Getting Started With Student Data Privacy Compliance

By Linnette Attai, founder of PlayWell, LLC

The 21st-century classroom is a rich ecosystem of diverse technologies that create a dynamic learning environment for all of our students. However, taking advantage of the opportunities that technology provides also increases the complexity of how student data is collected, used and shared. As a result, adopting that technology goes hand in hand with the requirement to build a student data privacy compliance program or to improve on an existing program.

Such a program is part of the fundamental responsibility of care that school systems have for their students. It is no small challenge to deliver on that requirement in a way that is comprehensive and measurably reduces risk. It requires knowledge and commitment. It also requires implementation of new policies and procedures to guide changes in employee behavior and to manage technology providers, as well as new ways to clearly communicate the compliance efforts to parents. To get started, it helps to have a road map to guide you through it all.

1) Start with the laws

There’s no way around it: Education data is subject to special legal protections, and the privacy laws are complex and varied. In addition, when it comes to data privacy, the context in which we are collecting, using and sharing data matters, which means that binary rules and procedures to comply with the laws often fall short of the mark. Leverage trusted resources such as the materials available at the U.S. Department of Education’s Student Data Privacy website to start building your fluency.

2) Go a step beyond

The laws are just a starting point. To understand what a data privacy compliance program should look like in your school system, spend some time considering how your use of student data aligns with your school system’s mission and vision. Consider community norms, sensitivities and parent expectations, then establish not just what the laws require, but also what you can and should do with data in alignment with the local sensibilities.

3) Be a compliance champion

A compliance program impacts all facets of an organization, so building it requires that leadership spearhead the effort. Remember that a compliance program is there to manage all forms of risk, including legal, financial and reputational harm. This is not something that one individual or team can effectively build and implement from the ground up unless leadership sets the tone, makes it a priority across the organization and provides the necessary resources to make it happen.

4) Make the case

If your leadership isn’t yet engaged or aware of the risks, build a compelling case to help them appreciate the responsibility, and partner with them to bring the program to life. Even when leadership is engaged, remember that the compliance program will impact everyone in the school system. Introduce the effort across the teams to lay the groundwork for cooperation and participation later on.

5) Know where you stand

Before putting pen to paper on policies and processes, know where your gaps are. A privacy impact assessment will help you uncover where your greatest risks lie, which in turn allows you to prioritize remediation efforts. It’s impossible to address all the issues at once, so take the time to map out an action plan to tackle problems over time, in accordance with risk level and existing resources.

6) Establish new norms

Document policies and procedures for teams to follow around collection, use, sharing and destruction of student data so that old issues are not re-created in the future. Remember that policies are not the laws. They are the behaviors that you expect employees to engage in so that the school system will be in compliance with the laws, as well as in alignment with your mission and community norms. Also create a procedure for each policy, so employees will know not just what is expected at a high level, but also how they are supposed to implement the policy to meet those expectations.

7) Train, train and train again

Employees interact with student data every day. Training on student data privacy laws, policies and procedures is critical if they’re to be able to implement the compliance program. Training should explain both what is expected in terms of behavior and why, so that everyone understands the context for the requirements. Training doesn’t have to happen all at once or overnight. The point is simply to get started, roll it out over time if you have to, and stay consistent.

8) Be accountable

Any good compliance program must include a system for auditing to ensure that policies and procedures are implemented consistently and are effective in meeting the intended aims. Auditing also helps identify gaps in compliance, and where policies and procedures may need to be adjusted to work more effectively within a particular school system’s environment. How will you monitor your program? Who will be responsible for reporting? Give some thought to this before rolling out your program, and document the accountability measures you’ll put in place to measure your success.

9) Communicate

Help your community understand how you are acting to protect the privacy of the student data that is entrusted to you. Provide information on the program, ensuring that it is clear and comprehensible. Also ensure that your teachers can explain the work to parents, as they are often the face and the voice of the school system in the community.

10) Begin at the beginning

Compliance is not a “one and done” proposition. It’s a living, breathing function that is constantly moving forward, evolving, improving and growing stronger. When you’ve implemented the program, go back to step one. Where can you learn more? What else can you bring to the program? Is your school system’s mission providing a touchstone for employees to refer to when making decisions about data or writing policies? Why or why not? What area of data collection and handling is ripe for a privacy impact assessment? Have you reviewed the policies and procedures recently? Do any of them require updating? How can you expand on your training program or refresh it? A compliance program is about ongoing improvement. Keep moving through the cycle, building stronger with every turn.

Stay positive and stay focused. Building a compliance program is akin to building a muscle: You need it for survival, but getting it where you want it to be takes time, energy, knowledge and consistent effort. It doesn’t happen overnight. But the results are worth it every time.

About the Author

For over 25 years, Linnette Attai has been building organizational cultures of compliance and guiding clients through the complex governance obligations governing data privacy matters, user safety, and marketing. As the founder of PlayWell, LLC, Linnette advises private and public companies, schools and districts, trade organizations, lawmakers, and policy influencers. She serves as a virtual chief privacy officer and data protection officer to select clients, and speaks nationally on data privacy matters. She is the author of “Student Data Privacy: Building a School Compliance Program.”