digital
leader
Privacy, Please
The principal's role in protecting the privacy of student data
Dana Greenspan
I
f you ask chief technology
officers or IT directors what
keeps them awake at night, the
response-ahead of Common Core
State Standards support and online
assessment-is likely data security
and privacy issues. The school
principal can be a local education
agency's (LEA) key resource when
partnering with IT staff in order to
deter privacy breaches by ensuring
that students, families, and staff are
aware of-and avoid-potential risks
by practicing safe online behaviors.
Protecting data has long been on
the radar of the IT staff and security
experts, but it's taken breaches at
Target, Home Depot, and Sony for
most of us to become aware of how
vulnerable we are. In any given year,
I attend numerous workshops given
by excellent teachers demonstrating
how they effectively integrate
technology into their curricula
via a smorgasbord of engaging,
educational applications; but rarely
have I heard them talk about privacy
issues. This needs to change. One
can't fault the teachers, principals,
or LEA staff because protecting
student (and family and teacher)
data has only recently become a
hot topic. We're beginning to hear
more conversations about student
privacy and data protection among
state and federal legislators, at
educational conferences, and within
LEAs. Training educators to think
about data privacy when choosing
digital programs and applications
can-and should-become a routine
part of the selection process.
Principals, with assistance from
other site administrators, will
play a large role in making certain
54 Principal Leadership | April 2015
these conversations transform into
routine practices.
According to the Privacy Rights
Clearinghouse, there have been 299
educational breaches since 2010
(Privacy, 2015). These represent
10.7 percent of the total tracked
breaches, for various reasons. Aside
from hacking or malware, insiders
with legitimate access, such as
an employee or contractor, can
make intentional or unintentional
breaches. Other data breaches can
result from physical loss or theft of
a device or even of paper containing
sensitive information. What's
disconcerting is that theft of student
data, particularly that of young
students, is now of prime interest
to organized cyber criminals.
Although it varies from state to
state, many entering students are
required to provide a Social Security
number, which is entered into the
student information system along
with other personal information.
Because children have essentially
perfect credit scores, they are ripe to
become victims of identity theft that
may continue undetected for years.
As adults, especially if we suspect
we are victims of a data breach, we
know to monitor our credit reports.
But how many parents monitor their
children's credit reports-how many
would even think it's necessary?
We must help our stakeholders
be savvy consumers by educating
parents about the need to monitor
credit reports for the entire family,
regardless of age, annually.
Cloud computing has led to
greater vulnerability as well. Secure
servers physically housed at LEAs
are under the control of IT staff
who work diligently to ensure safe
practices and monitor networks
for potential security breaches.
Now many LEAs are turning to
fully web- or cloud-based solutions
where the data is housed by the
program/application developer or
even a designated third party. In
that instance, do you know which
data is collected or how that data is
shared? Do you know what happens
to the data when the program or
application is no longer in use?
Which staff can access the data, and
do they need to have access? These
are questions we need to be asking
before choosing and using a program
or application, especially when
individual student data is required as
a condition for use.
Content creators are becoming
more accustomed to being asked
for specific contractual language
to appear in purchase agreements,
but, depending on local legislation,
this varies from state to state. We
are all responsible for looking at a
company's privacy policy. Rather
than automatically clicking "I agree"
when a pop-up window appears for a
downloaded or updated application,
we need to get in the habit of
checking applications and websites,
as well as actually reading the
privacy policy in full.
Federal laws protecting the
privacy of student data have
existed since 1974, and some
have been updated to reflect
digital technologies. The Family
Educational Rights and Privacy
Act (FERPA), which sets rules for
how LEAs can use and disclose
student records, was updated
in 2012 to include digital data
Table of Contents for the Digital Edition of Principal Leadership - April 2015