Education Framework Blog

Focused on the Future of Education in America

Privacy Assessments Suck (...But They Don't Have To!)



If the title resonates with you, then it is likely that you have a role in ensuring the privacy and security of online technologies in the classroom. I’m also guessing that it’s a task that you secretly loathe.

Its okay, don’t feel bad. You’re not alone. Privacy assessments suck. They do. They really do.

They are long, painstaking and seemingly never ending. But they are necessary. 

And despite their ability to nearly bore us to tears, privacy assessments play an important and integral role in protecting student data. They hold the answers to the questions that we seek deep within their folds. 

It’s getting to that information that is the true challenge.

Privacy Assessments Take Time  

The process of assessing online technologies is not difficult, but it’s also not particularly easy. 

More than anything, it’s time-consuming. 

Conducting a thorough assessment of a single app or website can take upwards of 30 minutes or more. Multiply that by the hundreds or thousands of apps a school or district uses, and you have an unrealistically difficult and labor-intensive mission before you.

The current go-to method involves spending countless hours reading through privacy policies (end user license agreements, terms of service contracts, etc.) to determine whether they fit the safety and privacy standards of a state, school or district. 

Efforts like these demand time, time and more time. And that is one thing that educators and administrators are already running short of.

But the work doesn’t stop here. The assessment is only the beginning.

Privacy Assessments Require Ongoing Maintenance 

Once apps and websites have been approved for usage in the classroom, they need to be added to a school or district-wide approved usage list. Then, they must be continuously managed, monitored, and maintained to make sure nothing has changed since the original agreement. 

This task, alone, takes a considerable amount of time and resources. But  it is a particularly important step in the process because app and website providers have the right to change their terms of service at a moment’s notice. Not understanding and/or recognizing this could potentially put students and schools at risk.

Thorough privacy assessments tell us exactly what we need to know. They create a visual map of what is happening with the data. They hold the keys to the answers we seek regarding data collection, data integrity, data retention and data deletion. 

Privacy Assessments Bring Value

Love them or hate them, privacy assessments bring real value to schools and districts. When applied correctly, they provide clarity and understanding. 

Assessments are helpful in creating a big picture view of what’s really going on in the classroom. They provide insight and knowledge, and bring transparency to the decision-making process. This, in turn, is extremely useful in making school and district curriculum improvements.

Keeping data safe, secure and protected involves keeping a close eye on it – from the moment it is created, through its’ entire life cycle, until it is no longer needed and ultimately disposed. Knowing and understanding what is happening with the data is is your best bet at regulating and controlling it. 

Determining how to do this, especially when dealing with multiple vendors for varying lengths of time is another challenge that educators and administrators are having to address. 

So if privacy assessments are so important, how can we minimize the pain of conducting them?

Answer: the right tools.

Privacy Assessment Management Tools Help

The shift in technology usage in schools has prompted a change in the way schools operate. No longer is it just about finding the latest and greatest learning tools for use in the classroom, but understanding whether they are safe for use by students. 

But the process to determine this is neither simple nor efficient. 

That's why we exist. 

At Education Framework, we specialize in helping educators and administrators better manage their student privacy obligations. We develop solutions that provide insight, understanding and actionable data that, in turn, lead to safer technology purchasing decisions.

And best of all, we do the privacy assessments for you! Each and every one of them. So instead of focusing your time on reading endless terms of service agreements, you can shift your attention to improving the quality and safety of the online technologies used in your school or district. 

With our tools, you can conduct assessments in a fraction of the time, understand the safety and privacy of apps and websites, monitor policies for changes, share analytics with other education leaders on your team, and most importantly, make school and district-wide improvements based upon the information you have at the ready. 

Our Privacy Quality Scoring System helps educators and administrators know, at-a-glance, the safety and privacy of apps and websites, and then dig deeper to fully understand the reasoning behind the scores they were given. Our Policy Change Monitor lets you know if and when a privacy policy has changed, so you can act accordingly and ensure student data privacy is protected at all times. 

Tools like these are extremely helpful in proactively protecting student data. Designed to simplify and streamline the process, they bring efficiency, transparency and accountability to the conversation. They also save countless hours and resources.

