We talk about building trust so that we can work on protecting student data privacy, but it is difficult to protect student privacy only with policy. We need to also advocate for proper encryption of databases and privacy training. Only when we educate users (schools, districts, parents, students) on proper security practices can we be confident that kids’ information will be safe. Setting policy is important. It provides us with guidelines on what set of rules ought to be followed. But rules may be broken, actually, they are commonly broken. Data breaches are happening more and more often in educational institutions. Mostly, because of someone’s negligence or lack of understanding how the system works; which is why it’s so difficult for people to trust their children’s data is being properly secured. Without real consequences for those failures, all the good policies in the world will not protect student privacy. Parents and students put their information in the hands of their schools. Schools in turn put that information in the hands of the third parties they contract with. The responsibility for the data gets passed on. There has to be adequate security protocols in place.
EdTech companies need to step up and take the lead if they are to be the stewards of our children’s data. We cannot continue to put the burden of security and privacy policies on budget strapped schools. An easy first step would be if companies requested that educational apps in their stores encrypt student data. This is a good first step. Additionally, adopting standard language related to privacy and security makes understanding complex legal issues transparent.
But I also urge school districts to look at their community. Beyond privacy laws what does the school community expect when it comes to privacy? What agreement can the community come to when the issue is the collection, use and sharing of student data? And what is important for different communities when it comes to privacy? That is an important conversation that we need to have.
School districts need to understand best security practices – securing devices, strict password policies, and security audits. School staffs need training so they can understand how to identify those educational apps that provide adequate privacy protections. While there are no measures that can guarantee 100% security and protection of student privacy, awareness of the issues and a proactive approach will prove more effective by ensuring good policy is followed and acted upon. And therefore, I urge policymakers to help schools with the administration of security safeguards.
A FERPA rewrite is important, for we need to our laws and policy to keep up with technological change, but we also need to change our entire approach to security. We must focus on students and how we can use technology to create the learning environment that works best for them.