Five Principles for Securing Student-Data Privacy

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.edweek.org/ew/articles/2015/05/20/five-principles-for-securing-student-data-privacy.html

> From student-identity theft to the sale of student information for
corporate gain, there is no shortage of news about challenges associated
with the growing presence of technology in our nation's schools and
classrooms. And while these challenges affect organizations across all
industries and social sectors, constrained financial resources make school
systems particularly vulnerable. Moreover, although federal legislation,
the Student Digital Privacy and Parental Rights Act of 2015, has recently
been introduced in Congress, strong legal protections for student data do
not yet exist.

Given the risks, one may ask: Is it worth investing more in technology in
our schools? In fact, the benefits are huge. With the cloud-based tools
available today, educators can personalize student instruction to a degree
that wasn't possible just five years ago. These tools can engage young
minds in new ways, including many that no one has even thought of yet. By
moving us past the days of assembly-line education plans based on a single
textbook, they can allow us to make sure that no student has a lackluster
learning experience, and that each is well prepared for the career path of
his or her choosing.

Does that sound optimistic? It's an ambition within reach. Over the nearly
three decades I've worked in education, I have had a front-row seat as
technology has become an integral part of the classroom, and I am confident
that by collecting the right data, schools have the power to transform
students' lives for the better. Nevertheless, the risks are real, so it is
also important for educators to dramatically rethink the approach to
student-data privacy they've taken over the last 30 years.

Back in the 1990s, when I served as chief information officer of the Del
Rio and San Angelo school districts in Texas, there was much greater
naiveté around protecting data, and student data in particular, for a
number of reasons. Outside of libraries, Internet access in schools was
primarily used by administrators to share data with the state for funding
purposes. Students and parents rarely knew what data schools had about them
on file or who might have access to that information. Because computers
were rarely connected online, paper files were the norm, as were unsecured
campuses.

Meaningful measures to better protect educational data didn't pick up until
the turn of the millennium, after the world raced to avert Y2K-spurred
data-management vulnerabilities, "always on"—or Internet-ready—computing
became commonplace, and online identity theft started to rise. Banks and
other commercial enterprises were quick to invest in data privacy, but
schools lacked the resources to do so, leaving students especially
vulnerable. Suppose a 5th grader has her Social Security number stolen and
used fraudulently to apply for credit cards and loans? She might not
discover it for years, and enter adulthood at a serious disadvantage.

While awareness is better today, there is still a surprising willingness
for people—adults as well as children—to share data when they shouldn't.
Not long ago, I was checking in to a hotel when the power was out and the
computer systems were down. Guests were being asked to sign in on paper and
to write down their credit card numbers—and many people were doing it. In a
school, this lack of vigilance would place our students' data at tremendous
risk.

What this experience teaches us is that technology alone cannot ensure
student-data privacy. Instead, we need to enact a massive cultural shift.
School administrators must understand that student-data privacy is not just
a concern for IT administrators, but also for the executive leadership, who
must take responsibility to drive the change needed throughout their
organizations. All the security patches in the world don't do much good
when information is locally stored on a laptop that can be left in a car,
or a network-security password is taped to a computer monitor.

To drive this cultural shift, we must take a holistic look at how
sophisticated and complex student-data privacy has become. We must
rigorously explore the implications for kids, parents, and school systems
alike.

A year ago, a nationwide snowstorm canceled classes after school had
started, so the students needed to be picked up. Some were at school, some
were still on the bus, and many parents were stuck as well. This created a
situation in which parents did not know where their children were, and GPS
technology could have played an important role. Location tracking, however,
adds a host of privacy issues we haven't had to deal with until recently:
how to track student locations, whom to share this information with, and
what to do if parents wish to opt out.

Regardless of whether a school is rural, suburban, or urban, or is large or
small, there are a few fundamentals I can offer from my experience in
school technology to help protect student-data privacy:

• Build data-privacy policies into your school culture, so that every
faculty and administrative staff member is thinkingabout it whenever
student data is involved. Promote this approach among all employees, from
the newest teacher up to the superintendent.

• Be very wary of "free" technology solutions. You may end up paying with
students' data, rather than cash.

• When you work with a technology company, don't just ask for a product
demonstration. Demand an executive briefing that will show you step by step
and scenario by scenario exactly how data will be protected.

• Data privacy often has legal implications; make sure school or district
lawyers are involved in the policymaking process.

• Take advantage of reliable online resources that clarify why data privacy
is important, best-in-class privacy standards, and strategies for tailoring
a school's or district's data-privacy policies.

Making these principles a priority will not only provide a solid basis for
improving your student-data-privacy policy, but will also help create
better and more equitable educational opportunities for all students.

When my daughter started middle school this year, I felt a tingle of déjà
vu when I looked at her school supply list. I checked it against supply
lists I found online for an array of districts around the country and
realized it was the same school supply list I was given when I was her age.
As William Gibson famously said in the early '90s, "The future is already
here; it's just not evenly distributed." Even now, schools are often unable
to make the best use of technology.

My daughter is fortunate in that I'm in a position to spark her curiosity
at home through tech tools. She can use a USB microscope to look at a tooth
that she lost, or navigate a drone in our backyard to learn about
geospatial information and geography. But all children should have the
opportunity for such customized and technologically enhanced experiences,
while their parents and educators work together to ensure their privacy is
protected.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!