Data privacy: 3 important questions to ask edtech providers

School systems make highly enticing targets for cybercriminals, and the number of cyberattacks against K-12 institutions continues to rise. In fact, one of the top concerns for educational leaders today is data privacy, which means keeping students’ personal information private as they and their educators use online communication tools more frequently.

Superintendents and other K12 leaders can never be too careful when it comes to data privacy and security. Having a strong cybersecurity posture is critical, and this involves three core elements: people, processes, and tools.

The “people” layer means ensuring that all stakeholders know how to use online tools safely and effectively, such as not clicking on unfamiliar links or sharing their personal information online.

The “processes” layer involves having sound policies in place, such as creating strong passwords and being deliberate in rolling out new technologies, so you don’t open up any security holes unintentionally because you’re moving too fast with your implementation.

And the “tools” layer means deploying security technologies such as firewalls and network monitoring software, as well as choosing communications platforms and other edtech tools that take data privacy and security very seriously.

Big data privacy decisions

There’s a commonly held belief that technologies available to educators free of charge are of lesser quality or aren’t as stringent about protecting student data. That’s not necessarily the case.

Some free tools are very focused on data privacy and security, while some subscription-based software is not. An application’s business model is a poor proxy for assessing its security posture—and K12 leaders would be wise to do their own research instead of simply blocking a platform because it’s free or a “freemium” application.

When evaluating the privacy and security of school communications tools, here are three important questions to ask:

1. Is the provider fully transparent about its privacy policy?

Transparency is the foundation for trust. If an edtech provider isn’t open and honest about its privacy policy and how it collects, uses, stores, and secures student information, that should set off warning bells.

Has the provider made its student data privacy policy publicly available? Is this policy clearly written and easy to find?

2. Has the provider earned the Common Sense Privacy Seal or other high-level privacy seals?

Navigating the digital privacy policies of multiple edtech providers can be time-consuming, which is why earlier this year Common Sense Education launched a new program designed to cut through this complexity, called the Common Sense Privacy Seal. Companies that volunteer can have their privacy policies evaluated by Common Sense Education using a comprehensive rubric across seven key dimensions, such as:

  • Personal information is not sold or rented to third parties.
  • Personal information is not shared for third-party marketing.
  • Personalized advertising is not displayed.

The organization notes that currently fewer than 10 percent of companies meet these stringent requirements to earn the Common Sense Privacy Seal.

3. Where does the provider do business—and does it comply with the data privacy laws in those regions?

In the United States, data privacy is governed by a patchwork of state and local laws. The most rigorous of these exist in California, where companies doing business in that state must protect consumers’ personal information if they meet certain thresholds, such as having annual gross revenues exceeding $25 million or handling the data of at least 50,000 consumers.

Companies that do business in Europe, however, must comply with the General Data Protection Regulation, a European Union regulation that sets an even stricter privacy standard than exists in the U.S.

Under the European model, organizations must obtain clear consent before collecting or processing any personal information. The law also grants individuals the right to restrict the use of their personal information on a case-by-case basis. This opt-in model is very different from the opt-out model seen in the U.S.

Keeping student data secure is mission-critical, and choosing communications platforms with comprehensive privacy policies is an essential component of any K-12 cybersecurity plan. By asking these three questions of edtech providers, you can ensure that the platforms you use in your schools take data privacy as seriously as you do.

Chad Stevens
Chad A. Stevens is the head of K12 engagement at ClassDojo.
