This story was originally published by Chalkbeat. Sign up for their newsletters at ckbe.at/newsletters.

When Adrienne Staten’s fellow teachers first started talking about using artificial intelligence tools in their classrooms, Staten was not on board.

“AI was scary to me,” said Staten, who’s been a Philadelphia educator for 27 years. “It was like some ‘I, Robot,’ they’re going to take over the world kind of stuff.”

Staten teaches English at Northeast High School, the city’s largest high school, where many of her students have learning disabilities, are dealing with trauma and mental health challenges, or are learning English. She said she didn’t think incorporating a new technology into her lesson plans would help much.

Then, about three years ago, a colleague wrote Staten a poem using an AI chatbot. That completely blew her mind, she said. From there, Staten decided she had to learn more about generative AI, how it works, how she could use it as a teaching tool, and how to inform students about the pitfalls, biases, and privacy dangers of the emerging technology.

AI companies have made grand promises to teachers and school leaders in recent years: Their product will personalize student learning, automate tedious tasks, and in extreme cases, transform the role of teachers altogether. But experts have also raised ethical concerns about how student data is used (and misused) by AI companies, how students can use AI for cheating and plagiarism, the erosion of critical thinking skills, and the spread of misinformation.

Philly school officials say they’re grappling with these questions, while also asserting that the district is leading the way on AI through a professional development program that begins this year. The district has established detailed guidelines and procedures for using AI that attempts to protect student data privacy. But those policies haven’t stopped the district from rethinking certain tasks, like the way teachers design assessments and judge skills such as writing.

As the technology becomes more advanced and embedded within peoples’ lives, teachers like Staten want more support and guidance about it. That means the district must respond and evolve quickly. They also want to guard against how previous technological innovations affected schools and students.

“Everyone seems to have forgotten all of the lessons learned from the social media era,” said Andrew Paul Speese, deputy chief information security officer for the district. “If this tool is free, you are the product.”

How Philadelphia schools are experimenting with AI

When ChatGPT became popular a few years ago, Staten said, “I think we all as teachers were uncomfortable.” Their first thought was that students would use it to cheat, she said.

But what she found is that some of her students were “petrified of it.”

“They don’t understand how it works. They don’t get the idea that just because it spits something out, it doesn’t mean you have to use it,” she said.

Staten can relate. Her early days of teaching involved a lot of printed paper, textbooks, and handwriting. When the district gave teachers “brand-new, shiny computers,” they sat unused in her classroom. She said she was not a particularly tech-savvy person — until COVID.

Now, every student has a Google Chromebook laptop, and the access to technology has transformed how Staten thinks about lesson planning. Being able to do their own research gives all of her students ownership of the lesson, and it’s changed how they respond to activities, Staten said.

Her students who are English learners have found using AI helps them feel more comfortable with their writing and grammar while also giving Staten an opportunity to talk about tone and voice in their writing.

The AI will “spit something out,” and then it’s a conversation starter with that student to determine “is that really you? Does that sound like you? Do you know what this word means?”

Ultimately, Staten said she wants her students to learn how to use machines as a tool to help them locate their humanity within their own writing.

In general, that’s the sort of attitude the Philly school district wants to cultivate. But the district has also prioritized being very clear about what the policies are for acceptable use of AI that guide that enthusiasm, said Fran Newberg, deputy chief in the district’s office of educational technology.

Since November, the district has been training teachers to work with two approved generative AI tools: Google’s Gemini chatbot (which is available for high school students and staff) and Adobe’s Express Firefly image generator (available for all K-12 students).

Both of those programs are examples of generative AI, which includes any tools that draw on a dataset to create new work, such as large language model chatbots like ChatGPT, or programs that produce images, music, or video.

The district’s guidelines for generative AI provide broad resources for some of the most frequently asked questions about academic integrity, verifying information produced by an AI tool, and some examples of how AI could be used in the classroom.

Above all, the district’s guidelines say educators must require students to disclose their use of AI and use citations where applicable.

Balancing passion with appropriate limits can yield encouraging results. At one district school, Newberg said elementary students wrote detailed descriptions of their own imaginary mythological bird creatures. Then, they drew pictures of what they thought their bird would look like. At the end of the project they plugged their descriptions into Firefly.

She said those students looked on in wonder as their drawings and paragraphs were brought to life.

