Data-driven decision making has been a growing theme in education as much as business. As concerns about student progress and proficiency increase, and measurements of all sorts work towards making student growth more transparent, the amount of data on each child that calls our schools part of her community proliferates.
But in a culture where consumers increasingly hand out their personal data without a short second of reflection, why should we care about the trove of data currently compiled on our kids?
Simply put, as school leaders we have a moral and legal imperative.
In this article, I’d like to outline each of those imperatives and detail six guiding questions that we are asking ourselves and our schools. The lines between digital and face-to-face existence and the data that govern our digital lives has moved from an ancillary topic to .
The Why
Our Moral Imperative
As data proliferates, technologies are increasingly used to distribute customized advertisements and whole narratives to individuals on . This focused delivery of information endangers civil discourse and gives rise to the growing scale of “fake news”. The data of children, whose opinions and values are still largely in flux, ought to be protected with special care, and families informed of ways to build within their children the ability to judge the media fed to them hours each day.
Our Legal Imperative
Three important legal guideposts for US policy are FERPA, COPPA, and California’s SOPIPA. The thrust of each of these acts was neatly summarized in by Jim Steyer, CEO of Common Sense Media. Jim writes,
“We propose three basic principles that attempt to balance the tremendous opportunity provided by educational technology with the need to foster a trusted learning environment …
- Students’ personal information shall be used solely for educational purposes.
- Students’ personal information or online activity shall not be used to target advertising to students or families.
- Schools and education technology providers shall adopt appropriate data security, retention, and destruction policies.”
While school leaders ought to familiarize themselves in greater detail with the provisions of FERPA, COPPA, and SOPIPA, Jim’s principles outline the spirit of all three laws. Students’ right to privacy ought to be retained and protected, and it is the job of both vendors and schools to hold each other accountable for the protection of this data. In the next section, we’ll address what questions we can ask ourselves in order to begin delivering on these imperatives.
Resources:
For more information on the above, please check out:
- for resources that inform technology decisions with an eye towards meeting FERPA requirements
- The Electronic Privacy Information Center’s (EPIC)
- Common Sense Media’s description of how SOPIPA a
- Blog post by leader of the Arbinger Institute entitled,
The How
We have begun asking ourselves a number of questions around data and security more and more regularly when working with schools. I’ve cut to the chase a bit and have limited these to the top 3 questions a school leader ought to be asking and the top 3 questions IT leaders serving schools ought to be asking.
Questions for School Leaders
To what degree is IT connected to the curriculum approval process?
In a recent keynote presentation to Missouri school IT leaders, Lenny Schad, CIO for Houston ISD, flagged the relationship of IT and Academics as one of the most strategic collaborative relationships to get right in a school system. As curriculum is increasingly delivered through digital means, technical missteps don’t just impact devices, they impede learning.
Because of this danger to the learning process, school leaders ought to be asking,
- Have we asked IT about how this curriculum will impact our other systems?
- What security practices are in place on the vendor’s side?
- Who is the owner of vetting our contracts with curriculum and application vendors? Does that person understand the privacy language and technology terms set forth in that contract?
How often is my staff trained on best practices around data security, and how effective has that training been?
Staff ought to be briefed on the following topics, with clear policies and procedures for each one:
- Physical security of devices
- Password best practices and district requirements
- Procedures that govern “free” apps that teachers and staff members would like to try
- Phishing practices and implications if a computer is successfully breached
These topics are often uncomfortable conversations because, when implemented properly, many of them slow down teacher and staff workflows. But the fallout from a breach or the impact to a child when her data is used against her is more than enough reason to put up with momentary inconvenience as we protect the people in our care.
To what degree is data privacy woven into the digital citizenship curricula our students complete?
As soon as a child is given access to a device, we have the ability to impart practical lessons about protecting oneself, discoursing civilly online, sifting truth from error, and more. Are you able to present a plan that has been executed with fidelity in your district?
Resources:
There are a number of wonderful resources around the topics above. Ones I can quickly recommend include:
- Common Sense Media’s , a collection of contractual agreements that have been vetted for privacy concerns by school IT professionals around the US:
- The, which outlines impacts of data breaches and how we can protect against them:
- Common Sense Media’s , a free, accessible curriculum that also includes a certification process for your school
Questions for IT Leaders
What controls exist around student and staff accounts as they are onboarded, managed, and deleted?
What policies and processes are in place that govern access to resources where personally identifiable information (PII) exists?
What plans and processes are in place that will guide action when a security breach occurs?
Resources:
These three questions, and many more, are addressed in a number of places. Sources that come to mind include:
- If you are on Google, become familiar with the , or investigate an audit tool like or .
- A thorough collection of data privacy recommendations, including webinars, is available on . The TLE is also a certification process that can bring recognition to the work you are doing on data privacy in your school.
- A is publicly available and includes many valuable insights to typical audit requirements.
The Beginning
The work around data privacy and protections for our students is just beginning. The imperatives and remediation steps are the tip of the iceberg, as we have focused in this article more on the people than the technology.
, “The primary challenge we face in using technology effectively is human.” In light of the themes mentioned above, we might say “using technology securely” as well. It’s a work that is very much worth it, however, and I am glad to be a small part of protecting our schools.