5-step process for better student data privacy in K-12

The following article is a guest post by EdTech expert, former district administrator, and author Carl Hooker. Carl has 20+ years in education and K12 consulting. He speaks on various topics, from digital wellness to technology integration and district leadership.   

In recent years, data privacy has risen from conversations in the server closet to discussions during school board meetings. As a former district technology leader, I'm excited to see that district administrators have finally prioritized data privacy. 

But I also realize many districts need help implementing solid, reliable data privacy practices. This is often due to tight budgets, limited staff support resources, and a need for more knowledge regarding what high-quality data privacy practices look like in schools. 

During the pandemic, there was a mad rush by educators and solution providers to flood the market with a variety of "freemium" digital tools to help fill in the gaps when it comes to teaching and learning. 

When you factor in the increase in student-issued devices and the complexity of some state privacy laws, it's easy to understand why tech leaders might prefer to stick with what they know rather than audit their school's data privacy practices. Where do you even begin to audit new tools and ask the right questions when there are hundreds of software solutions to choose from?

Our student data is out there, and it's being used by companies, sometimes for profit. According to research by The 74, 96% of our students' digital tools expose their data for profit or marketing use. That's a staggering number.

In 2018, we ran an audit of all the applications and systems staff and students utilized in our district (Eanes ISD in Austin, TX). At that point, we were entering the 5th year of our one-to-one student device program and felt that digital devices were finally ubiquitous in classrooms. 

After years of training, support, and promotion of digital tools, an educator could step into any classroom and witness high-quality blended learning in action. 

However, we still had a few issues that needed some major fine-tuning. For one, we knew they used the devices but needed to figure out how often and what programs were in use. We knew what programs we'd purchased but were unaware of the free apps and programs teachers sometimes download. 

Even some of our previously vetted platforms had some holes regarding data privacy and collection. 

I realized that I couldn't confidently stand in front of a school board and tell them that our devices and student data were safe. This was a problem.

A major problem. 

Phase 1: Formation of a task force

Before purchasing our second round of devices, we had created a "Digital Learning Task Force" to help gather input from our broader learning community. This task force consisted of district EdTech coaches, principals, teachers, parents, and students. 

As data privacy and device usage were now the concern, we reconvened a small portion of the task force to help us with this challenge. Our mission was to increase awareness and gain deeper insight into what programs we were using that could leave students and staff at risk. 

After several years of promoting a core group of applications for student use (apps like Nearpod, Google Classroom, and Kahoot!), the task force realized that there were at least 60 other programs on student devices that were utilized for learning in and out of the classroom. 

The formation and brainstorming session was the first step toward guaranteeing high data privacy standards in our district. To truly verify and audit student data privacy, the task force would have to dive deeper. With our agreed-upon mission in front of us, we set out on phase two of the journey.

Phase 2: Data gathering and discovery

In 2018, few tools or dashboards could quickly reveal what platforms were being used and how often. We didn't even know with certainty what platforms were housing our student data without our knowledge. 

As part of phase two, we utilized a combination of data-gathering tools. Surveys of teachers, students, and parents would help fill in the gaps of anecdotal evidence, but we also needed some quantitative data. 

Part of my job for the next several weeks was going to each platform, paid or free, and requesting a report of usage from our district devices and the company's most recent data privacy agreement. 

Again, having a single usage dashboard like Linewize's School Manager would have made this part of the process much quicker and streamlined, and tools like this are what districts strive towards today. Once we gathered all the usage data and survey information, the task force reconvened for phase three. 

Phase 3: Data privacy audit and clean-up

After weeks of research and data gathering, we could say with 99% certainty that we knew where our student data was going. Now we had another problem. 

Teachers and students had become accustomed to using specific free platforms that we knew had weak data privacy agreements (DPAs). They housed our student data and, in many cases, could even utilize it to sell to third-party companies. 

We spent a large part of phase 3 going through each platform's DPAs to see which passed what we considered a minimum standard (utilizing other states' published standards like New York's Ed Law 2-D). 

We then created an internal district dashboard that our teachers could view to see which tools met our data privacy standards and which didn't. For those that met the standard, it was business as usual. However, we found a handful of free applications that needed to meet the standard. This led us to the final two phases of our data privacy task force. 

Phase 4: Vendor outreach

A small task force subcommittee set out to contact companies with loose data privacy standards. A couple of the companies were surprisingly responsive to our concerns and altered some practices, including beefing up the decryption of student data they housed on their own servers. 

Unfortunately, this group was in the minority. Most companies either didn't respond or told us that they wouldn't change without a larger contingency of complaints. Essentially, we were too small a district to really impact their data privacy decisions. 

This put us in a difficult spot. We had the following options in front of us for those applications that didn't pass our data privacy audit:

1. Continue to use the application, knowing there were risks that our data could be leaked or misused. 

2. Try and gather a larger contingency of districts to approach the companies and ask them to change their policies. 

3. Discontinue the use of the platform and block it on our devices and network.  

Each of these pathways provided challenges and risks. After reviewing our mission of high-quality data privacy standards, we decided as a task force to pursue options 2 and 3. 

We would continue to use applications deemed vital by staff and, in some cases, join forces with other districts to better their data privacy practices. 

For those deemed non-vital, we would seek to remove them from usage in the classroom. This would lead to the final phase of the data privacy task force.

Phase 5: Ongoing education and a new vetting practice

We knew that eliminating some of the applications would cause concern and stress among staff. After years of promoting the usage of the devices, we were now coming back and asking them to alter their practices. 

This would mean continual and ongoing education for staff regarding the usage of various digital tools and the data privacy standards of said tools. It also meant we needed a better process by which staff and students could request and utilize new applications. 

As a team, we scheduled time during faculty meetings to share our audit and the concerns we had around certain tools that potentially compromised our student data. Whenever we found a tool that didn't align with our standards, we offered staff an alternative tool. 

This "campaign" towards high-quality data privacy standards would take much more than a tech guy blocking apps to be successful. We needed belief and buy-in from all staff. 

We also didn't want to slow down the momentum of the one-to-one device program by creating more roadblocks for staff to overcome when using digital tools. We shared our internal site of vetted and approved applications but also gave staff an avenue to request the usage of new tools, free or paid. 

As part of this new process, an app would have its DPA reviewed by members of the task force before approval to implement. While we knew this would be a change, we tried to make the process as frictionless as possible for staff and encouraged them to look through data privacy agreements themselves for red flags. 

As no teacher has time to read a 62-page DPA, we encouraged them to search for terms and sections within the agreements that mentioned the following:

1. What student data was captured

2. Where student data was housed

3. What the student data was being used for

4. What happens to the student data when the platform is no longer in use

Knowing these answers would streamline the process for approval while also educating staff on their own best practices around data privacy. We also provided them resources like this ConnectSafely Educator's Guide to Student Data Privacy.

All-in-all, this process of student data privacy awareness was a very enlightening and necessary journey. Schools now have many more useful tools at their disposal to shorten up the time and energy spent on phases 1 through 4. 

Companies that provide digital tools are becoming more aware of the concerns of schools around data privacy and updating their practices as well. In the end, education and training will be on-going for any and all members of the educational community. But if it leads to better protection of our students' data, the time and energy spent will be well worth it.