School leaders worry about student data privacy, safety

The district’s approach to AI policy has provided a foundation for what some experts hope will guide national efforts to use AI in education.

Starting this month and next, the district is rolling out a new professional development program called Pioneering AI in School Systems, or PASS. Developed in conjunction with the University of Pennsylvania, PASS provides three tiers of professional development involving AI — one for administrators, one for school leaders, and one for educators.

Michael Golden, vice dean of innovative programs and partnerships at Catalyst @ Penn Graduate School of Education, said by the fall of this year he and his colleagues hope to make PASS available to any school district in the country and across the globe.

“We’re building on the prowess and expertise in Philadelphia to create something that’s scalable and usable in many different contexts,” Golden said.

The district’s enthusiasm for and caution about AI are part of what made Philly an attractive option for the professional development program. But in some ways, the district was pushed to embrace the technology.

Speese, the district’s deputy chief information security officer, said two things happened that forced the district to take AI seriously.

First, in August 2023, an influx of Philadelphia teachers asked for support and information about generative AI just as New York’s school chief made a decision to block ChatGPT citing “negative impacts on student learning, and concerns regarding the safety and accuracy of content.”

Then, Microsoft made its AI assistant, called Copilot, a mandatory part of their software.

Philadelphia has been a Google-centric district. But Speese said he knew if Microsoft was mandating AI in its software, he suspected Google would soon follow. If district officials banned AI tools altogether, it could completely cripple student computers, email servers, and other systems. A blanket ban could also push some students and teachers towards untested models, putting themselves and their schools at risk.

“Obviously, even if we tried to block it, people are going to be using it on their mobile phones so how do we enable you to use these tools in a way that makes sense within our environment?” Speese said.

So district officials set about changing contracts to include language about safe data collection, privacy, and data storage.

The contract language stipulates the data a student feeds into the tools and the output those tools generate must be “housed exclusively in the United States,” can’t be sold or shared without permission, and that vendors won’t use the data to train their AI models.

“Parents have a right to feel that we are doing everything we can to protect their children’s digital footprint,” said Newberg, the deputy chief for education technology.

AI companies have run afoul of other state’s laws and other school district’s rules. One whistleblower told Los Angeles school officials that the AI tool their district adopted was misusing student records and left sensitive student information open to potential hackers.

Newberg drew a connection between AI and the reaction to the rise of social media. She said district leaders initially brushed off social media as a tangential development. But then social media started impacting students’ mental health, increased cyberbullying, and broadcast photos and sensitive student data to the world.

“We want our students to start having agency and start being skeptical,” Newberg said. “We were not as smart with social media.”

But new, free, and experimental AI tools pop up every day. It’s hard for guidelines and rules to keep up.

For teachers like Staten, educating her students about the biases embedded in these systems, how to protect their privacy, how to see through misinformation, and recognize when a fact is actually an AI-generated hallucination, is paramount. And that’s what keeps her up at night.

“I just want to know that I gave them all the equipment and tools that they need to be okay out there,” Staten said. “It’s a process. I realize that it’s going to take some time.”

Chalkbeat is a nonprofit news site covering educational change in public schools.

For more news on AI in education, visit eSN’s Digital Learning hub.

Key points:

• Every privacy program needs leadership to champion the work
• Is your district safeguarding student data?
• Protecting our students: The urgency of securing education data
• For more news on data privacy, visit eSN’s IT Leadership hub

In the year 2025, no one should have to be convinced that protecting data privacy matters. For education institutions, it’s really that simple of a priority–and that complicated.

Despite the passage of over 130 state student data privacy laws, headlines about data breaches in school districts remain alarmingly common. The stakes have never been higher–and strong, top-down leadership is needed to ensure institutions understand the complex landscape and effectively protect student data.

Protecting student data privacy is top of mind for so many who are involved with and invested in the education sector–especially in an increasingly digital learning environment. Yet, for all the concern over how to best safeguard student data, there has been little examination of just what school districts are actually doing to protect student data privacy–or what types of support they need to be more successful.

Certainly, we know that data breaches in education are a pressing issue, and over time, we’ve started to better understand what districts need to help shore up their security efforts. But what about the many other factors involved in protecting student data, like the decisions districts make about what student data to collect, how to use it, how to handle it, who to share it with and how long to keep it?

