6 Steps to Protect Student Data Privacy

Many apps used in schools compromise student data. Here’s one way schools and districts can develop a comprehensive plan to keep that information safe.

March 15, 2023 close modal dolgachov / iStock

Elementary student using a tablet in class

dolgachov / iStock

Many school districts have seen an explosion in the number of apps and websites that teachers use with students in classrooms. Although digital tools can enhance learning, the expansion in technology has resulted in an increased number of cyber attacks and privacy breaches. Districts have the power and responsibility to promote student safety by ensuring the protection of student data privacy.

According to the Student Privacy Primer from the Student Privacy Compass, “Student data privacy refers to the responsible, ethical, and equitable collection, use, sharing, and protection of student data.” This data includes personally identifiable information such as a student’s name, date of birth, Social Security number, and email address.

Although there are certainly edtech companies that perform due diligence when it comes to protecting data, others do not use best practices. A recent report from the nonprofit Internet Safety Labs found that 96 percent of apps used regularly in K–12 schools have data-sharing practices that “are not adequately safe for children.”

Many of those apps shared children’s personal information with third-party marketers, often without the knowledge or consent of schools. There have also been some recent instances of edtech company data breaches that have shown those companies are not taking the safety precautions they claim to be taking, such as encrypting student information. It is imperative that districts take steps to protect student information.

6 steps to build a culture of student data privacy

1. Identify a point person. As districts begin to think about student privacy, the first step is to identify someone who can become the primary contact on student data privacy questions and decisions. This might be someone at the district office level (such as a director of technology or tech coach), or it might be someone at the school level (such as an assistant principal or instructional coach). This person can also provide teachers with guidance and best practices.

2. Develop a communication strategy. It is essential to create a plan that effectively communicates the district’s data privacy policies and procedures to all stakeholders (for instance, educators, parents, and students). Clearly communicating the plan at each step of the process will help build the relationships necessary to create an environment in which student data privacy is prioritized. If you need help getting started, check out the Student Privacy Communications Toolkit from the Student Privacy Compass.

3. Identify websites and apps being used in the district. Start with the apps that your district is paying for or encouraging teachers to use. Reach out to curriculum specialists, coaches, and anyone else that regularly provides professional development to teachers. I recommend starting with a small batch (10–20) of the most commonly used apps as you first start to develop procedures. Later, as you fine-tune your approval process, you might decide to utilize outside services to identify additional apps that are being used in the classroom.

For example, our district uses GoGuardian, which operates as an extension on student Chromebooks and monitors their browsing activity. The GoGuardian Director Overview dashboard shows us which apps, extensions, and websites are being used the most by our students. Another tool you can use is the LearnPlatform Inventory Dashboard. This is a browser extension pushed out to district devices that populates a dashboard showing all the edtech tools that teachers and students in your district are using.

4. Develop an understanding of pertinent laws and regulations. To effectively address student data privacy, the technology point person will need to be familiar with related legal requirements. One important federal law is the Family Educational Rights and Privacy Act (FERPA), which requires schools to protect the privacy of student education records.

Another federal law that applies here is the Children’s Online Privacy Protection Act (COPPA). COPPA requires operators of commercial websites and online services to obtain consent from parents before collecting personal information from children under the age of 13. While this rule applies to companies, not schools, it is still important to understand because schools can give consent on a parent’s behalf.

Depending on your state, you might also need to do some research about state laws that govern data privacy; plenty of resources exist to help you get started with FERPA, COPPA, and additional state laws.

5. Vet apps for compliance with laws and data privacy. Each app should go through a standardized vetting procedure. I would strongly recommend putting a team together to perform this vetting so that you get diverse perspectives and input from a variety of stakeholders.

Two things you will want to look at closely for each app will be the Terms of Service (TOS) and the Privacy Policy. Some pieces of information you will want to look for are the kind of data they are collecting and how they are securing that data.

Reviewing the TOS and Privacy Policies can feel overwhelming, especially when you are first getting started. Fortunately, the U.S. Department of Education released guidance to help with this evaluation process.

Another helpful (and free) resource is the Common Sense Privacy Program. Common Sense evaluates the privacy policies of individual apps and scores them in 10 different areas, including Data Collection, Data Sharing, and Data Security.

6. Create a list of approved apps to share with teachers. An important part of creating a culture of student data privacy is getting teachers on board, as they are the people making daily decisions about which apps to use with their students. One way you can help them make safe choices is to create a list of approved apps that have been vetted by a person (or group of people) trained to read through Privacy Policies and Terms of Service notices. With so many apps out there to choose from, teachers often have a choice between two that do similar things. A list can help them choose the app that does a better job of protecting data while still allowing them to use technology to enhance learning for students.

For teachers who would like to learn more about student data privacy, provide some resources. Here are two free training courses:

Creating a culture of student data privacy is challenging, but it is worth the effort to protect our students. Remember that you don’t have to do everything all at once. Take that first step and be a privacy leader!