A locked file cabinet isn't exactly Fort Knox. At the same time, a school in Kentucky doesn't have to worry that a hacker in North Korea can get into their filing cabinet. After transitioning to digital, however, a school's data can become accessible anywhere in the world with internet access. It's how school management software can offer things like online enrollment, touchless attendance with notifications, and before and afterschool billing. However, this also highlights the importance for schools to ensure that only those with proper permission can access the data.
Schools storing their digital files on premises at the school or in the cloud should know how to stay ahead of data breaches and security threats.
But what exactly does it mean to keep student data private?
One way to answer that question is to comply with the legal requirements pertaining to students and children.
Federal and state student privacy laws
When it comes to laws protecting student data privacy, two federal laws are specific to students, and one applies to children under 13. However, the federal privacy laws specific to students were written in the 1970s, well before the average household had even heard of the internet, much less used it.
In 1974, Congress passed the Family Educational Rights and Privacy Act (FERPA). To simplify it, FERPA granted parents the right to see their child's student records and required the school to obtain parental permission to share the student record information with anyone else. It is limited in how much protection it provides because parents can't sue a school for being out of compliance with FERPA. Instead, the risk to schools is the loss of funding. Almost ten years ago, parents learned that these laws provide weak protections for parents who don't want schools to share student information with third parties.
There's also The Protection of Pupil Rights Amendment (PPRA) from 1978. It requires schools to disclose to parents if students are participating in surveys, tests, or activities that are not federally funded, allowing them to opt out. Obviously, that has nothing to do with requiring secure student data storage.
The other federal law that educational institutions will need to consider is the Children's Online Privacy Protection Act (COPPA), passed in 1998. However, it was passed by the Federal Trade Commission, not an education law from the U.S. Department of Education. It's about protecting children from commercial exploitation by providing parents with control over data collection for children 13 and younger, which has some overlap with students. Again, it's about something other than protecting student personal information and doesn't apply to high schools nor higher education.
More recently, states have passed student privacy laws. More than 40 states and D.C. have passed over 100 laws that deal with student privacy. There's enough material to unpack there that we'll have to save it for future posts.
For now, schools should adopt business cybersecurity best practices to safeguard student data.
Cybersecurity 101 for school administrators
Cybersecurity is a continually evolving area of study and best practices. There's enough to know about it that school districts with enough resources might employ experts like a Chief Security Officer or Chief Privacy Officer to manage their data security. For someone new to the topic, the following key concepts will help them get up to speed on the basics.
Use this article as a discussion guide
If these topics are new to you, we've broken them down into plain speak on the following:
- Essential security measures an administrator should know
- Risks of not implementing the measure
- Tips for administrators
The best part is that you don't have to memorize all of this information. It's a great place to start by just reading it once to start familiarizing yourself. When you need to take action, you can share this article with anyone you need to speak with about student data privacy and security, such as your educational technology providers or information technology (I.T.) team. It has all the most important topics you'd want to cover with them.
On-premises vs. Cloud-Based Software Security
The first thing to know is that security practices are different for software that is installed on computers at the school, also known as "on premises" software, and software that is accessed via a browser or an app, which is known as cloud-based software, or sometimes called software-as-a-service (SaaS).
On-Premises Security Measures
- Risk Without It: Unauthorized outsiders may gain access to the school's network, possibly retrieving or corrupting sensitive information.
- What It Does: A firewall examines the data entering and leaving your school's network. If it detects anything suspicious or not allowed by its rules, it blocks it, acting as a gatekeeper to your network.
- Tip for Administrators: Ensure the firewall is regularly updated and configured correctly. Ask about their firewall maintenance routine if you're using a third-party I.T. service.
- Risk Without It: Students and staff might access harmful or inappropriate content, which could contain viruses or malicious code that enables unauthorized access.
- What It Does: Content filters review the content of websites before they are displayed. If the content matches a list of disallowed or inappropriate materials, the filter prevents that site from being accessed.
- Tip for Administrators: Review content filtering categories and adjust them according to the school's needs.
- Risk Without It: If an attacker gains access to one part of the network, they might access all parts, including sensitive, personal data.
- What It Does: Instead of having one single connected network, network segmentation breaks it down into smaller networks or sections. This way, if there's a security issue in one section, it doesn't automatically put the other sections at risk.
- Tip for Administrators: Regularly audit network segments and ensure sensitive data is kept on highly secured segments.
- Risk Without It: Computers and devices can be vulnerable to malware and other malicious software.
- What It Does: Endpoint protection goes beyond anti-virus software for the computers and devices that are part of your network. It continually scans for and protects against malicious software attempting to install or operate on the device.
