This article is about the gravity of personally identifiable information (PII) as it relates to all student and minor populations.

We can look at the current governance, what is planned, and which organizations are taking the lead in this arena. If PII is any data that could potentially identify an individual, then districts really need to take a hard look at their practices.


Potential pitfalls

By collecting and storing PII within your application database and/or platform, your company will have to meet a higher standard of regulatory compliance in terms of what you can and cannot do with any school data, and you must agree to strict data privacy rules and regulations by signing a Data Privacy Agreement (DPA). A sample DPA can be found on the website of A4L’s SDPC (Student Data Privacy Consortium), a national initiative that is attempting to standardize suitable DPA language that both schools and vendors are willing to agree to. In addition to signing DPAs, you have to comply with strict security requirements and audits that are now being imposed on all vendors. There are several standards for security compliance, including ISO 27001 & 27002 and NIST, in addition to SOC-2 Types 1 & 2 audits. These types of compliance requirements and third-party audits are very expensive and take a long time to materialize. They become major barriers to market entry for early-stage EdTech startups and, in many cases, for larger EdTech companies.

Another challenge for school districts now is auditing each application for PII collection or storage and vetting each of the vendors that require PII in their platform. The vetting process and tools are still very primitive and are usually driven by state regulations, and many districts have neither the expertise nor the resources to do it correctly. This is an area that several standards organizations, such as IMS Global Learning Consortium, are currently working on.


Risks of not getting it right

Districts have a lot to lose by not getting this right due to student and consumer data privacy compliance regulations - and associated financial penalties - imposed by federal and state government regulators. But the biggest financial risk is ransomware attacks on schools and vendors alike. There are hundreds of reported ransomware attacks on schools, costing these school districts hundreds of millions of taxpayer dollars every year. More importantly, schools and education technology serve children. Severe and lasting emotional and material damage can be done to children and their families when technologists get it wrong.

The growth of online learning affects student data privacy

As students and teachers spend more time learning online from home, outside their school’s firewalled and/or filtered Internet infrastructure, they no longer have proactive, school-monitored protection. This leaves students and staff open to online scammers through several types of cybersecurity attacks and vulnerabilities. Phishing attacks are common, and more untrained learners may fall victim to such attacks, which steal their identities and their access credentials to other important online applications. This is why it is important to create a safe online digital learning environment that starts with a managed access device (such as a Chromebook or PC), a filtered Internet connection (from home) and, more importantly, a safe and secure digital engagement hub such as School Passport, which will govern the exchange of data with vendors.

With 90 percent of students using digital devices at least four days per week, the use of EdTech platforms has exploded. Hundreds of new product ideas were launched globally into the market for student use during the pandemic. EdTech is here to stay and evolve. As new companies emerge, they can better equip themselves to face a security crisis. The bottom line is your business should have a comprehensive incident response plan in place.

The rate of technology adoption often outpaces regulation. We will see new regulations coming at a faster rate as federal, state, and local governments evolve to keep pace with industry. In addition, standards bodies are studying and publishing specific, privacy-related controls and adding those in support of their overall standards specifications.   

Student data privacy is important to any school district. Schools are obligated to keep PII private. It is important for schools to consider reducing the amount of information collected and govern the exchange of data with EdTech vendors, providing only what is necessary.

Districts and staff can best protect data by implementing an information security program that includes documented controls and follows best practices. Data protection needs to be “baked into the cake” and not be an afterthought. The best way to protect data and prevent a breach is through constant awareness and daily execution of a structured information security program.

Effective information security and data protection require management and oversight.  This is called governance.  Administrators can only manage what they can see.  A lot of development revolves around making knowledge about data in all its forms--at rest and in transit--more visible to administrators and then giving them tools to actively manage where and how data is stored and shared.

Technology alone can only do so much. People are responsible for data protection.  With the help of the right technology, these people can manage data better, respond to change more quickly, and intervene instantaneously should a suspected or real data breach occur.


About the author

Robert Iskander is a global business transformation leader passionate about leveraging technology to improve the quality of life for all, with a special focus on K-12 education. He was nominated as one of the Top 100 EdTech Influencers in 2017 by EdTech Magazine. Prior to his current role as CEO at GG4L, Robert held several corporate leadership roles over the past 30 years, including General Manager of Sun Microsystems in the Middle East and Global Director of Education at Sun Microsystems (now Oracle). He also ran SchoolMessenger for several years and grew its customer base to 63,000 schools in the US and Canada.