Education Framework Blog

Focused on the Future of Education in America

Do You Think Student Data is Protected? Think Again!

As student data privacy continues its moment in the spotlight, a darker reality often exists behind the scenes: one where school districts treat information security, privacy and compliance as a reactive afterthought; where data governance programs are not properly established or implemented; where security controls are lacking; and where third-party vendors are not appropriately vetted for privacy assurances.

Despite this sounding like the making of a bad after-school special, this is happening in schools and districts all across the nation. Too little is being done to protect student information, exposing our students and schools to unnecessary risk.

Case in point…

The Missouri State Auditor recently conducted a comprehensive analysis of a local school district to better understand their position when it comes to protecting student information. What they discovered was failure across the board.  

The Boonville R-1 School District Student Data Governance Audit was completed as part of the Cyber Aware School Audits Initiative and designed to assess the effectiveness of privacy and security controls, with a focus on identifying practices that improve the security of information school districts have on students and their families.  

The thorough audit was conducted in response to increasing concern for protecting the security and privacy of information schools maintain on students, coupled with the continued emergence of cyber threats.

Based on six core criteria, the audit was intended to evaluate (1) the effectiveness of privacy plans and controls for safeguarding personally identifiable information (PII); (2) the effectiveness of information security controls for protecting the confidentiality, integrity, and availability of systems; and (3) the effectiveness of compliance.

Listed below are the findings from the audit, the associated risk for non-compliance, and recommendations for improvement provided by the Missouri State Auditor’s office:  


1.  DATA GOVERNANCE

ASSESSMENT: The district has not established a comprehensive data governance program and is therefore unable to ensure PII is adequately protected and safe from unauthorized access, misuse, or inadvertent disclosure.

RISK: Without a formal program, the district cannot ensure that PII is adequately protected and safe from unauthorized access, misuse, or inadvertent disclosure.

RECOMMENDATION: The district should establish and implement a formal data governance program encompassing the full life cycle of data, from acquisition to use to disposal.

2.  SECURITY CONTROLS

ASSESSMENT: The district has not implemented necessary security controls, leaving technology assets, including PII, at risk of inappropriate access, use and disclosure.

RISK: Without documented and approved policies and procedures, management lacks assurance that security controls are appropriate and properly applied.

RECOMMENDATION: The district should formally appoint a security administrator, ensure passwords are periodically changed, establish access control policies and procedures, formally document responsibility for physical protection of technology resources, and fully document and periodically review security policies and procedures.

3.  USER ACCOUNTS

ASSESSMENT: The district has not fully established controls for creating and maintaining user accounts for accessing system resources.

RISK: Without appropriate account access policies and procedures, users may be granted inappropriate or unauthorized access, which can provide opportunities for misuse or inappropriate disclosure of sensitive data.

RECOMMENDATION: The district should establish and document formal policies and procedures, and periodically monitor user accounts and user access to data to ensure rights remain appropriate.

4.  INCIDENT RESPONSE & CONTINUITY PLANNING

ASSESSMENT: The district has not taken all the necessary measures to protect data in the event of a breach or other disruptive incident. It does not have a complete incident response plan, has not adopted a formal data breach response policy, and has not fully documented and tested a continuity plan.

RISK: Without comprehensive incident response and breach-related policies, management may not be able to respond quickly and effectively. And without a tested and functional continuity plan, management has limited assurance the organization’s business functions and computer processing can be sustained.

RECOMMENDATION: The district should establish and document an incident response plan; formally document and adopt a comprehensive data breach response policy to promote an appropriate response in the event of a breach; develop a continuity plan; formally assign responsibilities; and run periodic tests of the plan.

5.  SECURITY AWARENESS PROGRAM

ASSESSMENT: The district has not established a formal security and privacy awareness training program.

RISK: Without adequate training, users may not understand system security risks and their role in implementing related policies and controls to mitigate those risks.

RECOMMENDATION: The district should establish a formal security and privacy awareness training program, because those with proper security and privacy awareness training and clear communication of data and device use policies can become the first line of defense against cybersecurity incidents.