For the first time, with the CoSN 2025 National Student Data Privacy Report, we have real insights into how school districts across the country are addressing their student data privacy requirements. You might be surprised by the results.

For many years, the education community–including school districts, parents, legislators, and the variety of organizations developing resources to support district privacy work–has had a concerted focus on privacy concerns related to school districts sharing student data with technology vendors. That’s absolutely important, and it should continue, but it’s also woefully inadequate.

As district edtech leaders from across the country have told us, their top concern when it comes to protecting student data privacy is effectively managing employee behavior. Challenges include being unable to 1. enforce employee-facing privacy policies; 2. mandate privacy training for staff; 3. control the influx of free and low-cost technologies into the classroom; and 4. simply not having sufficient privacy and security policies to serve as a basic foundation for student data privacy and security programs.

Thankfully, building momentum to improve student data privacy programs takes just one key ingredient: leadership.

The report’s findings reveal that student data privacy requires greater attention from leaders in state education agencies, school boards and superintendent roles. Notably, nearly 90 percent of edtech leaders say they are responsible for their school district’s student data privacy programs and rank data privacy as one of their top two priorities. Yet, 17 percent say they have never received any relevant data privacy training–and 73 percent say data privacy is not included in their job description. Moreover, 20 percent noted that lack of support from their superintendent was a barrier to improving their district’s student data privacy program.

Every privacy program in every organization needs leadership to champion the work, highlight its importance to the organization, and lead by example. In the education sector, superintendents can clear pathways for edtech leaders to improve their student data privacy program by breaking down organizational silos, clearing pathways for mandatory privacy training and technology vetting programs, enforcing policies, and partnering with their technology teams to develop new privacy and security policies.

When leadership is clear on what student data may be collected, how it will be used, shared, protected and retained, the institution operates more effectively around those core requirements. This clarity strengthens internal processes and builds fluency, making it easier to apply data privacy mandates externally as well. 

At its core, privacy is not about the machines; it’s about the people. For many school districts, successful implementation of a student data privacy program may require some form of organizational change, and change management starts at the top. The rest of the work is hard enough, but once leadership has set the right tone and cleared the pathway, the rest of the road forward becomes much easier to navigate.

Key points:

• The structure to develop, implement, and sustain a privacy program may not yet be in place across all districts
• The advantages of edtech compliance for schools and vendors
• Protecting our students: The urgency of securing education data
• For more on data privacy, visit eSN’s IT Leadership hub

Protecting student data is critical for school district IT leaders, but many cite leadership and training gaps, along with time and manpower, as obstacles in that pursuit, according to the 2025 National Student Data Privacy Report from CoSN.

The report is based on results of a survey of school district edtech leaders from across the country. The report, divided into two parts, provides an unprecedented look into how districts are managing the critical task of safeguarding student data.

With more than 130 state student data privacy laws that have proliferated across the country and a steady stream of headlines highlighting data breaches in schools, the importance of safeguarding student data has become more critical than ever. The report examines how those responsible for student data privacy programs assess their district’s privacy practices, the tools and resources available to them, additional supports they find valuable and barriers to improvement.

“The 2025 National Student Data Privacy Report underscores the urgent need for stronger leadership, training and resources to protect student data in an increasingly digital world. The report provides a roadmap for districts to build stronger, more resilient privacy programs and highlights the significant impact of CoSN’s Trusted Learning Environment (TLE) Seal in fostering leadership alignment and cross-departmental collaboration,” said Keith Krueger, CoSN’s CEO.

CoSN surveyed more than 400 edtech leaders from across 39 states and the District of Columbia. Key findings from the report include:

Leadership and training gaps: Nearly 90 percent of edtech leaders who participated in the survey noted that they oversee their district’s student data privacy program, yet 73 percent say it’s not part of their job description and 17 percent have never received any relevant privacy training. A quarter of those trained paid out of pocket.

Barriers to improvement: Time and manpower (60 percent), guidance on federal laws (47 percent), state laws (46 percent) and privacy expertise generally (38 percent) were more frequently cited as barriers than financial resources (36 percent).

Employee-related concerns: Eighty-nine percent cite employee-related issues as extremely or very concerning, including challenges managing behavior (76 percent), controlling the influx of free and low-cost classroom technologies (69 percent), enforcing policies (55 percent) and mandating privacy training (49 percent).

