by Annalisa Keuler
(crossposted from chooseprivacyweek.org)

Our job as educators is to facilitate student learning, and each year more of this learning is happening in an online environment. We ask students to log in to websites, download apps, and research online. These apps and websites may be used with the best of intentions, but many of them that require students to log in employ an information acquisition technique known as “data mining” and will sell this information to a third party. We must ask ourselves if we are doing everything in our power to secure the information that is transmitted and received. How do we protect students’ data and make sure that this data is confidential and secure?

To answer this question, school systems around the country have begun confronting the issue of data governance, which, in schools, refers to the management and protection of student information. In 2015, student data privacy was the focus of many new bills and part of an important amendment to the reauthorization of the Elementary and Secondary Education Act. My school system, Mountain Brook City Schools, in Birmingham, Alabama, implemented a data governance policy in January of 2015. This came after the state of Alabama passed legislation in October of 2013 that stated every school system in the state is required to have a data security and privacy policy.

To make sure that students’ data is protected, our school system is now in the process of requesting a Memorandum of Agreement (MOA) that ensures all software vendors are aware of and adhere to the new data policy. All teachers and librarians in our district must submit any new website, app, or software program that will ask for student information to be reviewed to ensure that their privacy policy adheres to our standards. When possible, teachers and librarians are asked to use a nickname or avatar for students online and no names at all. Teachers are responsible for the removal of student information once the resource is no longer in use. If there is an online resource not listed on our website, and is used with students under the age of fourteen, then no personally identifiable information should be used, or the teacher should request permission from the parent to use the resource.

As a part of data governance policy, we are required to participate in yearly training for data privacy. In this training our district technology director, Donna Williamson, shared with us the strategies that have been implemented or are in progress regarding data privacy and data security. For data privacy, these include: providing a website with data policies, providing guidelines for all contracts and Memorandums of Agreement that involve data, getting to know the laws, listing reviewed educational apps, and incorporating a secure means for accessing, sharing and storing data. For data security, strategies our school district has implemented include: enforcing mandatory password changes, updating and monitoring a firewall, maintaining virus protection and Internet filtering, backing up key data, securing the wiring closet, and updating and maintaining a disaster recovery plan. A very important part of this plan includes communication with students and parents. It is imperative that parents and students know how their information is used and when the policy changes.

As a librarian, my role in this process is to keep student library records and other student information I have access to private and secure. I am also a facilitator for our online learning platform so access to student records and other confidential information must be kept secure. When we spend much of our day online and logged in to a school network, it is important to do the following: keep all login information and access to data private and protected, do not share devices when email is turned on, never take student personally identifiable information off campus or discuss in a public place, use school website to deliver information and require a login if personally identifiable information is used, use school supported sites that require a secure password whenever possible, and never discuss students on social media. It is also important to educate students whenever possible to secure their information by teaching them to log out of public use computers and to never share passwords. Students must also know about and understand the data governance policy. Remember, communication is key.

A data governance policy must be a fluid document and continually updated based on changes in legislation and technology. We have a data governance committee in place at the district level that updates the policy as needed, and reviews all websites and software packages to make sure that they adhere to our privacy policy. Students and parents place their trust in us to keep students safe online. These policies will help us do just that.

Resources

Mountain Brook Schools Data Governance and Security Policy

Mountain Brook Schools Online Software and Apps

Student Data Privacy Legislation

Student Data Privacy Pledge

Annalisa Keuler is a nationally board certified school librarian at Mountain Brook High School in Birmingham, Alabama.