The 21st century classroom is rich with technology-driven instructional possibilities, from more personalized learning and assessment options to powerful collaboration platforms. But with these possibilities comes a greater responsibility for schools to continuously assess and improve data-protection practices.
Savvy school leaders are beginning to prioritize this responsibility. "I believe we are at the precipice of a major turning point with stakeholder trust in the systems we provide," says Dan Layton, chief technology officer for Zionsville Community Schools in Indiana. "Big data can help create much needed, innovative solutions to issues surrounding education, but it also creates a cascade of privacy issues that we cannot be willingly ignorant to for the sake of staff, parents, and students."
Managing privacy risks is a significant undertaking. It often requires policy and process changes that affect all employees, and in some cases, it may require a cultural change in the school system. At a minimum, it means bringing together diverse and sometimes siloed teams around a common goal and method of operation that is responsive to legal requirements and community concerns. As such, it requires committed and knowledgeable leadership to guide the process, set the tone, determine how risk will be managed, and articulate key policies.
Given the variety of stakeholders involved and the complexity of the issues, the first step is often getting everyone on the same page about the centrality of the work.
"Our biggest challenge is ensuring a consistent message to all our stakeholders," says Jim Corns, director of innovation and digital safety for Baltimore County Public Schools. "Students, parents, teachers, administrators, and vendors all need to hear the same message so that we are partners in the work of data privacy."
For his part, Layton acknowledges that this kind of strategic communication around the issue of data security was at odds with the district's past approach, which unfortunately is not uncommon. "In the past, we had gotten by with a less than stellar strategy: hope," he says. "We simply hoped nothing bad would happen and that we would undoubtedly react the best we could. … We needed a roadmap to show that we as a district were taking student privacy and protection seriously so that we could create conversations with our students, teachers, parents, and community about how to navigate the digital realm safely."
Essential Practices
It was to help districts like Zionsville and Baltimore County that the Consortium for School Networking (CoSN), a professional association for school system technology leaders, designed a program to help education leaders understand the fundamentals of data-privacy and -security issues, implement continuous efforts to improve their data-protection infrastructure, and measure their progress. The Trusted Learning Environment (TLE) Seal program was created with input from 28 school system leaders, as well as lead partners ASCD, the School Superintendents Association (AASA), and the Association of School Business Officials International (ASBO). The program highlights the practices that school systems should have in place—beyond regulatory compliance—to help ensure student data privacy.
To participate in the TLE Seal program, school systems are required to submit an application explaining how they implement 25 privacy and security practices encompassing a holistic approach to protecting student data. During the course of their work, the school systems are required to submit evidence of the work, including artifacts such as documented policies and procedures that support their explanations. Both Baltimore County and Zionsville are recipients of the TLE Seal.
The practices stressed in the TLE Seal framework fall into five core areas:
Leadership: School system leaders set the tone and define core policies and expectations regarding how a school system will and won't use data to inform instruction, and how it will govern student information.
This requires, first and foremost, that district leaders are educated on student-data privacy regulatory requirements and are able to articulate a vision for the school system that encompasses use and protection of student data. They must create a core data-protection policy, then empower key stakeholders in the organization to implement it. They must also unite the organization under the common goal of protecting student-data privacy and make clear—both in words and in actions—that privacy is a priority. This requires keeping student-data privacy positioned as a key leadership priority through active, ongoing discussion; staying informed about privacy work happening in the school system; providing training and resources to implement and audit privacy practices; and keeping the teams motivated.
Business Practices: Each school system must also define how it will protect student data when working with technology providers. This includes assessing technology before it's brought into the classroom to ensure that it offers adequate and appropriate privacy and security protections and ensuring that contracts are in place with each technology provider that articulate the school system's expectations for control and protection of its student data. As Layton notes,
"We work in a human-driven enterprise, and it is complex. School systems are busy places that are always looking for ways that technology can be leveraged to create efficiency. For many districts, this uptick in efficiency often takes precedence over reading the privacy policies and terms of use to see if the application or program is in sync with the best interest of student data privacy. Creating urgency about the need for guidelines about compliance and privacy with stakeholders is critical to ensuring that innovation initiatives are managed responsibly and are not creating unnecessary risk."
Data Security: The technical, physical, and administrative safeguards in place to protect student data from unauthorized access are key components to any data-protection program. This means establishing and implementing protocols to protect student data both in transmission and at rest, securely destroying data that is no longer needed, and limiting access to student information to only those individuals who have a legitimate educational interest in the information and require access to perform their role. It also requires that appropriate business continuity and disaster-recovery protocols are in place, as well as an incident response procedure that includes communication plans. These and related policies and procedures must be audited regularly and updated as needed to account for changes in technology and capacity.
For Baltimore County's Corns, the requirement to provide evidence that each data-security safeguard was in place was the most powerful aspect of applying for the TLE Seal. "Working through the application process allowed us to document not only the implementation of data privacy, but also the artifacts that demonstrated [its] effectiveness," he says. "Documenting our practices in a way that individuals outside of our district could understand helped us to further refine and streamline our initiative."
Professional Development: Policies and procedures are only useful if the people responsible for implementation have been trained on them. That training should include instruction on key federal privacy regulations, applicable state student-data privacy laws, and school system policies, as well as expectations of behavior for the teams being trained so that they understand how to comply with all of the rules. Baltimore County provided online professional development for its staff, including both administrators and teachers. Similarly, Layton extended training for the Zionsville staff to ensure that employees knew not just the rules, but also how to properly vet any new tools or programs that use student data before they were brought into the classroom.
Classroom Instruction: Leadership needs to champion all facets of the data-privacy program, including ensuring that students are taught how to make responsible decisions about their data privacy and security. This starts with helping teachers understand, through both formal training and ongoing conversations, how to better protect student data and their own information, as well as the importance of reviewing technology for privacy and security requirements before it's brought into the classroom. Empowered with that knowledge, teachers are better able to model good privacy behaviors for their students and articulate simple steps their students can take to make better informed decisions about their data in the future.
Interconnected Through Privacy
Once the fundamentals are in place, a school system must continuously monitor and improve its data-privacy program over time. When done well, the program should complement any innovative instructional strategy, allowing the school system to move forward effectively, safely, and responsibly.
As Layton states, the key is to begin, and in doing so, to bring the district together around the common goal: "We had to create urgency around data privacy and protection with key decision makers and those on the front lines. The process showed us just how interconnected our district is through privacy [issues]. What started as an initiative in the technology department quickly became a district-level program."
Protecting the privacy of student data is an undeniably complex undertaking. However, it is also a fundamental responsibility for every educational institution in today's highly connected world. It is a key area of concern for legislators, parents, and other community members—and school systems will continue to be challenged on their practices until they can demonstrate that they have made protecting student data a key priority. But as participants in our program show, school systems can take the lead and engage in programs of continuous improvement in protecting students' information. The old approach of just hoping nothing will go wrong is no longer sufficient.
Author's note: Jim Corns, Jr., director of innovation and digital safety for Baltimore County Public Schools, and Dan Layton, chief technology officer for Zionsville Community Schools, contributed to this article.