Skip to content

Category: Data Privacy

Student Data Privacy: Self-Inflicted Wounds

In light of COVID-19 and the mass closure of school districts across the country, affecting nearly 41.7 million students, district and school leadership focus on providing extended learning resources and e-learning options to ensure educational continuity.

However, the influx of emails, social media posts, and phone calls from edtech software companies offering services, resources, and e-learning solutions has become unmanageable and extremely stressful for edtech leaders. The teachers’ and parent/guardians’ understandable state of panic and request for immediate educational solutions to a crisis never seen before in this country are also involved.

Only by establishing a process for decision-making that includes determining what data is shared, why the data is shared, and who owns the data can school districts feel a sense of security. 

Free instructional program solutions promoted by edtech software companies are enticing to teachers and parents/guardians as a quick fix substitution for brick and mortar classroom instruction.

Good Intentions, Slippery Slope

Signing up for free educational software by well-intentioned educators and families is a slippery slope for edtech leaders tasked with safeguarding student data. According to Doug Levin, Founder and President, Edtech Strategies, a report released recently by the K-12 Cybersecurity Resource Center, The State of K-12 Cybersecurity: 2019 Year in Review, in 2019, public K-12 education agencies experienced 348 cybersecurity incidents affecting student and educator data breaches. Over half of the incidents were due to teachers, staff, and administrators’ actions within a school community. With so many school districts turning to e-learning for long term solutions to the current pandemic, these numbers predictably will increase exponentially for 2020.

Self- Inflicted Wounds

Much like childproofing a house with outlet covers when a newborn comes into the family, educators have the best intentions about protecting their students. However, like that one electrical outlet that gets overlooked, teachers unintentionally share student information to promote collaboration, innovation, and personalized learning. In this time of no other option except e-learning, educational institutions must inform and educate teachers and the entire school community about possible student data exposures. School districts are ultimately responsible for data breaches.

As Levin highlights, most causes of school districts’ targeted data breaches are oversharing of cloud documents, unauthorized release of student data, and loss of control of login credentials. While done without malicious intent, a click of a checkbox by students, teachers, and parents/guardians with Google or Microsoft login credentials can give third-party apps permissions that include reading emails and access to documents and personal information.

The move to online learning environments challenges edtech leaders to reiterate the use of district sanctioned software and apps, single sign-on options, and password protection guidelines with the school community. Before teachers, students, and parents/guardians follow the pied pipers of free educational software, compelling edtech leaders need to reinforce current student data privacy practices and make it a priority to establish or ramp up vetting procedures.

Call to Action

If edtech leaders lead the charge to protect student and educators’ data, it will take a concerted effort that involves all stakeholders in the school community.

Sensitizing students, staff, and educators about student data privacy will increase awareness and more communication and collaboration with school and district administrators.

Keeping systems up to date with security patches and addressing interoperability challenges with multiple systems will offer fewer opportunities for data to be accessible outside of the school district network.

According to Charlie Sanders, Chairman, and CEO of Managed Methods, if districts don’t have data available to steal, there is nothing for hackers to steal. So establishing data governance within the district will set up parameters around access to data from unauthorized parties.

If Not Now, Then When?

According to Levin and Sanders, student data privacy is not a problem to solve; it is a problem to manage. Managing data in times of stress when quick educational technology decisions are made unilaterally by school leaders, teachers, staff, and parents/guardians is a tall order for edtech leaders.

Only by establishing a process for decision-making that includes determining what data is shared, why the data is shared, and who owns the data can school districts feel a sense of security. Edtech leaders should strengthen their relationships with current vendors and communicate with the school community the elements necessary to provide students with safe, secure, and reliable access to their education. It is not a question of if school districts will have a data breach; it is a question of when.

Much like preparing for a hurricane, snowstorm, or school shooting, edtech leaders need to prepare for the pandemic-induced move from brick-and-mortar learning environments to one where e-learning and student data has the potential to create a disaster of their own.

Source: EdTech Digest

Student Data Privacy: Our Weakest Link

Technology in schools promotes active learning, provides countless online resources, analyzes student performance for immediate feedback, automates processes like attendance and grading, offers assistive technology options, and develops life skills critical for our students. Yet, the benefits of collaborative, engaging, personalized learning experiences are counterbalanced with the possible exposure of student data to unauthorized parties.