Conclusion

Privacy assessments play an extremely important role in protecting student data, but they demand time, commitment and dedicated resources. When approached correctly, they provide answers that help educators and administrators make safer technology decisions. 

Those education leaders that take the time and conduct thorough privacy assessments have a greater, more comprehensive understanding of the health and safety of the online technologies used in their school, and are better positioned to make informed decisions about technology usage in the classroom.

Utilizing the right tools also helps... and will certainly make the process a whole lot easier, saving you both time and money!

So if you're looking to save yourself the hassle and eliminate the suck that goes with conducting endless privacy assessments, contact us...we're here to help!

Transparency and the Art of Protecting Student Privacy | SEEN Magazine

I have written a thought leadership piece for SEEN Magazine that discusses the importance of transparency in protecting student privacy. For sake of brevity, I have posted an edited version below that hits on the finer points.


School improvement efforts have driven data collection to new and alarming heights in recent years. Many argue that data is essential for improving students’ achievement in schools and preparing them for success in life, while others feel this holds true only if privacy, safety and security considerations are integrated from the start and implemented throughout.

Data, when collected and used correctly, brings value to schools and students; when amassed in a cloak of secrecy, without clear and discernible goals, screams trouble. Transparency plays an important role in protecting student privacy. For schools, focusing on areas of safety, security and trust are key to implementing effective student privacy initiatives.

Data Collection And Privacy

Schools today collect and use student data for various purposes. The general understanding is that data helps teachers and administrators make informed decisions based on empirical evidence. In a nutshell, data helps educators determine what is working and what is not.

Safeguarding student information starts with establishing clear lines of communication and employing transparency measures from the get-go. In order to eliminate confusion and foster greater support for the overall effort, it is vital that school and district leaders share what they are doing in a way that’s upfront, open and honest. Additionally, providing the proper services, support and training gives students, parents, and educators the tools, knowledge and skills they need to confidently handle this new responsibility.

Transparency And Accountability

Parental backlash is a real and pressing issue that educators are grappling with these days. Widespread concerns over the extensive amounts of data being collected in schools by private and public agencies have prompted many parents to speak out in opposition. While some are demanding to know what information is being collected from students, others are seeking a clearer understanding of the intent, its safety, and its security.

As parents press for greater transparency, and lawmakers push for greater accountability, school and district administrators, IT directors and school board members are finding themselves uncomfortably caught in the crosshairs. This is forcing education leaders across the nation to quickly and seriously reconsider their current approach to managing student privacy.

Safety and security

The conversation surrounding student privacy often comes down to safety. Parents need assurance that their children are safe while at school, both physically and virtually. They want a greater understanding of what is going on in the classroom, what digital tools are being used, what information is being collected from them, for what purposes and for how long.

Schools are no exception. Focus on physical protection of students has come to include digital security protection against cyber threats and intrusions. In response, schools and districts are reallocating resources to ensure adequate safety and security systems are in place.

Trust And Understanding

Trust plays a key role in managing student privacy because it is the proverbial glue that binds everyone and everything together. When supported by trust, successful privacy initiatives are engaging, empowering and effective.

Building trust starts with providing clearly defined goals and objectives that serve as a guide to understanding. In order to believe in the vision, participants need a comprehensive understanding of the big picture. Providing this offers a sense of ownership and some semblance of control.

Takeaways

Protecting student data is an ongoing and continual effort that demands attention, communication, collaboration, cooperation and understanding on broad and comprehensive levels. Taking precautionary steps in advance, openly communicating privacy plans and employing transparency and accountability measures from the start will help ensure privacy is protected and students are safe.



Is Your School or District Really Protecting Student Data Privacy? Here’s How to Tell.


For all the talk about student privacy – what it is, how to protect it, why it matters – there’s one question that receives precious little attention: How do you quantify student privacy? How do you measure it? How do you know that you’re actually protecting student data, and you’re doing it “right”?

 

There are various answers to that question, some obviously more quantitative than others. But what it comes down to is being knowledgeable about the online technologies your students are using in the classroom, understanding how third party vendors are utilizing the data they have access to, and having the ability to communicate this information in a clear and concise manner - to parents, teachers, administrators, board members and policy makers, alike.

 

This process starts with understanding what online technologies your students are using and whether or not they are safely protecting student data privacy.

