Experts in K-12 edtech and data protection share their expertise and advice in this panel discussion recap
We recently had the great fortune to host two experts in K-12 education technology and data protection during a live webinar panel discussion focused on student data privacy and security.
Our panelists for this discussion were Marlo Gaddis, Chief Technology Officer at Wake County Public School System in North Carolina, and Libbi Garrett, Director of Resource Programs at California IT in Education (CITE) in California.
Here, I make an attempt to summarize their key insights and advice to help you understand and protect your own students in education technology. But, really, the best way to glean the knowledge they impart to the world is to watch the recording of our discussion here (no forms).
A special and heartfelt “Thank You” goes to Marlo Gaddis and Libbi Garrett for your valuable time and expertise, which made this post possible.
EdTech Student Data Privacy And Security Tips
#1.) Know that you have a problem
As with most challenges in life, knowing that you have a problem in the first place is the first step to recovery.
Most of the ManagedMethods customers that I’ve talked to have said it: “You don’t know what you don’t know.” Many IT leaders simply don’t (or didn’t) know that 3rd party apps create risks to both data privacy and data security.
“You have to start off with: ‘Hello, my name is Marlo Gaddis and I have a problem.’” Gaddis joked during the panel discussion. “If you think you don’t have a problem, or you don’t know that you have a problem, then I hope you have really good luck. Because I’ve not met one district leader across the country that doesn’t have issues with this that they’re working through. You have to know that you have a problem and start having conversations with your leadership and others to start figuring it out.”
#2.) Free isn’t free
One of the many problems IT teams are facing is the lingering presence of all those free remote learning resources that became available during COVID shutdowns.
If you didn’t already have a process around vetting and approving technology, and a way to monitor and control them in your system, you probably have a lot more apps connected to your Google and/or Microsoft domains than you think you do.
“Free edtech tools are like free as a puppy. You know when you get a free puppy the work isn’t over. It’s just begun,” said Gaddis. “I know it’s tough because you want to use anything you can to support your kids. The problem is that there are a lot of issues with these free tools. You’re looking at manually uploading student information into a system with no privacy or security checks on the back end.”
#3.) Manage app cybersecurity risks
Gone are the days when districts could ignore the cybersecurity risks, and consequences, they face. I don’t have to repeat the numbers or the headlines; we’ve all seen them at this point.
What may be new information to you is how much of a risk connected apps pose to your cybersecurity posture.
“The FBI, CISA, and MS-ISAC released a Joint Cybersecurity Advisory in late 2020, warning us that K-12 schools have the most valuable data, and yet we are the most vulnerable. And we all know that they don’t release those public service announcements lightly,” Garrett said. “And now they keep telling us and telling us. We need to take these warnings seriously.”
There are several ways that threat actors can use 3rd party apps to gain access to students’ data. Abusing OAuth permissions is one of the newer ways they do it.
Using OAuth permissions granted by your users, they can do things like access documents and spreadsheets containing sensitive information, read, write, and send emails to all contacts, and even potentially access other apps, all without ever actually logging into the user’s account.
They can accomplish this in one of two ways. The first is by developing their own malicious app and “tricking” people into installing it and granting OAuth permissions. The second is by exploiting and taking over the code of legitimate apps that have poor security controls (this goes back to the previous point that free isn’t free).
“Cyber attacks are happening all over the place, and quite often they’re coming through 3rd party apps that we may adopt,” explains Gaddis. “So, the idea we’re talking about here is trying to close those holes from a cybersecurity standpoint to keep our students’ data safe and private.”
#4.) Be transparent with parents/guardians
One of the many interesting points that Garrett and Gaddis made during our conversation was how remote learning has changed parents’ perspectives and understanding of how much technology is used in schools. While most agree that keeping up-to-date with technology trends is good for students, it’s critical to be responsible for how student data is handled.
“One of the things that I’m finding fascinating is, as students had to learn from home, parents basically became teacher assistants. What happened is a lot more of them are now a lot more knowledgeable about the technology we’re using,” Gaddis explained. “Now, they’re asking the questions: ‘Okay, this is what you’re using with my kids, how are you keeping them safe in this product? What are you doing with the data? What are the companies doing with the data?’ These are really great questions and they are wanting to hold us accountable. As a parent myself, I applaud them for that.”
#5.) Encourage data protection literacy
They say it takes a village to raise a child. While the proverb couldn’t have possibly been born out of a need for online safety and digital literacy, this is where we are today.
We’re well past the days of expecting data protection to fall solely in the hands of the IT team. Everyone, including parents/guardians, students, teachers, administrative staff, contractors, and leadership, needs to develop data protection literacy to protect students’ (and everyone else’s) data.
“We’re teaching and training our parents, teachers, and students so that they understand how to keep themselves safe in this world that is now so high tech,” explained Garrett. “We can’t be telling people, ‘We’re doing everything right and we’re keeping you safe.’ No, we’re doing everything we can to protect them. But everyone needs to learn to see the dangers and make good decisions on their own. We need to be having those conversations.”
#6.) Monitor your Google and/or Microsoft domains for installed 3rd party apps
It’s one thing to say that you only allow vetted and approved apps to access data. It’s quite another to make that a reality.
This is true on a number of levels, one of which is actually controlling those apps in your domain. Some levels of Google/Microsoft licensing allow for some control over this, but the controls can be quite heavy-handed and sometimes downright impossible for many districts to manage.
Further, we’ve seen many IT admins overlook the very real use of district accounts to install and log in to apps on personal devices.
When Gaddis ran her initial 3rd party apps audit with ManagedMethods, she was a bit shocked by what she found.
“Y’all, we had 11,374 applications that our students and staff were using,” Gaddis shared. “And it was amazing some of the things we found. We had folks using their district accounts for dating apps, travel apps, and all kinds of things that we had to say no to. We went through a process of identifying what had been vetted and approved. Everything else we shut off. It closed a big gap in our data protection process.”
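The triage described in #3 and #6 (find every app holding OAuth grants, keep what was vetted, shut off the rest, and look first at apps that can read documents and mail) can be sketched as follows. This is an added example, not part of the panel discussion or any vendor's tooling; the grant records, client IDs and allowlist are constructed, and the record fields (`userKey`, `clientId`, `displayText`, `scopes`) are an assumed export shape.

```python
# Added example: triage OAuth grants against a vetted-app allowlist.
# High-risk scopes: the document, mail and contact access described in the article.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/spreadsheets",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
}
# Hypothetical client IDs of apps that passed the district's vetting process.
APPROVED_CLIENT_IDS = {"1111.apps.example"}
_EMAIL = "https://www.googleapis.com/auth/userinfo.email"
# Constructed sample grants, one record per user-to-app authorization.
SAMPLE_GRANTS = [
    {"userKey": "student1@district.example", "clientId": "1111.apps.example",
     "displayText": "Vetted LMS", "scopes": ["openid", _EMAIL]},
    {"userKey": "student2@district.example", "clientId": "1111.apps.example",
     "displayText": "Vetted LMS", "scopes": ["openid", _EMAIL]},
    {"userKey": "teacher1@district.example", "clientId": "2222.apps.example",
     "displayText": "Free Quiz Maker",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.send"]},
    {"userKey": "student1@district.example", "clientId": "2222.apps.example",
     "displayText": "Free Quiz Maker",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "staff1@district.example", "clientId": "3333.apps.example",
     "displayText": "Travel Deals", "scopes": ["openid", _EMAIL]},
]
_ORDER = {"revoke-first": 0, "revoke": 1, "keep": 2}

def audit_grants(grants, approved=APPROVED_CLIENT_IDS):
    """Group grants per app; rank unapproved apps with high-risk scopes first."""
    apps = {}
    for g in grants:
        app = apps.setdefault(g["clientId"], {"name": g.get("displayText", "?"),
                                              "users": set(), "risky": set()})
        app["users"].add(g["userKey"])
        app["risky"].update(s for s in g.get("scopes", []) if s in HIGH_RISK_SCOPES)
    report = []
    for client_id, app in apps.items():
        if client_id in approved:
            action = "keep"
        else:  # "everything else we shut off"; risky scopes set the priority
            action = "revoke-first" if app["risky"] else "revoke"
        report.append({"client_id": client_id, "name": app["name"], "action": action,
                       "user_count": len(app["users"]),
                       "risky_scopes": sorted(app["risky"])})
    report.sort(key=lambda r: (_ORDER[r["action"]], -r["user_count"], r["client_id"]))
    return report

if __name__ == "__main__":
    for row in audit_grants(SAMPLE_GRANTS):
        print(row["action"], row["name"], row["user_count"], row["risky_scopes"])
```

Approved apps are kept here even if they hold high-risk scopes; their `risky_scopes` list is still reported so the vetting team can confirm the access matches what was approved.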
#7.) Create a process for vetting apps
Going along with #6, you need to create a process for reviewing and vetting apps. New edtech tools are entering the market all the time. There’s nothing inherently wrong with using them. You simply need to make sure you’re controlling the situation and doing everything you can to protect and secure your data, rather than allowing a free-for-all.
Gaddis and Garrett both agreed that you need a cross-functional team for creating your vetting process. Collectively, they recommended at least considering including:
- Teaching staff
- Curriculum staff
- Business departments
- Possibly your superintendent and/or a member of the school board to gain support from leadership
Garrett shared that CITE has some great resources for creating and communicating your edtech vetting process that are helpful for districts in all states.
#8.) Maintain & train your vetting process
Lest you thought we were going to overlook it, it’s not enough to simply create a process. Once you’ve established and documented a process, you need to communicate it to your stakeholders, train them on how it works to set expectations, and then maintain the process going forward. You will also need to review your process periodically and likely adjust, particularly in the early days as things come up that you didn’t consider initially.
“My advice is that you don’t want to just develop your plan. You’ll also want to make sure it’s trained on appropriately, and you’re following it up with good resources,” said Garrett. “Also, have conversations and training regularly with staff so you know what’s occurring in your environment and can support needs as best you can.”
Gaddis shared that CoSN also has some great resources in its Trusted Learning Environment program that helps with this.
#9.) Don’t do it alone
You’re probably acutely aware that this is not a popular process in most districts. It is usually narrowly regarded as the technology team taking away everyone’s favorite tools.
That is one of the reasons why it’s important to involve key stakeholders in your overall edtech student data privacy and security process. Garrett and Gaddis recommended involving at least one representative from the following stakeholder groups:
- Academic staff
- Student support services
- Finance team
- Leadership team
- School board
“By involving the right people in your process, you’re empowering your staff, rather than forcing them. Otherwise, they’re going to see it as you’re putting another process on top of them to hinder what they’re trying to do in the classroom, and that is the last thing we want to do,” said Garrett.
Not doing it alone also extends past the confines of your own school district. Reach out to your counterparts in other districts to learn how they’re addressing this issue. What challenges have they faced? What is working well? What isn’t working so well?
“This is a national conversation we’re having. There’s a reason why people are not only joining this webinar, but people are having conversations nationally at conferences,” Gaddis said. “So, don’t do it alone in isolation in your own district. You don’t have to reinvent the wheel.”
“We had one vendor of a very popular application change their terms this past spring to include wording that they could geo-locate our kids. We happen to catch it, though I’d say probably 99% of people across districts didn’t catch it,” Gaddis recalled. “We had to have a long conversation with the company about that change and, ultimately, we made the decision to no longer allow that application. My understanding is that they no longer geo-locate kids, but it’s an example that you have to be knowledgeable and stay on top of these things, which I know is really hard because we’re short staff already.”
#11.) Compliance is just the beginning
Student data privacy and security laws have been around for a long time. Regulations like FERPA, CIPA, HIPAA, etc. do regulate how schools can share and secure sensitive information. Many state student data privacy laws have also been cropping up over the past several years.
The problem with many of these laws is that there’s really no accountability. Therefore, district leaders and school boards have been able to get away with de-prioritizing security measures for decades. And we’re experiencing the very real consequences of that mindset now.
“There are no teeth in the laws,” Gaddis said. “The idea with FERPA, COPPA, and CIPA, for example, is that you could lose federal funding if you don’t follow the guidelines. But the truth is that never happens. And yet, we know that our data is more at risk.”
Garrett described the new California consumer protection law, the Consumer Privacy Rights Act (CPRA), as an eye-opener for a lot of people.
“There were a lot of parents, teachers, and staff who that was an eye-opener for them. They were asking questions like, ‘Why do we need to have this law? What do you mean when I download an app it takes all this data?’” Garrett explained. “Well, you already gave it permission to do what you need to do. Even now, with all the laws that we’ve had in California for consumer privacy and protection, so many still aren’t aware. So, when I think about people in other states who don’t have consumer laws, people just aren’t aware of how much data is being collected and used. You need to be having those conversations because if you don’t it’s going to get harder as time goes on.”
Student data privacy and security in education technology is a huge topic that will not be solved in one day, or even one year. The goal is to keep getting a bit better at managing your district’s edtech tools and 3rd party applications as you can.
Let’s be honest, auditing and controlling applications is a contentious undertaking for most technology teams. Many continue to “kick the can” down the road to deal with it later. Others are ignoring it. Most simply don’t realize how big of an issue it is.
I’ll leave you with this sentiment from Libbi Garrett:
“It shouldn’t be us against our CTOs, or us against curriculum, or teachers, or superintendents, or school boards. It should be all of us, nationally, against them: the people who are coming after our data.”