- Tip for Administrators: Ensure all devices have endpoint protection installed and are regularly updated.
Cloud Security Measures
- Risk Without It: Data exchanged between the user's browser and the cloud service could be intercepted.
- What It Does: When data is sent or received over the internet, it's sent as plain text that is open for anyone to see. The secure sockets layer (SSL) ensures the text is wrapped in an encoded layer, ensuring the data inside is kept secret and not tampered with.
- Tip for Administrators: Nowadays, most sites use SSL. And browsers will usually warn users if they visit a site that isn't using a secure connection. To check, look for the "s" in "https://" in a web address. It indicates an SSL connection. Most browsers show a lock icon in the address bar when there is a secure connection.
Data Encryption Between Services in the Cloud
- Risk Without It: Data traveling between different parts of cloud-based software can be intercepted and read.
- What It Does: As data travels from one place to another within the cloud, this measure ensures the data is encrypted, ensuring it can't be easily peeked into or changed by unauthorized parties.
- Tip for Administrators: Ask vendors about their data transit encryption protocols.
General Security Practices
Multi-Factor Authentication (MFA)
- Risk Without It: Logins are vulnerable to breaches with only a username and password.
- What It Does: MFA is like asking for two or more types of I.D. when signing in. This could be something you know (password), something you have (a phone or code generator app), or something you are (fingerprint). Requiring that two or more must be verified before access is granted means someone can't just steal your password to gain access.
- Tip for Administrators: Ensure your systems support MFA and encourage its use among staff.
- Risk Without It: Unauthorized staff could access sensitive data.
- What It Does: Think of these as specific entry badges. Only those with the right badge get access to certain personal information. A math teacher might have access to math grades but not student medical records.
- Tip for Administrators: Regularly review and update access rights as staff roles change.
- Risk Without It: Staff can inadvertently cause security breaches.
- What It Does: An educational session on cybersecurity teaches staff how to spot and steer clear of digital threats, just like a workshop instructs people how to identify and avoid real-world dangers. Educate staff on recognizing and preventing potential hazard threats like phishing, which is when a fake login page looks just like the real login page to steal login credentials.
- Tip for Administrators: Schedule regular cybersecurity training sessions, keeping the content updated with the latest threats. It's also a good idea to train staff on privacy policies and other materials that govern how personally identifiable information (PII) should be handled.
Understanding and implementing these measures will significantly boost the security of student data. It's a collective responsibility; when everyone is informed and diligent, the entire system becomes more secure.
Managing parental expectations
In addition to knowing the security measures that keep student data private, administrators also balance parental expectations. And the 21st century has undoubtedly made digital data an integral part of our lives. Data privacy is becoming a hot-button issue as more aspects of our daily interactions, transactions, and activities move online. This is especially true for parents, who prioritize the safety and security of their children above all else. They're not just thinking about physical safety anymore; they're also deeply concerned about their children's digital footprint.
The digital information schools store about students can include everything from grades and medical information to addresses and social interactions. Parents, being the first line of defense for their children, are now more likely than ever to question how this data is stored, used, and protected. Consequently, it's common for administrators to field questions or concerns from parents who have been reading about or educating themselves on digital privacy. Being prepared to answer these questions and ensure data security builds trust with parents and enhances the institution's reputation.
Helping staff transition from paper to digital
We covered a lot of material that, for an educator learning it for the first time, could feel like a lot. But, the fact is, the conveniences and benefits of an online service mean educators must have a baseline knowledge about data security and what it takes to keep student PII . Administrators should plan to help their staff transition, mindful that some will be reluctant. After all, the shift from paper to digital systems is much more than just a change in medium. For those who've spent most of their careers or lives working with tangible, analog records, digital platforms can seem foreign and sometimes unsettling.
There's a tactile assurance to paper - you can touch it, store it in a locked cabinet, and physically control access. Digital data, on the other hand, exists in a seemingly intangible space, raising concerns about its vulnerability.
As educators and administrators begin this transition, they might struggle with various concerns: "Where is the data stored?" "Who can access it?" "How easy is it for someone to break in?" It's a journey of trust, and gaining information about digital security practices can be a way for them to mitigate their concerns. The more they understand about how data is protected, the more confidence they can have in using and advocating for digital systems. Some staff may have more questions beyond privacy and security—check out our tips on overcoming the challenges of moving from paper to school management software.
To help staff get up to speed, consider sharing this primer on student data privacy and the key things to know about school cybersecurity. We have helped school administrators with more in-depth explanations and answering their questions. If you or your staff would benefit from discussing how systems like Curacubby keep student data private and secure, please get in touch with us. We've given presentations on this topic and have materials available to share.