comes to protecting the student information and refraining from unapproved online resources.
We have guidelines and policy in place that explicitly state that all student information should be kept private and secure, including encrypting information that may be on a mobile device or online storage. However, we still risk incidents each year where a laptop is stolen or USB drive lost that has FERPA-protected information that is not encrypted. Student information is stored on online file-sharing. I have found that the best approach in our district has been a "hit the pavement" approach where administrators personally connect with teachers and educate them on the "why we shouldn't/can't" and let the word spread from there.
Another major concern we have been facing are sites that explicitly state that by signing students up for accounts, the teacher/district is taking on the responsibility of compliance with COPPA. Educating our teachers about privacy policies and terms of service is imperative. The documents are long, and nobody wants to take the time to read all the legal jargon. However, it is important to understand the terms for each resource used. It is also difficult to keep a current, comprehensive list of approved/unapproved resources. Therefore, we must trust our teachers to make wise decisions about their chosen resources and provide them with the education and resources to help them make the best decision.
Lenny Schad is currently CTIO for the nation's seventh-largest school district, Houston ISD. His first book, Bring Your Own Learning: Transform Instruction with any Device, is scheduled to be published this month.
Lenny Schad: I will add a couple things: 1) We need consistency in the legal opinions regarding COPPA and FERPA as they relate to the K-12 space. The application of each act is different with each attorney, and therefore different within each district. Adherence to these acts is critical and should not be invented by each individual school system. If we could get a consistent opinion for each act, application and adherence would be a lot easier. 2) One of the areas I am most concerened with regarding data security is second-party data mining. There is not a school system in the country that does not have sensitive data in the cloud. How can we ensure that our data being stored in the cloud is not being mined by second parties, and if it is, what data is being mined and where is it going?
What practices are your district staff following and what technologies are they using to protect the privacy of student data?
Young: We obviously employ many standard security technologies, such as firewalls, Web filtering, virus scanning at several points, e-mail filtering and restrictive access to install software. All of these help against malicious attacks, but less so with inadvertent sharing of private data. That will best be prevented through user vigilance and education.
Tower: Steve, you raise a growing issue, especially challenging when educators jump in to sites without awareness of or adherence to regulationss and district policies. But even with sites that have been approved, there is always a possibility of data being stolen or leaked. I also believe that we have to treat all student data as seriously as if it were credit card information. I have heard teachers opine that nothing they are giving these sites is "worth" stealing or hacking.
In my district we use Google Apps. This makes collaboration and sharing quite easy for students and teachers alike. But we find we have to be very diligent about educating teachers about information that is okay to put in a Google doc and what is not. That's one very small example of the kind of issues we are dealing with every day.
Cearly: As we adopt more and more applications for portable technologies (phones, tablets, readers, etc.), we know less and less about those application developers, their intentions and their security. This makes not only students, but the adults in the district vulnerable. I'm not naive enough to believe that everyone is going to carefully look through the EULA or the terms of service and ask the tough questions of the application developer for something that was found to help resolve a particular curricular issue or assist students in grasping a concept.
At the district, we do the best we can to help solve those issues before they come up. We are working hard toward appropriate rather than acceptable use agreements. We provide a wide variety of digital citizenship resources to help keep that at the forefront of what we do online. We stress data privacy with teachers and administrators monthly. We ensure the hardware and software are in place to protect the network, data and users. Here is the scope and sequence for K-8. Here are some additional resources we use for digital citizenship for parents and students.
Tebbenkamp: One way we help extend the education of our teachers is by including privacy and security in our digital citizenship and technology curriculum starting in elementary schools. We begin at second grade teaching students to not give their personal information online, even when signing up for a Web site. We also teach students about privacy policies and COPPA.
We do have policies in place that state that only district sponsored/hosted/approved sites and social media can be used with students. We have a process in place to have Web sites and software approved. However, there are always a few teachers who inadvertently do not follow policy. We constantly speak individually with our teacher leaders to guide best practices and promote the district resources provided.
