Education Framework Blog

Focused on the Future of Education in America

EdPrivacy by Education Framework Recognized For Efforts in Protecting Student Data Privacy

FOR IMMEDIATE RELEASE:

EdPrivacy by Education Framework Recognized for Efforts in Protecting Student Data Privacy

BEND, Oregon - April 25, 2018 - Bend-based enterprise software development company, Education Framework, has been recognized for their ongoing effort to protect student data privacy in school districts across the country. The National School Boards Association (NSBA) recently named Education Framework a 2018 Technology Innovation Showcase Company, highlighting how new approaches in technology advance K-12 education and inspire school leaders to explore and embrace innovative solutions. Additionally, their online student data privacy management service, EdPrivacy by Education Framework, was named a “Cool Tool” in The EdTech Awards by EdTech Digest as the Best Security and Privacy Solution for 2018.

EdPrivacy by Education Framework is a comprehensive online student data privacy management solution for US K-12 school districts. It streamlines the privacy management process and helps ensure that third party online technologies (apps/websites) are respecting and protecting personally identifiable student information (Pii).

The NSBA Innovation Showcase highlights companies based on innovative approaches to challenges across the K-12 curriculum, administrative operations and communication channels. As one of the chosen solutions, EdPrivacy by Education Framework will be featured in NSBA’s magazine for school leaders, American School Board Journal, and participate in a webinar hosted by NSBA’s National Connection program in the coming months.

The EdTech Awards recognize the biggest names in education technology – and those who soon will be. Victor Rivero, editor-in-chief of EdTech Digest, overseeing The EdTech Awards, said: “The innovators, leaders, and trendsetters represented here are dauntless, dedicated, and determined in their work. Thus, we very proudly recognize, acknowledge, honor, and celebrate the biggest names in edtech – and newer talents shaping the future of edtech.”

"We are extremely proud of the recognition.” said Jim Onstad, President & Co-Founder of Education Framework. “As parents of school-aged children and student privacy advocates, this effort is near and dear to us. This [recognition] further supports our mission to protect the privacy of every student in America, and is testament to our efforts, our team and our collective vision.”

About EdPrivacy by Education Framework

EdPrivacy by Education Framework is the world’s first online student data privacy management system designed to help K-12 school districts proactively protect student Pii. With over 5500 vetted technologies available for immediate review to partner districts, the EdPrivacy service is a comprehensive database of information that simplifies and streamlines the privacy management process. Helping educators and administrators better understand the privacy and safety of the online technologies used in their districts, EdPrivacy actively engages parents in the privacy conversation and manages the privacy process with transparency and accountability. Education Framework is headquartered in Bend, Oregon. To learn more or to request a demo, visit EducationFramework.com.

Contact

For Education Framework Katie Onstad, 541-915-8840 katie@educationframework.com

###

What Is Student Data Privacy?


School and district leaders know they need to protect student data, but effectively adopting and implementing a student privacy plan that includes parent, educator, administrator and policymaker input and approval, is a lot easier said than done. Efforts like this require dedicated time, commitment, clearly defined roles, a concrete understanding of what student data privacy actually is, and if you're lucky, tools to help you get the job done right.


While there are a myriad of checklists, to-dos and best practice recommendations available to help educators and administrators up their game, there is still much uncertainty surrounding this issue. But it's no surprise considering that there is, ironically, no set definition for student data privacy. And despite it being a relatively self-explanatory term, it is still complex and more-often-than-not, fraught with confusion. 


To put it simply, student data privacy is the idea of safely, securely and privately introducing online technologies into the classroom - in the form of apps, websites, surveys, assessments, etc. - without risk of compromising personally identifiable student information (PII). But it also so much more than that. 


Student data is protected under federal law (COPPA, FERPA, PPRA) and requires thorough knowledge and understanding of data collection, data use, data retention, data deletion and data integrity for all online technologies used in a school or district. It means reading endless privacy policies to know precisely who has access to student data, for what purposes and for how long. And it demands ongoing maintenance and monitoring to ensure there haven’t been any changes to the privacy policies that could compromise PII.   

