Prioritizing the Privacy Work for the Technology-Enabled School District

In the midst of important discussions on data privacy and security taking place across the nation, school leaders can easily forget how and why we adopted the array of applications that support learning and school operations. These systems did not arrive overnight. Rather, over the course of years, school leaders began to leverage software that helps scale personalized learning, provide engaging learning experiences, and run the “business” side of districts (e.g., scheduling, transportation, etc.).

Instructional technologies are prime examples of districts using the Family Educational Rights and Privacy Act (the major federal education privacy law) “School Official” exception, where districts outsource work that would otherwise have been accomplished by district staff, while maintaining the mandatory direct and legal control over any data shared in these circumstances. In the case of online resources, leveraging this exception has become almost mandatory, as much of the work is either not possible or much more costly for a district to accomplish with their own staff and tools.

The use of data can help deepen learning and introduce efficiencies in ways that were not possible just 20 years ago. That said, we must also acknowledge that the use of such apps, extensions, and systems comes with costs that extend far beyond licensing fees. The collection and use of this data bring new legal and ethical obligations of trust and protection. Establishing and running an effective data protection program requires time, resources and diligence. The stakes continue to escalate, as cyber-attacks increase in number and complexity, privacy laws change, especially at the state level, and educational technology resources evolve. In fact, 68 percent of respondents to CoSN’s 2018 IT Leadership Survey indicated that cyber security and privacy are of greater concern than they were in the prior year.

Those concerns translate into increased staff time needed to conduct due diligence and compliance. In Connecticut districts, for example, additional work to comply with the state’s first student data privacy law resulted in an estimated 80,000 staff hours to complete software reviews and vendor negotiations – not to mention substantial out-of-pocket legal fees to review terms of service. And those efforts bring an opportunity cost, with many technology leaders focused on compliance work at the expense of other projects that directly advance teaching and learning. The CoSN 2018 IT Leadership Survey results also show that just 13 percent of leaders have staffing levels and other needed resources that match the operational and instructional needs of their districts.

School leaders can and should advocate for resources that reflect the true needs of running a district, with a multi-year technology plan that directly supports the 21^st century student.

Districts should partner with their technology providers in the areas of privacy and security. Technology and curriculum leaders should look for educational software developers that design security, compliance, and controls into their products. Contract language should ensure transparency in the data these applications collect, even if — as in the case of many Web content-management solutions — those systems only collect aggregate visitor information via cookies or related technologies.

They should also leverage the research and best practices already developed through frameworks such as the Trusted Learning Environment (TLE) to help ensure privacy and security. Insights from the network of TLE districts across the country provide peer support to backfill some of the gaps in staff and expertise.

Given the array of concerns and responsibilities facing district technology leaders, perhaps their top priority is prioritization itself. With limited time and resources, they need to take a reasoned approach to addressing the greatest risks first, such as protecting school networks from attacks and securing confidential student and staff data. This list of responsibilities certainly includes issues such as encrypting public-facing websites and understanding and communicating the use of tracking tools on those sites. However, as with all organizations tasked with privacy and security responsibilities, prioritization based on a threat matrix as well as the knowledge and resources on hand is key to meaningful improvements in data protections.

Driving innovation and efficiencies in schools will continue to be a wonderful challenge for leaders who can balance the potential of technology with sound privacy protections. As district leadership teams undertake these responsibilities, they can also leverage the full array of peer, professional, and market resources in the national K – 12 ecosystem.

Doug Casey. @dougcasey In his current role, Doug designs and manages the State’s educational technology plan that supports the successful integration of technology in Connecticut’s schools, libraries, universities, and towns. His prior experience includes managing technology and security for a network of magnet schools that are helping to close the achievement gap between urban and suburban learners. He began his career as a middle school English teacher and brings a diversity of experience to every challenge — from managing online publications for the Smithsonian Institution to systems engineering for the U.S. House of Representatives and national security agencies. He holds a BA from the College of William & Mary, MA from Georgetown University, and MS from George Washington University

Melissa Tebbenkamp. @MTebbenkamp Melissa Tebbenkamp has served as the Director of Instructional Technology for Raytown Quality Schools in Missouri since 2006.  She holds a master’s degree in Educational Technology, with a concentration in networking and systems management. Mrs. Tebbenkamp was one of the first 50 in the nation to earn the status of a Certified Education Technology Leader and is a current member of the CoSN National Board and co-chair of the CoSN Student Data Privacy working group.  Under her leadership, Raytown Quality Schools was among the first nationwide to move to large-scale server virtualization and was published internationally for the progressive approach to data center resource management.   In August 2016, Mrs. Tebbenkamp led the Raytown School District to becoming one of the first seven districts in the nation to earn the Trusted Learning Environment Seal for student data privacy.