“Student data privacy is only as strong as its weakest link, and it behooves a district to understand their school community, reevaluate current practices, and institute measures that protect our most vulnerable asset…”

Much like the leaks in a Holland dike, CTOs are always on the move plugging security holes to keep out intruders who are eager to steal student data.

According to the CoSN ‘s 2019 K-12 IT Leadership Survey Report,  cybersecurity is the top priority for IT leaders. “Rather than focusing on corporate targets, which are devoting increased resources to cyber defenses, the group [data breachers] focuses on more vulnerable sectors such as school districts, universities, and nonprofits, which the group likely believes are softer targets.” 

The Goldilocks Effect

The Goldilocks Effect has hackers looking for the most susceptible access to student data, and in many cases, the “just right bed” is with classroom teachers. With edtech software available at the click of a mouse, enticements of free teacher accounts by software companies, crowdfunding financial resources, and easy access to student data, well-intentioned teachers, are unknowingly exposing both their students’ and their own personally identifiable information (PII) to unknown sources.

Teachers are eager to find new ways to engage their students and clickwrap on software agreements without understanding the potential ramifications.

Edtech software companies’ data privacy policies are swimming with legal jargon that can put teachers into a false sense of safety and security without a law degree or extensive understanding of the policies. Most software companies intend to be transparent about their data sharing, collection of information, and adherence to FERPA and COPPA regulations. However, without a clear understanding of student data protections in place, teachers’ data to set up student accounts can become vulnerable to third-party exposure. 

When asking a group of teachers about the data privacy safety of edtech software, their responses reflected the vulnerability of student data privacy in classroom settings. The question of ‘If it is an educational app, it is safe to use?” garnered answers such as “My students are only using the app in class,” “I saw the product in a workshop at an edtech conference.” “It’s an educational app, so it must be safe for my students.”.

These responses are red flags that all CTOs should be addressing in their districts.

Educators are in the business of nurturing, supporting, teaching, encouraging, and providing learning opportunities for students. Edtech leaders cannot expect classroom teachers to understand federal and state privacy regulations, interpret vendor data privacy policies, and disseminate only directory information without education, guidance, and support.

What You (We) Can Do About It

Using resources such as Common Sense Media and, the school community can participate in online data privacy courses. These courses create scenarios and opportunities for the entire school community to reflect on current practices and implement new data security practices. 

Without the entire school community’s collective efforts, student data will continue to be vulnerable and unprotected. By adopting responsible use policies, school districts can move away from the restrictive acceptable use policy and put data privacy responsibility on them.

This collaborative approach to technology use in the district educates all stakeholders on the importance of protecting data. Tom Whitby, the author of “The Relevant Educator: How Connectedness Empowers Learning,” argues that schools should move away from the restrictive filter of acceptable use policies. He suggests, “Teaching kids responsible use is the best form of control. It is a lifelong skill.”

School districts also need to reflect on their practices to support data privacy initiatives in their schools. Using Common Sense Media privacy reports, edtech leaders can access the safety, security, privacy, and compliance of current software used in the district.

Partnering with organizations such as the  Student Data Privacy Consortium (SDPC), districts can share standard practices on app vetting and contracts, student privacy app integration, and “governance” supporting data privacy. Chrome extensions such as LearnPlatform monitor, organize, rate apps, and software used in school districts to ensure transparency and compliance with student data privacy regulations.

Student data privacy is only as strong as its weakest link. It behooves a district to understand their school community, reevaluate current practices, and institute measures that protect our most vulnerable asset—our students. 

Source: EdTech Digest 

FETC 2020: Stem, Safety, and Students

Student engagement and empowerment were evident at FETC 2020 in Miami, FL. Topics ran the gamut from the latest tech tools and personalized learning strategies to funding, supporting, and sustaining district technology initiatives.

FETC 2020 offered sessions and workshops, interactive spaces, an extensive expo hall, and purposefully-chosen dynamic, energizing, and inspiring keynote presentations. More than 20,000 attendees from around the world experienced unlimited opportunities to network, learn effective teaching strategies, share resources, and be inspired. Even though the Miami sunshine was enticing, attendees moved excitedly from session to session, eager to soak up all that the conference had to offer.


