Education Framework Blog

Focused on the Future of Education in America

Connecticut's new "Act Concerning Student Data Privacy " in effect October 1, 2016


Connecticut education leaders are in for big change come October when new student data privacy legislation goes in to effect in the state. 

"An Act Concerning Student Data Privacy" The "Act" (HB 5469, Public Act 16-189) - sets forth new privacy and contractual standards for how student information may be used in the state of Connecticut. 

Effective October 1, 2016, this act restricts how student information may be used by contractors and third party operators of websites, online services, & mobile applications (i.e. apps), and requires that parents are notified each time a school district enters into a contract that involves student data. 

Shipman & Goodwin LLP’s School Law Practice Group and Privacy and Data Protection Group collaborated to prepare an Alert to inform local and regional boards of education of the new requirements and to address what they anticipate will be commonly asked questions

The Alert does a great job of highlighting the many nuances of the law and clearly outlines the specific requirements for Boards of Education and Contractors, alike. 

Specifically, it includes a list of action items that boards of education should consider, including the following

  • Conduct an in-district inventory of all online technologies (internet websites, online services, and mobile applications) that teachers in the district are using in conjunction with the education of students;
  • Prepare a draft contract and student/parent notice of contracts that will be posted on the district’s website and sent electronically to students/parents;
  • Consider implementing a data privacy screening tool for potential vendors, which may or may not be included as part of a RFP. The screening tool can provide some assurances to boards of education that vendors are aware of the requirements and have taken action to comply with them;

For the full list of action items visit here >>

What does this mean for Connecticut education leaders and technology providers?

It means that the state of Connecticut is taking some truly unprecedented steps towards ensuring student data is private and protected, leading to greater transparency and accountability in the classroom. 

It means that many boards of education will have to modify their contracting processes and eventually adopt or revise policies and procedures to address the act’s requirements. 

And it means that the real work has just begun!

Under the new act, specific requirements exist for boards of education and operators in the state, including:

New requirements for boards of education:

1. contracts between such contractors and boards of education, SBE, or SDE are required to contain specific provisions relating to the use and security of student information; 

2. contractors are prohibited from using personally identifiable information (PII) from student records to engage in advertising or for any purposes other than those contractually authorized; and 

3. boards of education must notify students and parents within five business days of executing a contract with such contractors. 

New requirements for contracting operators:

1. requires such operators to maintain reasonable security practices to protect student information and delete student information upon student, parent, guardian, or board of education request; 

2. prohibits such operators from from engaging in targeted advertising, creating student profiles for purposes unrelated to school, or selling or disclosing student information, with some exceptions; and 

3. allows such operators to use student information and de-identified student information for purposes related to student learning or operational improvements.

Where to begin?

The first step is to determine whether your school or district plans to address this issue in-house, or is going to outsource this work. But regardless of who is doing the "work", it's time to get started and to know what is expected of you. 

  1. Conduct a comprehensive audit of all the online technologies currently being used in your district.
  2. Determine the safety, privacy and security of each online technology.
    1. Thoroughly read the privacy policies for each and every app & website being used in the classroom, and determine whether they meet state and district privacy requirements. 
    2. Be sure to address the following areas of concern: data collection, data usage, data deletion, data retention, data integrity. 
  3. Continually monitor privacy policies for changes.
  4. Determine a way to report your findings to parents, educators and administrators, alike.
_______________________________________________________________________

For school and district administrators looking for help with managing this process, be sure to check out Education Framework. 

Specializing in delivering superior student data privacy management solutions to schools and districts across the nation, Education Framework provides tools to help you get a handle on effectively and efficiently protecting student information.

Our automated privacy tools enable you to quickly and easily:

  1. Assess the safety and privacy of online technologies used in the classroom.
  2. Keep track of who is accessing student data and for what purposes.
  3. Communicate this information in a clear and concise way to parents. 

Best of all, these tools keep parents, educators, and administrators engaged, informed, and all communicating on the same page. 

SPECIAL PRICING FOR CT SCHOOLS & DISTRICTS >>>  

Now, through October 31, 2016, Connecticut schools and districts that request a quote will receive a 15% discount on Education Framework services. (minimums apply)

Please visit our website and sign up for a live demo today!


The Foundation of Protecting Student Privacy: Find a Way!

I recently came across a post by George Couros (@gcouros) that really struck a chord. 

It said:  "Somebody, somewhere, is doing the same thing you say you can't do. They are just finding a way."


This statement poignantly speaks the truth...especially when it comes to managing education technology and protecting student data privacy. 

It addresses the issue that times have changed and, so too, must our approach.

The associated article goes on to say that no longer is it acceptable to simply respond with: "This doesn't fit within our infrastructure." (a.k.a "no"), but, instead, to restructure the way that decisions are made for the organization by asking 4 simple questions:

1. What is best for the kids? 

2. How does this improve learning?

3. If we were to do ______________, what is the balance of risk vs. reward?

4. Is this serving the few or the majority?

Now let's consider these questions in terms of protecting student data privacy...

1. Does having a system in place to properly vet the apps and websites upfront help ensure that students, and their data, are safe, secure, private and protected? (i.e. Is this best for kids?) 

YES!

2. Does having the right technologies in the hands of students improve learning? 

YES!

3. If schools were to implement a procedure for protecting student data privacy, is there a balance of risk vs. reward?  

YES!

4. Does this sort of action affect the majority?  

YES!

