Parents’ and educators’ concerns about data privacy have increased as K-12 districts rely more on digital tools for logistics, management, and teaching and learning.
The increased use of technology has opened doors for cyber criminals to infiltrate districts’ computer networks and access private student and staff data.
Now that cyberattacks are a daily threat for districts, it’s even more important that they ensure all their data is secure and that any new or existing digital tools they use have good privacy policies.
In a video call with Education Week, Kevin Lewis, the data privacy officer for nonprofit 1EdTech, outlines what district leaders should look for in a privacy policy.
This interview has been edited for brevity and clarity.
What are the most important features a privacy policy should have?
Companies should always include who they are. One of the biggest issues is not knowing who owns the application, because there’s always different parent companies and then there’s affiliates and subordinate companies that fall under that parent umbrella, so you never know who you’re really working with. A lot of times in the policy, they will mention they don’t sell or share their information with third parties, but they do share it with all of their affiliates. If you’re that person to want to go down that rabbit hole and research every single one of these companies, there’s a long rabbit hole you can go down and figure out ‘OK, my data is being openly shared with this company, this company, this company,’ and now you have to research all of them.
A privacy policy should also include definitions. In a lot of state regulations, even though we all have sort of the same basic elements, it’s the interpretations and the meaning of the different words and how they apply to different organizations that muddies it up.
What should district leaders look for when they review a privacy policy?
I would first start with what data is being collected. How is it being collected? District leaders need to know what type of controls the user has over that data, like data deletion requests or data retention requests. If districts ask an organization to delete the data, how long does it take to fulfill that request? District leaders also need to know how that data is being secured. Once an organization has collected the data, how are they securing it?
And who is that data being shared with? Districts should know who the third parties are. What data do third parties have access to? Are there any advertisements at all? Do districts have control to opt out of these advertisements? What do those advertisements look like?
What concerns are you hearing from district leaders regarding privacy policies?
I would say their biggest challenge is just an overwhelming amount of requests [from teachers] or just having so many applications available. They have to monitor what’s happening on the district’s network, see what applications are being used, and keep that number small. A lot of these departments that vet these applications have maybe one or two people who wear multiple hats and do not have the time to give a policy a thorough and accurate review.
Do you have advice for how district leaders should tackle that challenge?
I would say they can be proactive. They should categorize different types of applications for all the subjects: math, art, science, whatever the category is. And then find five tools for each category that meet the district’s criteria. It should go through the curriculum department, as well as the educational technology or instructional technology department to vet those tools. Find five tools and stick with those five, making sure that the tools have everything that a teacher or student needs. When someone submits a request for another random application that does the exact same thing, you already have one in your back pocket that you can send to them or even have that as a list that they can readily access.
Another big challenge is teachers using free digital tools without looking into the privacy policies first. How do you deal with that?
I know we struggled with this in Houston [where I was an education technology specialist]. We found that the free web tools were being used more than the district-purchased tools. It’s really hard to get in front of that, because most schools have a process, and these processes are long, drawn-out flowcharts of what has to happen if a teacher needs a tool.
Teachers don’t have time to go through that process. Most of the time, if they see an application, they’re going to use it right then and there. If they are a teacher that follows the rules, they will send that tool off to someone in the department to vet it, and hopefully, it comes back in a timely manner—most of the time it does not. They need those tools almost immediately, so they’ll just go ahead and use them.
I haven’t seen a real solution for it yet, other than schools just blocking everything, which isn’t the answer. Blocking everything and slowly letting things in as they are requested, I think that’s the only solution that I’ve seen so far.