Knowledge is Power

Protecting student data privacy starts with knowing precisely what technologies are being used in the classroom. Conducting a comprehensive audit of the technologies currently in use is a necessary first step towards establishing a baseline understanding and gaining a big picture view of the technology usage in a school or district.

Once there is an understanding of what technology is being used in the classroom, the next step is to conduct a thorough privacy assessment for each and every online technology to ensure student data privacy is indeed private and protected. 

For many, this step can be quite daunting, especially when considering the sheer volume of online technologies available to schools today. But with the right tools, this process can be relatively straight-forward, simple and streamlined.

Education Framework Inc. tackles student data privacy with the goal of protecting student PII while providing a great resource for industry leaders to connect with parents and their communities.

The Rise of Student Data Privacy 

Student data privacy has been a rapidly growing administrative pain point over the past few years. The massive push for 1:1 and other digital learning initiatives are major factors in this, but the equally explosive growth of new learning technologies created by third party vendors has changed the way we view student privacy. No longer can we assume that student privacy is safe, secure and protected, especially when it can be accessed by so many different entities, at different capacities, for different periods of time. Because of this, it is imperative that education leaders establish user controls that determine precisely who has access to what student data, for what purposes and for how long.


Besides the exponential growth of technology in schools, it's worth noting that there are a few contributing factors that have led to the rise of student data privacy as an immediate and necessary need, all of which are tied to the increased usage of digital media and online technologies:


1. Parents are technologically savvy. Parents are technology users themselves, so naturally they’re becoming better acquainted with security and privacy issues, especially when it comes to online technologies and services they use every day.

Many parents, especially those that are actively involved in their child’s online usage at home, want to know precisely what technologies they are using in school. More importantly, they need reassurance that they’re child’s privacy is being considered and respected.

Parents want a window into their child’s technology usage in school. Providing a way to communicate this information in a clear and concise manner helps connect the dots and bring parents into the loop, engaging them in the privacy conversation. This approach goes a long way towards building trust, as it conveys that their point-of-view is valued.

2. Technology forces transparency. One of the most unique ways the Internet has affected our society is the quick transmission of information. Education leaders have never been more powerful or in a better position to make informed decisions than they are today. 

With the right tools and approach, educators and administrators can discover safe learning technologies for students, measure growth, use actionable data to make classroom, school or district-wide improvements, and communicate with parents and communities in a way for all to understand. 

Student data privacy is about accurately and authentically conveying what technologies are being used so that stakeholders, community leaders, and parents can easily understand the health, safety and vitality of a school or districts' student privacy efforts. It is also about providing reassurance that students, schools and districts are safe from risk.

Transparency engages all interested parties and allows everyone to work together towards a greater good. Automated student privacy protection is one way for school and district leaders to adopt transparency measures and gain greater control of student privacy efforts, without heavily increasing the administrative workload. Utilizing tools that do much of the work for you - in an open and transparent way - are helpful in saving time and ensuring student privacy is, in fact, protected.

3. The right tools make things a whole lot easier. Knowledge is one of the most powerful benefits of the Internet age. Twenty-five years ago, when there was no Internet, student privacy was hardly a consideration. When technology usage started to go mainstream, particularly in schools across the country and around the globe, we simply couldn’t fathom where we’d be today. But with all this technological growth and opportunity has come an overwhelming need to increase privacy protections.

Educational development is no longer only about exploring and discovering the best learning solutions for students, but it’s also about finding technologies that are safe for use in the classroom. 

Automated solutions are the best way to capitalize on this theory, which is why Education Framework Inc. exists. We help position school and district leaders as experts in managing student data privacy by providing services that produce information at the ready. With over 1100 (and counting) online technologies assessed to date, we’re able to help educators, administrators and IT leaders make quick, yet safe and informed technology decisions for the classroom. All while minimizing the risk of exposing student information.

Food for Thought 

While there are plenty of factors that have led to student privacy’s rising value, these macro elements are the key reasons why protecting student data privacy is more relevant and important than ever before. 

Educators, administrators and IT leaders who establish themselves as pioneers in this space are positioning themselves to be helpful resources for their communities and models for other education leaders to follow. More importantly, those that take the necessary steps to ensure privacy is protected will be education leaders that parents will appreciate and trust.

Is Your School or District Really Protecting Student Data Privacy? Here’s How to Tell.