Program performance disparities: Districts that have earned the CoSN Trusted Learning Environment (TLE) Seal, or have indicated that they are working towards obtaining one, are far more likely to outperform other districts with respect to the breadth and maturity of their student data privacy programs.

Opportunities for improvement: While district edtech leaders are committed to student data privacy, the necessary organizational structure to develop, implement and sustain a privacy program may not yet be in place across all districts. The report’s findings indicate the importance of reinforcing a commitment to student data privacy from leadership as a core priority while providing district EdTech leaders with training and implementation support to strengthen privacy practices.

“Protecting student data privacy has never been more important. The report demonstrates–for the first time–what school districts really need to be successful in their privacy efforts and the steps that every district can take to improve,” said Linnette Attai, project director of the CoSN Student Data Privacy Initiative and Trusted Learning Environment Program, and president of PlayWell, LLC.

The CoSN TLE Seal and the new TLE State Partnership Program are designed to close these gaps by equipping districts with actionable resources, training and a proven rubric of 25 data privacy practices.

States like Illinois, Indiana, North Carolina and South Carolina are already partnering with CoSN to empower districts through this initiative. By achieving the TLE Seal, districts not only reinforce their commitment to protecting student information but also build trust within their communities, setting a standard for excellence in data privacy and security that benefits students, families and educators alike.

This press release originally appeared online.

Key points:

• Modern compliance is playing a crucial role in keeping threats at bay
• Protecting our students: The urgency of securing education data
• Building a culture of trust to protect personal data
• For more news on data protection, visit eSN’s IT Leadership hub

The edtech sector is booming. Valued at $334.2 billion in 2023, it’s projected to grow 14.13 percent annually to hit $738.6 billion by 2029. Schools are increasingly adopting technological solutions that enhance learning outcomes and simplify administrative tasks–from eLearning platforms to teacher scheduling apps and parent communication tools.

But with great tech comes great responsibility. Demonstrating you can protect data is no longer optional. In education, where safeguarding children’s privacy is paramount, data safety is a hallmark of quality and trust.

Transparent and third-party validated security practices can provide schools peace of mind when choosing the right vendors. For tech companies, thanks to modern advancements, developing programs to meet these needs has never been easier, allowing them to gain a competitive advantage with better data safety practices.

Modern compliance is a frictionless process for edtechs

Managing a compliance program wasn’t always seen as an asset for tech companies. It was deemed a burdensome task that went against a company’s best interests–auditors used to be perceived as judges who spot flaws rather than exalt good qualities and seek improvement. But today’s compliance processes are far from this notion, thanks to a better understanding of tech companies and improved auditing tools.

Modern compliance, especially when referring to SOC 2 reports or certifications like ISO 27001, supports vendors by keeping their needs in mind first and foremost. For example, auditors now use governance, risk, and compliance (GRC) tools that connect to a company’s tech stack to monitor compliance practices and suggest improvements.

These programs reduce the need for endless questionnaires and business interruptions, as compliance processes are running in the background rather than through endless paperwork. Auditing has also become more asynchronous, letting companies continue their operations as usual and meeting with auditors as needed throughout the process.

This highly technological and streamlined approach also gives auditors more time to discuss companies’ doubts, preferences, and expectations, allowing them to gain a deep understanding of what each organization wishes to achieve with compliance. As a result, auditors run more purposeful and tailored audits, giving companies actionable advice to improve their operations rather than highlight their weaknesses.

Compliance makes vetting easier for schools

Becoming compliant can be a massive business enabler by streamlining the vetting process for schools. These institutions, just like any other organization looking for vendors, evaluate their options with a magnifying glass to ensure services are safe and meet their standards.

SOC 2 and related reports help vendors demonstrate their security posture in an easy-to-read document that includes different testing criteria, areas of improvement, and an auditor’s assessment of company practices. This neatly organized document answers many of the security questions a school might have, bypassing the usual security questionnaire step in favor of this comprehensive report.

Early compliance adoption gives vendors a competitive advantage

Becoming compliant isn’t necessarily on every tech founder’s priority list–they might have an MVP to finish, investors to attract, and a customer base to secure first. However, there are benefits to adopting compliance early that will make significant differences for vendors down the line. Implementing it as early as possible is the best time to start.

