10 Steps That Protect the Privacy of Student Data

CoSN is now offering a free toolkit to help districts navigate the tricky issue of data privacy. Lesson number one: Complying with FERPA and COPPA is just the beginning.

Over the past year, data privacy has become a top concern of parents and policymakers. Lead news stories on national security surveillance and the theft of department store credit card information have heightened awareness of the issue and escalated the debate on the political right and left. In education, concerns about privacy were a contributing factor to the failure of the inBloom effort.

In this context, education leaders must be ready to explain why they collect data and how they are ensuring the protection of student information. While much of the current discussion is about compliance with federal laws such as the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA), mere compliance is the minimum effort required by school systems.

When FERPA was enacted in 1974, no one could have imagined the implications for privacy in a world dominated by the Internet, cloud services, online learning and mobile apps. Even since COPPA took effect in 2000, the world of education technology has changed radically. Education leaders want to act in the best interests of the students and families that they serve, but applying laws enacted in an earlier era is incredibly difficult. As the value of data for both educational and commercial purposes is increasingly recognized, school leaders can sometimes find themselves at odds with the service providers on which they depend for valuable educational tools.

Why We Collect Data

Educators and policymakers increasingly realize the promise of using student data to make informed decisions on issues from classroom instructional practices to investment in education programs. By collecting data about student use, online services can offer a much more personalized experience. Balancing the benefits of these technology advances with the need to protect student privacy and data is a major challenge. It is critical that education, industry and policy leaders find ways to ensure student privacy while continuing to encourage innovative uses of technology and student data. Equally important is communicating to all our stakeholders about the data being collected and the purpose of its collection.

School system technology leaders need information and guidance intended specifically for them and developed by those with a deep understanding of education technology issues. The Consortium for School Networking (CoSN), in partnership with Harvard Law School’s Cyberlaw Clinic based at the Berkman Center for Internet and Society, has recently released the free Protecting Privacy in Connected Learning Toolkit, a step-by-step guide to navigating the complexity of FERPA, COPPA and related privacy issues. Of course, considering the highly technical nature of privacy laws and policies, school leaders should always seek the advice of legal counsel regarding such issues.

Understanding Legal Compliance

Navigating privacy issues and FERPA and COPPA compliance can quickly become confusing for school system leaders, so the CoSN Toolkit is organized as a step-by-step flowchart. It not only addresses FERPA and COPPA compliance issues, but also suggests practices that reach beyond compliance.

Embedded in the toolkit’s decision tree are definitions, checklists, examples and key questions to ask along the way. The toolkit offers a detailed definition of terms such as “education record” and “school official,” and suggests contract terms and security questions for service providers. Also included are explanations of issues related to metadata, data de-identification and “click-wrap” agreements, which are common to free online services. The toolkit also offers a set of helpful Internet links to privacy-related resources.

As the interpretation of privacy laws evolves along with privacy laws themselves and the technology services they seek to govern, the CoSN Protecting Privacy in Connected Learning Toolkit will evolve as well, with information forthcoming on compliance with other federal student privacy protection laws.

Beyond Compliance to Aspirational Practice

If mere compliance is insufficient, what should responsible school systems be doing when it comes to privacy? In a new report underwritten by Intel, Bob Moore, director of CoSN’s Privacy Project and founder of RJM Strategies, suggests 10 steps that every school district should take to better ensure the privacy of student data:

1) Designate a privacy official. Decide who in the district is responsible for privacy. A senior administrator should be designated as the person responsible for coordinating efforts to ensure compliance with privacy laws and policies.

2) Seek legal counsel. All schools have access to the services of legal counsel. Regardless of how your school receives those services, make sure your counsel understands the privacy laws and how they are applied to technology services.

3) Know the laws. This is not easy, but it is essential. In addition to the CoSN Toolkit and resources from the U.S. Department of Education, many other organizations have developed or will be developing privacy-related materials. Don’t forget about state laws or proposed state laws.

4) Adopt school community norms and policies. FERPA and COPPA are the bare minimum when it comes to protecting privacy. There must be consensus among your stakeholders regarding collecting, using and sharing student data. Without consensus, it’s impossible to adopt enforceable policies.

5) Implement workable processes. If your school is going to be serious about privacy, there must be processes with checks and balances for accountability. No one wants to create roadblocks to innovation, but ensuring privacy requires proactive planning and disciplined action on the part of school staff. Compliance with privacy laws suggests some specific processes for schools, and they should be reviewed regularly to ensure that they are workable and reflect current interpretations.

6) Leverage procurement. Every school RFP, bid and contract (or service agreement) has standard language dealing with a wide range of legal issues such as indemnity, liability, payment and severability. By adopting standard language related to privacy and security, you will make your task much easier. Many online services are offered via click-wrap agreements that are “take it or leave it.” It may be necessary to ask staff to look for alternative solutions if the privacy provisions do not align with your expectations.

7) Provide training. Unless you train your staff, they will not know what to do or why it is important. Annual privacy training should be required for any school employee who is handling student data, adopting online education apps or procuring and contracting with service providers. Privacy laws represent legal requirements that need to be taken seriously.

8) Inform parents. Parents should be involved in the development of privacy norms and should provide policy input. Just as schools provide significant information about online safety and appropriate use, they should put significant effort into making sure that parents understand the measures that educators are taking to protect student privacy.

9) Make security a priority. The importance of security to ensuring privacy cannot be overstated. Secure the device, the network and the data center. Toughen password policies. Have regular security audits conducted by a third-party expert. Make sure that RFPs, bids and contracts have clear and enforceable security provisions for your online service providers.

10) Review and adjust. Interpretations of privacy laws are changing, and new laws may be added. School policies and practices will need updating and adjustment so that they reflect legal requirements. Processes can become burdensome, and when that happens, some people may want to skirt them. Seek input from those involved to ensure that the processes are not hindering teaching and learning.

Most importantly, get started now before the privacy questions create a firestorm in your community. Be a privacy leader.