Data-driven decision making has been a growing theme in education as much as business. As concerns about student progress and proficiency increase, and measurements of all sorts work towards making student growth more transparent, the amount of data on each child that calls our schools part of her community proliferates.
But in a culture where consumers increasingly hand out their personal data without a short second of reflection, why should we care about the trove of data currently compiled on our kids?
Simply put, as school leaders we have a moral and legal imperative.
In this article, I’d like to outline each of those imperatives and detail six guiding questions that we are asking ourselves and our schools. The lines between digital and face-to-face existence continue to blur, and the data that govern our digital lives has moved from an ancillary topic to a focal point of international policy.
The Why
Our Moral Imperative
As data proliferates, technologies are increasingly used to distribute customized advertisements and whole narratives to individuals on a large scale. This focused delivery of information endangers civil discourse and gives rise to the growing scale of “fake news”. The data of children, whose opinions and values are still largely in flux, ought to be protected with special care, and families informed of ways to build within their children the ability to judge the media fed to them hours each day.
Our Legal Imperative
Three important legal guideposts for US policy are FERPA, COPPA, and California’s SOPIPA. The thrust of each of these acts was neatly summarized in an open letter to the edtech industry by Jim Steyer, CEO of Common Sense Media. Jim writes,
“We propose three basic principles that attempt to balance the tremendous opportunity provided by educational technology with the need to foster a trusted learning environment …
- Students’ personal information shall be used solely for educational purposes.
- Students’ personal information or online activity shall not be used to target advertising to students or families.
- Schools and education technology providers shall adopt appropriate data security, retention, and destruction policies.”
While school leaders ought to familiarize themselves in greater detail with the provisions of FERPA, COPPA, and SOPIPA, Jim’s principles outline the spirit of all three laws. Students’ right to privacy ought to be retained and protected, and it is the job of both vendors and schools to hold each other accountable for the protection of this data. In the next section, we’ll address what questions we can ask ourselves in order to begin delivering on these imperatives.
Resources:
For more information on the above, please check out …
- The Ferpa Sherpa for resources that inform technology decisions with an eye towards meeting FERPA requirements
- The Electronic Privacy Information Center’s (EPIC) approachable outline of COPPA
- Common Sense Media’s description of how SOPIPA affects decisions made by teachers in their own classrooms
- Blog post by leader of the Arbinger Institute entitled, “How Truth Can Prevail in a World of Fake News”
The How
We have begun asking ourselves a number of questions around data and security more and more regularly when working with schools. I’ve cut to the chase a bit and have limited these to the top 3 questions a school leader ought to be asking and the top 3 questions IT leaders serving schools ought to be asking.
Questions for School Leaders
To what degree is IT connected to the curriculum approval process?
In a recent keynote presentation to Missouri school IT leaders, Lenny Schad, CIO for Houston ISD, flagged the relationship of IT and Academics as one of the most strategic collaborative relationships to get right in a school system. As curriculum is increasingly delivered through digital means, technical missteps don’t just impact devices, they impede learning.
Because of this danger to the learning process school leaders ought to be asking,
- Have we asked IT about how this curriculum will impact our other systems?
- What security practices are in place on the vendor’s side?
- Who is the owner of vetting our contracts with curriculum and application vendors? Does that person understand the privacy language and technology terms set forth in that contract?
How often is my staff trained on best practices around data security, and how effective has that training been?
Staff ought to be briefed on the following topics, with clear policies and procedures for each one:
- Physical security of devices
- Password best practices and district requirements
- Procedures that govern “free” apps that teachers and staff members would like to try
- Phishing practices and implications if a computer is successfully breached
These topics are often uncomfortable conversations because, when implemented properly, many of them slow down teacher and staff workflows. But the fallout from a breach or the impact to a child when her data is used against her is more than enough reason to put up with momentary inconvenience as we protect the people in our care.
To what degree is data privacy woven into the digital citizenship curricula our students complete?
As soon as a child is given access to a device, we have the ability to impart practical lessons about protecting oneself, discoursing civilly online, sifting truth from error, and more. Are you able to present a plan that has been executed with fidelity in your district?
Resources:
There are a number of wonderful resources around the topics above. Ones I can quickly recommend include:
- Common Sense Media’s EdTech Product Privacy Evaluations, a collection of contractual agreements that have been vetted for privacy concerns by school IT professionals around the US:
- The Privacy Technical Assistance Center (PTAC) Toolkit, which outlines impacts of data breaches and how we can protect against them:
- Common Sense Media’s K12 Digital Citizenship curriculum, a free, accessible curriculum that also includes a certification process for your school
Questions for IT Leaders
What controls exist around student and staff accounts as they are onboarded, managed, and deleted?
What policies and processes are in place that govern access to resources where personally identifiable information (PII) exists?
What plans and processes are in place that will guide action when a security breach occurs?
Resources:
These three questions, and many more, are addressed in a number of places. Sources that come to mind include:
- If you are on Google, become familiar with the built-in reports area of the Google Admin Console, or investigate an audit tool like GAT or SysCloud.
- A thorough collection of data privacy recommendations, including webinars, are available on CoSN’s Trusted Learning Environment (TLE) resources page. The TLE is also a certification process that can bring recognition to the work you are doing on data privacy in your school.
- A summary of the Missouri State Auditor’s Cyber Aware School Audits is publicly available and includes many valuable insights to typical audit requirements.
The Beginning
The work around data privacy and protections for our students is just beginning. The imperatives and remediation steps are the tip of the iceberg, as we have focused in this article more on the people than the technology.
As mentioned in an earlier post this month, “The primary challenge we face in using technology effectively is human.” In light of the themes mentioned above, we might say “using technology securely” as well. It’s a work that is very much worth it, however, and I am glad to be a small part of protecting our schools.