6.  VENDOR MONITORING

ASSESSMENT: The district has not established a process for ensuring software acquired or outsourced from information technology vendors complies with data security principles. Additionally, the district is unable to locate a written contract with the vendor of one of its key systems.

RISK: Without an effective process for monitoring and managing risk and software acquisition or outsourcing, the district has less assurance in a vendor’s ability to deliver services effectively, securely and reliably, and to ensure that services meet current and future data privacy and security needs.

RECOMMENDATION: The district should develop procedures to formally monitor information technology vendors, and what they have access to, to ensure the district’s data is properly protected and the vendor acts in accordance with contract terms and conditions.


CONCLUSION 

While this audit casts a negative light on a single district, it illuminates the reality of what is really going on in schools and districts across the nation, and it shows the unfortunate truth of how student information is regularly exposed.

By establishing and implementing the proper plans and procedures, schools and districts that proactively protect student privacy are better poised for success. In contrast, assuming it will take care of itself is a recipe for disaster.

As technology usage advances in schools, increased risk of PII being compromised and exposed is a real and ever-present danger. The need to protect information against cyber threats and misuse is increasingly important, and school districts need to do more to ensure student information is safe, private, secure and protected.

Note: After failing on all six counts, the Boonville R-1 School District has addressed its areas of weakness and has issued an action response to remedy its shortcomings. Read the full audit here >>

Secret to Student Privacy

In previous posts, I’ve shared tips to help you better understand the rules and laws governing student privacy. I’ve provided resources to guide and assist you in navigating the student privacy quagmire, and I’ve offered recommendations to help you proactively manage your student privacy obligations with transparency and accountability. Today I address the importance of educator buy-in, a key component to consider when creating, designing and implementing a successful student privacy program in your school or district.

Managing student privacy is no simple task. Implementing a successful student privacy initiative takes a lot of work. It involves considerable amounts of time, commitment, and resources - three things most schools and districts are already running short of. But despite any perceived limitations, it is vital that educators understand the importance of student privacy and make concerted efforts to ensure student information is safe, secure and protected.

Investing in protecting student privacy is a worthwhile endeavor.

It is important to give student privacy the attention that it rightfully deserves. This starts with fostering the belief that protecting student privacy is, indeed, a valid, pressing and necessary cause, worthy of our time and consideration. It involves cultivating a mindset where everyone understands that protecting student data is no single person or department’s responsibility – instead, it is everyone’s responsibility. It requires establishing clearly defined roles, and thoughtfully laid out plans that incorporate transparency and accountability measures into your everyday thinking. And it demands putting teachers on the front lines as the guardians of student information, while providing them with the support, training and tools they need to learn, grow and excel. Because without teacher understanding, support and essential buy-in, there is little likelihood of success.

Teacher empowerment is crucial to success.

Teachers play a critical role in implementing successful student privacy initiatives, no ifs, ands or buts about it. Teachers are the first touch point for parents and students. They are the ones with the greatest understanding of what’s really going on in the classroom; their fingers directly on the pulse of learning. They know which apps and websites are being used, who is using them, and how they are being used. They see first-hand who they help and who they hinder. And they understand, be it good, bad or ugly, the value that each piece of technology brings to the table. They are the ones with the knowledge. Yet, despite the value that teachers offer, they are often left out of the planning conversation. 

It's ironic that many decisions affecting technology usage in schools are often made outside of the classroom, at the administrative level, and absent teacher input. But just as IT directors, school and district administrators, state and local policymakers, and even parents have a uniquely qualified perspective when it comes to protecting student privacy, teachers do too. Theirs, in particular, should be of legitimate concern, with administrators and policymakers giving weighty consideration to their point-of-view. Unfortunately, that is rarely the case. This discouraging disconnect is a weakness that jeopardizes privacy efforts in schools and districts across the nation.

Protecting student privacy is everyone’s responsibility.

It is time that we start looking at the big picture when it comes to data use in our schools. We can no longer presume that someone else is taking responsibility for protecting student data, because more often than not, they're not. The sooner we all acknowledge that, the better we will be.