 

Keep Tabs on Technology Usage in Schools

 

Today’s students use hundreds of different apps, websites and programs in school, and while the potential for growth and development is tremendous, keeping track of all this information can be a mountainous load of work.

 

Understanding whether an app or website is safe for students first involves knowing what the third party vendor does with the data they collect, how they store it, whether or not they share it, and ultimately how they plan to dispose of it.

 

This type of review needs to happen for each and every online technology (app, website, program…) suggested for use in the classroom before it is ever approved for use by students. And once it has been determined that it is safe for use in the classroom, continual monitoring is necessary so you know if and when privacy policies change - which they can, and often do.

 

Yet despite this being the cornerstone to protecting student privacy, it’s often viewed as a burdensome task that nobody wants to do. But the fact remains that in order to properly protect student data, somebody has to commit to proactively protecting it, in an ongoing, full-time, administrative capacity.  

 

Understanding that and focusing on a few key factors can help any school or district get ahead.

 

Know Where You Stand

 

Properly assessing online technologies, continuously vetting third party vendors, and giving educators the tools they need to make informed technology decisions are all efforts that minimize the risk of inadvertently exposing student data to misuse or abuse.

 

And while conducting a comprehensive audit of technology usage is a solid first step towards understanding the health and vitality of your privacy initiatives, creating an ongoing list of the apps and websites used in the classroom, keeping track of the online technologies used by students, and regularly monitoring them for changes are all proactive efforts to will help to better protect student data privacy.

 

The next step is to conduct a thorough privacy assessment for each online learning technology to establish a general understanding of the individual safety, security and privacy of the apps and websites currently in use. Those apps and websites that meet the necessary requirements can be approved for usage in the classroom, while those that fail to meet state, federal or district privacy requirements should either be removed or further assessed before they are allowed to be used by students. But it's worth noting that in certain instances, technologies that fall short of certain mandates may still be used in the classroom, they just need to have signed parental consent in order to do so legally. 


Considering the importance of parental approval, it’s wise for schools and districts to have defined method in place to distribute, collect, store and retrieve information in an orderly and timely manner. Knowing precisely what data is being used, by whom and for what purpose enables you see the big picture, to take charge of your privacy initiatives, and to establish control when and where it is most needed.

 

Regularly Monitor Online Technology Usage

 

Keeping up with the demands of student privacy can be a lot for schools to take on. Understanding the safety and privacy of online technologies is often a full-time job, in and of itself. So it’s important to remember that protecting student data privacy is an ongoing effort that requires regular checks and balances. Because companies often alter their contracts after the fact - leaving student data exposed for misuse or abuse - remembering to regularly monitor policies for changes is an important part of properly protecting student data.

 

One option is to implement solutions that utilize automation to do much of the work for you. By automating the privacy process, schools and districts can observe, monitor and adjust accordingly, making improvements based on real-time actionable data. Through the use of student privacy analytic tools, educators are better positioned to understand the safety and security of their student privacy efforts and can quickly and easily plan for change based on the information available.


A bit less formally, but no less importantly, there are some key qualities that define a truly proactive student privacy initiative —and if you want to know what kind of progress you’re making when it comes to protecting student privacy, looking for these qualities can be a good beginning.


Here are some ways you can tell that your organization has achieved a healthy measure of privacy protection:


1. You have a clearly defined, year-round strategy in place. 


Start by asking yourself this question: Is student privacy something you push hard for a week or two a year, but keep on the back burner for the rest of the time? Or do you have a full-time privacy plan in place that helps direct your privacy initiatives and drive successful outcomes?


How regularly do you review third party vendor contracts to ensure they haven’t changed their terms of service agreements? Is it something you address every so often, once or twice a year, or possibly not at all? Or do you have a system in place that monitors third party vendor contracts for changes on a regular on-going basis, enabling you to know immediately if and when a change occurs?


Answering questions like these, establishing plans and procedures, and communicating what is going to parents reveals much about a school or districts’ intentions, priorities, and potential protection level.


2. You engage parents in the privacy conversation.


Is parental engagement part of your plan? Do you have a way to communicate what apps and websites are being used by their children in the classroom? Do you have a way to obtain parental consent, particularly for those schools and districts with students 13 and under? And do you have a method in place to quickly and easily retrieve information at a moment’s notice when requested by a parent?


