Ensuring the privacy and security of student data in our schools is paramount. While public school districts can sometimes appear as slow-moving entities, the pace often accelerates regarding educational technology. There is a temptation to move fast—purchasing software and diving into professional development—without fully addressing strict data privacy measures. However, rushing deployment without proper privacy considerations can lead to significant agita for everyone involved.

The need for collaboration between curriculum leaders, administrators, and technology decision-makers has never been greater, particularly when selecting educational software that involves student data. Moreover, let’s face it—student data is nearly always involved. Schools must balance safeguarding sensitive information and providing students with the digital tools necessary for personalized learning. Fortunately, most reputable vendors support strong privacy measures, and those that do not should be eliminated from consideration early in the process.

As schools integrate more technology and software platforms, the complexities of protecting student data grow. Below, I will outline best practices in educational data privacy and how our district proactively addresses these challenges with thoughtful strategies.

Data Minimization: Sharing Only the Essentials

One of the most effective ways to protect student information is through data minimization, which involves sharing only the data necessary for the intended purpose. Our district prioritizes limiting data shared by using tools like OneRoster and Classlink to sync essential information through local identifiers rather than sensitive personal details.

The research underscores the importance of this approach. Beiga et al. (2020) compare data minimization to sharing only the minimum personal data required to meet a specific purpose, thus reducing risks in a security breach on the vendor side of things. By adopting this strategy, we ensure that student identities remain protected while maintaining smooth software integration.

For example, suppose a software tool requires a unique identifier and grade level. In that case, we refrain from sharing demographic or special education data unless those details are critical for the software’s functionality. Such decisions hinge on close collaboration between curriculum and technology teams during the software selection, ensuring privacy considerations are built from the outset.

Proactive Security Protocols: Multi-Factor Authentication

The statistic is striking—Google reported in 2017 that hackers steal over 250,000 logins weekly (Larson, 2017). The good news for public school districts with small but mighty technology departments is that Microsoft shared that Multi-factor authentication (MFA) blocks nearly 100 percent of account hacks (Cimpanu, 2019). Robust security protocols are essential for securing student data. This requires adequate funding and proper personnel levels in the technology department to lead on these data protection projects. In our district, we activated MFA for staff accounts, which is crucial in reducing the risk of unauthorized access to staff email accounts, which have access to shared folders (and student data) within our Google Workspace for Education environment. Students are issued Google Workspace accounts but are limited to emailing only within the domain.

In addition to the initial MFA requirements, our technology team consistently monitors activity through our Google Workspace for Education console, identifying and addressing any password or account issues as they arise. Regular audits and discussions around our security policies help us avoid potential vulnerabilities.

There were some union considerations around deploying MFA a couple of years ago. However, effective communication over months before the band-aid was ripped off and after MFA was deployed proved beneficial for all staff. In truth, it was a relatively simple step to require because passwords do not afford enough protection for an email account with access to sensitive data. MFA is necessary, with over 15 billion account credentials stolen and available on the dark web from over 100,000 breaches (Winder, 2021).

Collaboration with State-Level Privacy Councils

Collaboration at the state level further strengthens our data privacy strategy. We actively engage with the Massachusetts Student Data Privacy Council (SDPC), which offers a wealth of resources for districts and vendors. The SDPC’s clearinghouse of best practices allows smaller districts like ours to build on data privacy protocols developed by larger districts (think Cambridge, Worcester, and Boston), holding vendors to high standards and ensuring compliance with the latest privacy practices. By joining forces with other districts with similar data safety concerns, we benefit from shared knowledge and place collective pressure on vendors to prioritize student data protection.

Role-Based Access Control in Student Information Systems

Alongside data minimization, role-based access control (RBAC) is critical to our data security strategy. RBAC limits data access to only those users who need it, reducing the likelihood of unnecessary exposure. Particularly within SchoolBrains, our student information system, and other platforms containing sensitive data, this approach enables us to manage access responsibly, safeguarding student information without sacrificing accessibility for staff. In most cases, we want teachers to have access to every relevant piece of data on their students and, if possible, assessment and behavioral data from prior years. RBAC is also a consideration within our department and across central office staff members. Only specific users have the authority to authorize and control the scope of available data for teachers. Less super users involved is more in this case.

Advanced Antivirus, Filtering, ChomeOS & Email Security Measures

In today’s digital world, robust cybersecurity measures are essential as nearly everything connects to the Internet. Our district prioritizes protecting student and staff data through a multi-layered approach. Alongside Sophos antivirus protection, we utilize advanced email security software like Abnormal Security, which identifies and mitigates phishing attempts before they ever reach inboxes. Notably, Abnormal Security developed a collaborative purchase program in our regional school district area, offering consortium pricing—a rare and welcome move in public schools. Kudos to them for leading the charge in this area!

For staff, we provide Windows-based laptops equipped with Sophos endpoint protection, while students use Google Chromebooks, which employ a secure sandbox approach to minimize risks. Within Google Workspace for Education, we tailor features to meet district needs, such as turning off disruptive Chrome extensions and restricting email access from outside domains. Further, our partnership with Linewize Filtering also bolsters online safety with real-time monitoring, customizable filters, and detailed insights into student internet use. This software ensures compliance with safety regulations and fosters a more secure and focused digital learning environment.

Educating the School Community on Cybersecurity Awareness

A successful data privacy strategy extends beyond the technology, including educating our staff, students, and the broader school community. Through a professional development system, our district offers staff members training in cybersecurity best practices, awarding 10 PDPs upon completion of a state-sponsored online security awareness course. By fostering a culture of digital responsibility, we ensure that everyone in our district understands how to contribute to a secure educational environment, keeping student data privacy at the forefront.

Looking Ahead: A Commitment to Data Privacy

In an era where digital learning is increasingly integral to education, safeguarding student data privacy (and the educators who require this data to provide an engaging and personalized curriculum) is a responsibility and a commitment that technology departments must strive to attain. We are taking meaningful steps to secure student information through data minimization, proactive security measures, role-based access, collaboration with state privacy councils, and ongoing education for our staff and team. These strategies protect our student data and build trust within our community, as parents and guardians can feel confident that their children’s data is treated with care and respect.

As technology continues to evolve, our district’s approach to data privacy will grow alongside it, ensuring we are always prepared to meet the challenges of tomorrow while prioritizing student wellbeing!

References

Biega, A. J., Potash, P., Daumé, H. III., Diaz, F. & Finck, M. (2020). Operationalizing the Legal Principle of Data Minimization for Personalization. In Proceedings of the 43rd International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR ’20), July 25–30, 2020, Virtual Event, China. ACM, New York, NY. https://doi.org/10.1145/3397271.3401034

Cimpanu, C. (2019, August 26). Microsoft: Using multi-factor authentication blocks 99.9% of account hacks. ZDNet. https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks

Larson, S. (2017, November 9). Google says hackers steal almost 250,000 web logins each week. CNN. https://money.cnn.com/2017/11/09/technology/google-hackers-research/index.html

Winder, D. (2021, June 20). New Dark Web Audit Reveals 15 Billion Stolen Logins From 100,000 Breaches. Forbes.
https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/#6b57bc88180f