Speaking Up About Data Privacy in Ed Tech

Tech Tactics in Education speaker Kevin Lewis on his journey from school security and IT support staffer to data privacy advocate — and his mission to bring greater transparency and accountability to ed tech privacy practices

With data breaches and tightening privacy regulations regularly impacting education institutions at all levels, it's unsurprising that campus administrators, data protection officers, and IT managers are looking more closely at the privacy policies and security practices of their technology vendors.

What is surprising: A large majority of those vendors actually want to hear from education users who find something in those policies they don't like, or need clarification on part of a vendor's privacy policy, said 1EdTech Data Privacy Officer Kevin Lewis, Sr.

Calling out a vendor about problematic or missing language in their privacy policy is not only OK, it is encouraged, Lewis told THE Journal.

Lewis is a featured panelist at November's 2023 Tech Tactics in Education conference in Orlando, where his session, "If You See Something Say Something: Data Privacy Vetting/Avoiding the 'Gotcha' Clauses in Data Privacy Guidelines," will focus on ways that school districts can achieve better data security and privacy policies from, and partnerships with, their vendors.

During a recent interview, Lewis explained how his unusual path to working in ed tech and, ultimately, data privacy played a big part in his bold, transparent approach in the development of 1EdTech's TrustEd Apps Seal of Data Privacy certification, and how that approach can save schools a lot of time and headaches.

THE Journal: Did you start your career in technology, or in education?

Kevin Lewis: I started my career — after serving in the Marine Corps in Operation Iraqi Freedom and Operation Enduring Freedom — working a lot of security jobs, starting with physical security, and then installing security equipment, and that grew into installing security equipment that was part of a larger network, including in all the school districts around Houston. That's how I started getting more technical and learning about networking and how all of those things work. Then when the Houston Independent School District went to 1:1 devices in their high schools, the district hired me as a customer support rep to manage the devices, handle the break-fix process, and so forth, as 65,000 high school students were each getting a laptop to take home.

THE: How many CSRs were there to handle all those new student devices? What was that like?

Lewis: One — they created one new position at each high school to do this, but they couldn't fill them all. They also created another new position to teach the teachers how to use the technology, and to encourage them to try different education technologies on their new laptops. That position was supposed to be filled by an educator, but it was not filled. So I ended up not only taking that customer support position, but I also took that educator or instructional technologist-type position where I was teaching the teachers.

THE: What kind of training prepared you for those roles?

Lewis: I've always been sort of tech savvy and my degree was in electronics and computer technology and then also a degree in technical management. But really I would say the biggest thing that helped me a lot in the training role was my karaoke skills. I had never spoken in front of a large group of people, so being able to stand in front of teachers and try to teach them — it was hard, I really shied away from it in the beginning. But eventually I thought, "I should just go for it, I've done karaoke all over the world in different countries … this can't be that much different from putting yourself out there singing karaoke." So karaoke was what really made me confident enough to go out there and work with all kinds of groups, students, and teachers, and to make things fun. I really put on a show when I present, and I make sure there's a lot of laughter in the room.

THE: How did that CSR role at Houston ISD lead to you working in data privacy? Did you have an interest in data privacy, or were you studying related topics?

Lewis: After the district noticed what I was doing, I joined their education technology team. Data privacy was never on my radar; it was never something that I even thought was a position, or a job that I could do. But one day, about eight of us ed tech specialists were sitting in our classroom, and our supervisor said that one team member who managed the data privacy work was leaving the district, and when she asked for a volunteer, I raised my hand. I wanted to see what I could do with data privacy and our schools — I had ideas for ways to raise awareness — and the rest is history.

We did truly amazing things with that data privacy program. We got kids involved, we got them excited. We partnered with external organizations like the Future of Privacy Forum to provide different incentives for kids, as well as educational and awareness videos called Think Privacy, to really embrace a culture of privacy, safety, and security. The students were deeply involved and it was very successful.

THE: At what point did you begin to communicate with vendors about their ed tech privacy policies? How that did that transpire?

Lewis: During my first couple of years at Houston ISD, we began reaching out to our suppliers of some of the free ed tech tools, asking them questions about their privacy policies, showing them different areas of vulnerabilities in their policies … it just evolved into more of a partnership. Now these were a free educational tools — they did not have to talk to us or take any of our suggestions, but they were happy to do so and they were grateful that we showed them the vulnerabilities.

We showed them language in the policies that didn't quite read well or translate well, and they showed us tons of gratitude. In a few instances, before we did anything with them, they might have an F rating, and after we reached out and they adjusted their policies or practices, they would come back very excited to say "thank you" and show us that they now have an A rating.

Some of the largest ed tech companies that are the most commonly used were surprisingly failing at this new rubric that we had and the program we were using to test their vulnerabilities — but we kept sharing those results and our feedback with the ed tech vendors. You would think they're so large that they couldn't get back to you in a timely manner but that wasn't usually the case; they often got back us very quickly, and they were very grateful.

