Advocates would have us believe that school districts are incapable of making responsible decisions about technology-related privacy and security issues affecting students. Even if they are correct about the current state of affairs – and they just might be – it doesn’t abdicate our responsibility to help schools and educators do better.
School districts have a duty of care to ensure the safety and welfare of the children and youth entrusted to them and have an obligation to ensure that teachers and other staff employed by the school district are not putting students at risk of harm. I don’t think this is a controversial statement, a new idea, or something that deserves radical rethinking in an increasingly digital world.**
Nonetheless, as schools rely more and more on the internet for the delivery of core education programs and services we must remain cognizant of the ways in which our use of the technology may represent potential new threats to students and school communities. Consider, for example, our experience with connecting schools to the internet for the first time in the early/mid-1990s and the response to issues of internet safety and access to inappropriate material for minors: new issue advocacy groups launched; new laws were passed which required changes in school and company practice; new school and company policies and practices were implemented; and new organizations launched to support educators and families in responding to the identified threats and carrying out policymaker mandates.
Today, twenty years after schools first began to address issues of internet safety, new concerns have been identified with respect to the extent of information collected about students, who has access to that information and under what conditions, how that information is protected from unauthorized access, and how that information may be used today or at some time in the future.
Of course, issues of privacy and security are related, but not the same. In general, privacy-related matters address what information can be collected by schools (whether via technology or not), for what purposes, with whom it can be shared, and under what circumstances. Security-related matters address how information is stored; how those not authorized to access it are prevented from doing so; procedures to prevent against unauthorized use, disclosure, modification, inspection, recording or destruction of information; and how the network, software applications, and computing devices themselves are protected from harm (cf. “Information security“). One cannot be said to have secure IT systems in the absence of a meaningful privacy policy; likewise, one cannot ensure privacy if one’s IT systems also are not secured.
As we look to lessons learned about how schools responded to the issue of internet safety beginning some twenty years ago, my read is that the current set of solutions and responses being advanced today to address privacy concerns can only be kindly described as ‘in need of improvement.’ Most glaring in its absence is the lack of any new direct support available to school district leaders and educators who are – to my way of thinking – the party primarily responsible for the safety and welfare of students in their care, including with respect to issues of privacy.
Consider that:
- School districts are – or should be – in the driver’s seat with respect to which online services, tools, and applications are used and under what conditions with their students in school. Should a school district not have or not enforce policies about what online services and tools its employees use or what information about students they are allowed to collect and/or disclose to 3rd parties then we should address that issue head on. Instead, advocates have focused almost exclusively on the practices of companies serving education. While that’s part of the solution, it is in no way sufficient to addressing the privacy and security concerns being raised by parents and in the media.
- School districts may not fully understand or comply with existing federal and state data privacy rules and regulations (or maybe only do so when it is in their best interests), which suggests that more resources could be used to support implementation (such as training, technical assistance, model policies and practices, etc.) and compliance. I’ve certainly observed that existing guidance can be overly complex and legalistic. Before we create any new privacy or security mandates for schools, we need some assurance that school districts will implement them better than they have in the past.
- Most privacy legislation I’ve had the opportunity to review focuses on issues of privacy and not security – and even when it does it is only by vague references to ‘best efforts’ and ‘best practices’. While a best practices-type approach might very well be ok, it seems rather pollyannaish given that there does not exist to my knowledge widely accepted standards or best practices for K-12 school IT security. None. Nada. Zilch. Bueller?
- School districts under invest in IT leadership and support, so there may simply not be enough well-qualified technology professionals in school districts to manage and mitigate privacy and security threats. And, even if school districts have enough qualified IT staff, they aren’t necessarily being provided with the training and/or ongoing support to stay current in what is a continuously evolving field.
School district practice represents the weakest link in protecting student data privacy and security. A singular focus by advocates on legislating company practice simply doesn’t serve to fully address the issue – and history shows it’s not how we ultimately addressed issues of internet safety sufficiently to move forward with connecting schools to the internet in the first place. To advocates, as the saying goes, don’t pat yourselves on the back for the limited successes to date, you’re liable to hurt yourselves and leave school districts to pick up the pieces.
** I am not a lawyer, and this blog does not offer legal advice. If you need legal advice, consult with a lawyer instead of a blog.