In the early years of STEM and STEAM adoption, students’ hands-on experiences were limited to isolated classroom activities and computer labs. This stand-alone model did not engage the entire school community, nor was it transferrable to content areas instruction.

With sessions at FETC 2020 such as “Coding, Robotics, Project-Based Learning and Mathematics” and “Cross-Curricular STEAM Integration for Every Classroom,” attendees learned how innovative educators are integrating STEM STEAM projects to connect students to real-world situations.

In the Expo Hall, companies such as Ozobot created “classrooms of today” to demonstrate how empowering teachers with a strong curriculum and products designed to engage students can help them incorporate coding and STEAM into social studies, ELA, math, and science courses. Even more inspiring was the STEM Theater, where throughout the conference, K-12 schools recognized as FETC STEM Excellence Award finalists showcased innovation, commitment, and visionary paths for their students.

Social and emotional learning

Empathy, self-regulation, responsibility, and relationship-building skills are human skills that are critical to the development of digital citizens. It can be challenging for education leaders to measure SEL programming’s success and impact on their students.

Edtech professionals at FETC were on hand to discuss how they’ve developed programming, strategies, and personalized options to allow classroom teachers, support staff, and building administrators to do just that.

Ed Tech Library Media Specialist and Future of Ed Tech Educator tracks highlighted sessions such as “Social and Emotional Learning in the Library” and “Social-Emotional Skill Building Through Coding and Robotics” that demonstrated how project-based learning increases student engagement and reduces behavioral management issues.

Software companies such as Everyday Speech were resources for school-based professionals and educators to use tools such as video, modeling, worksheets, and games to help students with social learning challenges. With new SEL content, Brainpop offered multiple sessions at FETC to incorporate social and emotional learning skills through modeling and classroom strategies.

Student safety

Student safety and student data privacy were on every CTO, IT professional, and district administrator at FETC 2020. Sessions including “What Every District Leader Needs to Know about Cyber Security” and “Cyber Security Measures and Assessments,” highlighted critical strategies that every district should implement to combat cyber-attacks. The “How to Find Technology That Improves School Safety” panel focused on the do’s and don’ts when it comes to safety solutions.

Software companies such as Impero, Securly, Gaggle, GoGuardian, Mimecast, and Managed Methods offered district tech leaders optimal student safety options ranging from protecting student data to protect students from self-harm, inappropriate content, and potential violence.


With the advent of esports in schools across the country, FETC offered conference attendees a not-to-be-missed interactive experience. Encompassing a significant space in the Expo Hall, the Esports Gaming Arena, and the North America Scholastic Esports Federation staged an esports environment easily replicated in any school setting. Middle and high school age students invited attendees to experience and learn about how this program positively supports, impacts, and engage a population of students eager for this educational environment.

Underlining all the sessions, workshops, keynotes, sandboxes, and learning spaces at FETC 2020 was the commitment of every edtech company, classroom educator, IT professional, district leader, and CTO to ensure that students have the tools and skills to own their learning and to grow and develop into the curators of our future.

FETC will be back in Orlando, January 26-29, 2021, for its 41st year.

Source: eSchoolNews

District Leaders Take on the New Reality of Cyber Security in Schools

This cyber security incident shut down Columbia Falls SD 6’s 25 schools for three days and impacted 1600 students, staff, and local sheriff and police departments.

The third in the Super-Connected: Empowering Superintendents & District Leaders CoSN and  series,  “Cyber Security: A Critical School District Priority,” took place on November 12, 2018. Moderated by Ann McMullan, Project Director, CoSN Empowered Superintendent Program, this webinar spotlighted the cybersecurity concerns rapidly becoming part of the school district’s daily operations. According to CoSN, the fastest growing and most common cyber incidents in K-12 schools are phishing attacks and unauthorized data breaches. McMullan warned that district leaders couldn’t “just check it off” regarding policies and procedures around cybersecurity. She emphasized that “it is an ongoing issue that needs to be looked at in new ways that are comprehensive, strategic, and persistent.” The three guest panelists Steve Bradshaw, Superintendent, Columbia Falls SD 6, Columbia Falls, MT, Juan Cabrera, Superintendent El Paso ISD, El Paso TX, and Dr. Gary Lilly, Director of Schools, Bristol Tennessee City Schools, Bristol TN, don’t just check it off when it comes to cybersecurity.