When it comes to protecting student data privacy, it's important to seriously consider questions like these (among others) to determine whether the effort is worth the time and energy. 

And what is comes down to is that - yes! - investing in protecting student data privacy is a worthwhile effort, for the sake of the student and the school.  

And while this seems pretty logical and easy to understand, the reality is that many schools and districts are doing very little to, if nothing, to ensure student data privacy is protected. 

That's why I love this quote so much! It brilliantly addresses what it wrong with the system today. Some education leaders are willing to get to the source of the issue, while others, not-so-much.

The key point here is that in order to succeed, you must try, you must attempt, you must put one foot in front of the other. You must do something! 

And for every person that says it can't be done, someone, somewhere is doing it and proving that there is, in fact, a way. 

Find a way and making a difference!

(Beautifully, brilliantly said, George!)  

You can read his original post here >>

5 Great Questions to Ask to Help Protect Student Data Privacy

Technology has changed the way we teach, it has changed the way we communicate and it will continue to change the way we learn and grow.

But so has privacy.

No longer can we assume our children’s data is protected. We have to actually work to protect it. 

Protecting student data requires committing time, energy and resources towards the effort. It is an on-going and ever-evolving process that when applied correctly, provides real actionable insights.

Educators must remain vigilant in ensuring data privacy is protected, one app and website at a time. The sooner we acknowledge this, and act accordingly, the better off we will be.

The Digitalization of Education

The amount of online learning technologies available to students today is utterly astounding. Just look at iTunes, and you will see that they have literally tens of thousands of educational apps and websites available for immediate download.

Many of these technologies have true potential to make a difference and improve student outcomes. While others, if left unchecked, can pose real-life threats to students and schools.

It is now the responsibility of school and district leaders to determine which apps and websites are appropriate and safe for use in the classroom. But many are finding this to be quite a difficult task.

School and district leaders are adopting new learning technologies at breakneck speeds, and as a result, many are coming to the realization that not all apps and websites are created equal.

Thankfully, there are laws in place to help govern this process. However, the lack of accountability and enforcement is problematic. This kink in the system leaves many doors open to misuse and abuse, exposing students and schools to unnecessary risk.

This is a hard truth. And it needs to change.

Protecting student privacy is an on-going and ever-evolving process that demands time, attention and resources.

In order to protect student data, school leaders must proactively commit to protecting it.

It means reading through endless privacy policies, conducting privacy assessments for each and every online technology used in the classroom, and continuously monitoring those policies for changes.

It requires patience, and persistence, and time.

While this is becoming the new norm for educators and administrators, it is also a responsibility that many school and district leaders are struggling to get a handle on. Many are at a loss of where to even begin.

Protecting student privacy begins with knowledge and understanding.

Protecting student data starts with knowing what technologies are being used by students, understanding how each of the technologies are using the data, and acknowledging that you have control over which technologies make it into the hands of students.

No longer are we living in a time that it’s okay to blindly introduce new learning technologies into the classroom without first determining if they are safe to use. This means ensuring the data is secure and private for the life of its existence. So before an app or website should be approved, it needs to be thoroughly assessed.

Assessing online technologies takes a considerable amount of time and energy. However, when done correctly, assessments provide a wealth of knowledge and understanding about how the technology is being used.  

Knowledge is power. The more you get behind the data and understand what its intended use is, the better off you will be.

Protecting student privacy involves knowing what is going on with the data. 

Protecting student data starts with understanding the process, knowing what is expected of you, and asking the right questions. It also involves deciphering the data. 

Adopting new technologies typically begins with researching new apps and websites, determining their value, negotiating a deal, and ultimately signing a contract; creating a mutual legal agreement between buyer and seller laying out, in very specific terms, what is expected from both parties in black and white.

Good policies clearly define what is appropriate, and what is not when it comes to handling student information. And they include sound provisions to ensure student data is protected.

Privacy policies typically tell a story about the data. They contain nuggets of information that, when properly extracted and pieced together, reveal what is really going on with the data; how it is being used, by whom, for what purposes and for how long.

But getting to that information, making sense of it, and knowing how to keep track of it, is often far easier said than done. 

Assessing online technologies and reading through endless privacy policies is the kind of work that takes time, requires dedication and demands on-going attention. But when applied correctly, privacy assessments provide answers that help define what is really going on with the data.

Not sure of where to begin?

Start by taking stock of the learning technologies being used in your school, or district today. Determine which technologies are safe for use and which ones are not. Eliminate those that are risky or no longer needed. Monitor and repeat.

  • Conduct a technology audit.
  • Remove any technologies that are no longer in use, and eliminate any apps and website that might potentially pose threat or harm to students.
  • Monitor privacy policies for changes.
  • Repeat.

      Protecting student data privacy starts with asking the right questions.

When conducting privacy assessments, it is important to consider the following criteria: data privacy, data deletion, data security, data integrity, and data retention.

It also helps to  ask the right questions. 

Below, I have briefly outlined the 5 criteria that make up a privacy assessment. I have also included some great questions to ask when assessing online technologies for your school or district.

(While it's worth noting that these questions only represent a small sample of what really needs to be asked, they provide general guidance as to what you should be looking for.)


5 great questions to ask when assessing online technologies in school: 

1.       Data Privacy: The ability to keep track of data and understand what happens to it during its lifespan.

Ø  Example of a Data Privacy Question:


o   “What information is collected from students and for what purposes will it be used?”


