As K-12 school use of technology and data increase, parents and other stakeholders are asking more questions about what personal student information is collected, how it is used and secured, and with whom it is shared. Often school privacy practices have not kept pace. Even if they have, often school communications practices have not. Yet, it is often this very lack of transparency that can fuel concerns. As per the ‘if a tree falls in a forest’ adage: If a school is appropriately safeguarding student data, but nobody hears about it, then . . . Often, parent alarms originate simply from lack of awareness and understanding, with fears filling that void of the unknown.
Often, parent alarms originate simply from lack of awareness and understanding, with fears filling that void of the unknown.
Effective school communication of student data collection and use is therefore a primary best practice and core to parent and community trust, which is necessary to empower schools in their appropriate use of student data so critical to instruction and administration. Communication is also core to the general awareness that is needed among school staff and the entire school community to ensure a culture of student privacy and data security.
In fact, among the leadership practices needed for school recognition as a CoSN Trusted Learning Environment is: “School system leaders provide transparent, updated and accessible communications regarding the collection, management and use of student data to their community.”
In general, many school leaders struggle to balance messaging around the educational value of student data with the risks associated with its management. Too many are slow to announce data practices, and not prepared to answer questions from the community. Schools should ensure parents are informed about information use, student privacy, and data protections and benefits. The goal is to proactively answer parent concerns that may cause them to question the use of technology and data.
Communication includes two key components: What and How. The ‘what’ identifies the information schools should be sharing with families and stakeholders. The ‘how’ identifies the formats and channels for doing so.
What to Communicate
Schools benefit when they are able to most clearly and effectively communicate the following to parents and guardians, beginning with broader descriptions and over time moving toward the sharing of more granular information:
- Legal Requirements & Restrictions: Among the best places to start is to share the requirements and protections in existing federal and state regulations. Since 2013, some 40 states have passed over 100 laws, including those placing restrictions on states and school service providers and others requiring parent transparency. The federal FERPA law also protects certain student data from unauthorized disclosure and requires parent/guardian consent except in certain exceptions. Parents likely don’t need or want the details, but a brief summary with a link to more information is a helpful start – See Student Privacy Compass.
- Governance & Accountability: Local policies may resonate with parents even better than state and federal laws, so long as they understand there is an open and deliberate decision making process. (Communication about) a district or school governance system creates a framework for school practices that takes account of community input, while also ensuring that officials are responsible for implementation. An effective governance system will solicit and reflect community values, set broad policies without school board micromanagement, empowers educators to use data consistent with those values and policies, and points families to that process when they have questions and concerns about the district’s approach.
- Types & Uses of Collected Data: While broad laws and policies are necessary, they may not be sufficient to answer parent questions. Transparency will also require explanation about what data is collected and how it is used. Absent awareness and understanding of its compelling use, parents may be more likely to react negatively and opt against the electronic collection and storage of their children’s sensitive information. Outline the types of data (i.e., demographics, performance, parent contact) and how it will be used (i.e., instruction, decision making). All uses should be explainable and justifiable. Communication to parents should avoid extreme granularity that may be overwhelming and impossible to manage, and instead leave that detail for responses to individual parent inquiries.
- Privacy & Security Practices: Again, parents don’t need the details, but they should be made aware of general practices to safeguard their children’s sensitive information and that they evolve from the district’s governance process. Examples might include: role and purpose-based restrictions on data access; physical, administrative and technological security of data (paper and electronic); staff awareness and training; and student digital literacy curriculum. Also, it is important to ensure ongoing review and continuous improvement of these practices.
- Third-Party Data Sharing: Extra attention to partners and service providers is appropriate given that parents do not know them directly. Parents should know that you have a vetting process and a trust-and-verify approach with app providers, research organizations, and other partners. This includes a broad outline of procedures for who and how data authorization is made, including decision criteria, risk assessment, oversight, and legal and functional data control. Of course, you must also balance transparency with practical process – it may not be realistic or appropriate to inform parents of every third parent or of every piece of data collected or shared.
Parents should know that you have a vetting process and a trust-and-verify approach with app providers, research organizations, and other partners.
- Parent Access & Rights: Finally, schools should communicate parent rights. In fact, FERPA requires schools to give annual notice about rights to: review and correct their education records; consent to disclosure (with exceptions); receive opportunity to opt-out of directory information; and file a complaint regarding a violation. Some state laws may go further, while best practice calls increasingly for student “data backpack” portability. Communication plans should also include procedures for notifying parents in the case of a data breach as defined and required under state law or as otherwise locally determined.
How to Communicate
How is as important as What to communicate. A multi-layered approach is most effective, matching the content format with the message scale, complexity and timeliness. Information dissemination is necessary, but likely not sufficient for full transparency and trust. Building a culture of trust should also include ongoing mechanisms for active involvement of parents that solicits their feedback as appropriate.
- School Websites and Mobile Applications: This district owned and operated information portal provides a home for schools to describe their student data practices. A consolidated “Student Data” or “Data Privacy” landing page can be a one-stop-shop for all things related. The district can provide basic information specific to its practices, while also linking to appropriate third-party resources, being careful not to overwhelm parents with information that may be inconsistently framed.
- Notifications: E-mail communications provide a channel for periodic announcements of new programs, or reminder of ongoing policies. This could include a regular e-newsletter whose template includes a standard location and format for such information. In select cases, text or voice messages may be appropriate formats where the item is more timely and actionable such as the unfortunate occasion of a data breach announcement. Note that message fatigue might occur if messages are too frequent.
- Parent Involvement: Parent firsthand exposure to technology and their children’s data builds familiarity, trust and support. PTA meetings and parent-teacher conferences can be one place to give parents a comfortable forum for hands-on understanding. Most important is to explain the use of data, and its importance to supporting teaching and learning. Similarly, parent data dashboards such as through a parent app can increase parent use of sensitive student data, and therefore their support for related school programs.
- Technology Dashboard: A school Single Sign-On (SSO) can be a mechanism for transparency, providing a customized login portal to the apps and websites each student is authorized to access. Parents can then review those technologies in one virtual space, including access to data-use terms of service and related information.
- Tiered Staff Response: Schools should be available to answer questions as needed. A layered approach will equip teachers with simple answers to basic questions, while the most technical questions ultimately can be forwarded to the CIO/CTO (or a chief privacy officer, if available).
No matter the format, the goal should be clear and easily accessible information, using plain language over the legal or technical wherever possible. Consistency in terms and explanations is important across various communications. Effective messaging should always identify the positive uses of the personal student information so that any question of risks (perceived or real) is accompanied by an understanding of the benefits.
Mark Schneiderman is VP Government Affairs for West Corporation’s Education group, provider of SchoolMessenger solutions, where his roles including supporting the company and its school customers in navigating the impact of public policies on communications technologies and practices, including authoring “School and Student Data Privacy: Nine Considerations for Community Engagement.” Schneiderman previously was Senior Director with SIIA’s Education Technology Industry Network, where his privacy work included co-production with FPF of the Student Privacy Pledge, now signed by more than 300 school service providers including SchoolMessenger.