In response to those survey results, student data privacy expert Linnette Attai shared key steps to build a K-12 data privacy program from the ground up during a three-hour workshop Monday at CoSN's annual conference in Seattle.
The most important step is to first map your district's data, according to Attai, who serves as project director for CoSN’s Student Data Privacy and Trusted Learning Environment initiatives. She provided a starter template for this process, which involves listing each data element and finding out who it’s collected from, why it’s collected, the sensitivity level of the data, who has access to it, how it’s protected and when it’s deleted, among other factors.
“If we don’t know what it is, we don’t know how sensitive it is. If we don’t know where it is, we don’t know if it’s protected properly. If we don’t know who has it, we don’t know if we’ve overshared,” Attai said. “If you’re able to map your data, in whatever format you want that map to be, this is a tool you can maintain over time, and it’s going to allow you to answer some really key questions about protecting it.”
She added that this is not a fast or easy process given the amount of data school districts collect, but that mapping this data is fundamental to protecting it — and will likely provide 20 to 40 action steps right off the bat, which can then be triaged accordingly.
Attai said the next step to strengthen student data privacy is to find and review your district data governance policies and procedures. She directed workshop participants to a free CoSN resource that lists what she said are the fundamental policies every district should have in place.
“You can gather your policies, compare it to the list, and just do the checkbox exercise — do we have these, do we not have these?” Attai said.
She recommended setting up a system to review all district data governance policies annually, making sure to indicate at the bottom of each document when it was last updated and reviewed.
“Then we need to conduct a gap analysis. Are you even able to complete your data map? Do you have enough district policies? Are they current? Are they enforced?” Attai asked. “Do you have procedures for all your policies? Do you have training that addresses your policy and procedure requirements? This is a down-and-dirty audit of privacy practices.”
Such an audit should help ed-tech leaders come up with a clear remediation plan that they can then present to district administrators to gain their support for building and improving student data privacy, Attai said.
She added that procurement standards that address how ed-tech vendors handle student data should be part of any district privacy plan, and that vendor red flags include the lack of a privacy policy, no apparent understanding of applicable privacy laws, contract language that allows a vendor to change the contract without telling the school district, and immature security relative to the sensitivity of the data.
“It’s not innovation or privacy. It’s not instruction or privacy. We need to do both together,” Attai said. “If the technology is not built with privacy in mind, it’s not good enough to be in your school district.”