2.       Data Deletion: The ability to remove data upon request.

                Ø  Example of a Data Deletion Question:

o   “Can parents review &/or delete the personal information collected from their children?”


3.       Data Security: The ability to protect the data from unwanted or unauthorized users.

Ø  Example of a Data Security Question:

o   “Are security policies and procedures in place to protect against risk? When student data is transferred, is it encrypted?”


4.       Data Integrity: The ability to maintain the accuracy & consistency of data over its entire life-cycle.

Ø  Example of a Data Integrity Question:

o   “Is student data backed up on a regular schedule?”


5.       Data Retention: The ability to understand that the data is only to be used for its intended educational purposes and should be otherwise disposed of when no longer needed. 

Ø  Example of a Data Retention Question:

o   “Will the data collected only be retained for as long as it serves an educational purpose?”


Protecting student privacy begins with knowing what is expected of you.

Designating someone to be responsible for reviewing privacy policies, conducting privacy assessments and monitoring policies for changes will help any school or district get ahead. 

In closing, I’ll leave you with some best practice recommendations for protecting student data privacy from The US Department of Education:

  •  When negotiating technology contracts, it’s important to pay close attention to the fine print.
  •  Make sure the agreement explicitly describes how the provider may use and share student data.
  •  Maintain awareness of other relevant federal, state, tribal, or local laws.
  •  Be aware of which online educational services are currently being used in your district.
  •  Have policies and procedures to evaluate and approve proposed online educational services.
  •  When possible, use a written contract or legal agreement.
  •  Know that extra steps are necessary when accepting Click-Wrap licenses for consumer apps.
  •  Be transparent with parents and students.
  •  Consider that parental consent may be appropriate.

Source: http://ptac.ed.gov/  

Privacy Assessments Suck (...But They Don't Have To!)



If the title resonates with you, then it is likely that you have a role in ensuring the privacy and security of online technologies in the classroom. I’m also guessing that it’s a task that you secretly loathe.

Its okay, don’t feel bad. You’re not alone. Privacy assessments suck. They do. They really do.

They are long, painstaking and seemingly never ending. But they are necessary. 

And despite their ability to nearly bore us to tears, privacy assessments play an important and integral role in protecting student data. They hold the answers to the questions that we seek deep within their folds. 

It’s getting to that information that is the true challenge.

Privacy Assessments Take Time  

The process of assessing online technologies is not difficult, but it’s also not particularly easy. 

More than anything, it’s time-consuming. 

Conducting a thorough assessment of a single app or website can take upwards of 30 minutes or more. Multiply that by the hundreds or thousands of apps a school or district uses, and you have an unrealistically difficult and labor-intensive mission before you.

The current go-to method involves spending countless hours reading through privacy policies (end user license agreements, terms of service contracts, etc.) to determine whether they fit the safety and privacy standards of a state, school or district. 

Efforts like these demand time, time and more time. And that is one thing that educators and administrators are already running short of.

But the work doesn’t stop here. The assessment is only the beginning.

Privacy Assessments Require Ongoing Maintenance 

Once apps and websites have been approved for usage in the classroom, they need to be added to a school or district-wide approved usage list. Then, they must be continuously managed, monitored, and maintained to make sure nothing has changed since the original agreement. 

This task, alone, takes a considerable amount of time and resources. But  it is a particularly important step in the process because app and website providers have the right to change their terms of service at a moment’s notice. Not understanding and/or recognizing this could potentially put students and schools at risk.

Thorough privacy assessments tell us exactly what we need to know. They create a visual map of what is happening with the data. They hold the keys to the answers we seek regarding data collection, data integrity, data retention and data deletion. 

Privacy Assessments Bring Value

Love them or hate them, privacy assessments bring real value to schools and districts. When applied correctly, they provide clarity and understanding. 

Assessments are helpful in creating a big picture view of what’s really going on in the classroom. They provide insight and knowledge, and bring transparency to the decision-making process. This, in turn, is extremely useful in making school and district curriculum improvements.

Keeping data safe, secure and protected involves keeping a close eye on it – from the moment it is created, through its’ entire life cycle, until it is no longer needed and ultimately disposed. Knowing and understanding what is happening with the data is is your best bet at regulating and controlling it. 

Determining how to do this, especially when dealing with multiple vendors for varying lengths of time is another challenge that educators and administrators are having to address. 

So if privacy assessments are so important, how can we minimize the pain of conducting them?

Answer: the right tools.

Privacy Assessment Management Tools Help

The shift in technology usage in schools has prompted a change in the way schools operate. No longer is it just about finding the latest and greatest learning tools for use in the classroom, but understanding whether they are safe for use by students. 

But the process to determine this is neither simple nor efficient. 

That's why we exist. 

At Education Framework, we specialize in helping educators and administrators better manage their student privacy obligations. We develop solutions that provide insight, understanding and actionable data that, in turn, lead to safer technology purchasing decisions.

And best of all, we do the privacy assessments for you! Each and every one of them. So instead of focusing your time on reading endless terms of service agreements, you can shift your attention to improving the quality and safety of the online technologies used in your school or district. 

With our tools, you can conduct assessments in a fraction of the time, understand the safety and privacy of apps and websites, monitor policies for changes, share analytics with other education leaders on your team, and most importantly, make school and district-wide improvements based upon the information you have at the ready. 

