As school resumes around the country, student data privacy becomes a primary concern for all administrators and IT leaders. Protecting student data is certainly a top priority, but managing how and where student data is collected, shared, and disseminated can be extremely difficult. It’s easy to overlook federal and regional mandates, easier still to overlook parent and student rights when it comes to data sharing.
So, the question is: How can we make it easy for school districts to protect student data?
The easier it is to protect their data, the more likely it is that schools will be capable of doing so to a degree above and beyond basic compliance. It’s not that schools are negligent or lazy about protecting student data; it’s that there are so many other responsibilities resting on the shoulders of education leaders that it all becomes overwhelming. Because student data privacy is so technical in nature, it is often overlooked without anyone even realizing it.
Student Data Security Problems
Unknown App Usage – One of the biggest challenges in protecting student data is controlling who has access to the data and who has the ability to share it. For example, a teacher might sign up to use an app in the classroom and share the student data necessary to use the app. But if that app has not been vetted and approved by the school, then the entire school may be at risk of a data breach should the app have security flaws that go undetected because the administration never knew that the app was in use.
Rogue Apps – Even when the use of an app is approved by the school, districts must be able to track each vendor. It’s not easy to track vendors, let alone understand what they do with the student data they obtain, how they store that data, and whether or not they share it with others. And what happens if the app is no longer in use? Does the provider have suitable data destruction policies?
Federal and State Compliance Requirements – Schools must adhere to specific guidance requirements to comply with federal, state, and local regulations. While these regulatory mandates are the least restrictive in terms of protecting student data, they cannot be ignored.
Best Practices for Student Data Privacy
Managing the safety and privacy of student data requires ongoing monitoring and comprehensive, district-wide policies concerning who can share what information with whom. Depending on the contract with your edtech vendor, your data may be left at risk long after students leave your school. These best practices can help to ensure that your schools are doing all they can to protect student data:
1) Establish student data privacy policies to which all employees in the district must adhere. This should include restrictions on independently sourced apps and edtech solutions, specific permission requirements to share student data, and a system for managing vendors and vendor data privacy policies.
2) Communicate clearly with parents. Under FERPA, schools are allowed to share the following data without direct permission: a student’s name, address, telephone number, date and place of birth, honors and awards, and attendance dates. However, parents are allowed to opt out of that sharing. Most schools do not make a concerted effort to communicate parent rights in this area, which can cause aggravation and mistrust. Clear communication policies should be in place that inform parents of their rights to restrict the data that is shared about their students. Schools should also make it easy for parents to communicate the desire to opt out.
3) Develop a cybersecurity strategy that protects your students, teachers, and school from the barrage of cyberattacks that have escalated in the last few years. Firewalls, layers of security, regular monitoring, and off-site backup should all be the norm, as should the training of all employees to help them recognize cyber threats.
4) Hold vendors to strict security standards and vet them carefully. You should be willing to forgo working with an edtech vendor that can’t demonstrate the ability to protect student data. Your policies should ensure that the least amount of student roster data required is provided for any app the district implements, and the policy should restrict or prevent third parties from having direct access to your data without strict oversight.
5) Partner with Lumen™ Touch to meet your student data privacy needs. Bright PASSPORT governs how schools share personally identifiable information (PII), such as student roster data. Rather than allow teachers or school districts to implement apps for their classrooms, Bright PASSPORT provides districts with a library of approved apps that have been properly vetted to meet the required security standards.
Does Your School Need a Cybersecurity Audit?
In order to know where you need to make improvements to your cybersecurity strategy, you need to know where your weaknesses are. That’s why Lumen Touch is offering a brand new service for schools: Bright LITE.
Our customized service offering provides individuals and organizations with the information and education to efficiently evaluate both the risks and opportunities they face.
Let Lumen Touch help you be more secure with Bright PASSPORT and Bright LITE. To learn more, get in touch.