A K-12 data privacy program should infuse the school district with a defined purpose for collecting, using and sharing data.

In the past year we’ve had hundreds of conversations with educators and students about student support needs. It’s critical that as schools capture more data about support needs that well-defined policies and practices are in place to protect privacy, and student data privacy has come up in almost every conversation. Many schools are tracking student information for Multi-Tier Systems of Support (MTSS) in spreadsheets and forms that don’t offer field-level security or the ability to track or monitor who has access to what information. Given the lack of well-designed tools to support a holistic MTSS implementation, this isn’t surprising. But, as MTSS becomes more embedded in practice, it’s critical to address the student data privacy implications — which is one reason we’re building Intellispark Pulse.

Student data privacy is top of mind for us, and we know it is for the schools and students we serve. With this in mind, we invited Linnette Attai, a noted expert on the subject to provide a guest blog post. She offers a path to build a K-12 data privacy compliance program that can give all who serves students peace of mind.

—        —        —        —        —

When building a data privacy compliance program to protect the privacy of student data, it’s tempting to think that we can be successful by simply establishing policies that articulate our requirements and rolling them out to our teams to implement. However, more than anything else, data privacy is about our behavior, and policies are only words on paper — a formal documentation of expectations. They don’t change anything if we haven’t laid the proper foundation and given our teams a reason to prioritize them.

People are often only willing to change their behavior when they have a reason and a purpose for doing so. Given that, a strong data privacy program should infuse the organization with a defined purpose for collecting, using and sharing data. It needs to be developed in a way that looks beyond what can’t be done with data and invigorates the teams around what can be done ethically to support student success.

Understand your goals

The path forward is often to look beyond your reporting requirements and the basic necessity of collecting student data to run the school and consider some of the larger questions about the purpose and value of student data. For example, what do you want to do with student data? How can you use student data to fulfill your school system mission and vision? Since everyone in the school has a role to play in protecting student data privacy, what would it look like if employees were working together to ensure that the mission-driven purpose was realized? How would that benefit your students? Can you articulate a vision for working differently and lead your teams to collaborate around it? Answering these questions will help you and your teams to better understand the need to change behavior for the betterment of your students.

Once you have your teams working on the challenge, you are on your way to earning their buy-in around consistent application of requirements to properly use and protect student data.

Define a data use and protection mission statement

Continue the work by developing a data use and protection mission statement. Let this be the new touchstone or lens through which everyone can filter decisions about the use and protection of data. This will also inform the policies you develop, in alignment with the legal requirements and community expectations. By leveraging your new mission statement, your policies and will also empower individuals and teams to make smart, consistent decisions about data use that benefit students.

When done well, the benefits of building a mission-driven compliance program are significant and tangible. The commitment to protecting student data privacy increases, risk is reduced, the predictability of practices and efficiency improves, and knowledge and collaboration between teams increases.

Remember that protecting the privacy of student data is a complex function that requires a depth of knowledge, ongoing monitoring, vigilance, review, training and adjustment. It is a living, breathing function that is never quite finished, and it requires constant care and attention to remain viable. Much of that life comes from the employees who implement the policies and processes on a daily basis. Keep them inspired and energized around the work by keeping the bigger purpose top of mind.

So before you put pen to paper on your next data privacy policy, set your organization up for success by creating an ethical, mission-driven backbone for your data privacy program. Bring it to life in a way that makes it easy for your teams to understand that protecting the privacy of student data is meaningful, important and central to their role in the organization.

For more information about how to build an effective student data privacy compliance program, please see Linnette’s book: Student Data Privacy: Building a School Compliance Program.

Linnette Attai

Linnette Attai

Linnette Attai is the founder of PlayWell, LLC, a global compliance consulting firm providing strategic guidance around the complex obligations governing data privacy, marketing, safety, and content. Linnette brings more than twenty-five years of experience to the work, advising on privacy and marketing regulations, developing policy, and building organizational cultures of compliance. She also serves as virtual chief privacy officer and General Data Protection Regulation (GDPR) data protection officer to a range of organizations. Linnette is a recognized expert in the youth and education sectors and speaks nationally on data privacy. She is a TEDx speaker and author of the books, Student Data Privacy: Building a School Compliance Program and Protecting Student Data Privacy: Classroom Fundamentals.