By Linnette Attai, Founder, PlayWell LLC.
Education technology providers are under significant pressure. Questions about whether or not existing legislation is sufficient to protect student data privacy have come perilously close to overtaking balanced conversation about the benefits of data to advance education and support student needs. Concerns about who might have access to student data, fears about how it might be used and a general lack of knowledge about how technology providers actually manage their operations have helped spark creation of over 300 student data privacy bills in the past two years. “Complex” doesn’t even begin to describe the ecosystem, and innovation hangs in the balance.
It’s incredibly challenging for schools and districts to untangle it all and understand which of the concerns are real and which are imagined. Schools looking to leverage 21st century classroom tools are often stymied by a lack of understanding about how the data would actually remain protected and under their control, as required by law. School leaders need to know not only how companies manage student data, but also how to best explain that to parents and other community stakeholders who have a more than vested interest in the subject. They are under as much pressure as the technology providers to get it right.
Large or small, technology providers have a responsibility and an opportunity to help change the climate and bridge the trust gap with schools. To that end, here are 5 essential practices every technology provider should consider as foundational for their organization:
1. Know the privacy requirements: It’s imperative to understand current privacy regulation and the fundamentals behind much of the proposed regulation. There are common concepts around data privacy that have existed for decades across different sectors that are applicable here. Internalizing those concepts, the current laws and sector norms will help you set up a robust and compliant model for your operation. As a start, data minimization, user choice and control, transparency and use limitations should all be included in your policy frameworks.
Prepare to comply with a wide variety of federal and state laws and district norms that may change over time, and to explain your privacy and security practices in as much detail as possible. In addition, understand the unique challenges faced by schools and districts. It’s not enough to provide them with a great piece of compliant technology. Know how to communicate your operational safeguards to support them in managing their compliance requirements.
2. Lead with security: A comprehensive security program addressing all facets of the organization is critical to managing a compliant and trustworthy operation. To that end:
- Define the measures needed to protect the data you’ll collect
- Know and apply the requirements for data encryption in transit and at rest
- Ensure proper design and protections for your database
- Implement robust device security, including encrypted laptops and two-factor authentication
- Establish role-based rules around data and device access
- Adhere to regular data deletion schedules and appropriate de-identification standards
- Develop and drill on your incident response plan
3. Train early and often: Employee onboarding programs should include training on your student data privacy and security policies. Provide education on the rules around data access and handling, device use and the basic legal requirements. Then go deeper with additional training by role or team. Ideally, training should be repeated at least once per year and whenever policies and practices change.
4. Manage your partners: Every partner or service provider you take on is your responsibility. The Children’s Online Privacy Protection Act (COPPA), the Student Online Personal Information Protection Act (SOPIPA) and other regulations require particular due diligence around your partners’ privacy and security capabilities. A robust assessment is needed to ensure that each partner can and will meet the required privacy and security thresholds. The process should include defining the minimally required data, how and why the partner will have system access, and the required data handling, use and deletion protocols.
Consider how you will operationalize the process and ensure proper integration and review of your partners.
5. Audit and evolution: Your systems and processes will remain robust and effective only with ongoing examination and improvement. Prepare for annual privacy and security impact assessments involving all policies, processes, technologies, employees and partners to ensure that your organization remains up to date on regulations and that the systems you’ve put in place remain up to the task. Assess any new system or technology to ensure you understand not only how it will benefit the organization, but also how its use may impact student data on hand. Ensure that technology advances in one area don’t cause compromises in privacy and security controls.
The climate around student data privacy and security is not likely to ease up soon. Organizations that stand out will have the knowledge and capabilities to drive business growth in a manner that prioritizes protection of student data privacy and security and eases the compliance challenge for schools and districts.