Our Privacy Quality Scoring System helps educators and administrators know, at-a-glance, the safety and privacy of apps and websites, and then dig deeper to fully understand the reasoning behind the scores they were given. Our Policy Change Monitor lets you know if and when a privacy policy has changed, so you can act accordingly and ensure student data privacy is protected at all times. 

Tools like these are extremely helpful in proactively protecting student data. Designed to simplify and streamline the process, they bring efficiency, transparency and accountability to the conversation. They also save countless hours and resources.

Conclusion

Privacy assessments play an extremely important role in protecting student data, but they demand time, commitment and dedicated resources. When approached correctly, they provide answers that help educators and administrators make safer technology decisions. 

Those education leaders that take the time and conduct thorough privacy assessments have a greater, more comprehensive understanding of the health and safety of the online technologies used in their school, and are better positioned to make informed decisions about technology usage in the classroom.

Utilizing the right tools also helps... and will certainly make the process a whole lot easier, saving you both time and money!

So if you're looking to save yourself the hassle and eliminate the suck that goes with conducting endless privacy assessments, contact us...we're here to help!

California Superintendents Tech for Schools Summit

Education Framework Inc. will be participating in the 2016 EdSurge California Superintendents Tech for Schools Summit
 
WHEN: Tuesday, July 26, 2016
7:30 am – 3:15 pm

WHERE: Computer History Museum
1401 N Shoreline Blvd.
Mountain View, CA 94043

The California Superintendents Summit is a state-wide event for senior education and IT administrators providing an inside track on emerging tech and trends. 

The focus of this particular event is on student data privacy (SOPIPA) and the Equity of Access with the new Williams Act Compliance, going digital and leaving no one behind, piloting products in schools and creating change around edtech.

Education Framework plans to share their student data privacy and parental consent solution, EdProtect, with interested attendees and discuss techniques that school and district leaders can use to simplify the student data privacy management process; saving time, money and increasing the safety and privacy of student data.

Interested in attending? Register here > (It's free for educators!) 

Bonus: There is also a welcome reception at Google the night before. 

WHERE: Google 
1345 Shorebird Way
Mountain View, CA 94043

WHEN: Monday, July 25, 2016
6:00 pm 

Hope to see you there!

What Is Student Data Privacy?


School and district leaders know they need to protect student data, but effectively adopting and implementing a student privacy plan that includes parent, educator, administrator and policymaker input and approval, is a lot easier said than done. Efforts like this require dedicated time, commitment, clearly defined roles, a concrete understanding of what student data privacy actually is, and if you're lucky, tools to help you get the job done right.


While there are a myriad of checklists, to-dos and best practice recommendations available to help educators and administrators up their game, there is still much uncertainty surrounding this issue. But it's no surprise considering that there is, ironically, no set definition for student data privacy. And despite it being a relatively self-explanatory term, it is still complex and more-often-than-not, fraught with confusion. 


To put it simply, student data privacy is the idea of safely, securely and privately introducing online technologies into the classroom - in the form of apps, websites, surveys, assessments, etc. - without risk of compromising personally identifiable student information (PII). But it also so much more than that. 


Student data is protected under federal law (COPPA, FERPA, PPRA) and requires thorough knowledge and understanding of data collection, data use, data retention, data deletion and data integrity for all online technologies used in a school or district. It means reading endless privacy policies to know precisely who has access to student data, for what purposes and for how long. And it demands ongoing maintenance and monitoring to ensure there haven’t been any changes to the privacy policies that could compromise PII.   

Knowledge is Power

Protecting student data privacy starts with knowing precisely what technologies are being used in the classroom. Conducting a comprehensive audit of the technologies currently in use is a necessary first step towards establishing a baseline understanding and gaining a big picture view of the technology usage in a school or district.

Once there is an understanding of what technology is being used in the classroom, the next step is to conduct a thorough privacy assessment for each and every online technology to ensure student data privacy is indeed private and protected. 

For many, this step can be quite daunting, especially when considering the sheer volume of online technologies available to schools today. But with the right tools, this process can be relatively straight-forward, simple and streamlined.

Education Framework Inc. tackles student data privacy with the goal of protecting student PII while providing a great resource for industry leaders to connect with parents and their communities.

The Rise of Student Data Privacy 

Student data privacy has been a rapidly growing administrative pain point over the past few years. The massive push for 1:1 and other digital learning initiatives are major factors in this, but the equally explosive growth of new learning technologies created by third party vendors has changed the way we view student privacy. No longer can we assume that student privacy is safe, secure and protected, especially when it can be accessed by so many different entities, at different capacities, for different periods of time. Because of this, it is imperative that education leaders establish user controls that determine precisely who has access to what student data, for what purposes and for how long.


Besides the exponential growth of technology in schools, it's worth noting that there are a few contributing factors that have led to the rise of student data privacy as an immediate and necessary need, all of which are tied to the increased usage of digital media and online technologies:


1. Parents are technologically savvy. Parents are technology users themselves, so naturally they’re becoming better acquainted with security and privacy issues, especially when it comes to online technologies and services they use every day.

Many parents, especially those that are actively involved in their child’s online usage at home, want to know precisely what technologies they are using in school. More importantly, they need reassurance that they’re child’s privacy is being considered and respected.

Parents want a window into their child’s technology usage in school. Providing a way to communicate this information in a clear and concise manner helps connect the dots and bring parents into the loop, engaging them in the privacy conversation. This approach goes a long way towards building trust, as it conveys that their point-of-view is valued.

