The last week of January is National Data Privacy Week. As part of the global online safety, security, and privacy campaign called ‘Stop. Think. Connect.’—an initiative of the National Cyber Security Alliance (NCSA)—this serves as a reminder to those in education to evaluate how we are doing when it comes to keeping our students and their data safe in the classrooms and beyond.
Student Data Privacy Rules—Is the Party Over?
Educators are trying their best to keep kids feeling connected and excited about school, even in these chaotic and uncertain times during which “school” might be located in a different place each week. Does remote school safety mean an end to the fun of sharing and showing off projects and achievements?
“We don’t need to stop celebrating the students and their work,” says Eileen Belastock, Director of Technology and Information at Nauset Public Schools, Orleans, Massachusetts. “We just have to make sure it’s safe and secure. So it means having district-sanctioned social media accounts, or a secured website where only your art Google classroom or your students’ parents can see what’s going on.”
Getting permission from parents to even have their child’s image and voice out there is a must. “At the beginning of the year they sign off on a general release form,” says Belastock. “But whether it’s a project they want to showcase on a website of the great things these kids are doing or a video clip pulled from Zoom, systems can be set up to ask permission from parents every time before posting. We’re not trying to say no, we are just trying to do it safely. Yes, it’s an extra step, but the last thing we want to do is put a child in jeopardy.”
Student Data Security: An Issue Not Remotely Going Away
It feels as if the news is peppered with daily stories of school data breaches and privacy leaks. Is this just the buzzword of the day or a developing issue schools need to tackle to ensure the safety of their students?
“Information security and privacy have grown and will continue advancing as major factors for all educational institutions,” says Ed Zuger, J.D., Associate Professor and Dean at University of the Cumberlands, School of CIS. “During the past couple years, the revolution of remote schooling removed security controls from the relatively careful environs of trained, formal IT experts. We now have hundreds or thousands of separated students and their homegrown security ‘solutions’—e.g., the $120 big box router. Along the way, every new node, onramp, and pathway amounts to another point-of-entry for potential criminals, not only to access content on students’ personal devices, but to walk through these unlocked and interconnected doorways into sensitive data on the greater school networks.”
Ask any cybersecurity pro and they will say the most risky element of keeping a system protected is the users. “So how do we save the budget?” says Zuger. “Do what we do best and teach. Teach our staff and students how to be savvy cyber-citizens. The best and most expensive security network can’t undo the damage of a careless user clicking on malicious links or kicking open a virtual doorway for any outsider to wander in.”
In conjunction with that, Belastock offers some best practices for schools.
Assess your current landscape. How is the district software being acquired—at the school level, the teacher level? You need to have an easily accessible vetting process so there is a process in place for approval to ensure there are no inherent risks within that tech.
Be transparent about why. We don’t want to be the people of “No.” Explain to teachers and parents, “What if it was your photo being tagged in a public site or your personal video being shared because there wasn’t security preventing that?” Make it relatable for adults to drive home the importance.
Partner with vendors. Talk to them as there are a lot of data privacy agreements available. Vendors want you to use their product, so make sure they understand your privacy policies. It’s been really helpful for our district.
Get the word out to the school community. Put it in the face of the superintendent, go to school board meetings, just talk about this whenever you can. Talk to teachers, students, parents— always share the same mantra about protecting student and staff data.
Why Student Data Privacy Matters
“What drives my institution to maintain tight security protocols is the value of our students,” says Zuger. “We are talking about some of the most vulnerable in society, as well as the most targeted because of the inherent vulnerabilities of those who have not yet experienced life’s cautions.”
In some cases, the consequences of lax security protocols could be much more serious than a paper getting swiped, risqué photo accessed or grade changed.
“Years ago, we interrupted a potentially dangerous incident,” Zuger says. “One student, intent on personally connecting with another, tracked their target’s computer lab usage and circumvented our security by installing a keylogger on their usual workstation. This tool records every keystroke, giving access to countless private and personal communications, passwords and data. However, because our protocols included regularly reviewing logs and system changes, we spotted the keylogger, identified the offender and they were turned over to law enforcement before the student-victim was ever compromised.”
An Uphill Challenge
With increasingly more sophisticated cyber criminals and hackers out there, it can make a district leader wonder if there is any point to trying to shield things anymore.
“On the one hand, there is some rationale in simply throwing the hands up. Everyone is prone. The trillion-dollar organization that is the U.S. government, with endless human capital expertly trained and practiced in cyber-defense, still experiences scores of attacks and breaches daily,” says Zuger. “But on the other more practical hand, why do we secure anything? We lock our front doors, enable the car alarm, and use PIN at the ATM. In those days of yore, nearly everyone left their front door unlocked. Eventually we realized that by simply spinning that deadbolt we might shuffle the scofflaw to the next address for easier access.”
Although it might feel like an overwhelming challenge, doing what we can to protect our students is non negotiable.
“It can be expensive. Securing assets does not create revenue; it costs. So there must be a discussion about the hard costs, both of the tech and in training users to use and rely on the security solutions,” says Zuger. “What, though, might the cost of noncompliance be? Our students’ reputations, psychological and physical health? The institution’s reputation? Accreditation, even? All those and more are at risk. We have a duty to our students and our communities.”
“We can’t control what humans do,” says Belastock. “But we as tech directors can have all the safeguards, communications policies regarding public displays—we can at least do our best to protect our students. There will always be that one parent who takes a video or photos at a celebration and puts it out on Facebook. We can at least say we did our due diligence and put protections in place.”