Student Data Privacy Tips

As school resumes around the country, student data privacy becomes a primary concern for all administrators and IT leaders. Protecting student data is certainly a top priority, but managing how and where student data is collected, shared, and disseminated can be extremely difficult. It’s easy to overlook federal and regional mandates, easier still to overlook parent and student rights when it comes to data sharing.

So, the question is: How can we make it easy for school districts to protect student data?

The easier it is to protect their data, the more likely it is that schools will be capable of doing so to a degree above and beyond basic compliance. It’s not that schools are negligent or lazy about protecting student data; it’s that there are so many other responsibilities resting on the shoulders of education leaders that it all becomes overwhelming. As student data privacy is so technical in nature, it can often be something that is overlooked without anyone even realizing it.

Student Data Security Problems

Unknown App Usage – One of the biggest challenges in protecting student data is controlling who has access to the data and who has the ability to share it. For example, a teacher might sign up to use an app in the classroom and share student data necessary to use the app. But if that app has not been vetted and approved by the school, then the entire school may be at risk of a data breach should the app have security flaws that go undetected because the administration never knew that the app was in use.

Rogue Apps – Even when the use of an app is approved by the school, districts must be able to track each vendor. It’s not easy to track vendors, let alone understand what they do with the student data they obtain, how they store that data, and whether or not they share it with others. And what happens if the app is no longer in use? Does the provider have suitable data destruction policies?

Federal and State Compliance Requirements – Schools must adhere to specific guidance requirements to comply with federal, state, and local regulations. While these regulatory mandates are the least restrictive in terms of protecting student data, they cannot be ignored.

Best Practices for Student Data Privacy

Managing the safety and privacy of student data requires ongoing monitoring and comprehensive, district-wide policies concerning who can share what information with whom. Depending on the contract with your edtech vendor, your data may be left at risk long after students leave your school. These best practices can help to ensure that your schools are doing all they can to protect student data:

1) Establish student data privacy policies to which all employees in the district must adhere. This should include restrictions on independently sourced apps and edtech solutions, specific permission requirements to share student data, and a system for managing vendors and vendor data privacy policies.

2) Communicate clearly with parents. Under FERPA, schools are allowed to share the following data without direct permission: a student’s name, address, telephone number, date and place of birth, honors and awards, and attendance dates. However, parents are allowed to opt out of that. Most schools do not make a concerted effort to communicate parent rights in this area, which can cause aggravation and mistrust. Clear communication policies should be in place that instruct parents about their rights to restrict the data that is shared about their students. Schools should also make it easy for parents to communicate the desire to opt-out.

3) Develop a cybersecurity strategy that protects your students, teachers, and school from the barrage of cyberattacks that have escalated in the last few years. Firewalls, layers of security, regular monitoring, and off-site backups should all be the norm, as should the training of all employees to help them recognize cyber threats.

4) Hold vendors to strict security standards and vet them carefully. You should be willing to forgo working with an edtech vendor that can’t demonstrate the ability to protect student data. Your policies should ensure that the least amount of student roster data required is provided for any app the district implements, and the policy should restrict or prevent third parties from having direct access to your data without strict oversight.

5) Partner with Lumen™ Touch to meet your student data privacy needs. Bright PASSPORT governs how schools share personally identifiable information (PII), such as student roster data. Rather than allow teachers or school districts to implement apps for their classrooms, Bright PASSPORT provides districts with a library of approved apps that have been properly vetted to meet the required security standards.

Does Your School Need a Cybersecurity Audit?

In order to know where you need to make improvements to your cybersecurity strategy, you need to know where your weaknesses are. That’s why Lumen Touch is offering a brand new service for schools: Bright LITE.

Our customized service offering provides individuals and organizations with the information and education to efficiently evaluate both the risks and opportunities they face. 

Let Lumen Touch help you be more secure with Bright PASSPORT and Bright LITE. To learn more, get in touch.

The Challenge of Protecting Student Data

Among the many challenges that the pandemic has highlighted in great detail are the gaps in our education system, from inequitable access to WiFi and laptops to protecting student data when students are working from a variety of different locations outside of the school building. Protecting student data is a top priority for Lumen™ Touch.

At the end of the day, I want to assure you that we adhere strictly to the student privacy pledge and reinforce to you that no one gets access to your data. We think it is very important to understand that we go far and beyond to ensure that the integrity of your system and data remains intact at all times.

Dr. John Vandewalle, CEO

How Lumen Touch Protects Student Data

Since last spring, when schools closed and students moved to online learning, there has been a rapid increase in demand for technology. We saw everything from Zoom bombs to phishing attacks that played on the emotions of people terrified about COVID-19. Ransomware continues to increase in both volume and complexity, but Lumen Touch is committed to staying a step ahead wherever possible. This is why we:

  • Follow industry best practices for the services provided
  • Maintain updates and configurations of all services
  • Apply risk isolation and standardization when determining the design and configurations of our services
  • Work under the assumption that all networks are potentially hostile (this includes other servers in the local network and clients across the web)
  • Explicitly ban the use of default trust between services
  • Enforce access rules and firewalls among all systems

Lumen Touch Is More than an EdTech Platform; We Are Your Managed IT Partner

In addition to providing comprehensive solutions for delivering education, health, and safety for all of your students, Lumen Touch remains busy in the background, too.

24/7 Monitoring: We monitor your site remotely 24/7/365, providing sophisticated threat detection to block potential threats. We also use a variety of tools to help prevent malware and ransomware threats from breaching your system, including Fail2Ban, a tool that monitors for malicious login attempts.

Nightly Remote Backups: We perform nightly backups of your data, using AES-256 encryption. In addition to a master Lumen Touch encryption key, each backup also has an individual client key. The backups are stored securely in the US outside of your region – this protects your data in the case of localized weather catastrophes that affect local data centers.

Restoration and Recovery: No matter how much technology we employ, human error accounts for a great number of threats to network security. It only takes one employee clicking on a link or downloading a file that contains a virus or malware for a threat to permeate your IT infrastructure. Our disaster recovery service ensures that if the worst happens, you’ll be up and running again within 1-4 hours, restored from the previous night’s backup and with minimal downtime.

Technology will continue to be an important part of education as we move forward. Because of that, student data security must be a top priority for schools and the edtech providers with whom they partner.

If you’d like to learn more about how we help you protect your student data while empowering students, teachers, and administrators with powerful edtech, get in touch.