It’s important that everybody with a stake in education – students, parents, teachers, administrators and policymakers – come together to ensure concrete efforts are in place to protect student privacy. This means properly vetting apps and websites before they are approved for usage in the classroom. It means thoroughly reading privacy policies, understanding what information is being collected from students, and knowing exactly how the data is being used. It also means staying current with local, state and federal laws and regulations, and establishing clearly defined objectives that outline what is acceptable in your state, school or district, and what is not. Communicating this information clearly is key to minimizing confusion.

It’s also important that schools and districts engage participants from the outset by providing clearly defined plans and procedures. This fosters unequivocal understanding of the vision from the start, and minimizes any confusion or misinterpretation throughout its application. Providing regular communication, like posting real-time updates via an easy-to-access school or district website, engages parents, teachers and administrators in the privacy conversation and ensures privacy efforts are being addressed at each and every level. Through the creation of easy-to-read guidelines and clearly defined protocols, schools and districts empower their thought leaders to share in the privacy responsibility.

The importance of educator buy-in

A successful student data privacy initiative is built upon a foundation of trust and communication, with integrity, transparency and accountability at its core. It requires dedicated time, energy and resources to thrive and succeed. But in order to function properly, it also needs educator advocacy. 

Giving teachers a say in this matter goes a long way towards making inroads to change. It helps them be a part of the solution, instead of a source of the problem. But in order to do this effectively, teachers need the necessary tools to help them learn, improve and prosper; ones that allow them to make thoughtful, calculated decisions based on empirical data. It’s really that simple.

The secret to properly protecting student privacy is putting teachers in the driver’s seat. This ensures that privacy is being considered from the boardroom to the classroom, with the student at the center of the discussion. It's time for schools and districts to reevaluate the role that teachers play in safeguarding student data and empower them to be the gatekeepers.  The sooner this occurs, the better off we will be. 

Do you agree? I'd love to hear your thoughts! I encourage you to post your comments below.

2016: The Year of Student Privacy


If we had to use one word to sum up the current state of student privacy, we would have to go with “complexity.” Technology has become more and more entwined in our schools and into students’ lives; pilot programs like iPads will soon become standard at every school and grade level. Elementary school children who used to learn the Three Rs are now learning things like programming, robotics and engineering. Rote memorization has been replaced with gamified learning. And what would be early-adopter technology for this year’s kindergartner, like wearable tech and virtual reality, may be a standard educational tool by the time she becomes a sixth grader.

While technology will always move faster than legislation, all levels of government are feverishly working to spell out the rules for how we treat student data. As with any legislation, there are many different interest groups with different ideologies and priorities. A simple question like “Who is responsible for student data?” will be answered very differently by state legislators, local school boards, teachers, parents and technology companies; each wants control while shielding themselves from any liability.

And liability is a reality. Right now your student data is at risk with grave consequences. We live in an age where Fortune 500 companies are routinely hacked, exposing the sensitive data of millions of customers for all to see and steal with the click of a mouse. If all the resources of companies like Target, Sony and Home Depot can’t protect their data, what hope does the average overworked, underfunded school district IT department have? Not only do they need to protect from outside threats (or mischievous students); they need to protect the data from their software vendors who may want to collect it for marketing purposes. Short of reading hundreds of ever-changing Terms of Service for every app and software your district uses, you have no idea how your vendors use the data they collect, where they store it, when they delete it, who has final control over it or perhaps even how to access it.

Because of all this complexity, we believe this is the year student data becomes one of the most important issues facing a school district. The choices schools, legislators and technology companies make over the next 12 months may end up being the foundation for what is considered standard in student privacy.

We created EdProtect to give schools the choice of the highest level of student data privacy possible. Because we’re not just developers; we’re parents. We’re as excited by all the new technology in schools as anyone, and wholeheartedly believe in the power of technology to help our kids learn. But we’re also increasingly concerned about the security of student data. And we’re not alone: 87% of parents surveyed are worried their child’s information can be stolen, with 85% responding that their willingness to support technology in schools must be coupled with efforts to ensure security.

Whether you are ready or not, this is the year your school needs to make a commitment to protecting student data. Learn more about how our tools make ensuring student privacy simple and sign up for a free demonstration today.