Providing a method to engage parents in the privacy conversation helps keep them current with what is happening in the classroom and informed about their child’s technology usage while at school.


Transparency and accountability measures, such as these, go a long way towards eliminating unnecessary worries and building trust with parents and schools.


3. You have formal structures in place to check for privacy. 


Remember the student privacy analytic tools I mentioned above? Well, having a program in place that keeps track of all the apps and websites used by students is a sound way to better understand the technology usage in the classroom.


Knowing the privacy of online learning technologies used by students in schools offers an added level of safety and security, and provides an extraordinary level of insight into the effectiveness of your technology initiatives.  


4. You have a formal method to obtain parental consent. 


In addition to having access to a library of apps and websites safe for use, educators often need a way to obtain parental consent when using certain technologies in the classroom. Of course this, along with all the other items listed above can be done manually, but for those education leaders that really want to get ahead, deploying a paperless, digital solution is really the most efficient and effective way to go.


By eliminating the paper pushing processes of the past, schools and districts now have a safe and sustainable method to obtain, store and retrieve parental consent with the click of a button. While utilizing paper forms is an acceptable method, online, paperless options are far less wasteful and easier keep track of. 


5. You know why student privacy matters. 


A final consideration: Do you know why protecting student privacy is so important? Do you have a clearly defined plan in place to protect your students and your school that breaks down exactly what you’re trying to achieve?


Having a clear sense of goals and expectations is critical to achieving successful privacy outcomes. Understanding what you want to do, how you plan to do it, and who is going to help you along the way are all hallmarks of a solid student privacy plan.


Bottom Line


Whether you working towards improving your current system, or are just looking for ways to affect change, start by answering these kinds of questions to ensure you are on the right track.


Establish a plan, be knowledgeable about the online technologies your students are using in the classroom, understand how third party vendors are utilizing the data they have access to, and have a way to quickly and easily communicate this information to parents in a clear and concise manner. Following these steps will help your school or district get ahead when it comes to protecting student privacy.


Does your student privacy initiative have the hallmarks of success? As a student data privacy advocate, I know that this is a topic many education leaders are wrestling with. I hope you find this quick checklist to be helpful!


Education Framework Joins SchoolMessenger Ecosystem Partner Program


We are happy to announce that we have joined the SchoolMessenger Ecosystem Partner Program.

To support schools and districts as they select and deploy web-based education products and services, West Corporation, a leading provider of technology-enabled communication services, announced four new partners in their SchoolMessenger Ecosystem Program. Education Framework's student data privacy and parental consent solution, EdProtect was among the listed, along with Hero by HeroK12, Professional Learning Maps and EduVision by JDL Horizons. 

The Ecosystem is built into SchoolMessenger Passport, West’s Education group’s free single sign-on product for districts. Introduced in fall 2015, SchoolMessenger Passport allows districts to provide teachers, staff, parents and students with quick and secure access to online learning applications, open educational resources (OER), and a variety of school management and administration software programs using single sign-on (SSO). That means each individual only has to remember one user ID and password to log into multiple district-approved educational resources, including SchoolMessenger products.

Both the free standard and paid premium versions of Passport include a catalog of “product connectors” that enable SSO to popular web-based services. Through the SchoolMessenger Ecosystem Program, companies can highlight additional services they can provide, such as allowing schools to use one-click account provisioning tools within the Passport catalog.


Author's Note: We are thrilled by this opportunity because it enables schools and districts to quickly and easily utilize the paperless parental consent and automated student data privacy services that we provide. Think of EdProtect as a "plug-in"  that extends the communication functionality of SchoolMessenger. 

The Importance of Automation in Protecting Student Data Privacy


If you visit Apple’s iPad in Education page one of the first things you’ll see is this: 

“The App Store features over 80,000 education apps — designed especially for iPad — that cover a wide range of subjects for every grade level and learning style.”

Over 80,000 apps.

Now, unless your district is the one district in the country with an IT department and teachers with a whole lot of time on their hands, your staff doesn’t have the time to go through each app and countless websites to ensure their student data privacy policies are up to your district’s requirements.

