5 Steps for Effective Data Privacy in Your District

Type: Article
Topics: School Safety & Cybersecurity, Student & Child Privacy, Technology & AI

March 25, 2024

Five critical guidelines, identified by CoSN in partnership with AASA as part of the EmpowerED Superintendents’ Initiative, provide a framework to ensure data privacy within a school district’s use of technology.

During the edLeader Panel “Leading Effective Data Privacy Processes Within a School District Setting,” three superintendents, along with CoSN’s Student Data Privacy Project Director, weighed in on this framework, sharing personal encounters with ransomware attacks and mounting community pressure to safeguard data without losing sight of innovation. How these districts tackled the murky waters surrounding data privacy could reveal a clearer path forward for uniting privacy and technology access in your district.

Administrators walk a very narrow line between safety and access when dealing with data privacy. On one side, schools must secure private information and safeguard against relentless attacks from hackers, phishers, and others. On the other side, parents, teachers, and students want access to the latest technologies and programs reshaping learning and productivity, such as remote access and AI, which are typically fraught with security challenges.

The answer is yes, and here are the five ways to get started.

1. Staying Current and Compliant

Districts must comply with federal and state laws. Schools and school leaders are not protected entities under the COPPA (Children’s Online Privacy Protection Act) rule. Those protections apply to the technology vendors only, said Linnette Attai, Project Director of CoSN’s Student Data Privacy Initiative and Trusted Learning Environment Program.

The panelists agreed that assigning a leadership person or team to monitor legal, insurance, and technology compliance is the best strategy for busy school leaders. A dedicated compliance role helps especially with tricky state laws that change in response to timely issues, said Scott Elder, Superintendent of Albuquerque Public Schools (NM). His district recently experienced a high-profile ransomware attack, creating new compliance requirements.

Dr. Templeton recommended uncovering any gaps by taking advantage of free annual audits from technology and insurance providers. She also said to review any gaps in funding: consider whether the funding covers the qualified expert support needed to protect data and comply with new standards.

2. Setting Community and Stakeholder Expectations

According to CoSN, data privacy touches every aspect of operations—from school transportation to instruction, athletics, and community initiatives. It’s recommended that district data policies be clearly communicated through websites, participation forms, vendor documents, student handbooks, and other stakeholder communication.

Consistent and clear expectations on AI or sharing student information, for instance, can mitigate risk and potential confusion. Every school may be different. Dr. Templeton recommended making principals ambassadors because they anticipate community needs and regularly communicate with parents, children, and staff.

3. Addressing Instructional Impacts

Student data is instrumental in every aspect of the instructional picture—from teacher planning to student evaluation. “The tightrope walk between access and privacy is where the rubber meets the road,” said Elder. Technology can appear as plug-and-play, but he recommended comprehensive infrastructure be built around it to ensure compliance. Reviewing data usage with vendors, teachers, parents, and students can drive policy changes and reduce risk. Working together helps address AI, YouTube, and other programs that can be invaluable classroom tools.

4. Mitigating Risk

If you’re going to address data privacy, “then you need to manage it. . . we’re extremely vulnerable,” stated Elder, who emphasized school systems are easy to attack because they are public and lack the same level of protection resources as other entities. He also said one of the most important management outcomes from his district’s recent ransomware attack is monthly briefings to the executive committee.

Each department acts on the monthly briefing, reviewing processes and procedures to address any vulnerabilities outlined. It ensures responsive, responsible privacy administration and management, which is effective in mitigating risk.

5. Training, Training, Training

Bill Burr, Superintendent of Wrangell Public Schools (AK), said frequent training is necessary because behavior change is the biggest hurdle. He suggested that in-person training can be helpful in changing mindsets.

Regular training exercises such as phishing emails also help identify those vulnerable to clicking on compromised information. Elder added that gathering specific information can help target training more effectively. For instance, the Albuquerque school district identified the area of special education teachers and tailored training to address their unique workload challenges, which include working with the personal data of the students they teach.

This post is based on the edLeader Panel “Leading Effective Data Privacy Processes Within a School District Setting.”


This edLeader Panel was presented by CoSN and AASA, and was sponsored by ClassLink.

This article was reposted with permission from the edWeb blog. View the original post here.
