A Conversation with Kim Nesmith
Educators, parents, and students today have access to more data than ever, as new technologies and tools facilitating the production and use of this data continues to grow. Louisiana’s Data Governance & Student Privacy Guidebook designates rules, procedures, and stakeholders responsible for decision-making about responsible data collection, access, and use, to provide a framework to help schools and local education agencies (LEAs) establish data governance.
On August 13, 2019, the Future of Privacy Forum (FPF) spoke with Kim Nesmith, Data Governance and Privacy Director, Louisiana Department of Education, who developed the guidebook with her team, about key steps that schools and LEAs can take to use data to achieve educational success while ensuring privacy, transparency, and other necessary safeguards.
FPF: What was the catalyst for publishing this guidebook?
Kim: In 2014, Louisiana passed one of the nation’s strictest data privacy laws (LA R.S. 17:3914, Act 837 of 2014). This law was very challenging for districts, teachers, and anyone else handling student data, who were at risk of fines up to $10,000 or six months in jail for violations. This is a pretty high-stakes situation. Once we at the Louisiana Department of Education were able to adapt internally to the law, set up our system appropriately without personally identifiable information (PII), and ensure that our operations could continue going forward, we moved on to the urgent task of assisting districts and teachers make the changes they needed. We wanted to make sure that they knew how to handle the requirements under the new law. By learning how to adjust our own processes, we were, in turn, able to share our learned experiences to help teachers and districts adapt and adjust to the laws to help guard them against the risks or consequences of being found to be noncompliant.
FPF: Can you tell us about the guidebook’s primary steps for achieving good data governance and privacy plans?
Kim: I started by looking at numerous data governance tools, primarily within the education realm, and tried to distill what I thought were the most important points. From these, I was able to identify six main recommendations.
First and foremost is to be aware of the law and understand its requirements. It seems unfair to impose potentially dire consequences on teachers who do not even know about the legal requirements or how they are expected to protect students’ data. Beyond the strict Louisiana law, there is also the Family Educational Rights and Privacy Act (FERPA) and other state laws that place responsibilities on educators, which were not being discussed with teachers and explained sufficiently to them. These circumstances are unfair to teachers and to students, whose data were unwittingly placed at risk because the required protections were not being explained to their teachers and schools.
To effectively protect students, parents, and teachers, it is necessary to build a comprehensive team to implement and maintain a data governance plan.
The second point is that to effectively protect students, parents, and teachers, it is necessary to build a comprehensive team to implement and maintain a data governance plan. This team should include representatives from different stakeholders, all of whom bring their own knowledge and critical perspectives. Together, this team can help build the privacy policies and practices that are appropriate for the school.
The third step is to provide the necessary training and support. Training should cover the relevant legal and ethical responsibilities and common-sense approaches and practices that many teachers may not know simply because they never received privacy and security training. The guidebook does not include specific content suggestions for the training itself because this will likely vary among schools and evolve over time as technology continues to change and develop. Instead, the guidebook breaks down content by audience. What matters most to a teacher may be less important to administrators at the district level, which is different from what students need to know and different from what should be emphasized for IT departments. It is important to differentiate audiences and match the training to them.
The next step is to build strong protocols. This aspect relates to setting policy and implementing processes, practices, and guardrails that help keep teachers and schools from accidentally stepping into potentially risky privacy issues. This includes having written data sharing agreements and basic security steps. These elements should be contextualized so that those involved really understand what is at stake and why it is important to take the measures we are asking them to take, in terms of the real privacy or security risks, not merely as vague compliance issues. For example, if a teacher understands how valuable education records are on the black market and what is at risk for students whose information is inappropriately shared or disclosed, that is enough to help them remember appropriate practices to protect this data.
Making security a priority is the fifth aspect of establishing a data governance and data action privacy plan. We’ve had increasing numbers of attacks on educational institutions targeted at education records, which have incredibly high value. These records need to be secured by professional IT staff who have appropriate training. Basic security recommendations include keeping records of who has access, securing the hardware, and regularly installing security patches and software updates. We now know that an overwhelming majority of cyberattacks are due to human error, so it is also important to ensure that the entire staff, not just IT teams, undergo basic security training on best practices, including phishing awareness training that incorporates simulated attacks. Over time, people learn and internalize best practices and are able to minimize these kinds of risks. In this way, security practices are not just about having system protections but also changing human behavior.
FPF: The sixth step in the guidebook is about involving the parents. How should this be done and why do you think it is so important?
Involving parents is a crucial piece of the puzzle. Student data privacy is a whole aspect of their children’s lives that parents are not always sufficiently aware of or involved in. By involving parents, we can preemptively build trust so that even when a new law is introduced, even one as strict as Louisiana’s, we can prevent unnecessary miscommunications and concerns that may arise down the line. When parents hear directly from schools and districts that certain information is being collected, for what reasons, and how it is being protected, this eliminates fear or potential backlash from learning about it from other sources, such as a report or news item. By engaging parents and building a trusting relationship on the front end, we can prevent headaches on the back end. As educators, we need to be aware that parents entrust not only their children to us; they also entrust their students’ data to us. When teachers have this responsibility without even being aware of it, this is unfair to teachers and unsafe for students. Schools need to do a better job of dedicating time and resources to discuss this issue with teachers and staff members and to involve parents as well.
FPF: You’ve mentioned the importance of adapting training to different groups of stakeholders. What is the target audience for this guidebook and who do you think could benefit from it?
Kim: While the guidebook was written specifically for the Louisiana school system, we were mindful that there may be readers across the country who might be interested and could benefit. For that reason, the guidebook contains generally useful information that is not specific to the Louisiana state law. We’ve included links to other resources and examples and tried to use bullet lists where possible, to make the information more easily digestible.
FPF: We’ve talked about the importance of educating teachers and involving parents. Are there other important takeaways?
Kim: I think a very important takeaway is about finding the middle ground regarding student safety and student privacy. These issues are often presented as binaries or opposing forces, when in reality they both work together to protect students. The key is figuring out how to do well on both rather than doing one at the expense of the other.
This interview was conducted by Ahuva Goldstand on August 13, 2019. It has been edited and condensed for clarity.