No matter how much you educate and secure your information, there is always a risk of a security breach. Several years ago we had a breach of information. This eye-opening event stressed that your greatest risk is the human element. After that event, our district began a practice of having cybercrime and data breach insurance.
Schad: Incorporating digital citizenship into your PD and curriculum is the only way to begin the behavior change required in the area of data privacy. However, the focus cannot be just on teachers and students. Your digital citizenship program must extend to the community, particularly parents. There are great resources available to school systems free of charge so once again don't feel like you have to reinvent the wheel.
Tower: Common Sense Media is a great resource for digital citizenship materials.
In your district, do you allow student use of consumer cloud computing applications, contracted cloud computing applications or both?
Young: At Judson ISD we are using contracted cloud services. We have certainly not perfected the adoption of these. And many educational software cloud providers seem mystified when you start questioning them about their policies and how they store and share data. I think that will start to change with schools' awareness of the issues, thanks to resources and toolkits from organizations such as CoSN. Recently we have used this list of cloud questions to start our discussions with providers. It is not comprehensive, and I think I will be combining this with some of CoSN's resources for an even more comprehensive list.
Schad: In HISD we use both consumer and contracted cloud applications. As issues continue to arise with consumer cloud applications related to data privacy, our policies will need constant review. Regarding contracted cloud computing, we are developing verbiage that will be included in any evaluations and will be a key element in the approval process. To develop the verbiage, we are using the same resource mentioned in Steve's response as well as reaching out to other school systems and agencies.
Tebbenkamp: Raytown does not allow student use of consumer cloud computing. We are currently using Google Apps for Education for second grade, one middle school and one high school. We will launch Google Apps districtwide for the 2014-2015 school year.
We understand that there will always be some form of data mining (such as tracking activity) that will take place when using cloud services,. However, we look to ensure that students' protected information stays protected. We provide minimal student information to such services, using a random student number for the student login. We look to ensure that student information will not be sold or shared with third parties, and that the contracted provider complies with COPPA.
It is hard to negotiate with "free" contracted services. However, when we use paid contracted services, we require that the company abide by our privacy procedures and maintain compliance with data security procedures, including notifying us when one of their employees who has access to our data has been separated from the company. (They must also ensure that they have reset passwords and terminated that person's access to our data.) This is just a beginning, but even this level of negotiation has been difficult.
Cearly: We contract cloud services in several areas. We are a Google Apps for Education district, and our five high schools all participate in the Microsoft IT Academy (which includes extensive Office 365 use). We do transition our high school senior's e-mail accounts to Gmail during the 100 days after graduation. That is the only allowed consumer application for students. We do allow faculty and staff to access their private consumer accounts, but constantly encourage faculty and staff to not mix personal and professional applications.
The GAfE policies were pretty straightforward when we ponied up the first five-year agreement, and so far we've been very pleased with how they do things for us with both faculty/staff/employee accounts and student accounts. Additionally, we've found that your really can't beat the collaborative pieces that go with it. We've also been happy with what the MSITA does, although we find them a bit harder to work with and a bit more demanding of our time for the care and feeding of 365. Google understood our concerns, worked with us extensively, made some modifications and provided some assurances that MSITA hasn't been willing to do.
Tower: We certainly use some contracted cloud computing applications. We are a GAfE district and we use content management systems and learning management systems that allow student and parent logins. We look for agreements that specify that we absolutely own the data, that the provider does not have any rights to it, and that they have robust security and privacy assurances.
Does your district have any policies or procedures in place specifically about cloud-based services that involve sharing private student data among schools and/or districts?
Young: We do not specifically have rules for this (which does not mean we do not look at this when considering services).
Schad: We are in the process of developing these.
Tebbenkamp: Our district has a policy in place regarding all social media and collaborative sites (user-generated media). Our policy restricts use to district approved media sites. At this time, we do not have any approved services that share student data (outside of what the state requires for reporting purposes). All Raytown technology polices can be found here.