Student Privacy 101: The low down on the laws of the land


Long gone are the days when protecting student information meant locking a filing cabinet. Today, with students using hundreds of different apps over the course of their education, software providers obscuring how they use data in complicated Terms of Service contracts, and an ever-shifting legal landscape, it can be extremely difficult for administrators, teachers and parents to know exactly what they need to do to protect their student data.

Over the next few posts we’ll be exploring the different factors affecting the world of student data. Our goal is to demystify the subject of student data privacy and help bring you up to speed so you can address this serious topic in your school district.

Today we’re starting by taking a current snapshot of the legal landscape. Federal laws like the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA) work to ensure student data is only used for authorized purposes; protect that data from further disclosure or other uses, like marketing or being resold to others; and mandate that it is destroyed when no longer needed for the authorized purpose.

While these laws lay a foundation for educators and online operators to follow, they don't necessarily cover all aspects of data collection and deletion. For this reason, many states are now creating their own, more specific student data privacy laws to define what is and what isn't acceptable when it comes to the collection of student information in their respective states. 

Over the past two years, nearly every state has introduced its own legislation addressing student data privacy. In 2014, California passed the Student Online Personal Information Protection Act (SOPIPA), the first of its kind, which has since been used as the model for much of the legislation being introduced by other states.

Many of these are focused on creating greater transparency and accountability for educational data, clarifying the data and privacy activities of third-party service providers, and giving parents the ability to have a say in the management of their children's privacy. They generally fall into two types of approaches: prohibitive rules that seek to limit or halt certain types of collection or uses; or governance rules that seek to establish procedures, roles and responsibilities. In addition, numerous bills have established fines and penalties for data misuse and breaches to ensure accountability.

However, for everyone with a stake in education - teachers, parents, school & district leaders, and state & federal policymakers - the new challenge is knowing what all this actually means and understanding how to properly implement an effective plan to manage student privacy. Thankfully, there are resources available to help. 

The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) is a terrific resource for understanding your legal requirements and what steps you need to take to establish compliance. The Privacy Toolkit in particular provides a useful centralized depository of materials to guide schools and districts looking to improve the security and privacy of their student data. 

In addition, groups like the Future of Privacy Forum (FPF) and the Software and Information Industry Association (SIIA) seek to create change from the industry side by encouraging members to sign the Student Privacy Pledge, committing to use student data in a responsible way. The pledge is intended to hold school service providers accountable and encourage effective communication with parents, teachers and education officials about how student information is used and safeguarded. 

Tools like EdProtect take it one step further and actually manage the process for you. Designed to protect students from data abuse, it ensures that schools and districts are in complete compliance with various federal and state regulations, engages parents in the privacy conversation, and lessens the risk of costly fines and penalties associated with the mismanagement of student information. Resources like this are crucial for helping administrators, IT staff and teachers proactively manage their student privacy obligations with transparency and accountability.

To learn how EdProtect makes your job easier, sign up for a free demonstration today.

K-12 Data Privacy & Training - Is there a missing link?

Education Week released an interesting piece on the need for improved training when managing student privacy. 

Entitled “Why K-12 Data Privacy Training Needs to Improve,” the article addresses a valid concern for many.


...(despite) bills at both the state and federal levels raising awareness of the need to better protect and secure student data, attention to training is still limited. Experts say greater emphasis should be placed on educating the educators, especially given the privacy threats that can come from using online homework portals, digital grade books, or student email programs.

Read full article here > 

Student Data Privacy Automation Session at GaETC 2015

Be sure to join us in Atlanta at the Georgia Educational Technology Conference (GaETC) where we are hosting a session to help school and district administrators better understand student data privacy management and the importance of automation.
 
Avoiding the Mess: The Importance of Automation in Student Data Privacy
Participants will learn how automating the process leverages computing power to decrease costs and increase the safety & privacy of student information.


Day: Thursday, Nov. 5, 2015
Time: 9:45am - 10:40 am
Room: German 1-2
Capacity: 110

Interested in attending? GaETC registration information here

Also, please plan to stop by Booth 420 to discuss how to set up a student privacy assessment for your school or district.



