The privacy and security of student data was a hot topic in 2014, and we expect much of the same in the years to come. The biggest problem facing schools and districts right now is the fact that legislation has not yet caught up to the edtech landscape, forcing decision makers into a tight spot due to a lack of standardized privacy and security contract provisions.
As a result, a number of districts throughout the country received negative press in 2014 for failed security audits and data breaches. Every one of these events could have been avoided with tighter controls and oversight. The start of a new year is a great time to review your own policies and make sure you have the necessary safeguards in place.
The most common failure point for student data repositories lies in role-based security configurations. FERPA prohibits the release of student information to anyone who does not have a “legitimate educational interest” in that information, yet many districts unknowingly provide student data access to staff members who should not be able to see it. The built-in security of student information systems and data warehouses is critical, but it is up to the district’s system administrators to ensure that this application security is being properly applied in all cases.
The easiest way to maintain proper controls is to consolidate account management as much as possible within your existing technical environment, preferably using the industry-standard, vendor-neutral Lightweight Directory Access Protocol (LDAP). Microsoft’s Active Directory is the most common tool used by districts to accomplish this, so it is important to verify that any major student data systems are fully integrated with Active Directory services. Multiple user names and passwords for daily activities are not just a nuisance for end users; they also make security administration needlessly complex.
For tighter control, any LDAP integration should be capable of real-time updates, either via SIF or another, equally capable interface. This will ensure that your district passes the “snapshot” test, keeping you in compliance at any given point in any given day, without having to worry about the delays that come into play when your technical staff needs to import or export updates to congruent systems.
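One way to run the “snapshot” test yourself is to compare a role report from the student information system against a directory export taken at the same moment. The sketch below is an added example, not code from any vendor or from this article; the account names, group names, role names and the role-to-group policy are all constructed assumptions.

```python
# Added example: all account names, group names and role names are constructed.
from typing import NamedTuple

class Finding(NamedTuple):
    user: str
    role: str
    reason: str

# Hypothetical policy: each SIS role must be backed by one directory group.
ROLE_TO_GROUP = {
    "counselor_full_record": "SIS-Counselors",
    "teacher_own_roster": "SIS-Teachers",
    "district_admin": "SIS-DistrictAdmins",
}

def audit_snapshot(directory, sis_grants, role_to_group=ROLE_TO_GROUP):
    """Compare SIS role grants against a directory snapshot taken at the same moment."""
    by_user = {e["user"].lower(): e for e in directory}
    findings = []
    for grant in sis_grants:
        user, role = grant["user"].lower(), grant["role"]
        entry = by_user.get(user)
        if entry is None:
            findings.append(Finding(user, role, "no directory account (locally managed login)"))
        elif not entry["enabled"]:
            findings.append(Finding(user, role, "directory account disabled, SIS access still active"))
        elif role not in role_to_group:
            findings.append(Finding(user, role, "role has no directory group mapping"))
        elif role_to_group[role] not in entry["groups"]:
            findings.append(Finding(user, role, f"not a member of {role_to_group[role]}"))
    return findings

# Constructed sample data standing in for a directory export and an SIS role report.
DIRECTORY = [
    {"user": "agarcia", "enabled": True, "groups": {"SIS-Teachers"}},
    {"user": "bchen", "enabled": False, "groups": {"SIS-Counselors"}},
    {"user": "dpatel", "enabled": True, "groups": {"SIS-Teachers"}},
]
SIS_GRANTS = [
    {"user": "agarcia", "role": "teacher_own_roster"},
    {"user": "bchen", "role": "counselor_full_record"},
    {"user": "dpatel", "role": "counselor_full_record"},
    {"user": "sis_local1", "role": "district_admin"},
]

if __name__ == "__main__":
    for f in audit_snapshot(DIRECTORY, SIS_GRANTS):
        print(f"{f.user:12} {f.role:24} {f.reason}")
```

An empty result means every grant in the system is backed by an enabled directory account in the matching group; each finding is either a sync delay or an account managed outside the directory.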
Technology and policy are just two parts of the security puzzle. The human element is equally important, yet often overshadowed. Districts experience turnover of IT staff, systems evolve with time, and the entire privacy landscape is subject to major changes on a semiannual basis. There are a number of steps you can take to ensure that your team is always up to date.
First, make sure that thorough system administration training is included as part of any contract with a student information system or data warehouse provider. In this ultra-competitive marketplace, edtech firms frequently make their proposals more attractive through a “trim the training” approach that reduces upfront costs while increasing long-term risk. Look for proof that the proposed training is effective, including multi-tier training levels to support various stages of the implementation process.
As time goes on, the expertise of your staff needs to evolve as quickly as the systems they are supporting. Make sure your vendor has an active user community; a dozen peers in your state can often provide more value than a host of vendor trainers. In order to support your team as much as possible, it is important to verify that ongoing training opportunities will be available, product documentation is detailed and accessible, and system releases are accompanied by detailed notes and tutorials.
As the old adage goes, “a chain is only as strong as its weakest link.” Even the most vigilant school districts are at risk if even one building fails to follow protocol. The key here is effective communication and clearly stated technology guidelines. Do school-level personnel have the ability to access your database directly in order to build an interface to a third-party product? If so, are building-level staff aware of both the district’s security provisions and the application of FERPA? Are they reviewing every third party for compliance before sending data?
Clear and frequent communication is the best support. Especially in large districts, it is important to have a resident security expert assigned to every building, with the task of reviewing and approving apps, utilities, and web-based learning tools for the classroom. The process should be quick and easy, with minimal red tape and procedural burdens. In this, the technology staff and end users (teachers, counselors, administrators, etc.) need to work closely together to make sure that everyone has the resources they need to improve student outcomes without sacrificing the privacy and security of those students along the way. Approved resources should be easily accessible throughout the district and reexamined on a regular basis to account for any changes or updates.
Privacy and security are complex issues wrapped in many different guises and interpretations. The status quo is not always the best solution when looking toward the future. By taking the steps outlined in this article, you can add an element of flexibility to your district’s best practices, putting you in a better position to adapt to new educational data policies and concerns in the future. Kick off 2015 by creating a security to-do list for your district, so you can spend the rest of the school year checking off boxes and setting a strong example for fellow K-12 leaders everywhere.