Tower: We do not yet have a formal policy on this, but are looking for exemplary policies to help us in crafting our own.
Does your district have any policies or procedures in place specifically to address student data privacy when using mobile devices to connect to cloud-based applications?
Young: We do not have any rules specific to devices.
Tebbenkamp: We have an internal procedure that instructs staff to ensure confidentiality of student information on any mobile device, including laptops, cell phones and tablets. This includes ensuring that the device is password protected, as well as encrypting any document that is in transit (such as on a USB drive). Our procedures prohibit protected student data on personal devices.
Schad: HISD does have policies in place as it relates to mobile devices used on school premises. However, the policies need to be modified to include not only acceptable use of the device, but acceptable use of the device accessing cloud based solutions. That work is underway.
Cearly: I often feel I'm playing whack-a-mole in this area. It seems as we attempt to codify through policy and procedure, something new pops up that doesn't quite fit into the niche.
We have policies that broadly cover student and staff data privacy and security, but nothing specific to mobile devices. We've tried to cover the vulnerabilities by being very broad, and are constantly running up against those who don't understand the risks. We've tried to make it as simple as possible by asking folks to consider a series of questions, such as, "If you were sitting at Starbucks using this device, would you access your bank account?" or "If you were sitting in the airport using a public network, would you do this with your personal information?" We've also done a ton of work to help folks (both staff and students) understand the differences between security on the wired network and our wireless network.
Tower: So true, Curt. It is such a moving target. And, sadly, in answer to your questions, I think many of my teachers and administrators would think nothing of accessing their private financial accounts from a public access point! We need to do lots more education on this.
What PD/training have you conducted around student data privacy and the use of technology-based data systems?
Cearly: And here is where things get really complex. Although I'm the director of tech services, the director of school improvement and professional learning has dominion over the content provided in professional learning. Much of what we ask in terms of privacy, data protection and data systems is omitted, or relegated to the last portion of any PLU. It may or may not get covered. I do have control over PL content we provide counselors, registrars, and administrators, so we hit that group pretty hard. In some schools it filters down to the teachers, and in others it doesn't.
For each of those over whom we hold sway, we ensure they are schooled in the alphabet soup, give them a healthy dose of responsible use and EULAs, ensure they understand that communication and collaboration with parents will serve them better than simply relying on a response to a handbook or code of conduct and stress how important it is for students to learn early how to protect themselves online. We keep resources in front of them through e-mailing, online communities of practice, and Web sites. I welcome any suggestions on what else to do or how to improve what we're doing.
Tebbenkamp: Each year we have distributed — through building leadership and/or digital resources — a basic overview of technology policies and procedures. This year, we produced a (10-minute-long) sketch animation of technology policies and procedures and required all staff to verify that they viewed the video and read the policies.
Every summer, the district holds a voluntary curriculum summit for teachers. There are focused technology sessions during this summit that allow for enrichment on district technology resources. In addition, new teachers receive a 90-minute technology orientation that reviews common systems and district policy regarding technology use and student data protection.
Next year, all certificated staff will be enrolled in an online course for instructional technology. This nine-part course will be an at-your-own-pace PD that teachers will be required to complete. This course will cover computer basics, technology integration, district-specific applications, student safety/district policies and procedures, and federal regulations. The assessment questions for the legal section are designed to "teach" each component. This section will cover CIPA, COPPA, FERPA and HIPAA as well as district policy and best practices in securing student data.
Schad: For our one-to-one high school campuses (PowerUP campuses) we have worked jointly with curriculum, PD, school leadership and instructional tech to create an integraded PD program. We are taking what was done with the PowerUp model and developing summer training for all campuses.
Tower: My perspective is that this has to become a shared initiative involving the curriculum and instruction department, administrators and all teacher leaders. It has to be woven into all of our professional learning. When we teach about Web posting and content, curriculum mapping, teaching in a 21st century classroom, looking at student work, analyzing data ... in all of these instances (and more) there must be time devoted to student data privacy and security.
We are not there yet.