2. Technology forces transparency. One of the most unique ways the Internet has affected our society is the quick transmission of information. Education leaders have never been more powerful or in a better position to make informed decisions than they are today. 

With the right tools and approach, educators and administrators can discover safe learning technologies for students, measure growth, use actionable data to make classroom, school or district-wide improvements, and communicate with parents and communities in a way for all to understand. 

Student data privacy is about accurately and authentically conveying what technologies are being used so that stakeholders, community leaders, and parents can easily understand the health, safety and vitality of a school or districts' student privacy efforts. It is also about providing reassurance that students, schools and districts are safe from risk.

Transparency engages all interested parties and allows everyone to work together towards a greater good. Automated student privacy protection is one way for school and district leaders to adopt transparency measures and gain greater control of student privacy efforts, without heavily increasing the administrative workload. Utilizing tools that do much of the work for you - in an open and transparent way - are helpful in saving time and ensuring student privacy is, in fact, protected.

3. The right tools make things a whole lot easier. Knowledge is one of the most powerful benefits of the Internet age. Twenty-five years ago, when there was no Internet, student privacy was hardly a consideration. When technology usage started to go mainstream, particularly in schools across the country and around the globe, we simply couldn’t fathom where we’d be today. But with all this technological growth and opportunity has come an overwhelming need to increase privacy protections.

Educational development is no longer only about exploring and discovering the best learning solutions for students, but it’s also about finding technologies that are safe for use in the classroom. 

Automated solutions are the best way to capitalize on this theory, which is why Education Framework Inc. exists. We help position school and district leaders as experts in managing student data privacy by providing services that produce information at the ready. With over 1100 (and counting) online technologies assessed to date, we’re able to help educators, administrators and IT leaders make quick, yet safe and informed technology decisions for the classroom. All while minimizing the risk of exposing student information.

Food for Thought 

While there are plenty of factors that have led to student privacy’s rising value, these macro elements are the key reasons why protecting student data privacy is more relevant and important than ever before. 

Educators, administrators and IT leaders who establish themselves as pioneers in this space are positioning themselves to be helpful resources for their communities and models for other education leaders to follow. More importantly, those that take the necessary steps to ensure privacy is protected will be education leaders that parents will appreciate and trust.

Transparency and the Art of Protecting Student Privacy | SEEN Magazine

I have written a thought leadership piece for SEEN Magazine that discusses the importance of transparency in protecting student privacy. For sake of brevity, I have posted an edited version below that hits on the finer points.


School improvement efforts have driven data collection to new and alarming heights in recent years. Many argue that data is essential for improving students’ achievement in schools and preparing them for success in life, while others feel this holds true only if privacy, safety and security considerations are integrated from the start and implemented throughout.

Data, when collected and used correctly, brings value to schools and students; when amassed in a cloak of secrecy, without clear and discernible goals, screams trouble. Transparency plays an important role in protecting student privacy. For schools, focusing on areas of safety, security and trust are key to implementing effective student privacy initiatives.

Data Collection And Privacy

Schools today collect and use student data for various purposes. The general understanding is that data helps teachers and administrators make informed decisions based on empirical evidence. In a nutshell, data helps educators determine what is working and what is not.

Safeguarding student information starts with establishing clear lines of communication and employing transparency measures from the get-go. In order to eliminate confusion and foster greater support for the overall effort, it is vital that school and district leaders share what they are doing in a way that’s upfront, open and honest. Additionally, providing the proper services, support and training gives students, parents, and educators the tools, knowledge and skills they need to confidently handle this new responsibility.

Transparency And Accountability

Parental backlash is a real and pressing issue that educators are grappling with these days. Widespread concerns over the extensive amounts of data being collected in schools by private and public agencies have prompted many parents to speak out in opposition. While some are demanding to know what information is being collected from students, others are seeking a clearer understanding of the intent, its safety, and its security.

As parents press for greater transparency, and lawmakers push for greater accountability, school and district administrators, IT directors and school board members are finding themselves uncomfortably caught in the crosshairs. This is forcing education leaders across the nation to quickly and seriously reconsider their current approach to managing student privacy.

Safety and security

The conversation surrounding student privacy often comes down to safety. Parents need assurance that their children are safe while at school, both physically and virtually. They want a greater understanding of what is going on in the classroom, what digital tools are being used, what information is being collected from them, for what purposes and for how long.

Schools are no exception. Focus on physical protection of students has come to include digital security protection against cyber threats and intrusions. In response, schools and districts are reallocating resources to ensure adequate safety and security systems are in place.

Trust And Understanding

Trust plays a key role in managing student privacy because it is the proverbial glue that binds everyone and everything together. When supported by trust, successful privacy initiatives are engaging, empowering and effective.

Building trust starts with providing clearly defined goals and objectives that serve as a guide to understanding. In order to believe in the vision, participants need a comprehensive understanding of the big picture. Providing this offers a sense of ownership and some semblance of control.

Takeaways

Protecting student data is an ongoing and continual effort that demands attention, communication, collaboration, cooperation and understanding on broad and comprehensive levels. Taking precautionary steps in advance, openly communicating privacy plans and employing transparency and accountability measures from the start will help ensure privacy is protected and students are safe.



Is Your School or District Really Protecting Student Data Privacy? Here’s How to Tell.


