Gearing up for their district’s password-reset day in October, teachers and school administrators in Raytown, Missouri, watched a spoof video “gym” tour by their tech-support staff, who offered tips for stronger passwords amidst “laptop lunges” and “cross-tech” training.
Every few months in Raytown, there’s a new silly video with the serious purpose of safeguarding student information. Privacy and data-security themes are also woven into Raytown’s professional development workshops, curriculum planning sessions and even parent-teacher conferences.
“It’s become part of our school culture,” said Melissa Tebbenkamp, Raytown’s director of instructional technology.
“If our student data is hacked, it might just be a test score, but it could also be their social security number, or their disability information,” she said. “It can impact them for the rest of their lives.”
Nationwide, however, such training for teachers and school administrators is surprisingly rare. That’s a problem, because it suggests that recent efforts to bolster student data protection have largely neglected one of the biggest risks to any school information network—its users.
“The first line of defense in protecting student privacy are our teachers, and we’re not making sure that they have the tools to keep that data safe,” said Amelia Vance, policy counsel for the nonprofit Future of Privacy Forum.
Since 2013, state legislatures have considered about 400 student data privacy bills, and passed more than 70 into law, according to Data Quality Campaign, a nonprofit that tracks education data policy and use. Yet Colorado appears to be the only state whose law, adopted in 2016, requires that districts train all teachers and school administrators in the basics of privacy and information security. (A few states require such training for people who accesses specific, statewide student databases.)
A simple Web search reveals a bonanza of free or nearly free education technology applications to tempt resource-strapped teachers. But the data protections of these vendors can’t be taken for granted. In 2016, for instance, an audit of some 1,200 Web-based education software products by the nonprofit Common Sense Education found that nearly half the offerings didn’t automatically encrypt student data.
Even when an app has additional privacy settings, many teachers are either unaware of the options or don’t bother changing the defaults, according to Sophia Cope, a staff attorney for the Electronic Frontier Foundation, a watchdog for civil liberties in the digital world.
Teacher preparation programs also pay scant attention to keeping student data safe. “I haven’t found a graduate program, other than ones for special education, that has a course focused on protecting student privacy,” said Vance, who recently took part in an Information Privacy Task Force convened by the American Association of Colleges for Teacher Education.
Vance sees three big training needs for educators. First, schools should target common missteps, such as recycling passwords or working with sensitive information on an unsecured Wi-Fi network. Second, they should make sure every teacher knows the basics of privacy laws such as COPPA (Children’s Online Privacy Protection Act), which requires parental consent for any web service collecting “personally identifiable information” (pii) of children under 13, including photographs and voice recordings. Finally, they should train teachers to clearly inform parents about what student information their classroom technology will use and why.
The federal Every Student Succeeds Act lets states and districts spend Title II funds on privacy and data-literacy training for teachers. And plenty of free privacy resources can be found online. Wisconsin’s Department of Public Instruction, for instance, catalogs privacy-training documents, videos, slide presentations, and a link to the free online course “Data Privacy? Get Schooled” created by Data Quality Campaign in 2015.
In December 2016, Bill Fitzgerald, director of the privacy initiative for Common Sense Education, blogged a practical guide for students and teachers (and the rest of us) called The Five Days of Privacy.
“Most people want to solve this the way you would any technical issue: You buy the software and fix the glitch,” said Fitzgerald. “But, it will actually take a lot of behavioral change.”
Fitzgerald doesn’t just mean increased classroom vigilance over passwords and pii. “Before any bits get passed anywhere, educators should be trained to ask, ‘Does this data need to be collected to help students learn?’ ” he said, “and if so, ‘How is it going to be protected?’ ”
That sort of vetting can be a tall order for busy teachers, of course, given the myriad privacy and security arrangements in densely written terms-of-service agreements.
“It shouldn’t be this hard,” said Steve Smith, chief information officer for Cambridge Public Schools, in Massachusetts. To simplify the app-vetting task, Cambridge uses a boilerplate contract with strong student data protections, and any software vendor seeking an entrée into the city’s schools must abide by it. Teachers who want to use a new app in their classrooms must first check with Smith’s office, which will greenlight the app’s use once the vendor has agreed to the district’s terms.
In the past three years, about 50 other districts in Massachusetts, as well as districts in a dozen other states, have joined Cambridge in the Student Data Privacy Consortium, demanding the same contractual privacy protections from their software vendors. The consortium also keeps a searchable database of ed-tech software being used by partner districts, including the specific types of data being collected and stored.
Last summer, Cambridge was one of the first seven districts awarded a “Trusted Learning Environment” seal from the Consortium for School Networking (CoSN), a professional group for school technology leaders and ed-tech companies.
In 2016, about 100 districts applied for the TLE seal, which requires districts to document data privacy and security protocols, including training for both school staffers and parents. Raytown was also awarded a TLE seal, as was Denver’s school district, which revamped its student privacy policies in 2014, ahead of Colorado’s new law.
The Denver district made a short video about student privacy basics – based on videos from the U.S. Department of Education’s Privacy Technical Assistance Center – required viewing for every employee.
According to Kirk Anderson, Denver’s director of educational technology, instead of asking teachers to personally vet the privacy policies of new apps, “we train teachers to be transparent with parents and guardians.”
Thus, when a Denver teacher wants to use a new educational app they learned about on Twitter or at a conference, the choice is simple: If it’s not on the pre-vetted “Academic Technology Menu,” then the teacher must get parental consent using an online form.
The Denver district also offers “digital citizenship” workshops for students, teachers and parents, which show the extent of everyone’s digital footprints.
That kind of holistic approach to privacy training makes sense to advocates such as Fitzgerald, who see safeguarding private data as a school’s responsibility and a critical life skill students need to master.
“There’s no wrong place to start,” Fitzgerald said. “If you have a heartbeat and access to a computer, that’s a really good place to start.”
This story was produced by The Hechinger Report, a nonprofit, independent news organization focused on inequality and innovation in education. Sign up for our newsletter to get a weekly update on blended learning.