According to EdWeek, US K–12 schools have experienced 425 publicly reported cybersecurity incidents since January 2016. But the real number is probably much higher. Why? Because students have clean data: unblemished credit reports and pristine Social Security numbers that cybercriminals can’t wait to exploit.
Schools and districts are collecting, managing and analyzing more data now than ever before, data that can be used to improve K–12 decision-making, customize instruction to each student and flag when a student needs extra attention or assistance. That same data can also be misused, manipulated or unintentionally exposed.
It is critical to build a culture of data privacy in schools and districts. Administrators must consider what privacy policies, staff training and safe destruction protocols are in place. Understanding and modifying employees’ and students’ attitudes toward data privacy takes time. Schools should take steps to develop a strong, measurable privacy and security plan that ensures the privacy of student data. The following steps can help organizations establish and enforce privacy policies, train staff on privacy procedures and ensure that all data is collected and shared safely.
Develop a Privacy and Security Plan
Organizational culture starts from the top. Senior leadership’s support and willingness to invest time, resources, and political will in privacy initiatives are critical to success. Leaders must identify student data privacy priorities, the potential impact of privacy breaches and how your school or district could implement mitigation strategies.
Teachers, administrators, and support staff have access to highly confidential student data housed online. Because they don’t know enough about cybersecurity, they can inadvertently enable a breach. Integrate high-quality, job-embedded, and timely privacy and cybersecurity training for all school employees. New employees should be required to complete training before being granted access to systems containing personal information and should be required to attend continuing privacy training annually. Ideally, privacy and cybersecurity training should be comprehensive and incorporated throughout the year.
As privacy and data protection regulations evolve, schools need to think about how they reduce and manage risk, to ensure that student data in their custody is secure.
Designing and building an inventory of all personal data processing activities within your district is an essential first step. If you don’t know the type of data you collect and how it’s shared, processed and stored, how can you know whether you are complying with the privacy requirements that impact your district? Establish a baseline of all technology used in classrooms, school and district offices. Develop an accurate picture of what technology is in use throughout the district, then conduct a privacy evaluation for each online technology to ensure student data is private and protected.
Data Destruction Schedule
It can be hard to fully comprehend the scale of the average school district’s data footprint. From local hard drives to mobile devices and the cloud, every bit of that data needs to be managed securely and compliantly – not just in storage and transit, but also at the end of its lifecycle.
In an age of increasingly smart, interconnected technology, it is crucial to develop a data destruction schedule. Without a plan in place, your institution might be accused of violating the Family Educational Rights and Privacy Act, or FERPA, which protects student education records in both K–12 and higher education. Schools can proactively take action by working with a data privacy expert to develop a safe data destruction schedule for purging old records.
FERPA also gives parents rights over their child’s educational records, for example to access the records and limit their disclosure. Schools should ensure that these FERPA requirements have been adequately operationalized.
There is no shortage of laws governing student privacy. It is critically important for leadership to immerse themselves in these regulations in order to be able to set the policies and expectations and create the boundaries of risk for their technology teams and others in the districts.
Connecticut’s law requires boards of education to enter into contracts with vendors to whom student data will be disclosed, and lays down terms that the contract must include to ensure that the data is safeguarded and remains under the control of the school and parents, including control of deletion. Further, a board must make information about its vendor contracts available to parents online and is subject to further transparency obligations in the event of a data breach.
While the technology and data collected throughout school systems across the state are being used in effective ways, there is cause for concern about student privacy. The end goal of Connecticut’s law is to make sure data is secure and ensure students and parents know if their data has been compromised. Contact Vancord to schedule privacy awareness training and data privacy risk assessments.