For all the talk about student privacy – what it is, how to protect it, why it matters – there’s one question that receives precious little attention: How do you quantify student privacy? How do you measure it? How do you know that you’re actually protecting student data, and you’re doing it “right”?

 

There are various answers to that question, some obviously more quantitative than others. But what it comes down to is being knowledgeable about the online technologies your students are using in the classroom, understanding how third party vendors are utilizing the data they have access to, and having the ability to communicate this information in a clear and concise manner - to parents, teachers, administrators, board members and policy makers, alike.

 

This process starts with understanding what online technologies your students are using and whether or not they are safely protecting student data privacy.

 

Keep Tabs on Technology Usage in Schools

 

Today’s students use hundreds of different apps, websites and programs in school, and while the potential for growth and development is tremendous, keeping track of all this information can be a mountainous load of work.

 

Understanding whether an app or website is safe for students first involves knowing what the third party vendor does with the data they collect, how they store it, whether or not they share it, and ultimately how they plan to dispose of it.

 

This type of review needs to happen for each and every online technology (app, website, program…) suggested for use in the classroom before it is ever approved for use by students. And once it has been determined that it is safe for use in the classroom, continual monitoring is necessary so you know if and when privacy policies change - which they can, and often do.

 

Yet despite this being the cornerstone to protecting student privacy, it’s often viewed as a burdensome task that nobody wants to do. But the fact remains that in order to properly protect student data, somebody has to commit to proactively protecting it, in an ongoing, full-time, administrative capacity.  

 

Understanding that and focusing on a few key factors can help any school or district get ahead.

 

Know Where You Stand

 

Properly assessing online technologies, continuously vetting third party vendors, and giving educators the tools they need to make informed technology decisions are all efforts that minimize the risk of inadvertently exposing student data to misuse or abuse.

 

And while conducting a comprehensive audit of technology usage is a solid first step towards understanding the health and vitality of your privacy initiatives, creating an ongoing list of the apps and websites used in the classroom, keeping track of the online technologies used by students, and regularly monitoring them for changes are all proactive efforts to will help to better protect student data privacy.

 

The next step is to conduct a thorough privacy assessment for each online learning technology to establish a general understanding of the individual safety, security and privacy of the apps and websites currently in use. Those apps and websites that meet the necessary requirements can be approved for usage in the classroom, while those that fail to meet state, federal or district privacy requirements should either be removed or further assessed before they are allowed to be used by students. But it's worth noting that in certain instances, technologies that fall short of certain mandates may still be used in the classroom, they just need to have signed parental consent in order to do so legally. 


Considering the importance of parental approval, it’s wise for schools and districts to have defined method in place to distribute, collect, store and retrieve information in an orderly and timely manner. Knowing precisely what data is being used, by whom and for what purpose enables you see the big picture, to take charge of your privacy initiatives, and to establish control when and where it is most needed.

 

Regularly Monitor Online Technology Usage

 

Keeping up with the demands of student privacy can be a lot for schools to take on. Understanding the safety and privacy of online technologies is often a full-time job, in and of itself. So it’s important to remember that protecting student data privacy is an ongoing effort that requires regular checks and balances. Because companies often alter their contracts after the fact - leaving student data exposed for misuse or abuse - remembering to regularly monitor policies for changes is an important part of properly protecting student data.

 

One option is to implement solutions that utilize automation to do much of the work for you. By automating the privacy process, schools and districts can observe, monitor and adjust accordingly, making improvements based on real-time actionable data. Through the use of student privacy analytic tools, educators are better positioned to understand the safety and security of their student privacy efforts and can quickly and easily plan for change based on the information available.


A bit less formally, but no less importantly, there are some key qualities that define a truly proactive student privacy initiative —and if you want to know what kind of progress you’re making when it comes to protecting student privacy, looking for these qualities can be a good beginning.


Here are some ways you can tell that your organization has achieved a healthy measure of privacy protection:


1. You have a clearly defined, year-round strategy in place. 


Start by asking yourself this question: Is student privacy something you push hard for a week or two a year, but keep on the back burner for the rest of the time? Or do you have a full-time privacy plan in place that helps direct your privacy initiatives and drive successful outcomes?


