Is your school innovative in your uses of technology? Do you rejoice at pockets of teachers employing the latest web apps effectively, igniting student learning and making a difference in their classrooms? Have you asked how many of those applications are actively sharing your students’ information?
At the Midwest Education Technology Community (METC) Conference this past week, ISTE Board President Bill Bass shared this cautionary tweet:
In our approach to technology-enabled learning, we’ve often overstepped ideas of safety (along with much of Western society) with an understandable interest to provide engaging learning experiences for students. Walking the practice of immediate adoption back to a place where we innovate within safe boundaries is an increasingly important task of school leaders.
Three first steps for leaders
Because no change happens quickly, consider these three first steps as a way to begin the journey.
1) Promote the cause of student data as a child safety issue
Protection of any kind involves some degree of inconvenience. Seat belts, helmets, you name it – the safety mechanisms of the physical world needed intentional marketing plans and sometimes laws before they were adopted. Protecting students’ data is the same.
- Describe to your staff how child accounts are valuable to bad actors who would steal identities
- Present how costly a breach is – both in terms of time as well as public funding that’s much better spent on student-facing programs. School data is often less protected than corporate data, which sets up a school for greater chance of target status.
- Talk through how passwords (especially passwords shared among systems) can lead an attacker from a person’s email directly into the school’s Student Information System. Promote adopting a password manager like LastPass while you do so, and consider preventing adults from saving passwords in their browsers, a practice that puts student data at risk.
2) Publish and model an adoption process
If no application adoption process exists, no controls exist. If no controls exist, there’s no sense of what’s actually happening with student data. Step 2 is to get that process in place.
- Create a process to approve apps, extensions, and add-ons. Include a close review of the terms of service for each. Missouri law will soon likely mandate the disclosure of technology contracts, requiring schools to disclose what applications they use, what data is collected, and how data is used.
- Archive decisions from that process on a website in order to let others know what’s been approved. Regional School District 12 has an excellent example of such a site.
- Block all apps, extensions, and add-ons not included on that list. G-Suite directions here.
- Support the process, coaching staff members to appreciate the necessary delays such a process might cause.
3) Get visibility on all school-owned accounts and secure them
If you have no sense of how many school accounts your staff or students may be managing, ask someone in technology to map that out for you. As much as possible, centralize those identities and enforce the most reasonable security measures possible around that single set of credentials.
- Map how accounts are shared among applications
- Centralize management of accounts wherever possible. This Identity As A Servicepresentation by Marques Stewart is a good primer and story of how Achievement First moved through the process of centralizing and securing identities.
- Automate account creation and deletion to remove human error and provide quick access to approved applications. Jeff Puls, Chief Technology Officer for the Clayton School District, walks through his district’s automation processes in detail in his presentation, “Security, Productivity, and Transparency through Automation”.
- Run regular reports to ensure that data across systems is in sync
Securing student safety fuels innovation
While these three steps aren’t the only measures a school leader should consider, they do represent a strong forward motion towards protecting digital student safety. In the long run, they deflect the distractions that breaches and cyberattacks might bring. Without distractions, educators and education leaders devote their energies where they matter: instructional innovation that sparks student learning.