 A mish-mash of federal laws, state and local laws, industry standards and each app company writing their own rules make it even harder to know that what you’re agreeing to fulfills your present legal requirement.

Short of reading hundreds or even thousands of Terms of Services for each app and website your teachers use, you have no idea how apps are storing your data, what information they are collecting, when they delete it, or who has final say over the data.

It can take 20 minutes or more to read, complete and approve one policy for one app or website. 

Multiply that by the thousands of apps and websites a district with multiple schools over twelve grade levels can use and you can see how this can quickly turn into hundreds of hours of work. 

Add the task of monitoring policies for changes and reassessing approval when there is a change and the task becomes a full-time job. 

Finally, expecting that person to also keep up with changing legislation and understanding the nuances in legal language and it becomes impossible. 

The result right now is many districts just not doing the work, putting their student data at risk for abuse and their schools at risk for litigation.

Of course, there’s a smarter way: automation. 

By automating the approval process for student privacy, you free up hours of time while knowing the job is getting done correctly.

EdProtect by Education Framework is one such solution that automates the entire process for you, taking the guesswork out of managing student privacy. 

This approach ensures student data privacy compliance for you by analyzing the apps and websites your district uses and monitoring their privacy policies to see if they are aligned with the standards you set. 

When an app policy or the law changes, EdProtect lets you know in plain language if the app is no longer in compliance, giving you the opportunity to keep using the app or not.

What would need to be a full-time job to do well can be done by our software automatically in the background, alerting you only when you need to make a decision. 

With EdProtect, teachers, administrators, and parents know exactly how student data is being used in schools, ensuring complete compliance with all laws and peace of mind for all involved. 

As student data privacy become more and more both the expected standard and the legal requirement, automation of student data privacy policy management is the best and perhaps only way to ensure complete compliance, provide transparency for parents, and reduce the risk of fines from the misuse of student information.

Now is the time to make a commitment to protecting student data. 

Get started today with our FREE Policy Change Monitor, and learn more about how EdProtect makes protecting your students simple


Education Framework gets iKeepSafe FERPA Privacy Badge


Thrilled to share that iKeepSafe, a leading digital safety and privacy nonprofit organization, has awarded Education Framework with the FERPA Privacy Badge for our student data privacy and parental consent solution, EdProtect

The iKeepSafe FERPA Privacy Badge is the first independent assessment program for the Family Educational Rights and Privacy Act, and seeks to help educators and parents identify edtech services and tools that protect student data privacy. 

"Education Framework's primary mission is to help school districts protect the privacy of their student data, so it's very important that our solutions, themselves, are trusted by education leaders," said Jim Onstad, President & Co-Founder of Education Framework Inc. "Obtaining iKeepSafe's FERPA Badge assures our school and district partners that we are making every effort to align our services with federal education laws, keeping students safe." 

EdProtect is the third product to receive this symbol of distinction in student data privacy. For the evaluation, an independant privacy expert reviewed EdProtect, its privacy policy and practices, as well as its data security practices. 


Student Data Privacy Best Practices


Understanding that you need to do something and knowing what to do are two very different things. But simply breaking things down into smaller chunks often allows one to see more clearly, understand how the pieces fit together, and determine how to tackle each piece individually to achieve a positive end result. 

Today, we are utilizing this approach with regards to managing student data privacy. By breaking it down into simpler components, we are condensing a vast and often confusing array of information into a manageable set of guidelines for educators to follow. 

Based on best practice recommendations from the U.S. Department of Education Privacy Technical Assistance Center (PTAC) and other leading education organizations, we have assembled three easy-to-remember recommendations to help protect student privacy. They are as follows: 

1. Be Knowledgeable - Understand the privacy landscape and your legal obligations.

  • Know your student privacy laws. Federal laws include FERPA, COPPA and PPRA, but new state regulations are being implemented all across the nation, so it is important to know what is going on in your state. 
  • Create data inventories to fully understand the scope of information being collected and shared. 
  • Track which online and educational services are currently being used in your district.
  • Monitor privacy policies for changes.

