A recent report published by the nonprofit Center for Democracy and Technology argues that school districts need to hire a chief privacy officer to protect student data and oversee privacy policies. But few districts have anyone in these positions, or even a full-time staffer whose role focuses on privacy, EdSurge reports.
With the creation of a student data privacy officer position two years ago, Denver Public Schools is one of at least two, very large public school districts that have leaders who takes on similar responsibilities. The position was created to make sure the district not only complied with federal privacy laws such as FERPA, COPPA, and CIPA, but also state student privacy legislation.
- In Maryland, Baltimore County Public Schools created in 2016 the director of innovation and digital safety, which was created amid privacy concerns due to the increasing role of technology in classrooms. Jim Corns, the first to hold this position, worked with the legal team, oversaw how data moved in and out of the system, and developed a data-sharing agreement, EdSurge reported.
Education has not only become data-driven; in many ways, it has also arguably become more data-dependent. Schools are constantly collecting student data — social security numbers, family information, medical history, educational status and, in some cases, financial details. While schools intend to protect all this valuable data, at least 122 cybersecurity threats or breaches were reported in K-12 schools last year. And experts believe this is just the tip of the iceberg, with EdTech Strategies President Doug Levin suggesting there could have been as much as 20 times as many unreported incidents.
Data mining of school records is a growing concern in education, as data is often shared in more ways than many realize. Educational research requires data sharing and, though that information usually comes with restrictions, breaches can occur. Hackers and malware can break into systems and expose millions of personal records. And educational apps are collecting data constantly — even when they're not in use. As a result, more states are now dealing with issues and laws regarding student data privacy that may be changing this year and in years to come.
Elizabeth Laird, a student privacy senior fellow at the Center for Democracy and Technology, told The 74 that educators don't always understand privacy responsibilities, which are often delegated to several people who are not fully trained for the role. “Your job of protecting data is never finished; policy and technology are constantly changing,” Laird said. “That is why you need a chief privacy officer who is keeping pace with those things.”
The report recommends the creation of a chief privacy officer role, which has already been established at the federal level and by some state departments of education. “Specifically, organizational leadership should establish the CPO as a senior position, ensure multi-disciplinary support for the CPO, and provide financial resources. Once hired, the CPO should serve as a resource to staff, collaborate with the chief information security officer, cultivate privacy advocates, and respond to current events,” the report recommends.
For some districts, finding the funds to hire for this role may be more challenging. If this is the case, administrators should still ensure that there is someone within the district — potentially the chief technology officer or the chief information officer, for example — who can take on these responsibilities. And whoever is charged with this role must have access to proper training and a way to keep abreast of changes — as well as a leadership role or access to the leadership structure — so privacy concerns are at the forefront of major discussions involving student data.