The expanding use of technology in K-12 classrooms is transforming education. Student assessments—from pop quizzes to large-scale statewide tests—are frequently administered through computer-based applications and homework assignments often include the use of online apps or tutorials.
While these trends are expanding opportunities for student learning and school collaboration, they are also bringing renewed attention to the importance of maintaining the confidentiality of student data and protecting student privacy, as more student data is being generated than ever before. Because this data is shared electronically, not only across schools and districts, but also with state, local and federal agencies, data privacy is critical for student security, maintaining compliance, and ensuring community trust.
To mitigate the security risks associated with increased amounts of data and the need to share sensitive information, schools must engage in a variety of new processes—from implementing best practices to providing technical support. A critical first step in protecting K-12 student data is educating teachers and school staff about why and how to keep student data secure.
Educating the educators on how to define student data, state and federal K-12 data privacy laws, and data security best practices will put them on the front line of defense in protecting students and their data.
Step 1: Understand K-12 Student Data
Personally identifiable information (PII) includes any information that can be used, either alone or in combination with other information, to directly determine or find the identity of an individual person. PII can include a person’s name, Social Security number, health records, date of birth, grade levels, race, ethnicity, and education records. Along with PII, there are two other types of data:
- De-identified data: Information about individual students, but with identifying information removed.
- Aggregate data: Information about groups of students without any identifying information.
If PII is lost, misused or exposed to unauthorized parties, the individual could experience an adverse impact, such as having their identity stolen or having their data sold on the “dark web.”
Types of Data Collected in K-12
Student data is collected from many sources and in many formats, although the type of data, and who can access it varies.
- Demographic — age, race, gender, economic status, and special educational needs
- Academic — courses, enrollment, grades, disciplinary, and graduation
- Testing — quizzes, tests, interim assessments, and annual assessments
- Actions — attendance, behavior, extracurricular activities, and program participation
- Teacher-generated — observation and engagement
- Student-generated — homework and learning apps
Who Uses Student Data?
While most personal student information stays local, school districts, states and the federal government all collect data about students for purposes such as informing instruction and providing information to the public.
- Schools and teachers use data to make changes to lessons, decide what students need for improved learning and understand how students are learning, so they can help each student be more successful.
- School districts use data to make decisions about what resources each school needs to support students.
- State Departments of Education use data to measure how districts are meeting goals for students, deliver insights that inform instruction, assess how state funds are improving education, and provide aggregate information to the public.
- U.S. Department of Education uses aggregate data to provide information to the public about how all districts are performing and to measure how federal funds are helping improve education.
Additionally, other members of the community can get access to student data for legitimate reasons.
- Parents have access to information about their own children.
- Service Providers in critical functions, such as transportation rely on PII, but only get access to the data directly relevant to their work.
- Researchers can get access to de-identified and aggregate data to assist in their work, for example to study what is helping students learn most effectively.
- The Public, including neighbors, future employers, and elected officials, only get to see aggregate reports—never information about individual students. They use this information to understand how districts and schools in their community are performing.
Step 2: Know the Privacy Laws Impacting K-12
Due to the sheer amount of PII generated within schools, a recent Security Scorecard report suggests the education sector is most vulnerable to data security risks. In response to the rising data security threats, there has been a corresponding increase in data security regulations and penalties for non-compliance, both at the state and federal levels.
K-12 schools must consider all applicable federal and state laws when establishing privacy programs for protecting the confidentiality of their students’ data.
Federal Laws to Protect Student Data
- Family Educational Rights and Privacy Act (FERPA). The most significant federal law governing the protection of student information, it sets forth the basic legal requirements for protecting student privacy and serves as a foundation on which states and localities may build by adding more stringent privacy protections for student data.
- Protection of Pupil Rights Amendment (PPRA). This law requires that schools allow parents to see any instructional or survey materials that will be used with their children, and requires parental consent before minor students can participate in a survey administered by the U.S. Department of Education that reveals certain types of PII.
- Children’s Online Privacy Protection Act (COPPA). This law protects children under the age of 13 who use commercial websites, online games, and mobile applications.
- Health Insurance Portability and Accountability Act (HIPAA). The main goal of HIPAA’s Privacy Rule is to ensure that individuals’ health information is protected while allowing the flow of health information needed to provide high-quality healthcare. This includes healthcare data flowing from schools to healthcare entities and back.
Along with four leading federal regulations, state lawmakers have passed 116 laws, across 40 states, to protect student privacy. Many of these state laws overcome gaps and loopholes in FERPA. More state regulations are predicted to be on the horizon.
Step 3: Follow Data Security Best Practices
To maintain compliance with data security regulations, schools, teachers, and staff members must follow data security best practices – including these critical practices:
- Collaborate securely. There are times when it’s necessary for teachers and staff to send student data via e-mail to authorized school officials. Establish policies on how, when, under what circumstances, and with whom the data can be shared, and ensure they follow privacy laws and regulations. While there are a few options, schools need a solution that provides both ease-of-use and high-strength security capabilities, such as encryption.
- Use end-to-end encryption. Sensitive data should be encrypted before it’s shared, so that only the senders and authorized recipients can read the messages. When integrated with the tools already in place, such as G Suite or Microsoft Outlook, encryption makes sharing sensitive data confidential, compliant, and secure.
- Encourage user adoption. Even the best data security won’t work if users won’t adopt it. Easy-to-use encryption programs support high levels of user adoption.
The importance of data security best practices and encryption technologies for ensuring K-12 students’ data protection cannot be overstated. However, the best processes won’t work unless users are educated about the critical importance of data security. Make it a priority in your schools to boost your security and compliance by educating your educators. They’ll be prepared to help keep data safe and your school will be better prepared to avoid the significant losses of revenue, reputation, and trust created when students’ data is breached.
Learn more about using Virtru to protect student PII and maintain compliance.