Infusing compliance from the beginning will strengthen a product’s or service’s foundations, codifying data safety in every aspect of its operation. From the way engineers develop the software to how service contracts are drafted, security will permeate every corner of a vendor’s offering.

Early adoption also means compliance and security are built into company culture, placing efforts like employee awareness training and risk management strategies front and center in the company’s mission and values.

As such, a vendor’s commitment to data safety will be engraved in everything it does, giving investors and clients the confidence that the company takes data safety seriously. For an industry as regulated as education, this trustworthiness is a significant competitive advantage that shines through when schools choose their applications and software.

As schools continue to invest in technology, additional resources can be expected to focus on properly vetting vendors to safeguard student privacy. Modern compliance is playing a crucial role in keeping threats at bay and helping companies prove their commitment to safety. Today’s audits meet tech companies where they are with technological tools to ascertain their security practices and ease them into the vetting process–ultimately streamlining dealmaking, giving schools peace of mind and vendors a clear competitive advantage.

Key points:

• The education sector is a high-value target in today’s threat landscape
• Creating IEPs with GenAI while ensuring data privacy
• It’s not business, it’s personal: Building a culture of trust to protect data
• For more on student data, see eSN’s IT Leadership hub

When considering industries such as finance or healthcare, the potential for sensitive data to fall into the wrong hands is a common concern. These sectors are prime targets for cybercriminals due to the financial and personal information they store. But there is another critical area often overlooked in these discussions: education.

Our educational institutions, from elementary schools to universities, are not immune to the growing threat of cybercrime. They gather a lot of personally identifiable information (PII) such as contact details, health data, and Social Security numbers. For many K–12 students, this represents an early introduction to the risks of digital data collection–and, unfortunately, cybercrime. Schools across the U.S. are already seeing an uptick in cyber threats, making it clear that protecting student data should be a top priority.

Identity theft begins before graduation

The frequency of data breaches in the education sector surged in 2023, compromising the private information of students, parents, and educators. This highlights a significant vulnerability: While schools increasingly rely on digital tools and platforms to enhance learning, many lack robust cybersecurity measures to safeguard sensitive data.

Parents provide schools with sensitive information about their children at the start of each school year, such as immunization records and medical histories. This creates an opportunity for cybercriminals to exploit students’ personal data. For instance, in 2023, the MOVEit ransomware attack affected over 800 educational organizations, compromising the personal information of nearly 1.7 million individuals. Children are particularly vulnerable to identity theft because they rarely monitor their credit, making them prime targets for long-term fraud.

According to a report from Sophos, 80 percent of K–12 schools and 79 percent of higher education institutions in the U.S. were hit by ransomware attacks in 2022–a sharp increase from previous years. These incidents highlight the growing threat to educational institutions, where cyberattacks often exploit system vulnerabilities, putting student and staff data at serious risk.

Misunderstanding cybercrime motivations

Despite the alarming rise in attacks, many have grown worryingly apathetic. Social media is flooded with comments like, “When will hackers pay off my debts since they’re already in the system?”–a sentiment that reflects the growing indifference toward the constant threat of cybercrime.

This attitude stems from a misunderstanding of cybercriminals’ motives. It is crucial to remember that hackers and ransomware attackers are not pranksters–they are financially driven opportunists who aim to exploit vulnerabilities, steal data, and hold systems for ransom. This knowledge should fuel our vigilance and caution in the face of cyber threats.

Historically, education was not a prime target, but that has changed. Cybercriminals are increasingly focusing on schools and universities as lucrative targets. As this threat grows, securing data in educational institutions must become a higher priority.

Steps to prevent data theft in education

Weak cybersecurity measures have made educational institutions attractive targets for cybercriminals. Data from the 2024 Sophos State of Education report revealed that 85 percent of ransomware attacks on K-12 schools and 77 percent on higher education institutions involved data encryption. The financial toll has been significant, with the cost of recovering from attacks doubling for K-12 schools and quadrupling for universities.

A key issue is that educational institutions often disclose data breaches slowly. For instance, only 29% of K–12 schools publicly disclose cyberattacks, though the actual number of incidents is likely higher. This lack of transparency increases risks significantly, as individuals may remain unaware their personal information has been compromised for an extended period, making it harder to prevent further misuse of stolen data.