It is not hypothetical. 

McMullan affirmed that “while school districts are very familiar with closing schools due to weather, we never expect to have to close schools for cyber-attacks.” Yet that is exactly what happened in Columbia Falls, SD 6. What began as one strange text message quickly turned into a physical threat created by a remote access breach. This cybersecurity incident shut down Columbia Falls SD 6’s 25 schools for three days and impacted 1600 students, staff, and local sheriff and police departments. Bradshaw reflected on one action that he felt helped get his school district to get through the cybersecurity attack. That action was the school district’s transparent communication approach with the community and the “honesty and integrity that went along with it.”  

“Some lessons you have to learn the hard way” were how Lilly described the Bristol Tennessee City Schools’ cybersecurity breaches. The district was completely taken by surprise once an HVAC controller was hacked and again when 20% of the district’s employees failed a phishing test. His takeaway from these two events was that liability will always be an issue, but as long as a school district “takes reasonable steps to mitigate the exposure, then they can weather the breaches and hacks.” According to Lilly, these reasonable steps include the cybersecurity education of faculty, staff, students, and administrators and the awareness of all potential “holes” in school buildings’ infrastructure systems.

Cabrera conveyed that, as El Paso ISD tried to be more accessible for students and employees by giving them 24/7 access to their systems, they inadvertently created access points for potential data breaches.  His district’s vulnerability point did not impact student data but impacted another critical data group’s PII – employees. He described how the El Paso ISD payroll system had been hacked twice, and it took an FBI team involvement to recover over $100,000 in payroll. His suggestion for other district leaders is to elevate the district’s level of cybersecurity importance to protect both students and employees. He also recommended that school districts create a cybersecurity team that includes the CTO, the IT department, and the HR department to collaboratively allocate resources, train staff, and heighten school boards’ awareness.  

The New Reality

Cabrera affirmed that “people may think that they are late to the party, but it’s ok because we are all late to the party. As our school districts are becoming more dependent on cloud technology and remote access, the safety and security of our schools have become extremely critical.” When Lilly testified at the Committee on Education and the Workforce at the US House of Representatives, he focused on this new reality with the legislators.  “I wanted them to know that cybersecurity and privacy are massive deals as school districts are collecting a tremendous amount of information on students, faculty, and staff.  While most districts are taking steps to protect that information, district leaders need the federal government to take a look at the laws and update those laws for the world that we live in now.”

Don’t Wish This On Anyone.

While these three superintendents hope that no other school districts experience cybersecurity breaches and hacks as they described in this webinar, they understand that all school districts are vulnerable to these types of attacks. Even though Bradshaw felt as though he was the “poster child of cybersecurity,” he explained that it also opened the doors to the reallocation of resources within the district for employee training and the creation of an experienced IT staff with cybersecurity.  Lilly recommended that other school district leaders communicate with all stakeholders about their cybersecurity needs, expectations, challenges, and issues. “After you think you have said it, you need to repeat it. People need to hear it more than once.” Cabrera urged school districts to hire good leaders who understand that both the infrastructure and the learning and teaching aspect of technology need to be under the umbrella and protection of cybersecurity.”

Source: District Leaders Take on the New Reality of Cyber Security in Schools. Tech and Learning Magazine December 2018 


District Leaders Navigate Student Data Privacy Laws to Champion for Students

The second in the Super-Connected: Empowering Superintendents & District Leaders CoSN and  series,  “Student Data Privacy: A Priority and Essential Commitment,” took place October 8, 2018. Moderated by Anne McMullan, Project Director, CoSN Empowered Superintendent Program, this webinar spotlighted the critical guidelines developed by CoSN for ensuring student data privacy in school districts. Anne McMullan said that

technology has such a big role in education today. We can’t just go and ask the IT guy.  We all need to talk the talk.

