Teaching Privacy

Teaching Privacy

By Linnette Attai | Originally published in the Back-to-School 2019 issue of AC&E.

Protecting student data privacy is a fundamental requirement for all educational institutions. However, it’s easier said than done. The modern school or district collects a wide array of information from and about students, including addresses, parent names, custodial arrangements, financial information, free and reduced lunch qualification, bus schedules, disabilities and accommodations, learning plans, preferences, attitudes and aptitudes, medical information, grades and behavior. It’s a heady mix, with some of the data clearly more sensitive than others. Despite that, most employees aren’t properly trained on how to handle the data in a manner that protects the privacy of the students.

In fact, when developing a plan to protect student data privacy, it’s common to focus almost entirely on technology and third-party providers. After all, the complexities of understanding the privacy and security practices of the companies running the technology you’re bringing into the institution and managing them in the manner that protects your student data is a significant and necessary undertaking. However, it’s critically important to also remember that protecting student data privacy is dependent on people, not machines. Everyone, including third parties and all of your employees, has a role to play.

Privacy depends on behavior, and there is much that should be done within the walls of every educational institution to set a solid foundation for bringing in technology. Perhaps the first task in setting your teams up for success is to determine who should have access to what data and why. This baseline protection begins by determining the legitimate educational interest for access to different types of data for each role. Ensuring that access to data is sufficient but minimal is one of the most important things you can do to protect privacy and security within your walls. Once that is established, everyone must be trained, at least annually. It is simply not responsible to expect that a data protection program will be successful without accompanying education.

Who receives the least amount of student data privacy training but handles student data most often? Teachers. They are responsible for collecting and using student data every day, but many are not provided with any information about what they should do to protect it properly. When training is provided, it sometimes suffers from being too high level to be able to translate easily into actionable practices. Of teachers who do receive training, for the vast majority it is not customized to the work they do with their students.

Of course, the need to provide robust, tailored training often conflicts with resource constraints and other priorities. With so many important topics already lined up for training, it’s understandably challenging to add one more to the mix. However, if we expect teachers to do their part in protecting student data privacy, we need to provide guidance.

Thankfully, training doesn’t have to be complex or require a significant infusion of resources to get it right. It does require a plan. Here’s how you can get started:

Create the Roadmap

Bring leadership from different teams together to map out the plan for developing training. What platforms will be used? Will you use existing content or create your own? When will training begin? What topics will you cover and in what order? If you plan to issue training in short bursts throughout the year, create the schedule for the different touchpoints so that you have a calendar to rely on over time. Map different training topics to the calendar so that you can be assured of delivering all the information over the course of the year.

Set the Foundation

Before you can move into tailed, role-based training, everyone should be trained on the basics. This might include a discussion of leadership expectations around student data privacy, beneficial uses of student data, an explanation of basic federal and state legal requirements, district norms and community expectations, basic security training, such as phishing awareness and password requirements, and a reminder that employee behavior matters to protect the institution, maintain community trust, protect student privacy, and to teach students how to navigate their own privacy in the future.

Customize the Message

Get granular with actionable training for different teams. What specific behaviors are necessary for each team to protect student data privacy? How do those map to the legal requirements? Explain team-specific policies and procedures and why they are important, and explain how the policies will be enforced and audited. Articulate policies related to data access, use, transmission and sharing. Specific security requirements, reinforced with context for why they are important using real-world examples of what goes wrong when they’re not followed. Provide technical training where appropriate, and show employees where they can go with questions or concerns.

Throughout the training, remember to highlight not just the do’s and don’ts, but also why your institution collects the data it does, how it uses that information to fulfill the school mission and what other steps the institution takes to protect student data privacy. Be sure your teachers have this information so that they can have more constructive conversations with parents about your use of technology and the protections that are in place for your students.

Choose the Media

Do you have an LMS for employee training? Are you purchasing training modules or going with a home-grown approach? If you don’t have the resources for a slick, professional training course, not to worry. Teachers actually enjoy quick email tips, books and other self-paced resources, and short videos almost as much as they like in-person training with a skilled facilitator. What that means is that cost doesn’t have to be a big driver for creating effective training, and it doesn’t have to be a “one and done” module. Consider trying combinations of approaches, with training delivered in different ways, at different times, to keep student data privacy top of mind in your institution.

Choose free resources from the US Department of Education or create your own. Record short videos of teachers delivering privacy and security tips to their peers, compile reading materials for employees to work through at their own pace, send out emails with your top 3 privacy and security lessons for the month, challenge teachers and students to create privacy posters to display in the building, and run monthly privacy quizzes via email for bragging rights.

Keep it Going

Once you get through one cycle of training, you’ll want to do it again. Keep it fresh by changing the combination of media, updating some of your content and tying the lessons to both protecting student data and employee data. Be sure you’re training on the latest policies and procedures and are keeping the material focused on tangible behaviors.

Everyone has a role to play in protecting student data privacy, and the training you provide is critical to ensuring that all stakeholders will be up to the task, armed with the information they need to do the job well. It will also set students up for success in protecting their own privacy in the future. After all, children of all ages model adult behavior. The more your teachers engage in good privacy and security behaviors when operating technology in the classroom, the more they’ll also be planting the seeds for students to begin to absorb those lessons for themselves.

Linnette Attai is the founder PlayWell, LLC, a global compliance consulting firm providing strategic guidance around the complex obligations governing data privacy, marketing, safety, and content. Linnette brings more than twenty-five years of experience to the work, advising on privacy and marketing regulations, developing policy frameworks and compliant monetization models, and building organizational cultures of compliance. She also serves as virtual chief privacy officer and General Data Protection Regulation (GDPR) data protection officer to a range of organizations. Linnette is a recognized expert in the youth and education sectors and speaks nationally on data privacy. She is a TEDx speaker and author of the books, “Student Data Privacy: Building a School Compliance Program” and “Protecting Student Data Privacy: Classroom Fundamentals.”