• avatar

    Share This:

    • Share on Facebook
    • Share on Google Plus
    • Share on Linkedin
    • RSS
    « Back to Blogs
    January 2017

    Protecting K-12 Student Data Privacy in a Changing Learning Environment

    teacher and student working on computer

    Each year, more technology enters schools and classrooms for record keeping or learning applications. Some teachers may be implementing such education technology (edtech) with little, if any, administrator oversight. As this data universe expands, it is important to consider what student data you are generating, where it is stored, and who controls it. Since most of your students are minors, you also need to understand the privacy implications and inform parents about the data you accumulate. Here are some steps to take.

    Understand the Data

    Administrators should conduct an inventory and survey teachers to learn where your school collects and stores student data, considering everything from enrollment information to health forms to classroom edtech data.

    Develop a Policy

    Once you know what data you are generating and where it is, consider developing a student data policy that addresses:

    • Who will approve classroom applications that create, collect, or store student data
    • Appropriate uses for student data
    • Who decides what student information will be collected and where it will be stored
    • How to secure the collected information

    Consult with the school’s attorney to understand your state’s student data laws; even independent schools may have student data protection obligations under state law.

    Finally, determine how often to review your policy. Designate someone to track student data and update the policy periodically.

    Understand Contracts With Outside Vendors

    Your school contracts with vendors that create or store student data, such as in a records management system or edtech applications. Many vendor contracts are binding user agreements that are difficult to negotiate, but you should understand what happens to the student data they generate.

    When contracting with vendors, consider:

    • Who will own and possess your student data? The vendor may want ownership of the data generated by its technology. Ask whether the institution can access the data at any time. Find out how any subcontractors handle the data.
    • Where and how will the data be stored? Understand whether storage is subcontracted, the nature of that agreement, and who is responsible for storage security. Data may be stored in foreign countries; keep in mind that some countries have less stringent privacy laws than the United States.
    • How can the vendor use the student data? Understand what rights the vendor reserves for itself and whether it intends to sell the student data (either in the aggregate or for individual students). Know whether other companies will mine this student data and limit marketing as much as possible.
    • Is the data de-identified? Find out how much of the data can be linked directly to an individual student, especially regarding educational performance
    • How else might the data be used? Consider the impact of storing data for a long time or later use. Also, understand whether the vendor can alter the terms of the user agreement or contract without your institution’s permission
    • How do you know the data will be secure? The vendor should provide information on its privacy and storage policies as well as the results of a third-party security audit. You should also understand what will happen, and whether you will be notified, if there is a data breach. Determine whether the data is encrypted, and when (in transit, in storage, as backed up). While you are unlikely to secure indemnification from a vendor, explore whether that is negotiable
    • Will parents be able to view or access the data? This is especially important if the students are minors; many parents will want access and assurance that they control what is known or shared about their children.
    • Who will control data destruction? What will happen to the data if a student leaves your institution or you cease using the vendor? Know whether the data will be destroyed or returned to you.

    In an era of ever-changing technology and the expansion of data accumulation and storage, careful management of student data can allow for institutional oversight and protection of student privacy.


    U.S. Dept. of Education Privacy Technical Assistance Center Toolkit
    Protecting Student Privacy in a Networked World
    Student Data Principles
    Protecting Data
    Article: States Enact New Data Privacy Law

    by Heather Salko, senior risk management counsel


    Add Comment

    Text Only 2000 character limit

    Page 1 of 1