Today’s students come to the classroom with more than just fascinating personal histories and interesting outlooks on the world. They come with data. Lots of it.
Ed tech tools designed to assess students as individuals – how they learn best, what subjects they excel in, where potential problem areas are – hold a treasure trove of data that can be extremely helpful to ensuring a student’s success.
But with these digital data-collection and storage tools comes a new danger: protecting students’ personal data.
EASY AS PII (PERSONALLY IDENTIFIABLE INFORMATION)
Generally, there are two ways we think about student data.
The first includes more traditional data points such as:
attendance and participation rates, and
high school transcripts.
Then there are the data points that are relatively new on the scene, as 21st-century education becomes more and more dependent on digital learning tools. These types of data include:
personal device data (such as an assigned laptop or tablet),
login details (including usernames and passwords), and
personal history on social media sites.
Information like this is what’s typically known as “personally identifiable information,” or PII. According to eSchool News, the proliferation of this data – and the ease of access – is a double-edged sword.
“This [data collection] can be knowingly done for gain — i.e. marketing or future sales — or it can be done with good intentions, as in capturing and using data about an individual to deliver more tailored learning experiences. Even if being done in the aggregate, there are still concerns of misuse,” writes James Litton.
AN EXPENSIVE PROPOSITION
Increasingly, PII security is a new frontier of concern for district administrators, IT teams and teachers.
As reported in a special EdWeek report on student data privacy, Houghton Mifflin Harcourt surveyed 1,000 teachers and administrators around the world. What they found: fifty-eight percent of those surveyed were either “very” or “somewhat” concerned about the privacy of their students’ data.
And when a data breach does happen, it can be more than just an embarrassment for the IT department. It can be a costly enterprise for school districts whose budgets are already pretty tight.
One example from the EdWeek report is of a 2015 data breach in Mount Pleasant Independent School District in Texas that put former employees’ private information (including Social Security numbers) at risk. While this breach didn’t compromise student data specifically, it ended up costing the district $36,000 in annual credit-monitoring services.
Threats of data breaches have also prompted a rise in the number of districts purchasing cyberinsurance. Many cyberpolicies cover everything from accidents (like emailing sensitive information to the wrong person) or malicious attacks (such as coordinated hacks), writes Malia Herman in EdWeek.
Herman goes on to note:
“Expenses following any of those scenarios could be astronomical, depending on how many current or former employees’ or students’ information was compromised. Laws differ by state on who must be notified, how quickly, and how the notifications must be handled.”
Want an idea of what cyberinsurance policies cost several U.S. school districts that’ve purchased them? Three cyberinsurance policies noted in Herman’s article (from school districts in Ann Arbor, M.I., Paulding County, G.A., and Garden City, N.Y.) span from $11,000 to $25,000 annually.
FOUR DATA PRIVACY TIPS
The onus, at the end of the day, is on the schools themselves to protect the data they collect and use.
Limit Access. In some cases, anyone designated a “school official” (consultants, contractors, volunteers) can have access to student data, in addition to teachers, administrators and parents. School districts should limit access to PII data to as few essential people as possible. This lowers the risk that an individual may accidentally or intentionally access data. It also ensures a sharp team is able to respond better to potential threats.
Communicate Often. Teachers, administrators, parents, students – everyone should be kept in the loop when it comes to matters of student data privacy. Make sure to keep your community informed and involved, whether it’s awareness of a potential security threat or ethics on how to use a particular tool in the classroom and at home.
Search and Destroy. Your data isn’t gone when you delete the file – it takes a lot more to make sure student data is wiped away for good. Underlying data remains that can then be “undeleted.” The U.S. Department of Education outlines a spectrum of ways, from weakest to strongest, of ensuring valuable information is irretrievable.
Practice and Prepare. The savviest districts are the ones who are prepared for a threat when it happens. Make sure the parties responsible for data privacy in your district are up to speed on the latest threats, and have the flexibility and background knowledge learned from test cases to respond appropriately. The U.S. Department of Education has a helpful training kit.
MINDFUL AND VIGILANT
Yes, there are security dangers out there. Yes, there are people who would use student PII for malicious ends. But that doesn’t mean your outlook should be bleak.
The important thing is to always be mindful and vigilant of the data you collect, or that students provide how it’s gathered, where it’s stored and – of course – how it’s deleted.