It is hard to overstate the gravity of personally identifiable information as it relates to any and all student and minor populations. By definition, personally identifiable information (PII) is a clear and present danger to every school and every district. We can look at the current data governance, what is planned, and which organizations are taking the lead in this arena. If PII is any data that could potentially identify an individual, then districts really need to take a hard look at their practices.
Potential pitfalls
By collecting and storing PII within their application database and/or their platform (willingly or unwillingly), school and district vendors have to meet a higher standard of regulatory compliance in terms of what they can or cannot do with any of the school data, and they have to agree to strict data privacy rules and regulations by signing a Data Privacy Agreement (DPA). A sample DPA can be found on the website of A4L's SDPC (Student Data Privacy Consortium); SDPC is a national initiative that is attempting to standardize suitable DPA language that both schools and vendors are willing to agree to.
In addition to signing DPAs, vendors have to comply with strict security requirements and audits that are now being imposed on all vendors. There are several standards for security compliance, including ISO 27001 & 27002 and NIST, in addition to SOC-2 Types 1 & 2 audits. These compliance requirements and third-party audits are very expensive and take a long time to materialize. They become major barriers to market entry for early-stage EdTech startups and, in many cases, for larger EdTech companies.
Another challenge for school districts now is auditing each of the applications for PII collection or storage and vetting each of the vendors that require PII in their platform. The vetting process and tools are still very primitive and are usually driven by state regulations, and many of the districts have neither the expertise nor the resources to do it correctly. This is an area in which several standards organizations, such as IMS Global Learning Consortium, are currently working.
Real-time risks of not getting it right
Districts have a lot to lose by not getting this right, due to student and consumer data privacy compliance regulations, and the associated financial penalties, imposed by federal and state government regulators. But the biggest financial risk is ransomware attacks on schools and vendors alike. There are hundreds of reported ransomware attacks on schools every year, and the number is increasing exponentially, costing these school districts hundreds of millions of taxpayer dollars every year. There is also personal and professional liability on the part of the superintendent, which can be very serious.
The growth of online learning is spooling up effects on student data privacy
As students and teachers spend more time learning online from home, outside their school's firewalled and/or filtered internet infrastructure, there is no longer any proactive, school-monitored protection. This leaves students and staff open to online scammers through several types of cybersecurity attacks and vulnerabilities. Phishing attacks are common, and more untrained learners may fall victim to them, with attackers stealing their identities and gaining access to credentials for other important online applications. This is why it is important to create a safe online digital learning environment that starts with a managed access device (such as a Chromebook or PC), a filtered Internet connection (from home) and, more importantly, a safe and secure iPaaS (Integration Platform as a Service) such as School Passport, which will govern the exchange of data with vendors.
With 90 percent of students using digital devices at least four days per week, the use of EdTech platforms has exploded. Hundreds of new product ideas were launched globally into the market for student use during the pandemic. EdTech is here to stay and evolve. As new companies emerge, they can better equip themselves to face a security crisis, and every EdTech business should have an incident response plan in place.
The bottom line is that schools are obligated to keep PII private. As a rule, schools should reduce the amount of information collected and govern the exchange of data with EdTech vendors, providing only what is necessary to use their SaaS platform.
About the author
Robert Iskander is a global business transformation leader passionate about leveraging technology to improve the quality of life for all, with a special focus on K-12 education. He was nominated as one of the Top 100 EdTech Influencers in 2017 by EdTech Magazine. Prior to his current role as CEO at GG4L, Robert held several corporate leadership roles over the past 30 years, including General Manager of Sun Microsystems in the Middle East and Global Director of Education at Sun Microsystems (now Oracle). He also ran SchoolMessenger for several years and grew its customer base to 63,000 schools in the US and Canada.