How regularly do you review third party vendor contracts to ensure they haven’t changed their terms of service agreements? Is it something you address every so often, once or twice a year, or possibly not at all? Or do you have a system in place that monitors third party vendor contracts for changes on a regular on-going basis, enabling you to know immediately if and when a change occurs?


Answering questions like these, establishing plans and procedures, and communicating what is going to parents reveals much about a school or districts’ intentions, priorities, and potential protection level.


2. You engage parents in the privacy conversation.


Is parental engagement part of your plan? Do you have a way to communicate what apps and websites are being used by their children in the classroom? Do you have a way to obtain parental consent, particularly for those schools and districts with students 13 and under? And do you have a method in place to quickly and easily retrieve information at a moment’s notice when requested by a parent?


Providing a method to engage parents in the privacy conversation helps keep them current with what is happening in the classroom and informed about their child’s technology usage while at school.


Transparency and accountability measures, such as these, go a long way towards eliminating unnecessary worries and building trust with parents and schools.


3. You have formal structures in place to check for privacy. 


Remember the student privacy analytic tools I mentioned above? Well, having a program in place that keeps track of all the apps and websites used by students is a sound way to better understand the technology usage in the classroom.


Knowing the privacy of online learning technologies used by students in schools offers an added level of safety and security, and provides an extraordinary level of insight into the effectiveness of your technology initiatives.  


4. You have a formal method to obtain parental consent. 


In addition to having access to a library of apps and websites safe for use, educators often need a way to obtain parental consent when using certain technologies in the classroom. Of course this, along with all the other items listed above can be done manually, but for those education leaders that really want to get ahead, deploying a paperless, digital solution is really the most efficient and effective way to go.


By eliminating the paper pushing processes of the past, schools and districts now have a safe and sustainable method to obtain, store and retrieve parental consent with the click of a button. While utilizing paper forms is an acceptable method, online, paperless options are far less wasteful and easier keep track of. 


5. You know why student privacy matters. 


A final consideration: Do you know why protecting student privacy is so important? Do you have a clearly defined plan in place to protect your students and your school that breaks down exactly what you’re trying to achieve?


Having a clear sense of goals and expectations is critical to achieving successful privacy outcomes. Understanding what you want to do, how you plan to do it, and who is going to help you along the way are all hallmarks of a solid student privacy plan.


Bottom Line


Whether you working towards improving your current system, or are just looking for ways to affect change, start by answering these kinds of questions to ensure you are on the right track.


Establish a plan, be knowledgeable about the online technologies your students are using in the classroom, understand how third party vendors are utilizing the data they have access to, and have a way to quickly and easily communicate this information to parents in a clear and concise manner. Following these steps will help your school or district get ahead when it comes to protecting student privacy.


Does your student privacy initiative have the hallmarks of success? As a student data privacy advocate, I know that this is a topic many education leaders are wrestling with. I hope you find this quick checklist to be helpful!


Do You Think Student Data is Protected? Think Again!

As student data privacy continues its moment in the spotlight, a darker reality often exists behind the scenes: one where school districts treat information security, privacy and compliance as a reactionary afterthought; where data governance programs are not properly established or implemented; where security controls are lacking; and where third party vendors are not appropriately vetted for privacy assurances.

Despite this sounding like the making of a bad after school special, this is happening in schools and districts all across the nation. Too little is being done to protect student information, exposing our students and schools to unnecessary risk.

Case in point…

The Missouri State Auditor recently conducted a comprehensive analysis of a local school district to better understand their position when it comes to protecting student information. What they discovered was failure across the board.  

The Boonville R-1 School District Student Data Governance Audit was completed as part of the Cyber Aware School Audits Initiative and designed to assess the effectiveness of privacy and security controls, with a focus on identifying practices that improve the security of information school districts have on students and their families.  

The thorough audit was conducted in response to increasing concern for protecting the security and privacy of information schools maintain on students, coupled with the continued emergence of cyber threats.

Based on six core criteria, the audit was intended to evaluate 1.) The effectiveness of privacy plans and controls for safeguarding personally identifiable information (PII); 2.) The effectiveness of information security controls for protecting the confidentiality, integrity, and availability of systems; and 3.) The effectiveness of compliance.

