To learn about how schools can protect student privacy and data security, we hosted a webinar featuring a panel of two district technology leaders who are experts in district-wide security and privacy strategies. ParentSquare’s Chad Stevens spoke with privacy experts Rod Russeau and Steve Smith to discuss how districts can meet their technology needs, while keeping student and district data safe and secure.
Our panelists both hold distinctive credentials in school cybersecurity and data privacy––Rod is the Chairman of the CoSN Cybersecurity Advisory Committee and Steve is on the board of the Student Data Privacy Consortium. Their experience with these organizations offered valuable perspectives throughout the webinar conversation.
CoSN Cybersecurity Advisory Committee
The CoSN Cybersecurity Advisory committee seeks to support school leaders in their efforts to protect their networks and provide information security. This committee supports leaders with guidance and actionable tools, including tools to analyze their current cybersecurity status and to validate what they are doing well to maintain a successful cybersecurity program.
Student Data Privacy Consortium
The Student Data Privacy Consortium aims to address the real-world, multi-faceted challenges faced daily by privacy professionals and school leaders in the protection of learner information. The organization hopes to bridge the gap between schools, districts, divisions, states and territories and their technology partners when creating privacy agreements and security programs.
What is Privacy?
Steve gave his perspective on privacy as a district leader, focusing on student privacy and keeping student information safe. “[It’s about] ensuring that the information about students is protected and only used and shared in appropriate ways,” Steve said.
The responsibility is on school districts to make sure that no matter where the data is being shared––whether with edtech vendors or community partners––the data doesn’t go beyond those partners and vendors.
Steve also noted that security and privacy are different things. “Security is the controls needed to ensure privacy,” Steve said. He pointed out that it’s possible to have a very secure system, but still be misusing data or sharing it in places it shouldn’t be.
Rod elaborated on this idea, mentioning the many overlaps between security and privacy. In order to have privacy, you first need to ensure you have good security. When you’re building good security, the main goals to focus on are confidentiality, integrity, and availability.
How Can We Maintain Student Privacy and Security With All of the Stakeholders Involved?
Steve mentioned that when his district first started addressing data challenges and vetting partner applications, it was a lot of work and very difficult to get all stakeholders on board. Things are a bit easier now, but a lot of that has to do with setting expectations for student privacy and security with all stakeholders in the district. “The hardest part in a district is building awareness and a culture around student privacy and security,” Steve said.
At Steve’s district, a list of digital resources that have been vetted for both educational alignment and student data privacy protections is available. Both “approved” and “not approved” resources are listed.
Rod had a similar sentiment, noting that it can be difficult to maintain privacy and security because of how easy it is for anyone in your community to access and use digital services and free apps. Fortunately, some states have begun to implement laws that require privacy agreements to be signed with vendors. With that legal requirement and formal vetting and request process in place, districts now have greater leverage to communicate to school leaders, teachers, and staff about how important student privacy is.
“Human beings are the biggest risk factor we have when it comes to tech.”
— ROD RUSSEAU
Where Should Districts Start?
There’s still a large percentage of small districts around the country who haven’t been able to fully establish privacy and security controls. Steve said that the best place to start is to figure out what your requirements are. Identify any privacy risks you may have, who is currently receiving data from your district, and how that data is being utilized.
Steve and Rod both emphasized the importance of reaching out to peers and organizations to find resources and build your own framework for creating a privacy program in your district. Everyone in a district has a role in student privacy––reach out to all stakeholders and make them aware of what their role is in maintaining this privacy and security.
Rod added that it can be helpful to start small with something that is really important to you on your list of privacy concerns or goals. It’s also critical to identify what your critical assets are because you can’t protect what you don’t know you have.
Vetting EdTech Providers
Ultimately, your success will likely stem from how well you evaluate your edtech providers. There’s going to be a minimum set of requirements for your vendors, and from there you can create a privacy agreement for your vendors. Steve noted that this helps to bridge the gap between district needs and what the vendors provide.
From the edtech provider perspective as the Chief Strategy Officer at ParentSquare, Chad added that standardization helps providers offer the services districts need and collaboratively create security and privacy programs alongside districts. This can enable a stronger partnership that is truly focused on the importance of student privacy.
To view the conversation in its entirety, check out the webinar recording here.
Resources
COSN:
- TLE Self-Assessment
- Risk Assessment (Free by S2/CoSN)
- SecurityStudio developed with/for CoSN
- Cybersecurity in K12 Education (CoSN facilitated class)
STUDENT DATA PRIVACY CONSORTIUM:
- Explore the Resource Registry (8,500+ student data privacy resources) https://privacy.a4l.org/sdpc-resource-registry/
- National Data Privacy Agreement https://privacy.a4l.org/national-dpa/