
Top 5 ways schools can protect student privacy in the digital age



New technologies offer great potential in the education setting, providing students and teachers with more opportunities for connection, more interactive ways of learning and anytime-anywhere access to education resources and tools. As a new generation of technologies rapidly makes its way into schools, administrators also need to ensure student data is secure and not used in unlawful or inappropriate ways by technology vendors who have access to that data. According to a recent Brunswick Insight Survey, overall, 93% of the parents surveyed with children in grades preK-12 expressed concern regarding the online tracking of their children. Given my company’s partnership with many education institutions and customers who must face privacy obligations in today’s hyper-connected online world, we know this is a major concern for administrators and parents that should be taken seriously.

There are five things every school can do to ensure students’ privacy and data are secured.

1. Understand your legal obligations: FERPA, COPPA, and HIPAA are all federal regulations that are in place to ensure student data is kept secure. Depending on your school district, there may also be state and local privacy regulations to abide by.

  • FERPA: Family Educational Rights and Privacy Act applies to educational agencies and institutions that receive funding under the U.S. Department of Education and prohibits disclosure of information contained in student education records absent consent from parents (or students age 18 or older, if they are enrolled in any post-secondary educational institution).  FERPA requires schools to impose restrictions on vendors who have access to such records, for example prohibiting vendor data mining of records for advertising purposes.
  • COPPA: Children’s Online Privacy Protection Act requires parental consent prior to the online collection of personal information from children 13 years of age and younger.  In the school setting, this translates to obligations of vendors to fully disclose commercial data collection and use practices, as well as a responsibility for schools to convey information about those practices to parents and obtain parental consent.
  • HIPAA: Health Insurance Portability and Accountability Act requires “covered entities” to protect sensitive health information, including restricting vendor access to and use of that data.  While people think of HIPAA as applying only to medical practices, it applies in many other contexts as well, including to medical schools and employee benefits plans. Moreover, HIPAA also requires that student treatment records be handled consistent with FERPA, meaning the restrictions outlined above must be imposed on vendors who have access to student treatment records.

2. Choose a vendor you trust: The consumerization of IT has resulted in many consumer-oriented tools being deployed into schools, sometimes without adequate review of data collection and use practices; however, some vendors have data collection and use practices that are not consistent with applicable regulations and historical norms related to student privacy.

3. Understand your obligations and your vendor’s privacy agreements: Ensure the data collection, use and disclosure practices of your cloud and IT providers align with regulations and norms. When you sign an agreement with a third-party vendor, large amounts of student, teacher, and institution data are placed in the hands of that vendor.

4. Understand how your vendor will use your data: Ensure your vendor will not scan or mine your data for marketing or advertising purposes. Ask if they plan to scan or commingle your e-mails, data, or documents stored in the cloud for purposes that don’t directly relate to the education of your students. Don’t be swayed by vendor claims that they will “anonymize” student data or that no one will be involved in the scanning. Neither of these approaches is sufficient to meet the regulatory requirements outlined above.

5. Educate faculty, students, and parents on appropriate activity: Create a culture of respect for student privacy by providing school administrators, teachers, and anyone else who may deploy technology in the classroom with the tools to understand their role in protecting student privacy.

Cameron Evans is national and chief technology officer of U.S. Education at Microsoft. You can connect with him via Twitter: @EDUCTO.