Overview
The number of edtech tools students use daily has increased significantly in recent years. At the same time, these tools are collecting more information about students than ever before. Developing and strengthening equitable edtech systems requires school- and system-level edtech leaders to safeguard this data and ensure that information about students remains secure. This resource provides guidance to users of the EdTech Systems Guide, created by The Learning Accelerator (TLA) in partnership with the Massachusetts Department of Elementary and Secondary Education’s Office of Educational Technology (MA DESE OET), on how to prioritize student data privacy in their edtech decisions and practices.
Before you Begin: Understanding what we mean by equitable edtech systems. We believe that unlocking the potential of edtech systems to promote equality requires intentional selection, implementation, and evaluation processes that:
Practices
Many participants of the 2023-24 EdTech Peer Learning Cohort facilitated by TLA in partnership with MA DESE OET identified student data privacy as a critical focus for their edtech systems improvement efforts. For some, this meant developing selection criteria around edtech products’ data practices. For others, it involved streamlining edtech usage and teacher adoption of specific edtech tools vetted in part by their student data privacy policies. Their work highlighted several specific opportunities to support student data privacy through equitable edtech selection, implementation, and evaluation processes. These practices are outlined below:
Foundational Practices
Developing strong baseline practices is essential before meaningfully improving student data privacy through edtech selection, implementation, and evaluation. Consider the following starting points:
Conduct an Edtech Inventory: Ensuring student data privacy starts with understanding which tools are deployed throughout your school or system, what information they collect about students, and how the tools or companies handle this data. Conduct an edtech inventory to understand which tools are used, whether or not they are vetted for student data privacy, and what information they collect about users.
Develop or Strengthen Data Privacy Policies: Comprehensive data privacy policies are essential for guiding your edtech practices. Effective policies: clearly outline what constitutes student data and the importance of its protection; establish guidelines on how student data can be collected, used, and shared; and provide a clear plan for responding to data breaches, including notification procedures and corrective actions.
Communicate Your Privacy Practices: Transparent communication about your data privacy efforts builds trust and keeps stakeholders informed. Effective communication involves explaining data privacy policies and practices to students, their families, and staff, regularly updating stakeholders on any changes to data privacy policies or incidents, and encouraging feedback from stakeholders to improve data privacy practices continuously.
Selection
Your edtech selection practices offer a powerful opportunity to ensure the tools adopted in your edtech ecosystem have been properly vetted for appropriate student data privacy. When considering new edtech tools for selection, the following should be non-negotiable criteria:
Compliance with Legal Standards: Edtech tools must comply with legal standards, including the Family Educational Rights and Privacy Act (FERPA), which governs the access and privacy of student education records, and the Children’s Online Privacy Protection Act (COPPA), which protects the privacy of children under 13. The U.S. Department of Education provides a Model Terms of Service Agreement to help edtech leaders determine whether tools comply with these regulations.
Data Encryption and Security: Edtech tools must use strong approaches to keep data safe when it is being sent or stored. They should have strict controls enabled to make sure only authorized individuals can access the data, including using multi-factor authentication (like a password in addition to a code sent to your phone). Vendors should also provide regular updates to fix any security issues quickly.
Transparent Data Practices: Edtech vendors must provide clear, transparent privacy policies detailing how student data is collected, used, stored, and shared. They must ensure the school retains ownership of student data and that the vendor does not claim ownership, use, or misuse it. Additionally, the tool should collect only the data necessary for its function, minimizing the amount of personal information collected and stored.
Vendor Accountability and Support: Edtech vendors should undergo regular third-party audits to verify compliance with privacy and security standards, have a clear incident response plan for addressing data breaches (including timely notification procedures), and offer comprehensive support and training to help school staff implement and maintain data privacy practices.
Data Retention and Deletion: Edtech tools must have clear policies on how long student data is retained, ensure it is kept only as long as necessary for its intended purpose, and allow schools to permanently remove student data when it is no longer needed.
Considering each of these criteria for every potential edtech tool can be time-consuming. To save time vetting potential edtech tools and ensuring they meet these criteria, many EdTech Peer Learning Cohort teams have joined The Education Cooperative (TEC) Student Data Privacy Alliance, a northeast regional affiliate of the Student Data Privacy Consortium (SDPC). This membership provides access to the SDPC Resource Registry, which lists edtech tools that have already been legally vetted and meet the above criteria.
Implementation
In addition to strengthening the privacy standards of the tools that enter your school or system’s edtech ecosystem, it is essential to support the humans who use these tools to facilitate more effective usage. Implementing robust training programs and resources ensures all stakeholders are knowledgeable about data privacy and can use edtech tools safely and responsibly. Consider the following areas for training:
Privacy Awareness: Emphasize that student data privacy is everyone’s responsibility and that all users are expected to know how edtech tools collect and use data. Educate staff and students on the types of data collected, the purposes for which it is used, and the potential risks associated with improper data handling. Clarify the roles and responsibilities of staff and students in protecting data privacy and emphasize the importance of individual actions in maintaining overall data security. Highlight the significance of data privacy in creating a safe and trustworthy learning environment, and use real-world examples to illustrate the potential consequences of data breaches.