THE: So how did you go from working in a district to building a data privacy rubric at 1EdTech?

Lewis: After two years or so with Houston ISD, I joined 1EdTech, which at the time was called IMS Global. I asked what they were doing in the data privacy realm. They were familiar with me and my work with Houston ISD from presenting at conferences. They were beginning to work on a data privacy rubric and certification, but in its early stages it was nothing like the program we'd built at Houston. And that's what I wanted to bring to 1EdTech: collaboration, open transparency, and privacy. That's exactly what [1EdTech CEO] Rob Abel and [Vice President] Lisa Mattson allowed me to do here — bring our program concepts from Houston here on a much larger scale.

To begin with, we reached out to all of 1EdTech's school district members and every supplier; we put together a task force to develop a set of criteria that we now call "expectations," to sort of soften that language with suppliers to better promote that collaboration and communication between suppliers and schools.

The intent was to start with something small, as we realized things were getting out of hand and overwhelming for suppliers and schools, with everyone sending questionnaires and data-sharing agreements and not knowing what to ask and the weight of the questions that they were asking. The result was a sort of cover-yourself rubric that makes it easier for schools to get a good look at what a supplier is doing, if they're competent in their data privacy and security posture, if they understand privacy … this also made it easier for suppliers to comply with what their customers were asking for — and to identify what was missing that was getting them shelved by schools that wouldn't be customers.

THE: How big was the task force, and how long did it take to get to a basic data privacy rubric? Was it very complicated?

Lewis: It was a blend of K–12 and higher ed tech suppliers, leaders from state departments of education, plus anyone and everyone who had a foot in the education space and were members of IMS Global/1EdTech — they all had a hand in the creation of that rubric. It took three years to finally get a rubric adopted widely by a lot of our schools and their suppliers.

Since its launch, it's blown up tremendously to where schools are requiring a lot of other suppliers to have been vetted by our data privacy rubric or the schools are solely leaning on those reviews or scores from 1EdTech to make their procurement decisions.

We've also seen many of our schools ask their tech vendors to work with us to improve their privacy policies or security practices. This is something we help all our member schools with and what we will delve into during the Tech Tactics in Education session.

The core of our process, our primary message to schools is, "If you see something in a rubric, if there's an e-mail somewhere in that privacy policy, if you see something that you don't like or you don't understand, then absolutely reach out to that supplier, no matter how small of a district you are, reach out to the vendor, because there's work that can be done there."

THE: Can you give a little overview of how that process works and how 1EdTech helps schools work with vendors to improve or tailor their privacy policy?

Lewis: A lot of our member schools are now reaching out to their suppliers and asking about a negative privacy review, or asking about an area in the supplier's privacy practices that the school wants to see them improve, or meet the expectations across the board. The school will reach out to that supplier if they have a contact, and then they will connect me with them. And then it becomes the school working with the supplier with the third party, 1EdTech, in the middle, sort of guiding that conversation — making sure that the supplier is represented with their best foot forward.

This is not a "Hey, we found this, we got you! Why are you doing this!" It's more of a partnership, a collaboration. We approach them in the spirit of asking them to assist us in our efforts to put out the most accurate and trusted review possible of their ed tech product. That is always our goal: the most accurate and trusted review possible.

THE: How do your collaborations with suppliers and schools on improving their privacy policies impact the suppliers? 

Lewis: When we have the right contact person at a supplier, and can reach a decision-maker who can assist us in actually making changes to their privacy policy, implementing privacy practices and principles, it does make a difference usually for the supplier. The privacy policies often miss a lot of concerns that schools and privacy advocates have. Internally, they may be doing all those things, and they are doing a great job, it just doesn't always get translated into their privacy policies or terms and conditions.

When we assist suppliers, we are in effect making sure their policy and terms will not land them on a Do Not Use list. Most schools will see something of concern in a privacy policy — or not see something they require to use a tech solution — and they will usually not say anything, they just put that supplier on a blacklist and will not use them.

We encourage them to speak up, to reach out to the supplier or to us, and then we can help them. There's probably 100 other schools that have looked at that supplier's policy, didn't love it, and moved on from that supplier. But if a school reaches out and we collaborate and make those changes and improvements, then any other school coming after — that's eventually 100 other schools now looking at the privacy practices and not deciding to go the other way.

Lewis' session is scheduled for 2 p.m. ET on Nov. 8, 2023, at the 2023 Tech Tactics in Education conference in Orlando. Additional panelists include Monica Watts, Senior Director of Learning Innovation at 1EdTech; Scott Clark, Director of Media and Instructional Technology at School District of Osceola County; and Krissy Mollo, Coordinator of Teaching and Learning Applications at Volusia County Schools. Register and learn more at TechTacticsInEducation.com.