Data Privacy
PRIVACY PROGRAMS
Having a strong district privacy program can demonstrate both compliance with the law and proper ethical use of PII. Having a strong security program in place can go a long way in supporting the implementation of a privacy program. A privacy program is a set of policies and procedures to keep PII safe, comply with laws and policies and protect both students and the district from harm. If you determine a privacy program is needed there are several steps to build this program.
- A privacy coordinator should be appointed. Requirements of this position should include the coordination of privacy efforts and policies.
- The coordinator should work with the data governance council and/or legal staff to determine which privacy procedures and policies are in place.
- The coordinator is responsible for bringing all of the necessary people together to determine needs for each step of the data lifecycle.
- The coordinator should develop and provide all data training to district staff.
- The coordinator should constantly monitor to ensure policies and procedures are being followed.
- The coordinator should assist in creating the messaging to stakeholders about districts’ efforts around student data privacy.
Here is a short 2-minute video from PTAC that gives more information on privacy programs. Video – Developing a Privacy Policy for your District
TRANSPARENCY
Many of the laws require regular notification to the public about student data that is collected by a district. In addition, in some cases, districts must share how they use the data and how they protect confidentiality. Providing transparency around a school district’s plan is not just part of the law but part of good practice.
Here are some suggestions for maximizing transparency with the public:
- Place information about student data policies and practices in an easy to find space on your website
- Provide a detailed data inventory of the student information that is collected and how it is used
- Post vendor contracts online which include the terms of service for online apps and services used in the classroom. For Nebraska school districts using the SDPC website is a good option.
- Share with parents what personal information is shared with third parties and for what purpose(s)
- Publicly provide a staff contact and how they can be reached for stakeholder questions
For more tips on transparency, see PTAC’s Transparency Best Practices for Schools and Districts.
COSTS, BENEFITS, AND RISKS
There are costs involved with implementing these data privacy programs including equipment, professional staff, and training of district staff and both time and money can often be in short supply in education. Often these costs can be barriers to districts implementing quality programs until there is a breach or parents raise concerns related to student data privacy. To ease some of the burden, districts can consider the implementation of parts of these programs over time and as resources allow. Districts need to begin by complying with laws and regulations and gradually expand to security, training and updating equipment. Privacy and security programs will protect districts and their students from potential harm such as theft, predatory activities and emotional and social harm. In the long run, districts can be saved potential financial costs from lawsuits, identity theft, and ransom attacks.
STAFF PROFESSIONAL DEVELOPMENT
There are many aspects to staff training that must be put into place to create success around your data privacy programs. In addition, CIPA law requires additional training for staff to teach students many aspects of proper online behavior, social networking interactions and cyberbullying. Districts are responsible for providing proper training to administrators, teachers and other staff, including contracted employees on data use. Many times this training can be tied to other training staff receives when they join the district. An example would be to provide basic training on data privacy while staff undergoes training on the student information system (SIS). Districts must also provide ongoing training on an annual basis to reinforce policies and procedures or even update on changes. Often districts have Acceptable Use Policies that outline acceptable and prohibited activities that staff must sign each year but this cannot be a substitute for ongoing training that should be occurring.
Here are some topics that could be covered in a staff data training program.
- Definitions of “personally identifiable information” and “sensitive data”
- Federal and State Legal laws and requirements, like FERPA and COPPA
- Nebraska Department of Education Rule 6 and its requirements
- Local board policies related to privacy
- Directory information policies
- District procedures on vetting/approval of classroom used applications and websites
- Processes for managing a data request
- Appropriate uses and sharing of student data
- Protecting student privacy while using online educational services
- Methods for protecting PII in and off site
- Data destruction best practices like shredding and deletion of electronic files
Districts most often have provided this type of training in a face-to-face training experience but increasingly this type of training is being moved to asynchronous online formats. The use of this format provides more flexibility and cost-effectiveness. In addition, there are assurances that all staff receives a consistent message around policies and procedures.