The Evolution of the Student Data Privacy and Security Paradigm:
Incorporating the Effective Data Privacy and Security Practices of Other Sectors in Education
A RESOURCE FOR EDUCATION POLICYMAKERS AND PRACTITIONERS
Authors: David F. Katz, Steven Y. Winnick, Reginald J. Leichty, & Katherine E. Lipper
… This publication first examines data privacy and security approaches in the financial services, healthcare, and software sectors. A landscape analysis of these three sectors is intended to help states, districts, and schools see how common issues are addressed in other fields as they consider how best to address privacy and security in their unique contexts. The paper then makes recommendations regarding best practice standards for use in districts and schools as follows:
1. Establishing internal ground rules by assessing your data collection practices; identifying privacy and security objectives; engaging key stakeholders and ensuring oversight of and accountability for data privacy and security compliance; conducting a risk assessment to identify security needs; implementing a security program; and ensuring compliance through background checks, training, monitoring individual and institutional activity, and accountability for all participants involved in the processing, exchange, transfer, or analysis of student data.
2. Managing third‐party vendor relationships by putting in place a vendor approval and governance framework; executing risk assessments before selecting vendors; relying on legal counsel and a technical expert to draft agreements that include appropriate data protections and constraints on the use of data; establishing baseline standards for privacy and data security of student data; declining “contracts of adhesion” that give vendors unrestricted access to and use of data and the authority to make unilateral changes in agreements (i.e., “take it or leave it” contracts); ensuring vendor compliance with security requirements; requiring audits, indemnification, and confidentiality; and establishing responsibilities in the event of data breach.
3. Committing to continuous improvement and transparency with respect to data practices to ensure public understanding and support and to maintain credibility for responsible collection and use of student data by monitoring legal requirements; leveraging information about data use and security to make improvements over time; dedicating budget dollars to maintain privacy and security controls; and promoting open communications with and educating parents, students, and educators regarding the need for secure and reasonable data collection, sharing, and use.
Download the paper from EducationCounsel.com.
h/t, Daniel Solove