Your 2019 Student Data Checklist
By Bill Miles | February 1, 2019
Almost every week, there seems to be a new story about a data breach. Or, seems like there’s a new law that has just been enacted that places additional requirements on schools (here is a comprehensive list). If you are responsible for the privacy and security of student data at your school, we’re well aware that this is becoming an increasingly complex job! We’re here to help.
Given the pace of developments, I suggest that schools check in on the key areas of student data privacy at least twice a year.
Here is a quick checklist to get you started:
1 – What websites, digital services and apps is your school using?
Focus on platforms that securely integrate with your student data (through access to your Student Information System) or those in which the students and teachers interact directly. Many EdTech companies target teachers and coaches directly, so it is very important to sit with them and learn what tools they are using on a day-to-day basis. The goal here is develop a comprehensive list of all the different tools that may potentially be relying on user data.
2 – What kind of data is collected by these websites, services and apps?
Focus on data that is given specific or unique protection under the law. For example, do these technologies collect information that would allow a person not associated with the school to identify students (i.e. personally identifiable data)? Is the school supplying “directory information” or data beyond that? (Note that Directory Information can be shared without parental consent.) If data is shared beyond the school, under what exception?
In light of recent events, double check if you collect data of residents of the European Union, including parents, students, professors, donors. If so, the GDPR may apply to your school. Read our previous blog on GDPR.
3 – Review the terms and conditions of these websites, services and apps.
While the terms and conditions of these technologies can be incredibly long and tedious to read, it is important to look for key provisions. These include:
- School maintains ownership of data
- Prohibition to use the data collected for targeted advertising
- Prohibition to sell or provide the data collected to any third party, without the school’s explicit permission
- Prohibition to use data collected to amass a profile of a student
- Right to request the data be deleted or amended
- Prompt notification if an unauthorized disclosure
- Provisions that address the data upon termination of the agreement.
4 – What steps are websites, services and apps taking to ensure that the school’s data is secure?
It’s all well and good to ensure you know what data the third party is collecting and that their terms and conditions satisfy your school’s requirements, but if the data can be easily hacked or lost into the internet, all that work will be for naught. This means that data security is the next important area of inquiry.
- The Education Privacy Resource Center provides an excellent list of 7 questions to ask a vendor regarding data security.
- The US Department of Education also provides this guidance.
5 – Review your parental permission forms and update with any changes.
Schools provide parents notice of their privacy policies and offer their parents an opportunity to opt out of the disclosure of information about their student. In recent years, this practice has become more complicated. Schools define directory information differently. While most schools provide one “opt out” option for parents, many are also offering 2 or 3 options for different cases. One example is to offer a total opt out of all disclosures and a “no media” option that prohibits the school from using the student’s image and information on the website or social media (external disclosure) but allows internal disclosure within the school (yearbook, school newspaper, programs…etc.). Finally, consider how your school is enforcing these parental preferences. For example, where can the teachers and coaches see these preferences? What about the yearbook and newspaper teams? How is your website managed?
6 – Review the school’s internal policies and programs regarding use of technology, privacy and digital citizenship.
This is a fast growing body of information. In terms of teacher and staff training, only Utah requires teacher training, but many schools and districts are beginning to host regular information sessions and workshops on the topic. (YouTube trainings are especially well done and very watchable. There are many other great resources for teacher and staff training at the Department of Education website, as well as at the Student Data Privacy Consortium site. As far as digital citizenship materials for students, Common Sense Media is an excellent source for developing a program for students of all ages.
This article is partially adapted from an excellent article intended for parents written by the team at The Education Privacy Resource Center.
For any questions, please contact firstname.lastname@example.org.