For all the talk about student privacy – what it is, how to protect it, why it matters – there’s one question that receives precious little attention: How do you quantify student privacy? How do you measure it? How do you know that you’re actually protecting student data, and you’re doing it “right”?

 

There are various answers to that question, some obviously more quantitative than others. But what it comes down to is being knowledgeable about the online technologies your students are using in the classroom, understanding how third party vendors are utilizing the data they have access to, and having the ability to communicate this information in a clear and concise manner - to parents, teachers, administrators, board members and policy makers, alike.

 

This process starts with understanding what online technologies your students are using and whether or not they are safely protecting student data privacy.

 

Keep Tabs on Technology Usage in Schools

 

Today’s students use hundreds of different apps, websites and programs in school, and while the potential for growth and development is tremendous, keeping track of all this information can be a mountainous load of work.

 

Understanding whether an app or website is safe for students first involves knowing what the third party vendor does with the data they collect, how they store it, whether or not they share it, and ultimately how they plan to dispose of it.

 

This type of review needs to happen for each and every online technology (app, website, program…) suggested for use in the classroom before it is ever approved for use by students. And once it has been determined that it is safe for use in the classroom, continual monitoring is necessary so you know if and when privacy policies change - which they can, and often do.

 

Yet despite this being the cornerstone to protecting student privacy, it’s often viewed as a burdensome task that nobody wants to do. But the fact remains that in order to properly protect student data, somebody has to commit to proactively protecting it, in an ongoing, full-time, administrative capacity.  

 

Understanding that and focusing on a few key factors can help any school or district get ahead.

 

Know Where You Stand

 

Properly assessing online technologies, continuously vetting third party vendors, and giving educators the tools they need to make informed technology decisions are all efforts that minimize the risk of inadvertently exposing student data to misuse or abuse.

 

And while conducting a comprehensive audit of technology usage is a solid first step towards understanding the health and vitality of your privacy initiatives, creating an ongoing list of the apps and websites used in the classroom, keeping track of the online technologies used by students, and regularly monitoring them for changes are all proactive efforts to will help to better protect student data privacy.

 

The next step is to conduct a thorough privacy assessment for each online learning technology to establish a general understanding of the individual safety, security and privacy of the apps and websites currently in use. Those apps and websites that meet the necessary requirements can be approved for usage in the classroom, while those that fail to meet state, federal or district privacy requirements should either be removed or further assessed before they are allowed to be used by students. But it's worth noting that in certain instances, technologies that fall short of certain mandates may still be used in the classroom, they just need to have signed parental consent in order to do so legally. 


Considering the importance of parental approval, it’s wise for schools and districts to have defined method in place to distribute, collect, store and retrieve information in an orderly and timely manner. Knowing precisely what data is being used, by whom and for what purpose enables you see the big picture, to take charge of your privacy initiatives, and to establish control when and where it is most needed.

 

Regularly Monitor Online Technology Usage

 

Keeping up with the demands of student privacy can be a lot for schools to take on. Understanding the safety and privacy of online technologies is often a full-time job, in and of itself. So it’s important to remember that protecting student data privacy is an ongoing effort that requires regular checks and balances. Because companies often alter their contracts after the fact - leaving student data exposed for misuse or abuse - remembering to regularly monitor policies for changes is an important part of properly protecting student data.

 

One option is to implement solutions that utilize automation to do much of the work for you. By automating the privacy process, schools and districts can observe, monitor and adjust accordingly, making improvements based on real-time actionable data. Through the use of student privacy analytic tools, educators are better positioned to understand the safety and security of their student privacy efforts and can quickly and easily plan for change based on the information available.


A bit less formally, but no less importantly, there are some key qualities that define a truly proactive student privacy initiative —and if you want to know what kind of progress you’re making when it comes to protecting student privacy, looking for these qualities can be a good beginning.


Here are some ways you can tell that your organization has achieved a healthy measure of privacy protection:


1. You have a clearly defined, year-round strategy in place. 


Start by asking yourself this question: Is student privacy something you push hard for a week or two a year, but keep on the back burner for the rest of the time? Or do you have a full-time privacy plan in place that helps direct your privacy initiatives and drive successful outcomes?


How regularly do you review third party vendor contracts to ensure they haven’t changed their terms of service agreements? Is it something you address every so often, once or twice a year, or possibly not at all? Or do you have a system in place that monitors third party vendor contracts for changes on a regular on-going basis, enabling you to know immediately if and when a change occurs?


Answering questions like these, establishing plans and procedures, and communicating what is going to parents reveals much about a school or districts’ intentions, priorities, and potential protection level.


2. You engage parents in the privacy conversation.


Is parental engagement part of your plan? Do you have a way to communicate what apps and websites are being used by their children in the classroom? Do you have a way to obtain parental consent, particularly for those schools and districts with students 13 and under? And do you have a method in place to quickly and easily retrieve information at a moment’s notice when requested by a parent?


Providing a method to engage parents in the privacy conversation helps keep them current with what is happening in the classroom and informed about their child’s technology usage while at school.


Transparency and accountability measures, such as these, go a long way towards eliminating unnecessary worries and building trust with parents and schools.


3. You have formal structures in place to check for privacy. 


Remember the student privacy analytic tools I mentioned above? Well, having a program in place that keeps track of all the apps and websites used by students is a sound way to better understand the technology usage in the classroom.


