Education Framework Blog

Focused on the Future of Education in America

5 Great Questions to Ask to Help Protect Student Data Privacy

Technology has changed the way we teach and the way we communicate, and it will continue to change the way we learn and grow.

But so has privacy.

No longer can we assume our children’s data is protected. We have to actually work to protect it. 

Protecting student data requires committing time, energy and resources towards the effort. It is an on-going and ever-evolving process that, when applied correctly, provides real actionable insights.

Educators must remain vigilant in ensuring data privacy is protected, one app and website at a time. The sooner we acknowledge this, and act accordingly, the better off we will be.

The Digitalization of Education

The number of online learning technologies available to students today is utterly astounding. Just look at iTunes, and you will see that they have literally tens of thousands of educational apps and websites available for immediate download.

Many of these technologies have true potential to make a difference and improve student outcomes, while others, if left unchecked, can pose real-life threats to students and schools.

It is now the responsibility of school and district leaders to determine which apps and websites are appropriate and safe for use in the classroom. But many are finding this to be quite a difficult task.

School and district leaders are adopting new learning technologies at breakneck speeds, and as a result, many are coming to the realization that not all apps and websites are created equal.

Thankfully, there are laws in place to help govern this process. However, the lack of accountability and enforcement is problematic. This kink in the system leaves many doors open to misuse and abuse, exposing students and schools to unnecessary risk.

This is a hard truth. And it needs to change.

Protecting student privacy is an on-going and ever-evolving process that demands time, attention and resources.

In order to protect student data, school leaders must proactively commit to protecting it.

It means reading through endless privacy policies, conducting privacy assessments for each and every online technology used in the classroom, and continuously monitoring those policies for changes.

It requires patience, and persistence, and time.

While this is becoming the new norm for educators and administrators, it is also a responsibility that many school and district leaders are struggling to get a handle on. Many are at a loss as to where to even begin.

Protecting student privacy begins with knowledge and understanding.

Protecting student data starts with knowing what technologies are being used by students, understanding how each of the technologies is using the data, and acknowledging that you have control over which technologies make it into the hands of students.

No longer are we living in a time when it’s okay to blindly introduce new learning technologies into the classroom without first determining if they are safe to use. This means ensuring the data is secure and private for the life of its existence. So before an app or website is approved, it needs to be thoroughly assessed.

Assessing online technologies takes a considerable amount of time and energy. However, when done correctly, assessments provide a wealth of knowledge and understanding about how the technology is being used.  

Knowledge is power. The more you get behind the data and understand what its intended use is, the better off you will be.

Protecting student privacy involves knowing what is going on with the data. 

Protecting student data starts with understanding the process, knowing what is expected of you, and asking the right questions. It also involves deciphering the data. 

Adopting new technologies typically begins with researching new apps and websites, determining their value, negotiating a deal, and ultimately signing a contract: a mutual legal agreement between buyer and seller that lays out, in very specific terms, what is expected from both parties in black and white.

Good policies clearly define what is appropriate and what is not when it comes to handling student information. And they include sound provisions to ensure student data is protected.

Privacy policies typically tell a story about the data. They contain nuggets of information that, when properly extracted and pieced together, reveal what is really going on with the data: how it is being used, by whom, for what purposes and for how long.

But getting to that information, making sense of it, and knowing how to keep track of it, is often far easier said than done. 

Assessing online technologies and reading through endless privacy policies is the kind of work that takes time, requires dedication and demands on-going attention. But when applied correctly, privacy assessments provide answers that help define what is really going on with the data.

Not sure of where to begin?

Start by taking stock of the learning technologies being used in your school or district today. Determine which technologies are safe for use and which ones are not. Eliminate those that are risky or no longer needed. Monitor and repeat.

  • Conduct a technology audit.
  • Remove any technologies that are no longer in use, and eliminate any apps and websites that might pose a threat or harm to students.
  • Monitor privacy policies for changes.
  • Repeat.

Protecting student data privacy starts with asking the right questions.

When conducting privacy assessments, it is important to consider the following criteria: data privacy, data deletion, data security, data integrity, and data retention.

It also helps to ask the right questions.

Below, I have briefly outlined the 5 criteria that make up a privacy assessment. I have also included some great questions to ask when assessing online technologies for your school or district.

(It's worth noting that while these questions represent only a small sample of what really needs to be asked, they provide general guidance as to what you should be looking for.)

5 great questions to ask when assessing online technologies in school: 

1. Data Privacy: The ability to keep track of data and understand what happens to it during its lifespan.

  • Example of a Data Privacy Question: “What information is collected from students and for what purposes will it be used?”

2. Data Deletion: The ability to remove data upon request.

  • Example of a Data Deletion Question: “Can parents review &/or delete the personal information collected from their children?”

