Advocates would have us believe that school districts are incapable of making responsible decisions about technology-related privacy and security issues affecting students. Even if they are correct about the current state of affairs – and they just might be – it doesn’t abdicate our responsibility to help schools and educators do better.

Are Schools Helpless, Hapless When it Comes to IT Privacy and Security?

School districts have a duty of care to ensure the safety and welfare of the children and youth entrusted to them and have an obligation to ensure that teachers and other staff employed by the school district are not putting students at risk of harm. I don’t think this is a controversial statement, a new idea, or something that deserves radical rethinking in an increasingly digital world.**

Nonetheless, as schools rely more and more on the internet for the delivery of core education programs and services we must remain cognizant of the ways in which our use of the technology may represent potential new threats to students and school communities. Consider, for example, our experience with connecting schools to the internet for the first time in the early/mid-1990s and the response to issues of internet safety and access to inappropriate material for minors: new issue advocacy groups launched; new laws were passed which required changes in school and company practice; new school and company policies and practices were implemented; and new organizations launched to support educators and families in responding to the identified threats and carrying out policymaker mandates.

Today, twenty years after schools first began to address issues of internet safety, new concerns have been identified with respect to the extent of information collected about students, who has access to that information and under what conditions, how that information is protected from unauthorized access, and how that information may be used today or at some time in the future.

Of course, issues of privacy and security are related, but not the same. In general, privacy-related matters address what information can be collected by schools (whether via technology or not), for what purposes, with whom it can be shared, and under what circumstances. Security-related matters address how information is stored; how those not authorized to access it are prevented from doing so; procedures to prevent against unauthorized use, disclosure, modification, inspection, recording or destruction of information; and how the network, software applications, and computing devices themselves are protected from harm (cf. “Information security“). One cannot be said to have secure IT systems in the absence of a meaningful privacy policy; likewise, one cannot ensure privacy if one’s IT systems also are not secured.

As we look to lessons learned about how schools responded to the issue of internet safety beginning some twenty years ago, my read is that the current set of solutions and responses being advanced today to address privacy concerns can only be kindly described as ‘in need of improvement.’ Most glaring in its absence is the lack of any new direct support available to school district leaders and educators who are – to my way of thinking – the party primarily responsible for the safety and welfare of students in their care, including with respect to issues of privacy.

Consider that:

School district practice represents the weakest link in protecting student data privacy and security. A singular focus by advocates on legislating company practice simply doesn’t serve to fully address the issue – and history shows it’s not how we ultimately addressed issues of internet safety sufficiently to move forward with connecting schools to the internet in the first place. To advocates, as the saying goes, don’t pat yourselves on the back for the limited successes to date, you’re liable to hurt yourselves and leave school districts to pick up the pieces.

 

** I am not a lawyer, and this blog does not offer legal advice. If you need legal advice, consult with a lawyer instead of a blog.