Establishing a data governance and privacy action plan will ensure privacy, safeguards, and the necessary transparency for accountability purposes. This is accomplished by establishing rules, procedures, and group decision-making protocols regarding data collection, usage, and access.
Before embarking on this work, it’s critically important to know the law. Federal and state laws provide a baseline of protection for students and govern how schools collect, use, and safeguard data by establishing minimum protections for students’ personally identifiable information (PII) and guidelines about sharing data. Federal laws include the Children’s Internet Protection Act (CIPA), the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and the Protection of Pupil Rights Amendment (PPRA).
Educating multiple stakeholders (data staff, administrators, teachers, counselors, and students) about the law and related topics serves as the foundation of a governance and privacy action plan. Training topics can include legal and ethical responsibilities, best practices, policies and processes, protection of personal information, and cyberbullying. In addition, training should address disclosure avoidance and suppression techniques; when reports are publicly released, it is important to ensure that students cannot be identified.
Most important is the ability to communicate and build trust with parents. According to the 2015 Future of Privacy Forum, as discussed in the 2016 Forum Guide to Education Data Privacy, parents support the use of student data at the local level for educational purposes but do not support the use of data by third parties. It is critical to involve parents in data governance planning.
For data governance to be most effective, education needs to evolve into involvement, with a team of varied stakeholders taking part in the process. Depending on the size of the school or district, multiple teams may be needed for various elements of the data governance plan. Team members may include data staff, IT staff, school administrators, counselors, teachers, and parents.
First Steps to Consider
- Ensure that federal, state, and local data privacy laws are posted in all classrooms, cafeterias, office areas, and hallways.
- Provide information annually on federal, state, and local data privacy laws to parents. Allow parents to give explicit consent for data sharing versus implied consent.
- Create a plan for responding to and communicating about data breaches with all school community members.
- Ensure that third-party contracts identify the data to be collected, the purpose of disclosure, restrictions of use, security audit guidelines, and security breach protocols.
- Conduct a comprehensive assessment of the data; organizations must know where all data resides.
- Hold data users and managers accountable to ensure legally binding agreements.
- Store student data in a secure location, safeguard usernames and passwords, and protect the visibility of reports and computer monitors.
Complexities & Pitfalls
Maintaining up-to-date privacy policies to ensure best practices and adhere to current laws is a complex process. In this age of hacking, security is paramount. Schools have access to data that is often stored in many different locations. Unfortunately, many organizations don’t know where the most critical data resides. While most organizations implement security controls, they often overlook human error—the most likely pathway of an attack. Even organizations that are diligent in their attempts to protect data can be victims of breaches. Keeping pace with technological change is important.
- Weak security plans and protocols for how individuals interact with technology and data.
- Underestimating the cost to fulfill legal mandates.
- Not protecting the visibility of reports and computer monitors when displaying confidential information.
- Limiting communication to and inclusion of parents in the process of establishing a data governance and privacy action plan.
- Failing to conduct a comprehensive assessment of where data resides.
- Failing to adequately implement security controls.
- What lost or exposed data would be most catastrophic to students, the school, the district, and the state?
- What strategies will be used to measure data governance effectiveness?
- How is data governance integrated into existing processes first, rather than labeling all governed processes as data governance processes?
- How will resistance to new data governance processes be addressed?
- Who in the organization will take on the responsibility for data? Are new personnel needed?
- Who is allowed access rights to which data type, and what actions can they perform?