3. Data Security: The ability to protect the data from unwanted or unauthorized users.

  • Example of a Data Security Question: “Are security policies and procedures in place to protect against risk? When student data is transferred, is it encrypted?”

4. Data Integrity: The ability to maintain the accuracy & consistency of data over its entire life-cycle.

  • Example of a Data Integrity Question: “Is student data backed up on a regular schedule?”

5. Data Retention: The ability to understand that the data is only to be used for its intended educational purposes and should be otherwise disposed of when no longer needed.

  • Example of a Data Retention Question: “Will the data collected only be retained for as long as it serves an educational purpose?”

Protecting student privacy begins with knowing what is expected of you.

Designating someone to be responsible for reviewing privacy policies, conducting privacy assessments and monitoring policies for changes will help any school or district get ahead. 

In closing, I’ll leave you with some best practice recommendations for protecting student data privacy from the U.S. Department of Education:

  •  When negotiating technology contracts, it’s important to pay close attention to the fine print.
  •  Make sure the agreement explicitly describes how the provider may use and share student data.
  •  Maintain awareness of other relevant federal, state, tribal, or local laws.
  •  Be aware of which online educational services are currently being used in your district.
  •  Have policies and procedures to evaluate and approve proposed online educational services.
  •  When possible, use a written contract or legal agreement.
  •  Know that extra steps are necessary when accepting Click-Wrap licenses for consumer apps.
  •  Be transparent with parents and students.
  •  Consider that parental consent may be appropriate.


Who is Responsible for Protecting Student Data?

In a perfect world, student data would belong solely to the student. In practice, the responsibility for student data is shared by anyone who has contact with that data, including teachers, administrators, IT departments, school districts, software developers and parents. As such, there are often competing philosophies for how much or how little student data is collected and shared. Today we are talking about how you can manage student data in a way that best satisfies parents, your school districts, and the law.

The first step, after understanding your requirements under state and federal law, is to create written policies and provide the resources required to support data protection. These policies should be crafted in a way that ensures front-line teachers and administrators are using the tools and processes necessary for optimal data protection. The Privacy Technical Assistance Center has created a checklist for developing school district privacy programs that should help you get started. In addition, a data governance team should be created within the district to recommend new policies and best practices related to data use, to collect feedback, and to conduct compliance audits. Perhaps the team’s greatest responsibility will be acting as an advocate for resources and investment into student privacy, such as training, technical assistance and data coaches.

Second, you should work with your local, state and federal government representatives to advocate for consistent policies and support across the state. By advocating for strong, consistent laws across school district lines based on transparency and accountability, schools and software makers will find it easier to be in compliance, reducing costs and ensuring stronger, more robust data protection for schools. Talk to legislators and policymakers about the importance of secure student data, and their role in ensuring consistent regulations across state lines. The more you can be part of the conversation, the more you can ensure new laws and policies are crafted with your concerns in mind.

Next, understand how your software and service providers use student data. Each app, website and program your students use is limited in how it can use the data it collects and manages. For example, they are prohibited by law from using or disclosing student data for commercial purposes like advertising without parental consent. However, with schools using hundreds of different apps and websites, it can be difficult to weed through countless Terms of Service documents to ensure compliance. Tools like EdProtect make it easy for teachers and administrators to review individual apps and websites, and know at-a-glance whether they comply with state and federal regulations. At the same time, schools are equally responsible for ensuring their contracts with vendors spell out specific requirements for student data privacy, such as stating the district retains ownership of all data, and that the service provider is prohibited from using data in any way they aren’t explicitly given permission for.

Finally, and most importantly, make sure you are constantly communicating your plans to others responsible for student data, with special attention given to parents. By engaging parents in an ongoing conversation about their student’s data, together you'll ensure that the data is safe and secure. Ways to engage parents include sharing lists of apps and websites their children use and posting the safety ratings of those apps and websites on an easy-to-access district website. Report any changes to privacy policies, and obtain parental approval when necessary. Doing so actively draws parents into the conversation and assures them that their child's data is a priority in your school district.

The responsibility for student data belongs to all of us. We help make it easier to do your part with tools that protect your students from data abuse and your district from costly fines and litigation. 

To learn how EdProtect makes your job easier, sign up for a free demonstration today.

Student Data Privacy Best Practices

Understanding that you need to do something and knowing what to do are two very different things. But simply breaking things down into smaller chunks often allows one to see more clearly, understand how the pieces fit together, and determine how to tackle each piece individually to achieve a positive end result. 

Today, we are utilizing this approach with regards to managing student data privacy. By breaking it down into simpler components, we are condensing a vast and often confusing array of information into a manageable set of guidelines for educators to follow. 