Cybercriminals continue to target educational institutions, and current security protocols are insufficient. While perfect security may be impossible, schools can take steps to improve data protection.

Prioritizing data protection in education

To better defend against cyber threats, the education sector must prioritize investing in comprehensive data protection solutions. Encryption and tokenization are two powerful techniques that can help shield student and teacher data by making it useless without proper decryption keys. Even if attackers breach a system, encrypted data remains inaccessible.

Schools must also adopt transparent cybersecurity policies. It is crucial to work with external vendors to ensure all digital tools and platforms meet strict security standards. Additionally, promoting cybersecurity awareness among parents, educators, and students can reduce the risk of human error, such as falling for phishing scams.

Conclusion

While the education sector is often overlooked in discussions about data security, it is undeniably a high-value target in today’s threat landscape. Protecting all data is important, but safeguarding the personal information of young students is especially critical. By investing in the right data protection technologies and fostering a culture of cybersecurity, schools can improve their defenses and protect the futures of both students and educators.

Now is the time to act before cybercriminals strike with even greater force. The security of our children and teachers depends on it.

This article originally appeared on CoSN’s blog and is reposted here with permission.

Key points:

• AI tools can benefit students, but student privacy must be protected
• Creating IEPs with GenAI while ensuring data privacy
• It’s not business, it’s personal: Building a culture of trust to protect data
• For more news on GenAI in schools, visit eSN’s Digital Learning hub

In recent years, school districts have shown increasing interest in the potential of Generative AI (GenAI) to revolutionize education. GenAI offers the promise of enhancing personalized learning, streamlining administrative tasks, and providing innovative educational resources. However, as districts rush to adopt these cutting-edge technologies, they must carefully select the right AI tools to meet their unique needs. This rapid adoption brings significant risks, particularly regarding data privacy and accessibility.

Ensuring that AI tools protect student data and comply with accessibility standards is crucial for creating an inclusive and secure educational environment. This blog post will explore expert recommendations for selecting GenAI tools, helping districts navigate these challenges effectively. 

Data privacy considerations and recommendations for GenAI adoption in schools 

Linnette Attai, Project Director for CoSN’s Student Data Privacy Initiative and President of the compliance consulting firm PlayWell, LLC, shares insights on data privacy risks associated with adopting GenAI tools and offers guidance for responsible implementation. 

While security breaches are a common concern, Linnette emphasizes that protecting students’ privacy and data involves more than just avoiding breaches. There is a broader responsibility to safeguard students’ emotional well-being and personal information, or as she calls it, a ‘responsibility of care.’ Key privacy considerations include: 

Ownership and control of data:

District leaders should be cautious when using large language models not specifically designed for educational purposes. These models might use student data to further train the AI, raising concerns about the commercial use of personal information and potential exposure of sensitive data. In addition, for some districts, any type of commercial use of personal information is unlawful. 

Linnette advises districts to adhere to fundamental practices when adopting new tools: 

1. Have a clear objective: Despite the growing popularity of GenAI tools, districts should identify a specific reason for their use. This approach ensures that the tool aligns with district needs and maximizes its impact on student outcomes. 
2. Be informed before testing: Districts must thoroughly understand the tool, including its privacy practices, security measures, and contract terms, before making a commitment. Especially, districts must ensure that the tool will be used solely for educational purposes. 
3. Start with staff: Testing AI tools with staff, rather than students, helps avoid premature exposure of student data. Some companies offer beta tests or sandboxes for staff to simulate student experiences, which can be a valuable way to assess the tool’s effectiveness. 

A practical example: Hinsdale Township High School District 86 

Keith Bockwoldt, Chief Information Officer for Hinsdale Township High School District 86 in Illinois, shares his district’s thoughtful approach to GenAI. Keith’s ‘Reimagining Learning through Innovation’ program allows teachers to pilot new tools funded by the district’s IT budget. Teachers submit proposals for evaluation, which are assessed for compliance with data privacy policies before pilot implementation. Teachers must then provide evidence of the tool’s impact by year-end, and the department reviews whether the tool should be adopted more broadly. 

Keith highlights two critical considerations: 

1. Vendor compliance: He ensures vendors are aware of and comply with data privacy policies, such as the Student Online Personal Protection Act (SOPPA). He discusses data protection measures, including data purging and storage practices. 
2. Ongoing vendor engagement: Continuous communication with vendors is crucial for maintaining compliance with data privacy standards. 