The guest panelists in this webinar can certainly talk the talk and walk the walk.  These student data privacy champions included Dr. Charles Dumais, Superintendent/Executive Director, Cooperative Educational Services Fairfield County CT,  Dr. Quinn Kellis, Superintendent  Dysart Unified School District. Surprise AZ, and  Linnette Attai, Project Director, CoSN Privacy Initiative and Trusted Learning Environment Program and President and Founder of PlayWell, LLC

The webinar launched with Linnette Attai explaining the four federal student data privacy regulations; FERPA, PPRA, COPPA, AND GDPR. She highlighted one of the lesser-known federal regulations, the Protection of Pupil Rights Act ( PPRA), which is concerned with student surveys and assessments that ask for sensitive information or, as Linnette described it as the  “sex, drugs, and rock and roll” of student data.  Ann McMullan stressed  that “it is incumbent for superintendents and state leaders to stay on top of these laws as they are constantly evolving and not set in stone.”

Steering the ship through the sea of state and federal student data privacy laws

When the panelists were asked how to navigate state/federal data privacy laws, Dr. Kellis described it well.  “It’s almost like being in a foreign country. Whenever you enter someone else’s territory and need to be compliant to someones else’s laws, you have to be familiar with those laws before you start navigating their streets and their lands.”  Dr. Kellis also pointed out a recently passed Arizona PPRA type law that applies penalties directly to the person, not the district, who conducts or performs the violation. Dr. Dumais explained how aggressive Connecticut has been with student data privacy laws and how the timeline gave their 160  individual districts little time to become compliant.  The state’s Commission For Educational Technology has worked hard to provide the school district the tools and resources they need to meet the requirements. However, some of the vendors are large and hard to work with, and some of the vendors are small and don’t have the legal resources to comply with the regulations.

How much information is too much information

Both Dr. Dumais and Dr. Kellis are concerned about communicating with parents regarding student data privacy.  Dr. Kellis talked about how it can “create a culture of fear amongst parents,”  and the challenge for school districts is to be transparent and informative while at the same time not overwhelming stakeholders.  All the panelists agreed with Dr. Dumais’s statement that it is ”difficult to keep up with all the changes to student data privacy regulations and that at times it feels like we are pulling technology and resources away from teachers to ensure compliance.”

Instruction should always proceed with technology.

Dr. Dumais stressed that superintendents need to be aware of the student data privacy laws and be mindful of how the district’s implementation is going to best support instruction.  An example of success in the Connecticut Public Schools system was moving to a single learning management system. “It not only ensured compliance with student data privacy regulations, but it made the state stronger by allowed us (Connecticut) to be better at effectively using student data to drive instruction.”  Dr. Kellis echoed the sentiment around instruction and technology when he talked about how the Dysart Unified School District has high expectations and supports classroom innovation. “We want the teachers to be innovative and out there looking for solutions to affect their teaching, and we want our students to go beyond their classroom walls and have a holistic experience. However, this innovative approach to education comes with a price as it falls on the district to protect our students.”

All the “ly” words working together

Ann McMullan heightened our awareness when she announced that  “everyone has to learn how to use student data securely, effectively, legally, and ethically ensuring that all those ly words work together.”  The Dysart Unified School District, Dr. Kellis explained, focuses on employee online training modules that include a module on student data privacy. Any new technology rolled out in the district consists of student data privacy training for all employees.  Dr. Dumais explained how “going back thirty years, our staff (Connecticut) training of FERPA was limited to a small population, comprised mostly of special education teachers and administrators. Now we do a lot of training with attorneys on helping all our staff understand the implications of the state and federal student data privacy regulations.”

Listen up, future superintendents.

Both Dr. Kellis’s and Dr. Dumais’s final words on student data privacy spoke to future superintends and district leaders.  Dr. Kellis recommended that  “to be an effective superintendent and make a difference, you have to have a core belief that students come first and that their safety is important.  It’s an easy issue to delegate or set aside because it is not right in your face, like a threat or fire evacuation. Everything you do is for the students, and you cannot minimize student data privacy.” Dr. Dumais conveyed that

 “the best superintendents are the ones who are addressing the issue in districts and were the leaders who are pushing it forward. This is not a single person solution, and only through a systematic solution, will we find a way to protect students.”

