Data security is a challenge for everyone, but imagine that when you send your children to school, the information you provide the school district to complete enrollment for your child is then used to track their habits and build a profile on them that allows marketers to target them, if not now, then in the future. Would you feel invaded and uncomfortable?
Student Data Security is in the News
In March of 2021, the Buffalo, New York school district was hit with a ransomware attack. They were forced to close schools for the day, but the ramifications of the attack were much more serious. And Buffalo was only the latest in a string of incidents impacting schools across the nation and around the globe.
The Risk to Schools Is Growing
The Cybersecurity and Infrastructure Security Agency (CISA) has warned against a heightened risk of attacks against K-12 schools. More than half of all attacks against government entities have been against schools, CISA reported. Several districts across the country – from Maryland to Nevada – have been hit.
For schools, protecting student data is about much more than compliance. Of growing concern for parents is what might happen to data outside the school, should the school not have sufficient cybersecurity protocols in place to guard against:
- Targeted marketing: While it is ethical for schools to collect personally identifiable information (PII) to meet students’ educational needs, there are now companies in business for the sole purpose of collecting data on children, to begin building a marketing profile on them.
- Identity theft: One of the biggest reasons that schools are a target for cybercrime is that there is a wealth of information contained within the records that schools maintain. PII can be used to steal the identity of children who may not yet be monitoring their credit, only to be dealing with the ramifications of the crime years later.
- Bullying and harassment: Data in the wrong hands can lead to danger for the student, including targeted harassment based on their gender, identity, and other information. In one instance in 2017, a hacker group released information about students and their parents which resulted in threats of harm to their families.
Compliance Matters
There are three federal acts with which schools must comply:
- Family Educational Rights and Privacy Act (FERPA)
- Protection of Pupil Rights Amendment (PPRA)
- Children’s Online Privacy Protection Act (COPPA)
Each of these legislations addresses ways in which student data must be protected and how schools must inform parents of their privacy rights. In addition, there are several local and state laws that also protect student data privacy. But many of these laws do not fully protect students.
Data Privacy Laws Are Outdated
Most data privacy laws are outdated and fail to consider the shift many districts have made to accommodate online learning. But even the most strenuous data privacy law on the books – FERPA – is not always adhered to. FERPA gives students and parents the option to deny schools the ability to publicly disclose directory information, which can include everything from birthdate to height and weight to a student’s photograph. According to the World Privacy Forum, more than 60% of the schools surveyed don’t have a FERPA opt-out form online and only a little more than half of the schools have posted an annual FERPA notice online.
Managing Student Data Must Be a Priority
Regardless of compliance, schools should be handling student data with care. Even with the pandemic behind us, it’s likely that online learning will continue to be used as a means of improving education. But every app or edtech solution that a school includes in their curriculum requires student information. Most schools use, on average, 20-25 different solutions from 20-25 different vendors. Each vendor requires access to specific information about the students. Sometimes the information simply amounts to roster data; sometimes it’s more. Managing multiple edtech solutions can be costly and time-consuming, but more than that, the practice puts the school and student data at risk.
What Can Parents Do to Protect Their Children?
Under FERPA, parents can opt out of public disclosure of directory information. Even if a school doesn’t disclose FERPA policies or provide parents with an opt-out form, it is still within their legal rights to request this. Another way parents can take action is to insist that schools institute a trusted digital engagement hub that is designed to protect student data and minimize the risk of data being exposed.
The Importance of Parental Consent in Student Data Privacy
In the context of student data privacy, parental consent plays a vital role. Parents have the right to control the disclosure of their children’s personal information and make informed decisions about its use. Educational institutions must obtain explicit consent from parents before collecting, storing, or sharing student data. This consent should be obtained in a clear and transparent manner, ensuring that parents fully understand the implications of their decision. By involving parents in the process, educational institutions not only comply with legal requirements but also foster trust and transparency, strengthening the relationship with both students and parents.
The School’s Role in Protecting Students and Student Data
Students begin sharing data with schools before they are even conscious of the fact. Parents fill out forms to enroll students in school from the moment they begin preschool. Unfortunately, students are often the last to know what information has been shared and the first to be impacted by any kind of breach or cyberattack. In a survey by Educause, it was revealed that more than 50% of students lack understanding of how their school uses their personal data or what precautions the school takes to protect student data.
If students are educated about the role data plays and the importance of protecting that data in an increasingly app-driven world, they can continue to protect themselves as they navigate future settings in which their data is commoditized.
Schools not only have need to avoid risk by establishing strict data privacy protocols but also a moral obligation to protect the data of their students. Yes, having access to data across multiple platforms and applications can bring about more efficiency and deliver cost savings to schools. But without proper security in place to ensure that information is shared in its most limited capacity and only for the purpose intended, access to data can be more harmful than beneficial to students.
The Role of School IT Leaders in Ensuring Student Data Privacy
School IT leaders play a crucial role in ensuring student data privacy. They are on the front lines, handling sensitive information. It is essential for school IT leaders to understand the importance of privacy and the impact it has on students. By practicing good data hygiene, such as securely storing physical documents and using secure digital platforms, school IT leaders can set the standards by which their schools manage student data.
In an interview in EdWeek, Kevin Lewis, data privacy officer for 1EdTech, explained:
“District leaders need to know what type of controls the user has over that data, like data deletion requests or data retention requests. If districts ask an organization to delete the data, how long does it take to fulfill that request? District leaders also need to know how that data is being secured. Once an organization has collected the data, how are they securing it? And who is that data being shared with? Districts should know who the third parties are. What data do third parties have access to? Are there any advertisements at all? Do districts have control to opt out of these advertisements? What do those advertisements look like?”
The Impact of Data Breaches on Student Data Privacy and Schools
Data breaches can have severe consequences for both students and educational institutions. For students, the exposure of personal information can lead to identity theft, fraud, or various forms of harassment. It can also have long-lasting psychological effects, undermining their trust in educational institutions. Schools, on the other hand, face reputational damage, financial implications, and potential legal consequences. Data breaches can erode the trust and confidence of students, parents, and other stakeholders, affecting enrollment numbers and overall institutional success. It is crucial for educational institutions to be proactive in their data security efforts to prevent such breaches and protect the well-being of their students and their own reputation.
Student Data Privacy Is a Collective Responsibility
The ongoing need for vigilance in protecting student data privacy cannot be overstated. It is a collective responsibility that requires continuous effort and adaptation to stay ahead of emerging threats. Together, we can ensure that student data remains confidential, secure, and protected in the digital age.
Schools Need SchoolDay to Manage Access to Student Data
The digital transformation is going to continue. Schools must be transparent with families about their rights, but they also must ensure that parents and students know that their data is safe. To do that, schools must ensure that student data is handled cautiously when shared with edtech vendors, that the vendors they use are vetted and treat student data carefully, and that policies are in place that prevent educators from using apps or sharing student data without going through a centralized solution.
SchoolDay is the first-of-its-kind school-centric, trusted digital engagement hub that empowers schools to centrally:
- Govern the exchange of student, staff, and parent PII data with SaaS vendors.
- Approve and publish apps to a district- or school-branded, on-demand app store.
- Delegate to school staff and teachers the ability to activate apps within their managed groups on demand.
SchoolDay enables ubiquitous access to all apps from within any learning management system (LMS), student information system (SIS), or any pre-existing enterprise portal, while leveraging anonymized, secure, and federated access credentials for all end users.
