An earlier version of the following article was originally published as a White Paper on the Skyward website in July, 2014. It was featured in EdTech Digest one month later.
A Guide to Protecting Student Data
The breadth of data collection and use in school districts nationwide continues to expand at an exponential rate. In fact, more than 90% of districts today are electronically storing an extensive range of information, including student demographics, attendance, grades, test scores, and course enrollment histories. As a result, student privacy concerns are at an all-time high. The 2013 release of this Fordham Law National Study brought the importance of protecting data to the forefront of education news, leading to discussions both inside and outside the industry.
While administrators have always been concerned about student information security, the increased awareness has ignited important conversations among all stakeholders – discussions that have already had a measurable impact on improving security measures, establishing guidelines for districts and service providers, and balancing the positive impact of student data use with privacy concerns.
As a leading student information system provider serving more than five million students, Skyward has always placed a high priority on data secruity and privacy protection, beyond what is required under the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA).
This paper outlines the importance of data privacy and security in education, best practices for districts to follow, and an overview of Skyward's data protection protocols, which are designed to ensure that student data is used only for its intended purpose. The protection of data involves two elements: privacy and security. Privacy has been the main topic of recent discussions, but security is an equally important core element that has been at the heart of most recent data breaches throughout the country.
Ensuring the privacy of student data at all levels of collection, use, and sharing is a complex challenge that every district faces. As access to student data becomes increasingly widespread, so does the risk of compromised data security. Maintaining a high level of privacy requires ongoing collaboration between districts and vendors.
- Configure strict security access to ensure data use is consistent with FERPA requirements.
- Ensure integration with third-party vendors is well defined and limited to the data they are authorized to access through written contracts and agreements.
- Discuss the importance of data privacy with staff on a regular basis. Even simple reminders about physical security (i.e. stepping away from the computer) are critical.
- Conduct routine security audits to ensure that all roles have proper security and staff are assigned to appropriate groups.
- Establish a defined account management process to fully remove an employee's access to the network and application when he or she leaves the district.
- Have a strong knowledge of FERPA and COPPA guidelines and know when it is appropriate to share student data and when it is necessary to otain consent.
- Confirm that bckup policies include physical safeguards, such as storing copies of data in remote locations.
- Clearly communicate data policies and usage with parents to maintain transparency.
- Provide extensive security functionality within the application to control which data is accessible, printable, or exportable, and to ensure that data management supports even the strictest district's data governance strategy.
- Offer specialized options to provide data access that is user-friendly and easy to arrange and control.
- Ensure data practices that validate data protection policies of third-party partners and include steps for approval and initialization by authorized district representatives.
- Undergo procedures to ensure data is used only by authorized employees and that data is cleared upon completion of a project.
- Run routine security audits of the application and maintain internal procedures to ensure the latest industry standards are not only being met, but exceeded.
Security is an oft-overlooked aspect of privacy, but it is crucial to the sustainability of privacy practices. Each time a new story appears about the loss of personal information in the consumer market, the fault is typically attributed to improper management or malicious attacks on data systems. Without proper security measures, student data is always at risk.
Student data security may depend on whether the district chooses to use on-premise or cloud-based data storage solutions. The Fordham Law study focused heavily on cloud storage; however, it must be noted that security in cloud environments is dependent on the qualifications of the cloud service provider.
Only a short time ago, on-premise storage was the most common approach. In the past five years, however, districts have increasingly opted to move their data to a cloud-based environment to save both time and money. We expect that trend to continue.
Districts that choose to store their student information on-premise should follow these key steps to ensure data security:
- Maintain physical security measures to protect network equipment. Include multi-step processes to access network centers such as server rooms and Storage Area Network (SAN).
- Establish separate network access points within buildings that limit student and guest exposure.
- Limit database administrator rights to a minimum number of staff - typically primary and secondary individuals.
- Conduct routine security audits and network penetration testing to ensure that security measures meet current standards.
- Establish a disaster recovery policy that protects data secured off-premise with the same level of protection dedicated to on-premise data.
- Monitor network traffic to detect and block any unusual activity.
Cloud computing is one of the fastest growing technology sectors. At the time the Fordham Law study was compiled, 95% of districts were relying on the cloud for a variety of functions, including data mining related to student performance, support for classroom activities, cafeteria payments, and transportation planning, among many others.
Districts that utilize cloud computing experience a host of benefits, from eliminating the cost of on-premise hosting and continuous hardware replacement, to enabling IT staff members to focus on other tasks besides system maintenance. The best cloud service providers also offer a significant upgrade in data security and privacy protection by controlling and monitoring direct database access at all times.
In the education industry, minimum requirements have not yet been standardized throughout much of the country and often vary from district to district. Cloud services are poorly understood and weakly governed, with only 25% of districts keeping parents informed about cloud services and as few as 20% having any documented policies for the use of online services, according to the Fordham Law findings. Often, the contractual requirements between district and service provider are outdated and incomplete.
When selecting a student information system and a secure cloud computing provider, districts should ensure that the provider:
- Requires a single contract that includes all parties and defines up-to-date security requirements
- Meets SSAE 16 Reporting on Controls standard as a bare minimum
- Provides hardware updates and database management without hidden fees
- Provides application updating and monitoring services
- Maintains multiple data centers with redundant failover
- Continually monitors industry standards to ensure that the latest protection and security recommendations are always being followed
The Skyward-ISCorp Solution
Skyward has partnered with ISCorp, a leading provider of cloud computing services with extensive experience supporting financial and governmental organizations. Together, the two organizations have provided cloud computing services for more than ten years and are now providing cloud services to 70% of Skyward's customer base.
ISCorp offers a secure, private cloud system specifically built for Skyward's products. ISCorp is annually certified to SSAE 16 industry standards. All employees receive background checks and are required to earn eight certifications in order to operate equipment. All of ISCorp's data servers are located on United States soil and the provider has no authority to own, use, or sell the data under any circumstances.
The spotlight on student data privacy is a positive one for the education community as a whole, and all of the individual schools and districts that it comprises. The ongoing discussions will help administrators strengthen internal procedures for the management and storage of student information while bringing more awareness to the students and families who are directly affected.
Skyward has established a data privacy standard that demonstrates its commitment to maintaining strict customer confidentiality. As security continues to develop and improve, Skyward will continue to strengthen its cloud computing offering, leading the industry by example and providing districts with cutting-edge services that offer administrators, students, and families nothing short of the best.
Additional Privacy and Security Resources
Protecting Privacy in Connected Learning Toolkit from CoSN
5 Key Steps to Safeguarding Student Data by Ray Ackerlund (published September 12, 2014 on eSchoolNews)
New Year's Resolutions for District Leaders from the January, 2015 edition of Advancing K-12 EdTech
Big Data: Seizing Opportunities, Preserving Values from the Executive Office of the President (2014)
Check out these recent articles!