2. Be Accountable Establish a data governance plan and guidelines to follow. 

  • Make a plan that addresses the full life cycle of data, from acquisition - to use - to disposal. Ensure the individual privacy and confidentiality of education records by defining rules.
  • Have policies and procedures in place to evaluate and approve online educational services. Determine who has purchasing authority and proactively define the scope and limitations of that authority. 
  • Use written contracts or legal agreements laying out security and data stewardship, data collection, data deletion, data use, data retention, data disclosure and data destruction provisions. 
  • Consider parental consent even in instances where federal law does not require. 

3. Be Transparent - Communicate your plan and engage parents in the privacy conversation. 

  • Post information about your student data policies, practices and usage on an easy-to-locate public webpage. Utilize parent-teacher dashboards, if possible. 
  • Be explicit about what information you collect about your students, and what that information is used for. 
  • Explain what, if any, personal information is shared with third party service providers, and how that information is safeguarded. 
  • Let parents know where they can get more information.

By following these recommendations, school and district administrators are taking necessary precautions to protect their students and their districts from harm. As mentioned in our previous blog entryPTAC has a wealth of resources available to help. They have even created a specific checklist for developing school district privacy programs. 


There are also automated student data privacy solutions available to help schools and districts proactively manage privacy obligations with transparency and accountability. Solutions like EdProtect take the guesswork out of managing student data privacy and offer an added layer of security, providing peace-of-mind for those tasked with protecting student information.  

Student Privacy 101: The low down on the laws of the land


Long gone are the days when protecting student information meant locking a filing cabinet. Today, with students using hundreds of different apps over the course of their education, software providers obscuring how they use data in complicated Terms of Service contracts, and an ever-shifting legal landscape, it can be extremely difficult for administrators, teachers and parents to know exactly what they need to do to protect their student data.

Over the next few posts we’ll be exploring the different factors affecting the world of student data. Our goal is to demystify the subject of student data privacy and help bring you up to speed so you can address this serious topic in your school district.

Today we’re starting by taking a current snapshot of the legal landscape. Federal laws like the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA) work to ensure student data is only used for authorized purposes; protects that data from further disclosure or other uses, like marketing or being resold to others; and mandates that it is destroyed when no longer needed for the authorized purpose.

While these laws lay a foundation for educators and online operators to follow, they don't necessarily cover all aspects of data collection and deletion. For this reason, many states are now creating their own, more specific student data privacy laws to define what is and what isn't acceptable when it comes to the collection of student information in their respective states. 

Over the past two years, nearly every state has introduced its own legislation addressing student data privacy. In 2014, California passed the Student Online Personal Information Protection Act (SOPIPA), the first of its kind, which has since been used as the model for much of the legislation being introduced by other states.

Many of these are focused on creating greater transparency and accountability for educational data, clarifying the data and privacy activities of third-party service providers, and giving parents the ability to have a say in the management of their children's privacy. They generally fall into two types of approaches: prohibitive rules that seek to limit or halt certain types of collection or uses; or governance rules that seek to establish procedures, roles and responsibilities. In addition, numerous bills have established fines and penalties for data misuse and breaches to ensure accountability.

However, for everyone with a stake in education - teachers, parents, school & district leaders, and state & federal policymakers - the new challenge is knowing what all this actually means and understanding how to properly implement an effective plan to manage student privacy. Thankfully, there are resources available to help. 

The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) is a terrific resource for understanding your legal requirements and what steps you need to take to establish compliance. The Privacy Toolkit in particular provides a useful centralized depository of materials to guide schools and districts looking to improve the security and privacy of their student data. 

In addition, groups like the Future of Privacy Forum (FPF) and the Software and Information Industry Association (SIIA) seek to create change from the industry side by encouraging members to sign the Student Privacy Pledge, committing to use student data in a responsible way. The pledge is intended to hold school service providers accountable and encourage effective communication with parents, teachers and education officials about how student information is used and safeguarded. 

Tools like EdProtect take it one step further and actually manage the process for you. Designed to protect students from data abuse, it ensures that schools and districts are in complete compliance with various federal and state regulations, engages parents in the privacy conversation, and lessens the risk of costly fines and penalties associated with the mismanagement of student information. Resources like this are crucial for helping administrators, IT staff and teachers proactively manage their student privacy obligations with transparency and accountability.

To learn how EdProtect makes your job easier, sign up for a free demonstration today.