Policy Implementation: Provide comprehensive training on your institution’s data privacy policies. Ensure staff understand the specifics of the policies, including guidelines for data collection, usage, storage, and sharing. Train staff on procedures for complying with data privacy policies, including handling data requests, reporting breaches, and following protocols for secure data disposal. Inform staff about any updates or changes to data privacy policies, and regularly review and reinforce policy knowledge to ensure ongoing compliance. Leaders must also ensure educators understand the process for using or signing up for new tools. For example, is your school or district part of the SDPC? Are your stakeholders limited to using tools approved and vetted by your edtech team? Can they suggest or use other tools? If so, what is the process for getting these tools approved?
Cybersecurity Practices: Educate staff and students on recognizing cybersecurity threats such as phishing emails, malware, and suspicious links, and provide practical examples and scenarios to enhance understanding. Offer guidelines on preventing cybersecurity attacks, including best practices for creating strong passwords, using multi-factor authentication, and maintaining software updates. Train staff on the steps to take if they suspect the occurrence of a cybersecurity threat or data breach, and ensure they report incidents promptly and follow the established response plan(s) relevant to your context. For example, in Massachusetts, school and municipal entities are able to apply each fall to the Municipal Cybersecurity Awareness Grant Program.
By focusing on these key areas and providing comprehensive training and support, you can ensure that all stakeholders are equipped to use edtech tools safely and effectively. This proactive approach to implementation enhances data privacy and fosters a culture of security and responsibility within your community. Instead of developing these resources independently, consider implementing resources from trusted student data privacy authorities. The Consortium of School Networks (CoSN) provides toolkits on the fundamentals of student data privacy, how to partner with service providers, and communicating about your privacy practices. Additionally, you might consider Common Sense’s Protecting Student Privacy Training Course, iKeepSafe’s Data Privacy in Education Training Course, the U.S. Department of Education’s Protecting Student Privacy course, or resources and training materials from Student Privacy Compass.
Evaluation
Regularly evaluating and monitoring data privacy practices is essential for maintaining high standards and addressing emerging issues in a constantly evolving edtech landscape. By systematically reviewing and updating your practices, you can ensure ongoing compliance and protect student data effectively. Key steps include:
Conducting Audits: Schedule regular audits of your data privacy practices to ensure compliance with internal policies and legal requirements. This includes reviewing data collection, storage, and sharing practices to identify potential vulnerabilities. Thoroughly document audit findings and corrective actions taken; this documentation demonstrates your commitment to data privacy and helps track progress over time.
Monitoring Access: Implement robust access controls to restrict data access to authorized personnel, and use role-based access control (RBAC) to ensure individuals can access only the data necessary for their roles. Maintain detailed access logs to track who accesses student data and when – and regularly review these logs to detect any unauthorized or suspicious activity. Conduct periodic reviews of access permissions to ensure they remain appropriate and adjust permissions as roles change or as employees leave the organization.
Implementing Continuous Improvement Processes: Establish mechanisms for collecting feedback on data privacy practices from staff, students, and parents. Use this feedback to identify areas for improvement and make necessary adjustments. Regularly update training programs based on audit findings and feedback, and ensure staff are aware of any changes to data privacy policies or procedures. Periodically review and revise data privacy policies to reflect technological changes, legal requirements, and best practices. Ensure policies remain relevant and effective in protecting student data.
Maintaining student data privacy is essential for building a secure and equitable edtech environment. By developing robust data privacy policies, training staff and students, regularly evaluating practices, and communicating transparently, edtech leaders can ensure the responsible handling of student information. Continuously returning to and refining these practices will help protect sensitive data and foster a culture of trust and security within your educational community.
This strategy is a part of TLA's Driving EdTech Systems series, which accompanies the EdTech Systems Guide developed in partnership with MA DESE OET. Explore the full guide to find additional strategies, insights, and resources.
Strategy Resources
CoSN Student Data Privacy Toolkit - Fundamentals
CoSN’s Student Data Privacy Toolkit provides guidance for creating and improving your student data privacy...
CoSN Student Data Privacy Toolkit - Partnering With Service Providers
CoSN’s Student Data Privacy Toolkit provides guidance for creating and improving your student data privacy...
CoSN Student Data Privacy Toolkit Part - Creating a Culture of Trust
CoSN’s Student Data Privacy Toolkit provides guidance for creating and improving your student data privacy...