Knowing the privacy of online learning technologies used by students in schools offers an added level of safety and security, and provides an extraordinary level of insight into the effectiveness of your technology initiatives.  


4. You have a formal method to obtain parental consent. 


In addition to having access to a library of apps and websites safe for use, educators often need a way to obtain parental consent when using certain technologies in the classroom. Of course this, along with all the other items listed above can be done manually, but for those education leaders that really want to get ahead, deploying a paperless, digital solution is really the most efficient and effective way to go.


By eliminating the paper pushing processes of the past, schools and districts now have a safe and sustainable method to obtain, store and retrieve parental consent with the click of a button. While utilizing paper forms is an acceptable method, online, paperless options are far less wasteful and easier keep track of. 


5. You know why student privacy matters. 


A final consideration: Do you know why protecting student privacy is so important? Do you have a clearly defined plan in place to protect your students and your school that breaks down exactly what you’re trying to achieve?


Having a clear sense of goals and expectations is critical to achieving successful privacy outcomes. Understanding what you want to do, how you plan to do it, and who is going to help you along the way are all hallmarks of a solid student privacy plan.


Bottom Line


Whether you working towards improving your current system, or are just looking for ways to affect change, start by answering these kinds of questions to ensure you are on the right track.


Establish a plan, be knowledgeable about the online technologies your students are using in the classroom, understand how third party vendors are utilizing the data they have access to, and have a way to quickly and easily communicate this information to parents in a clear and concise manner. Following these steps will help your school or district get ahead when it comes to protecting student privacy.


Does your student privacy initiative have the hallmarks of success? As a student data privacy advocate, I know that this is a topic many education leaders are wrestling with. I hope you find this quick checklist to be helpful!


Do You Think Student Data is Protected? Think Again!

As student data privacy continues its moment in the spotlight, a darker reality often exists behind the scenes: one where school districts treat information security, privacy and compliance as a reactionary afterthought; where data governance programs are not properly established or implemented; where security controls are lacking; and where third party vendors are not appropriately vetted for privacy assurances.

Despite this sounding like the making of a bad after school special, this is happening in schools and districts all across the nation. Too little is being done to protect student information, exposing our students and schools to unnecessary risk.

Case in point…

The Missouri State Auditor recently conducted a comprehensive analysis of a local school district to better understand their position when it comes to protecting student information. What they discovered was failure across the board.  

The Boonville R-1 School District Student Data Governance Audit was completed as part of the Cyber Aware School Audits Initiative and designed to assess the effectiveness of privacy and security controls, with a focus on identifying practices that improve the security of information school districts have on students and their families.  

The thorough audit was conducted in response to increasing concern for protecting the security and privacy of information schools maintain on students, coupled with the continued emergence of cyber threats.

Based on six core criteria, the audit was intended to evaluate 1.) The effectiveness of privacy plans and controls for safeguarding personally identifiable information (PII); 2.) The effectiveness of information security controls for protecting the confidentiality, integrity, and availability of systems; and 3.) The effectiveness of compliance.

Listed below are the findings from the audit, the associated risk for non-compliance, and recommendations for improvement provided by the Missouri State Auditor’s office:  


1.  DATA GOVERNANCE

 

ASSESSMENT: The district has not established a comprehensive data governance program, therefore being unable to ensure PII is adequately protected and safe from unauthorized access, misuse, or inadvertent disclosure.

 

RISK: Without a formal program, the district cannot ensure that PII is adequately protected and safe from unauthorized access, misuse, or inadvertent disclosure.

 

RECOMMENDATION: The district should establish and implement a formal data governance program encompassing the full life cycle of data, from acquisition to use to disposal.

 

2.  SECURITY CONTROLS

 

ASSESSMENT: The district has not implemented necessary security controls, leaving technology assets, including PII at risk of inappropriate access, use and disclosure.

 

RISK: Without documented and approved policies and procedures, management lacks assurance that security controls are appropriate and properly applied.

 

RECOMMENDATION: The district should formally appoint a security administrator, ensure passwords are periodically changed, establish access control policies and procedures, formally document responsibility for physical protection of technology resources, and fully document and periodically review security policies and procedures.

 

3.  USER ACCOUNTS

 

ASSESSMENT: The district has not fully established controls for creating and maintaining user accounts for accessing system resources.

 

RISK: Without appropriate account access policies and procedures, users may be granted inappropriate or unauthorized access, which can provide opportunities for misuse or inappropriate disclosure of sensitive data.

 

RECOMMENDATION: The district should establish and document formal policies and procedures, periodically monitor user accounts and user access to data to ensure rights remain appropriate.

 

4.  INCIDENT RESPONSE & CONTINUITY PLANNING

 

ASSESSMENT: The district has not taken all the necessary measures to protect data in the event of a breach or other disruptive incident. It does not have a complete incident response plan, has not adopted a formal data breach response policy, and has not fully documented and tested a continuity plan.

 

RISK: Without comprehensive incident response and breach-related policies, management may not be able to respond quickly and effectively. And without a tested and functional continuity plan, management has limited assurance the organization’s business functions and computer processing can be sustained.

 

RECOMMENDATION: The district should establish and document an incident response plan, formally document and adopt a comprehensive data breach response policy, to promote an appropriate response in the event of a breach, develop a continuity plan, formally assign responsibilities, and run periodically tests of the plan.

 

5.  SECURITY AWARENESS PROGRAM

 

ASSESSMENT: The district has not established a formal security and privacy awareness training program.

