As stories of data breaches in schools and districts regularly make headlines, many K-12 organizations are working hard to implement policies and procedures to protect confidential student and employee data. In most cases, human error causes data breaches, and districts both large and small are at risk. Examples include the accidental publication of confidential student information online and employees clicking on links in phishing emails. Because human error is often the weakest link in the privacy chain, schools and districts need to weave privacy awareness and protection into the fabric of their organizational cultures. Safeguarding student data privacy is a communal effort made easier if staff at every level understand its importance and have clear roles in that effort.
As with any aspect of change management, this is easier said than done, but it is possible. Consider the following five steps to help build a culture of data privacy in schools and districts:
1. Assess the organization. The first step in building a culture of data privacy is to understand where the organization is and where leaders want it to be by the end of the year, taking into account the staff and leadership’s willingness to build such a culture. What privacy policies, breach-response protocols, and staff training are in place? What are employees’ and students’ attitudes toward data privacy? The Council of Chief State School Officers provides a discussion guide for establishing the importance of student data privacy and security and developing an action plan.
The Consortium for School Networking’s (CoSN) Trusted Learning Environment (TLE) Seal signals that school systems have taken strong, measurable steps to ensure the privacy of student data, and is a mark of distinction for schools. The TLE Framework requires demonstration of adherence to 25 requirements categorized into five practice areas. Even if an organization is not ready to apply for the seal, conducting a self-evaluation by reviewing the TLE application is helpful. Self-evaluation can help schools strategically begin and succeed at initial tasks. Establishing a culture of privacy can feel overwhelming, but schools don’t have to do everything at once. CoSN’s Protecting Privacy Toolkit provides additional resources.
2. Get leadership buy-in. Organizational culture starts from the top. Senior leadership’s support and willingness to invest time, resources, and political will in privacy initiatives are critical to success. Without this support, the impact of any efforts will be limited. Lip service is not enough; active engagement is critical. Help senior leaders (including the board) understand how a strong privacy culture will support educational objectives. Ask them to identify their priorities for student data privacy. Educate them about the potential impact of privacy breaches by providing examples from other school districts (the K-12 Cybersecurity Resource Center has links to several examples). Discuss how these breaches could have been prevented and how your school or district could implement such mitigation strategies. Paint a picture of what might happen if privacy risks are not addressed. The CoSN Empowered Superintendent’s Initiative offers the helpful one-page resources Student Data Privacy and The Importance of Cybersecurity. When senior leadership is on board, engage them in developing an action plan. The more involved they are in planning the privacy initiative, the stronger their support will be.
3. Integrate privacy considerations within regular organizational processes. Include privacy training in the organization’s orientation program for new employees. New employees should be required to complete this training before being granted access to systems containing personal information and should be required to attend continuing privacy training annually. This helps to communicate the message that protecting student data privacy is important. Districts should also incorporate language about protecting data privacy into their employee code of conduct and should require employees to sign it annually. In addition, districts should incorporate privacy protocols into purchasing processes. For instance, before districts purchase new technology tools, the terms of service and policies should be reviewed, preferably at the district or state level. Ideally, school systems should establish a process for vetting and procuring digital classroom tools. The following resources are helpful:
- The U.S. Department of Education has published a model terms of service for online educational services;
- The Student Data Privacy Consortium offers a privacy contract framework and app vetting registry to help school systems develop digital tool procurement processes;
- The Weber School District in Utah describes their app vetting process, in which all third party vendors are required to sign an agreement with the district.
- The Denver Public School District in Colorado provides resources addressing vetting and consent for teachers, principals, and other school staff.
- Teachers should be aware of and use established processes for vetting and procuring digital classroom tools.
4. Provide privacy and cybersecurity training for faculty, staff, and students. High-quality, job-embedded, and timely privacy and cybersecurity training should be mandatory for all school employees. For example, new employees might receive training on creating secure passwords and recognizing phishing emails and be required to complete online data protection training before being given computer network or other software credentials. Some schools and districts incorporate ongoing phishing simulation and testing as part of a proactive testing and evaluation program. Ideally, privacy and cybersecurity training should be comprehensive and incorporated throughout the year. However, because many school systems have limited opportunities to implement such training, it’s important to design messaging and training based on the self-assessments performed in Step 1.
Educating students about protecting their privacy is also important. School systems should implement a curriculum to promote student information literacy, digital citizenship, and internet safety. For example, Common Sense Media offers a comprehensive K-12 digital citizenship curriculum that includes modules on protecting privacy, Fordham Law School has a free middle school curriculum on privacy, and the Berkman-Klein Center for Internet and Society’s Digital Literacy Resource Platform has numerous curricular modules for middle and high schoolers on privacy, security, and other digital literacy-related topics.
In addition, school communications to parents should include clear information about how schools collect, use, and protect student data.
For instance, the state of Wisconsin offers guidance for parents that answers key questions about student data privacy:
The Green Bay Public School District offers clear descriptions for parents on how schools in the district use student data:
5. Start simple and build on success. Developing a culture of data privacy in any organization is a journey, not a destination. Culture change doesn’t happen overnight, and educators will likely encounter pushback. However, no matter where an organization is on the privacy culture spectrum, the most important thing is to get started. Focus first on easy successes, and build a strong track record. Don’t try to boil the ocean; incremental improvements can lead to larger changes over the long term.
Check out our related blogs on 3 Easy Ways for Educators to Keep Their Accounts Secure, 3 Easy Steps for Educators to Make a Secure Passphrase, and Easy Tips for Keeping Student Data Safe When Taking Your Work Home.
Susan M. Bearden is an education technology consultant for the Future of Privacy Forum and the Chief Innovation Officer for the Consortium for School Networking. She was previously the Senior Education Pioneers Fellow at the U.S. Department of Education’s Office of Educational Technology in 2015-2016, and the Director of Information Technology at Holy Trinity Episcopal Academy in Melbourne, Florida.