Listed below are the findings from the audit, the associated risk for non-compliance, and recommendations for improvement provided by the Missouri State Auditor’s office:  


1.  DATA GOVERNANCE

 

ASSESSMENT: The district has not established a comprehensive data governance program, therefore being unable to ensure PII is adequately protected and safe from unauthorized access, misuse, or inadvertent disclosure.

 

RISK: Without a formal program, the district cannot ensure that PII is adequately protected and safe from unauthorized access, misuse, or inadvertent disclosure.

 

RECOMMENDATION: The district should establish and implement a formal data governance program encompassing the full life cycle of data, from acquisition to use to disposal.

 

2.  SECURITY CONTROLS

 

ASSESSMENT: The district has not implemented necessary security controls, leaving technology assets, including PII at risk of inappropriate access, use and disclosure.

 

RISK: Without documented and approved policies and procedures, management lacks assurance that security controls are appropriate and properly applied.

 

RECOMMENDATION: The district should formally appoint a security administrator, ensure passwords are periodically changed, establish access control policies and procedures, formally document responsibility for physical protection of technology resources, and fully document and periodically review security policies and procedures.

 

3.  USER ACCOUNTS

 

ASSESSMENT: The district has not fully established controls for creating and maintaining user accounts for accessing system resources.

 

RISK: Without appropriate account access policies and procedures, users may be granted inappropriate or unauthorized access, which can provide opportunities for misuse or inappropriate disclosure of sensitive data.

 

RECOMMENDATION: The district should establish and document formal policies and procedures, periodically monitor user accounts and user access to data to ensure rights remain appropriate.

 

4.  INCIDENT RESPONSE & CONTINUITY PLANNING

 

ASSESSMENT: The district has not taken all the necessary measures to protect data in the event of a breach or other disruptive incident. It does not have a complete incident response plan, has not adopted a formal data breach response policy, and has not fully documented and tested a continuity plan.

 

RISK: Without comprehensive incident response and breach-related policies, management may not be able to respond quickly and effectively. And without a tested and functional continuity plan, management has limited assurance the organization’s business functions and computer processing can be sustained.

 

RECOMMENDATION: The district should establish and document an incident response plan, formally document and adopt a comprehensive data breach response policy, to promote an appropriate response in the event of a breach, develop a continuity plan, formally assign responsibilities, and run periodically tests of the plan.

 

5.  SECURITY AWARENESS PROGRAM

 

ASSESSMENT: The district has not established a formal security and privacy awareness training program.

 

RISK: Without adequate training, users may not understand system security risks and their role in implementing related policies and controls to mitigate those risks.

 

RECOMMENDATION: The district should establish a formal security and privacy awareness training program, because those with proper security and privacy awareness training and clear communication of data and device use policies, can become the first line of defense against cybersecurity incidents.

 

6.   VENDOR MONITORING

 

ASSESSMENT: The district has not established a process for ensuring software acquired or outsourced from information technology vendors complies with data security principles. Additionally, the district is unable to locate a written contract with the vendor of one of its key systems.

 

RISK: Without an effective process for monitoring and managing risk and software acquisition or outsourcing, the district has less assurance in a vendor’s ability to deliver services effectively, securely and reliably, and to ensure that services meet current and future data privacy and security needs.

 

RECOMMENDATION: The district should develop procedures to formally monitor information technology vendors have access to, to ensure the district’s data is properly protected and the vendor acts in accordance with contract terms and conditions.


CONCLUSION 

While this audit casts a negative light on a single district, it illuminates the reality of what is really going on in schools and districts across the nation, and it shows the unfortunate truth of how student information is regularly exposed.

By establishing and implementing the proper plans and procedures, schools and districts that proactively protect student privacy are better poised for success. In contrast, assuming it will take care of itself is a recipe for disaster.

As technology usage advances in schools, increased risk of PII being compromised and exposed is a real and ever-present danger. The need to protect information against cyber threats and misuse is increasingly important, and school districts need to do more to ensure student information is safe, private, secure and protected.

Note: After failing on all six counts, the Boonville R-1 School District has addressed their areas of weakness and have issued an action response to remedy their shortcomings. Read the full audit here >>