Based on best practice recommendations from the U.S. Department of Education Privacy Technical Assistance Center (PTAC) and other leading education organizations, we have assembled three easy-to-remember recommendations to help protect student privacy. They are as follows: 

1. Be Knowledgeable - Understand the privacy landscape and your legal obligations.

  • Know your student privacy laws. Federal laws include FERPA, COPPA and PPRA, but new state regulations are being implemented all across the nation, so it is important to know what is going on in your state. 
  • Create data inventories to fully understand the scope of information being collected and shared. 
  • Track which online and educational services are currently being used in your district.
  • Monitor privacy policies for changes.

2. Be Accountable - Establish a data governance plan and guidelines to follow.

  • Make a plan that addresses the full life cycle of data, from acquisition - to use - to disposal. Ensure the individual privacy and confidentiality of education records by defining rules.
  • Have policies and procedures in place to evaluate and approve online educational services. Determine who has purchasing authority and proactively define the scope and limitations of that authority. 
  • Use written contracts or legal agreements laying out security and data stewardship, data collection, data deletion, data use, data retention, data disclosure and data destruction provisions. 
  • Consider parental consent even in instances where federal law does not require it.

3. Be Transparent - Communicate your plan and engage parents in the privacy conversation. 

  • Post information about your student data policies, practices and usage on an easy-to-locate public webpage. Utilize parent-teacher dashboards, if possible. 
  • Be explicit about what information you collect about your students, and what that information is used for. 
  • Explain what, if any, personal information is shared with third party service providers, and how that information is safeguarded. 
  • Let parents know where they can get more information.

By following these recommendations, school and district administrators are taking necessary precautions to protect their students and their districts from harm. As mentioned in our previous blog entry, PTAC has a wealth of resources available to help. They have even created a specific checklist for developing school district privacy programs.

There are also automated student data privacy solutions available to help schools and districts proactively manage privacy obligations with transparency and accountability. Solutions like EdProtect take the guesswork out of managing student data privacy and offer an added layer of security, providing peace-of-mind for those tasked with protecting student information.  

Student Privacy 101: The low down on the laws of the land

Long gone are the days when protecting student information meant locking a filing cabinet. Today, with students using hundreds of different apps over the course of their education, software providers obscuring how they use data in complicated Terms of Service contracts, and an ever-shifting legal landscape, it can be extremely difficult for administrators, teachers and parents to know exactly what they need to do to protect their student data.

Over the next few posts we’ll be exploring the different factors affecting the world of student data. Our goal is to demystify the subject of student data privacy and help bring you up to speed so you can address this serious topic in your school district.

Today we’re starting by taking a current snapshot of the legal landscape. Federal laws like the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA) work to ensure student data is only used for authorized purposes; protect that data from further disclosure or other uses, like marketing or being resold to others; and mandate that it is destroyed when no longer needed for the authorized purpose.

While these laws lay a foundation for educators and online operators to follow, they don't necessarily cover all aspects of data collection and deletion. For this reason, many states are now creating their own, more specific student data privacy laws to define what is and what isn't acceptable when it comes to the collection of student information in their respective states. 

Over the past two years, nearly every state has introduced its own legislation addressing student data privacy. In 2014, California passed the Student Online Personal Information Protection Act (SOPIPA), the first of its kind, which has since been used as the model for much of the legislation being introduced by other states.

Many of these are focused on creating greater transparency and accountability for educational data, clarifying the data and privacy activities of third-party service providers, and giving parents the ability to have a say in the management of their children's privacy. They generally fall into two types of approaches: prohibitive rules that seek to limit or halt certain types of collection or uses; or governance rules that seek to establish procedures, roles and responsibilities. In addition, numerous bills have established fines and penalties for data misuse and breaches to ensure accountability.

However, for everyone with a stake in education - teachers, parents, school & district leaders, and state & federal policymakers - the new challenge is knowing what all this actually means and understanding how to properly implement an effective plan to manage student privacy. Thankfully, there are resources available to help. 

The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) is a terrific resource for understanding your legal requirements and what steps you need to take to establish compliance. The Privacy Toolkit in particular provides a useful centralized depository of materials to guide schools and districts looking to improve the security and privacy of their student data. 

In addition, groups like the Future of Privacy Forum (FPF) and the Software and Information Industry Association (SIIA) seek to create change from the industry side by encouraging members to sign the Student Privacy Pledge, committing to use student data in a responsible way. The pledge is intended to hold school service providers accountable and encourage effective communication with parents, teachers and education officials about how student information is used and safeguarded. 

Tools like EdProtect take it one step further and actually manage the process for you. Designed to protect students from data abuse, it ensures that schools and districts are in complete compliance with various federal and state regulations, engages parents in the privacy conversation, and lessens the risk of costly fines and penalties associated with the mismanagement of student information. Resources like this are crucial for helping administrators, IT staff and teachers proactively manage their student privacy obligations with transparency and accountability.