 

RISK: Without adequate training, users may not understand system security risks and their role in implementing related policies and controls to mitigate those risks.

 

RECOMMENDATION: The district should establish a formal security and privacy awareness training program, because those with proper security and privacy awareness training and clear communication of data and device use policies, can become the first line of defense against cybersecurity incidents.

 

6.   VENDOR MONITORING

 

ASSESSMENT: The district has not established a process for ensuring software acquired or outsourced from information technology vendors complies with data security principles. Additionally, the district is unable to locate a written contract with the vendor of one of its key systems.

 

RISK: Without an effective process for monitoring and managing risk and software acquisition or outsourcing, the district has less assurance in a vendor’s ability to deliver services effectively, securely and reliably, and to ensure that services meet current and future data privacy and security needs.

 

RECOMMENDATION: The district should develop procedures to formally monitor information technology vendors have access to, to ensure the district’s data is properly protected and the vendor acts in accordance with contract terms and conditions.


CONCLUSION 

While this audit casts a negative light on a single district, it illuminates the reality of what is really going on in schools and districts across the nation, and it shows the unfortunate truth of how student information is regularly exposed.

By establishing and implementing the proper plans and procedures, schools and districts that proactively protect student privacy are better poised for success. In contrast, assuming it will take care of itself is a recipe for disaster.

As technology usage advances in schools, increased risk of PII being compromised and exposed is a real and ever-present danger. The need to protect information against cyber threats and misuse is increasingly important, and school districts need to do more to ensure student information is safe, private, secure and protected.

Note: After failing on all six counts, the Boonville R-1 School District has addressed their areas of weakness and have issued an action response to remedy their shortcomings. Read the full audit here >>  

EdProtect by Education Framework [VIDEO]


At Education Framework, we specialize in developing student data privacy and paperless consent services for U.S. K-12 schools and districts. 

Because we believe that every student has a right to privacy while using online learning technologies in school.

We believe that school and district leaders need a safe and secure method to manage the privacy and parental consent process. And that parents have a right to know what technologies their children are using in the classroom.

Everything we do is with the intent of improving systems, simplifying processes, minimizing waste and most importantly, protecting students.

Because we believe in a simpler way.

At Education Framework, we develop 21st Century consent & student data privacy solutions that provide safety, security and peace-of-mind for parents, students, schools and districts alike. 

Our solutions provide knowledge and understanding to help educators make informed decisions about technology usage in the classroom.

EdProtect, an all-in-one student data privacy & paperless consent manager simplifies and streamlines the process from end-to-end, providing comprehensive safety and protection for schools and districts across the nation. It also helps you to better understand the health and safety of your student privacy initiatives.

EdProtect enables you to quickly and easily determine the safety of apps and websites used in your district. It allows you to track and monitor technology usage in the classroom, set parameters, establish privacy guidelines for your staff to follow, and communicate information in a clear and concise manner. 

EdProtect also helps you to track, organize and store responses in a systematic way. And it allows for easy recovery of information when requested. 

It eliminates wasteful paper permissions of the past, and it ensures schools are compliant with Federal regulations of the present, like COPPA & FERPA.

EdProtect rates, reviews, and assesses the safety and privacy of each and every app & website used in your school or district. And it continuously monitors privacy policies so you know immediately if and when a change occurs. 

EdProtect opens lines of communication between parents, teachers and administrators, and it provides transparency and accountability for schools looking to establish greater controls. 

EdProtect is really designed to do it all... for you!

It’s a student privacy manager and a communication tool, in one.

It engages parents. It empowers teachers. And it acts as a governance tool for administrators and IT leaders looking to establish guidelines that align with school & district privacy initiatives.

It’s an easy-to-use, ultra-secure and cost-effective solution that helps educators make informed decisions about technology usage in the classroom.

Through the use of privacy analytics, EdProtect offers a window into the health and vitality of your school or district's student privacy efforts.

It produces actionable data to make continuous improvements. 

It brings parents into the privacy conversation. It clearly communicates what apps and websites are being used by their children in the classroom. And it allows you to obtain consent when necessary.

EdProtect provides a level of control and understanding unparalleled to any other service of its kind on the market. 

One feature that makes it so great is the Privacy Quality Scoring System.

This 5-point rating system helps teachers and administrators know at-a-glance the safety and privacy of the apps and websites use in school. 

The scoring system provides a quick glance number rating, but it also provides a detailed description, so you know  EXACTLY why it scored the way it did.

All scoring is done internally by Education Framework staff, so you don’t have to think about reading the privacy policies for each and every app and website used in your school or district. 

EdProtect gives educators the knowledge they need to make informed decisions.

By utilizing this approach, schools and districts eliminate the risk of inadvertently adopting unsafe technologies in the classroom...and putting schools, districts and students in jeopardy. It also minimizes the bottleneck that often occurs when waiting for technology approvals.

EdProtect manages the process for you from start to finish. 

It is a streamlined and sustainable solution that saves time and money, not to mention countless headaches.

It provides safety, security and peace-of-mind when utilizing online technologies in schools, and helps educators, administrators and parents gain a better understanding of technology usage by students in schools. 

Please visit our website where you can learn more about our services. Read our blog (which you are, so thank you!). And sign up for a free live demo to see if EdProtect is right for you.

WWW.EDUCATIONFRAMEWORK.COM