Prioritizing Privacy: Managing Tracking Technologies
- By Linnette Attai
When doing the work to protect student data privacy, a school district's first priority is often to focus on the most sensitive information, such as Social Security numbers, financial information or health data, and ensure that information is adequately protected. Once that work is complete, districts are able to address appropriate protection measures for other important data, including student contact information, grades, test scores and more. It is an almost never-ending funnel of information to cover, and it often cannot all be addressed at once.
Given the already wide array of responsibilities that school systems face and the limited resources they possess, it is critical to prioritize the work based on a threat matrix, as previously discussed by CoSN.
Not to be forgotten in all of this, however, is data that are passively collected through tracking technologies used by various applications, including the school system website. Common situations that involve the use of tracking technologies include serving the website content to a user, understanding how a website is used, understanding if a website or application is functioning properly, providing users with the ability to easily interact with social media through a website or other online platform, as well as serving advertising.
All tracking technologies have privacy implications. Whether those implications would be problematic for your school system often depends on what third parties are used to perform those functions, how they are configured and if the user is an adult or a student.
The first step in understanding if your tracking technologies are being used in ways that are appropriate and aligned with your legal responsibilities is to know what is being done and by whom. Doing so will help you make smart decisions about what third parties to permit and how to keep control over your data ecosystem. To get started, download the CoSN (the Consortium for School Networking) District Application Inventory Worksheet and take an inventory of not only the third parties operating on your website, but all of your key district applications.
With your inventory in hand, consider whether all of the tracking technologies are permitted by current privacy laws and your district policies. It's often easiest to start this work by examining your school system website. What third parties are operating on your site? What is the purpose for each, and what data are they collecting to do the work? Are they doing something more with the data than providing the service to your district? If so, can they be configured differently to address the issue or not? Answering these questions will empower you to make well-informed decisions about what should be on your website.
We have found value in using selective third-party applications integrated into our website. We try to stay aware of what tracking elements are captured by the products, but that requires due diligence to understand. It's a significant undertaking, but we are constantly improving. We work diligently to review our third-party integrations and to inform our visitors about them and about the data they may capture. – Louis McDonald, Director, Technology Services, Fauquier County Public Schools
Many districts rely on the hosting provider or developer to manage their websites, but remember that they are also your third-party service provider. While they may be able to provide you with answers to some of your questions about the tracking technologies that are being used, they do not own or operate the site – you do, and what ends up on the site is your responsibility.
Once you've successfully managed this work on your own website, you will be better informed and better equipped to examine how other technology providers are operating, improving the maturity of your district's privacy program as you go.
For more information on tracking technologies and how to manage your school system website, check out these resources from CoSN.
Linnette Attai is project director for the CoSN Protecting Privacy in Connected Learning Initiative and the Trusted Learning Environment Seal Program. She is also president of PlayWell, LLC compliance consulting.