Avoiding pitfalls in student data privacy

What schools should expect from ed tech companies

Though schools have been handling confidential information for decades, discussion of student data privacy is reaching fever pitch. More technology use by schools and districts has increased the collection and storage of student information.

This trend has precipitated new federal- and regional-level privacy laws to which districts must adhere. Schools are legally and ethically required to keep student data secure and private. And, while data can be stored centrally to increase access across school staff, accessibility raises questions about who can see and use the data – and what their intentions are.

As a leading digital learning and data platform, Edsby recognizes the responsibilities that come with handling sensitive information and the importance of data privacy in ed tech. We believe district leaders should have a complete understanding of how vendors use and protect student data.

We know that school leaders are busy. To support the process of evaluating ed tech companies, we’ve created this practical guide to ensure that all bases are covered.

What should I look for when it comes to student data privacy?

When seeking out new technologies, there are a few best practices to keep in mind.

A good place to start is the Common Sense Privacy Program. The program uses an evaluation process to rate technologies and aid administrators in purchasing decisions. Though every district’s needs will differ, this is a good place to find general information on a solution they may be considering.

It’s also important for administrators to consider what their needs are, and if there’s a trusted platform or application that can meet most or all of them. Fewer is typically best when it comes to the number of data solutions at school districts, and finding a single platform that provides multiple benefits often means better data protection for students.

When researching vendors, it’s also important to consider if their technology adheres to education-specific privacy laws. In the U.S., at least 99 new state student data privacy bills passed between 2014 and 2018. These were in addition to the three existing federal laws, which include:

  • Family Educational Rights and Privacy Act (FERPA): Protects the privacy of student education records in the United States, and gives families rights in regard to their children’s education records.
  • Protection of Pupil Rights Amendment (PPRA): Affords certain rights to parents of minor students in the U.S. with regard to surveys that ask questions of a personal nature.
  • Children’s Online Privacy Protection Act (COPPA): Imposes requirements on operators of websites or online services directed to children in the U.S. under 13 years of age.

Though not education-specific, other notable regulations from around the globe have a direct impact on the handling of their countries’ student data privacy, including:

  • General Data Protection Regulation (GDPR): Aims to protect EU citizens from privacy and data breaches in today’s data-driven world.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): Applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.
  • New Zealand Privacy Act (Privacy Act 1993): Governs how agencies collect, use, disclose, store, retain and give access to personal information in the country.

For a list of data regulations worldwide, click here.

Meeting relevant privacy policies in all the jurisdictions an education technology vendor may do business are table stakes when it comes to privacy.

student data privacy - teacher with students in classroom

Districts and regions are investing in safe, centrally-managed digital learning platforms to safeguard students’ private information. Many public Internet applications have questionable data practices.

Student data privacy requires constant vigilance

Another recommendation is continuous due diligence when working with ed tech vendors. For example, an evaluation of contracted ed tech solutions should be conducted annually by a district CIO, CTO or other appropriate administrator. This annual review should aim to ensure compliance and privacy regulations are being met while confirming the district’s return-on-investment with its solutions.

To stay on top of trends in data security and privacy, monitor trusted resources, such as the vendor’s Common Sense Privacy Program rating over time, and the Department of Education’s best practices. Another resource is the Consortium for School Networking (CoSN), which hosts a variety of materials that cover cybersecurity, infrastructure and working with ed tech vendors.

Acting preemptively makes a large difference in keeping information secure and maximizing the value of technologies.

What should I ask a vendor about student data privacy?

When seeking out a new solution, the first step should always be research. Technology leaders should take time to vet through their options, consult the advice of other districts and ask questions.

Though every district’s needs will differ, there are a handful of key questions to keep in mind when researching different solutions.

  • Which jurisdiction’s privacy regulations does the vendor adhere to? If it’s an American vendor, does it only adhere to FERPA, PPRA and COPPA? Is that adequate for your needs?
  • Who owns the data managed by the vendor? Who controls management of the software?
  • Will our data be deleted if we stop using the service?
  • Who has access to the data?
  • Where will information be stored? How will it be secured, both in transit and at rest? How long is it kept?
  • Are backups performed regularly? Where are they stored? How long are they kept?
  • Are the physical servers in a secure environment? How secure? What ratings or certifications does it have?
  • Has the system undergone independent penetration testing? If so, by whom? And how recently?
  • Does the vendor have a procedure to follow in the event of a data breach? Who will be notified? Under what circumstances, i.e. how does the vendor define a breach?
  • Is there a recovery plan in the case of a disaster?

For inspiration on other questions to ask, read through vendor websites, and be sure to check for stories on specific vendors and their handling of student data in education trade outlets, such as Education Week, Education Dive and T.H.E. Journal – there’s a plethora of information available.

What are some student data privacy red flags?

When you know what to look for, it’s much easier to know what not to look for. There are some warning signs that should be considered prior to implementing a product, including:

#1 “Free” products: The old adage: When the product is free, you’re the product. In this case, student data is often the product. Vendors offering free education software solutions often bypass the approval of education organizations, and may put data at risk – or monetize it. More on this here.

#2 Vague privacy policies: Is the vendor being misleading in their user agreement or privacy policy? Without details, it’s tricky to know exactly what data is being collected, and how it’s being used.

#3 Applications that have ads: A vendor may offer a solution at a discounted price with one caveat – the inclusion of ads within the software. Even if the vendor’s tech is secure, external advertisements can open up vulnerabilities. Or even be illegal in some areas if targeted at kids.

#4 Minimal detail on cooperating with regulations: If a vendor isn’t able to provide information about what laws their technology adheres to, a school or district administrator can’t guarantee that compliance is being met.

#5 Bad press: Though every situation will vary, if a vendor is commonly featured in negative data privacy or monetization stories, is it wise to continue using its products?

Whether it’s healthcare, retail or education, every industry has an obligation to keep people’s information safe and secure. Student data is especially precious. As privacy regulations continue to become more stringent, it’s up to vendors to provide as much accurate information as possible – and for district administrators to know what hard questions to ask.

student data privacy - teacher with students in library

Vendors of free education software solutions often bypass the approval of education organizations. Sometimes student data is put at risk or monetized. Well-meaning teachers choosing these apps for their classrooms aren’t always aware of the dangers.

Edsby student data privacy credentials

Edsby is a cloud-based digital learning and data platform that modernizes how teachers, students and parents engage with each other. It is used by national, state and provincial governments, public school districts and private school organizations.

  • Edsby has one of the highest Common Sense Privacy Evaluation scores among K-12 learning platform solutions.
  • Edsby was one of the first signatories of the Software & Information Industry Association (SIIA)’s Student Privacy Pledge, a list of guidelines for responsible collection, maintenance and use of student information.
  • To meet the specific data sovereignty, retention and other regulations of different countries and regions, Edsby leverages Microsoft’s Azure network.
  • Districts utilizing Edsby decide what information Edsby manages, and retain ownership of all data.
  • Edsby uses customers’ existing identity management systems for user logins and does not need to manage any password data itself.
  • Edsby undergoes regular penetration testing by third parties.
  • Edsby does not provide any form of advertising to users, and does not provide or sell service usage information to third parties.

Want more detail on the steps that Edsby takes to safeguard student data privacy? Contact a member of our team today.

Learn more about Edsby