Avoiding pitfalls in student data privacy


What schools should expect from ed tech companies

Concern over student data privacy is reaching the boiling point. And for good reason. More technology use by schools and districts has increased the collection and storage of student information, and breaches are more common than anyone wants.

While data can and should be stored centrally to increase access across school staff, accessibility raises questions about who can see and use the data – and what their intentions are.

As a leading digital learning and data platform, Edsby recognizes the responsibilities that come with handling sensitive information and the importance of data privacy in ed tech. We believe district leaders should have a complete understanding of how vendors use and protect student data.

We know school leaders are busy. To support the process of evaluating ed tech companies, here’s a practical guide to ensure that bases are covered.

What should I look for when it comes to student data privacy?

When seeking out new technologies, there are a few best practices to keep in mind.

A good place to start is the Common Sense Privacy Program. Common Sense uses an evaluation process to rate technologies and aid administrators in purchasing decisions. Though every district’s needs will differ, this is a good place to find general information on a solution being considered.

It’s also important for administrators to consider what their needs are, and if there’s a trusted platform or application that can meet most or all of them. Fewer is typically best when it comes to the number of data solutions at school districts, and finding a single platform that provides multiple benefits often means better data protection for students.

When researching vendors, it’s also important to consider if their technology adheres to education-specific privacy laws. In the U.S., there’s a myriad of state-level laws in addition to three existing federal laws, which include:

  • Family Educational Rights and Privacy Act (FERPA): Protects the privacy of student education records in the United States, and gives families rights in regard to their children’s education records.
  • Protection of Pupil Rights Amendment (PPRA): Affords certain rights to parents of minor students in the U.S. with regard to surveys that ask questions of a personal nature.
  • Children’s Online Privacy Protection Act (COPPA): Imposes requirements on operators of websites or online services directed to children in the U.S. under 13 years of age.

Though not education-specific, other notable regulations from around the globe have a direct impact on the handling of their countries’ student data privacy, including:

  • General Data Protection Regulation (GDPR): Aims to protect EU citizens from privacy and data breaches in today’s data-driven world.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): Applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.
  • New Zealand Privacy Act (Privacy Act 1993): Governs how agencies collect, use, disclose, store, retain and give access to personal information in the country.


Meeting relevant privacy policies in all the jurisdictions where an education technology vendor may do business is table stakes when it comes to privacy.

Districts and regions are investing in safe, centrally-managed digital learning platforms to safeguard students’ private information. Many public Internet applications have questionable data practices.

Student data privacy requires constant vigilance

Another recommendation is continuous due diligence when working with ed tech vendors. For example, an evaluation of contracted ed tech solutions should be conducted annually by a district CIO, CTO or other appropriate administrator. This annual review should aim to ensure compliance and privacy regulations are being met while confirming the district’s return-on-investment with its solutions.

To stay on top of trends in data security and privacy, monitor trusted resources, such as the vendor’s Common Sense Privacy Program rating over time, and the Department of Education’s best practices. Another resource is the Consortium for School Networking (CoSN), which hosts a variety of materials that cover cybersecurity, infrastructure and working with ed tech vendors.

Acting preemptively makes a large difference in keeping information secure and maximizing the value of technologies.

What should I ask a vendor about student data privacy?

When seeking out a new solution, the first step should always be research. Technology leaders should take time to vet their options, seek the advice of other districts and ask questions.

Though every district’s needs will differ, there are a handful of key questions to keep in mind when researching different solutions.

  • Which jurisdiction’s privacy regulations does the vendor adhere to? If it’s an American vendor, does it only adhere to FERPA, PPRA and COPPA? Is that adequate for your needs?
  • Who owns the data managed by the vendor? Who controls management of the software?
  • Will our data be deleted if we stop using the service?
  • Who has access to the data?
  • Where will information be stored? How will it be secured, both in transit and at rest? How long is it kept?
  • Are backups performed regularly? Where are they stored? How long are they kept?
  • Are the physical servers in a secure environment? How secure? What ratings or certifications does it have?
  • Has the system undergone independent penetration testing? If so, by whom? And how recently?
  • Does the vendor have a procedure to follow in the event of a data breach? Who will be notified? Under what circumstances, i.e. how does the vendor define a breach?
  • Is there a recovery plan in the case of a disaster?

For inspiration on other questions to ask, read through vendor websites, and be sure to check for stories on specific vendors and their handling of student data in education trade outlets, such as Education Week, Education Dive and T.H.E. Journal – there’s a plethora of information available.

What are some student data privacy red flags?

When you know what to look for, it’s much easier to know what not to look for. There are some warning signs that should be considered prior to implementing a product, including:

#1 “Free” products: As the old adage goes, when the product is free, you’re the product. In this case, student data is often the product. Vendors offering free education software solutions often bypass the approval of education organizations, and may put data at risk – or monetize it.

#2 Vague privacy policies: Is the vendor being misleading in their user agreement or privacy policy? Without details, it’s tricky to know exactly what data is being collected, and how it’s being used.

#3 Applications that have ads: A vendor may offer a solution at a discounted price with one caveat – the inclusion of ads within the software. Even if the vendor’s tech is secure, external advertisements can open up vulnerabilities, or even be illegal in some areas if targeted at kids.

#4 Minimal detail on cooperating with regulations: If a vendor isn’t able to provide information about what laws their technology adheres to, a school or district administrator can’t guarantee that compliance is being met.

#5 Bad press: Though every situation will vary, if a vendor is commonly featured in negative data privacy or monetization stories, is it wise to continue using its products?

Whether it’s healthcare, retail or education, every industry has an obligation to keep people’s information safe and secure. Student data is especially precious. As privacy regulations continue to become more stringent, it’s up to vendors to provide as much accurate information as possible – and for district administrators to know what hard questions to ask.

Vendors of free education software solutions often bypass the approval of education organizations. Sometimes student data is put at risk or monetized. Well-meaning teachers choosing these apps for their classrooms aren’t always aware of the dangers.

Edsby student data privacy credentials

Edsby is a cloud-based digital learning and data platform that modernizes how teachers, students and parents engage with each other. It is used by national, state and provincial governments, public school districts and private school organizations.

  • Edsby has the highest Common Sense Privacy Evaluation score of K-12 learning platform solutions.
  • To meet the specific data sovereignty, retention and other regulations of different countries and regions, Edsby leverages Microsoft’s Azure network.
  • Districts utilizing Edsby decide what information Edsby manages, and retain ownership of all data.
  • Edsby uses customers’ existing identity management systems for user logins and does not need to manage any password data itself.
  • Edsby undergoes regular penetration testing by third parties.
  • Edsby does not provide any form of advertising to users, and does not provide or sell service usage information to third parties.

Want more detail on the steps that Edsby takes to safeguard student data privacy? Contact a member of our team today.