Five Principles for Securing Student-Data Privacy
From student-identity theft to the sale of student information for corporate gain, there is no shortage of news about challenges associated with the growing presence of technology in our nation's schools and classrooms. And while these challenges affect organizations across all industries and social sectors, constrained financial resources make school systems particularly vulnerable. Moreover, although federal legislation, the Student Digital Privacy and Parental Rights Act of 2015, has recently been introduced in Congress, strong legal protections for student data do not yet exist.
Given the risks, one may ask: Is it worth investing more in technology in our schools? In fact, the benefits are huge. With the cloud-based tools available today, educators can personalize student instruction to a degree that wasn't possible just five years ago. These tools can engage young minds in new ways, including many that no one has even thought of yet. By moving us past the days of assembly-line education plans based on a single textbook, they can allow us to make sure that no student has a lackluster learning experience, and that each is well prepared for the career path of his or her choosing.
Does that sound optimistic? It's an ambition within reach. Over the nearly three decades I've worked in education, I have had a front-row seat as technology has become an integral part of the classroom, and I am confident that by collecting the right data, schools have the power to transform students' lives for the better. Nevertheless, the risks are real, so it is also important for educators to dramatically rethink the approach to student-data privacy they've taken over the last 30 years.
Back in the 1990s, when I served as chief information officer of the Del Rio and San Angelo school districts in Texas, there was much greater naiveté around protecting data, and student data in particular, for a number of reasons. Outside of libraries, Internet access in schools was primarily used by administrators to share data with the state for funding purposes. Students and parents rarely knew what data schools had about them on file or who might have access to that information. Because computers were rarely connected online, paper files were the norm, as were unsecured campuses.
Meaningful measures to better protect educational data didn't pick up until the turn of the millennium, after the world raced to avert Y2K-spurred data-management vulnerabilities, "always on"—or Internet-ready—computing became commonplace, and online identity theft started to rise. Banks and other commercial enterprises were quick to invest in data privacy, but schools lacked the resources to do so, leaving students especially vulnerable. Suppose a 5th grader has her Social Security number stolen and used fraudulently to apply for credit cards and loans? She might not discover it for years, and enter adulthood at a serious disadvantage.
While awareness is better today, there is still a surprising willingness for people—adults as well as children—to share data when they shouldn't. Not long ago, I was checking in to a hotel when the power was out and the computer systems were down. Guests were being asked to sign in on paper and to write down their credit card numbers—and many people were doing it. In a school, this lack of vigilance would place our students' data at tremendous risk.
What this experience teaches us is that technology alone cannot ensure student-data privacy. Instead, we need to enact a massive cultural shift. School administrators must understand that student-data privacy is not just a concern for IT administrators, but also for the executive leadership, who must take responsibility to drive the change needed throughout their organizations. All the security patches in the world don't do much good when information is locally stored on a laptop that can be left in a car, or a network-security password is taped to a computer monitor.
To drive this cultural shift, we must take a holistic look at how sophisticated and complex student-data privacy has become. We must rigorously explore the implications for kids, parents, and school systems alike.
A year ago, a nationwide snowstorm canceled classes after school had started, so the students needed to be picked up. Some were at school, some were still on the bus, and many parents were stuck as well. This created a situation in which parents did not know where their children were, and GPS technology could have played an important role. Location tracking, however, adds a host of privacy issues we haven't had to deal with until recently: how to track student locations, whom to share this information with, and what to do if parents wish to opt out.
Regardless of whether a school is rural, suburban, or urban, or is large or small, there are a few fundamentals I can offer from my experience in school technology to help protect student-data privacy:
• Build data-privacy policies into your school culture, so that every faculty and administrative staff member is thinkingabout it whenever student data is involved. Promote this approach among all employees, from the newest teacher up to the superintendent.
• Be very wary of "free" technology solutions. You may end up paying with students' data, rather than cash.
• When you work with a technology company, don't just ask for a product demonstration. Demand an executive briefing that will show you step by step and scenario by scenario exactly how data will be protected.
• Data privacy often has legal implications; make sure school or district lawyers are involved in the policymaking process.
• Take advantage of reliable online resources that clarify why data privacy is important, best-in-class privacy standards, and strategies for tailoring a school's or district's data-privacy policies.
When my daughter started middle school this year, I felt a tingle of déjà vu when I looked at her school supply list. I checked it against supply lists I found online for an array of districts around the country and realized it was the same school supply list I was given when I was her age. As William Gibson famously said in the early '90s, "The future is already here; it's just not evenly distributed." Even now, schools are often unable to make the best use of technology.
My daughter is fortunate in that I'm in a position to spark her curiosity at home through tech tools. She can use a USB microscope to look at a tooth that she lost, or navigate a drone in our backyard to learn about geospatial information and geography. But all children should have the opportunity for such customized and technologically enhanced experiences, while their parents and educators work together to ensure their privacy is protected.
Vol. 34, Issue 31, Pages 24,28