Source: District Leaders Navigate Student Data Privacy Laws to Champion for Students|TL Advisor Blog November 2018

The privacy risks of AI use at school

By Emily Ann Brown District Administration, October 2018 

When voice-activated tools are used in the classroom, school leaders need to safeguard student data.

Whether school system leaders realize it or not, voice-activated, artificial intelligence devices such as Alexa and Google Home are becoming a part of classrooms.

“I know of a lot of school districts where teachers use it, and in some districts, the [school administrator] knows about it, but in other districts, they don’t,”  says Eileen Belastock, director of academic technology and chief technology officer for Mount Greylock Regional School District in Massachusetts. (read more)

Source: The privacy risks of AI use at school | District Administration Magazine


Technology Not Going to Solve Data Privacy

Washington, D.C., and the MLB All-Star game were the backdrop for the inaugural CoSN Student Data Privacy Workshop. 35 CTOs, CIOs, and Superintendents from as far away as Texas gathered to collaborate on this important topic. The framework of this event was the CoSN Trusted Learning Environment (TLE) Seal Program. This seal program is the “nation’s only data privacy seal for school systems” that recognizes school districts’ commitment to high standards around student data privacy. The workshop was presided over by Linnette Attai, CoSN Project Director, President of Playwell, LLC, and author of Student Data Privacy: Building a School Compliance Program focused on four of the five TLE core practice areas: Leadership, Data Security, Business Practices, and Professional Development and Classroom.


The workshop began with a very informative keynote address by Michael Hawes, the Student Privacy Policy and Assistance Division (SSPAD) Director for the U.S. Dept of Education. He stated that the SSPAD’s core mission is to promote best practices, raise awareness, and seek adoption of student data privacy policies “above and beyond” FERPA. He highlighted the challenges that school districts face when dealing with third-party service providers and student personally identifiable information (PII). He emphasized that edtech is here to stay. Until data privacy policies and procedures are in place, districts, students, teachers, and parents are vulnerable to phishing and identity theft. He ended his keynote with words of encouragement for the group by saying that it doesn’t have to happen at once… set reasonable goals, involve leadership, and utilize the many available resources such as SSPAD resource site and the CoSN Protecting Privacy in Connected Learning Toolkit.


Champions was the term most used during this session. During both the leadership failfest and the discussion panel by four TLE seal leaders, it was emphasized that it is critical to have leadership champions. By getting district and building leadership involved, decisions around student data policies will be value-driven, not fear-driven.

Data Security

The tabletop exercises around data security were educational for many at this workshop. Linnette energized us into action when attendees were walked thru a comprehensive incident response plan model that included response team identification, detection and analysis of the situation, containment, remediation, communication, and post-mortem.

Business Practices

This third core element ignited much discussion around the building and implementation of third-party vetting processes. The group’s consensus was that it is important to look at what other schools are doing, get into a dialog with third-party vendors around a district data privacy agreement, and recognize the risk management around vetting possible third-party applications program adoptions in your district.

Professional Development

This share session focused on creative ways to approach professional development within our districts. It was a lively discussion ranging from posters around the school to phishing tests to weekly tips for faculty in creative locations. We all agreed that student data privacy is a mindset and cultural change that will take time. If we can make connections for parents and teachers about how this could impact their personal lives, we can make those critical changes that will protect our students. Educating teachers then helps inform their classroom practices and then educate students and parents on these important issues.

Action Planning

This CoSN workshop modeled engaging in the process by having all participants complete a CoSN TLE Practice Self-Evaluation. This self-evaluation had the group taking a hard look at strengths and areas of concern around data privacy policies in our own districts. The workshop ended with a reflection activity that resulted in a data privacy action that participants could build upon in our own districts.

Data privacy is not an IT problem; it is a people problem. As Keith Krueger, CoSN CEO, stated in his welcome letter, we need “to reframe the conversation around privacy of student data, and the key is to move from privacy to trust with our parents, community and policymakers.”

Source: Tech&Learning
Copyright © 2022 Belastock Consulting- All Rights Reserved.