Student Data, a Top Concern of School Districts

Nice piece in SEEN (SouthEast Education Network) Magazine highlighting Education Framework's student privacy & parental consent solution, EdProtect:

The digital transformation of our schools has dramatically altered the landscape of education and resulted in an unprecedented rise in the collection and use of student data. Today’s classrooms use cloud-based content and teaching systems as well as tens of thousands of learning apps delivered by individual vendors; districts employ learning management systems, student information systems and multiple SaaS systems.

Each of these systems collects and uses student data, and many share and disseminate data in order to function. All of this student data being collected has created some very serious privacy concerns, and states are scrambling to keep a handle on the problem. District superintendents and their staffs are now the guardians of their students’ data. The search is on for tools and resources that can help them with this new responsibility.

Through a suite of software tools for school districts, Education Framework is making data privacy manageable, transparent and simple for some of America’s smartest school districts. Their student privacy and parental consent solution, EdProtect, will analyze every potential app and website before they ever make it to the classroom. Staff will receive an easy-to-understand score that shows at a glance how safe their student data is. And administrators will be secure in the knowledge that they are proactively protecting students and shielding their district from harm.

Read more here >>

Data Quality Campaign EdData Privacy Update: 7/2/2015

Rachel Anderson does a great job of breaking it down...

So far in 2015, 46 states have considered 182 bills addressing student data privacy. And 12 states have so far passed 24 new laws.

  • States continue to think a lot about the data that is collected from students based on their use of an online website or application. Arkansas, Georgia, Maryland, New Hampshire, and Oregon have now passed a law based on California’s SOPIPA language from 2014 to prohibit online service providers from using student data for commercial or secondary purposes while allowing data use for program improvement. Maine, Nevada, Virginia, and Washington have passed new laws based on a similar model that Microsoft put together with the principles from industry’s Student Privacy Pledge.
  • In 2014, nine states passed laws that gave school districts new or expanded responsibilities around student data privacy and security. This year, many states are thinking about the supports and guidance districts will need from the state in order to fulfill their new roles.
    • North Dakota now requires data sharing approval by the school board and implements data governance, transparency, and supports including data use training.
    • Virginia has a new law to direct the state to develop a model data security plan for districts and to designate a chief data security officer to assist local school divisions with the development or implementation of data use and security policies.
    • Nevada passed a law that instructs the state to develop a security policy for districts to follow.
  • A critical part of states’ work to safeguard student data is to provide transparency and build trust with educators and the public that education data are being used to support students and improve education in the state.

Read full article here.

Oregon Company Chosen as Finalists in International Pitch Fest

Edtech Start-up Develops Student Privacy & Parental Consent Solution for Schools

Education Framework Inc. earned a top spot in the final round of the ISTE Ed Tech Start-up Pitch Fest 2015. The Bend-based company presented their student privacy and parental consent solution, EdProtect, to a crowd of conference attendees and industry judges at the annual International Society for Technology in Education (ISTE) conference in Philadelphia. They were chosen as top finalists along with three other companies, Mathspace, Cogent and Zyrobotics, to present in the final round tomorrow at 11:30am (EST). Awards will be presented to the “Most Innovative” and the “Most Likely to Succeed” product or service.

ISTE has partnered with Edmix.com to organize and manage ISTE Pitch Fest 2015. Edmix helps educators build links into the digital industry through a series of edtech programs and competitions designed to recognize excellence.

ISTE welcomed applications from all across the globe. Ideas and start-up businesses were encouraged to apply, whether at the concept stage, in pilot-mode, or already in the early stages of start-up. The finalists were chosen from more than 100 applicants.

Education Framework has created software that protects student data privacy. EdProtect is the first-ever, online student data privacy and parental consent manager for schools. It assesses the safety of apps and websites used in the classroom, engages parents, teachers, and administrators in the privacy conversation, and manages the entire process with transparency and accountability.

About Education Framework Inc.: Education Framework is an Ed Tech start-up, based in Bend, OR. The company develops enterprise compliance software for U.S. K-12 schools. Education Framework offers a unique next-gen strategic approach to managing student privacy. They can scale from small schools and districts, to state departments of education. For more information, please visit www.educationframework.com.