Ensuring accessibility 

Jordan Mroziak, Project Director for AI and Education at InnovateEDU, emphasizes the need for a deliberate approach to adopting new technologies. He warns against the educational arms race of adopting unproven or potentially unsafe AI products. Instead, districts should focus on meeting the needs of all students, particularly those who are underserved or disadvantaged. As a helpful resource, Jordan shared his and his colleagues’ work with the EdSAFE AI Industry Council, which aims to offer guidance and reliable standards for districts exploring GenAI tools. Companies join this alliance by demonstrating how their products adhere to the SAFE framework for AI, which focuses on safety, accountability, fairness, equity, and efficacy. This collective effort ensures that AI tools are developed with these critical principles in mind, promoting responsible and effective use. 

Additionally, the recent update to ADA Title II requires that accessibility is prioritized from the beginning. Districts must choose AI tools that comply with ADA standards and ensure equitable access for all students. This process includes assessing tools for adherence to accessibility guidelines, involving diverse stakeholders in testing, and making adjustments to meet various learning needs. By addressing these requirements proactively, districts can ensure that their AI tools are inclusive, effective, and legally compliant, thereby maximizing technology’s benefits for every student. 

For more recommendations on accessible GenAI implementation, read Blog 5 of this series: Adapting to ADA Title II: Effective Strategies for Accessible AI in Education. 

The integration of Generative AI tools into education offers significant opportunities for enhancing learning and efficiency. However, it also poses challenges related to data privacy and accessibility. Thoughtful implementation and ongoing evaluation are essential to maximize the benefits of these tools while ensuring the protection and support of all students. 

This story on data privacy in special education originally appeared on CoSN’s blog and is reposted here with permission.

Key points:

• Ensuring data protection helps prevent discrimination and stigmatization
• How to maintain secure access and data privacy
• It’s not business, it’s personal: Building a culture of trust to protect data
• For more news on data privacy, visit eSN’s IT Leadership hub

Adam Garry is the former Senior Director of Education Strategy for Dell Technologies and current President of StrategicEDU Consulting. Through his expertise as a professional development strategist, he has supported districts in the implementation of Generative Artificial Intelligence in their schools. CoSN approached him to discuss the importance of data privacy and the different approaches towards creating IEPs with GenAI while ensuring student data privacy. 

Protecting the data of students with disabilities is crucial for several reasons. Firstly, all students have a right to privacy, and their personal and sensitive information must be kept confidential to protect them from unwanted exposure of their Personal Identifiable Information (PII) and its potential misuse. Ensuring the protection of this information helps prevent discrimination and stigmatization, and in more critical cases, identity theft. To ensure data privacy, legal standards such as FERPA and IDEA have been designed, which require schools to limit the access to the students’ PII. When it comes to the use of Generative AI tools, educators must be aware of the data privacy risks that their implementation entails. 

Special education professionals have started to notice the potential of Generative AI to create Individualized Education Programs (IEPs), as it could help provide recommendations of personalized learning experiences by analyzing vast amounts of data, and tailor educational paths to each student’s unique needs. However, there is a critical concern: IEPs require detailed information about students’ disabilities, learning needs, medical history, and academic performance. Because many AI tools and platforms used in education are developed by third-party vendors, sharing student data through these tools requires trusting that vendors will handle the data responsibly and securely. Any lapse in their data protection practices can result in unauthorized access or exposure. 

Adam suggests a three-level solution for the safe implementation of Generative AI in school districts. The levels are organized in terms of how much personalization of the tool is possible. For each level, he mentions that it is necessary to ponder their risks and rewards. 

General level: Utilizing a Large Language Model (LLM) like Google’s Gemini or Microsoft’s Copilot 

Google and Microsoft have created their own GenAI tools specifically targeted for educators. At a more general level, these tools could be valuable to create personalized content for students. 

1. Reward: Microsoft and Google ensure their tools comply with student data protection regulations. These tools protect user and organizational data while chat prompts and responses are not saved. Additionally, these companies ensure that students’ information is not retained or used to train the AI models (Microsoft Education Team, 2024; Google for Education, n.d.). 
2. Risk: The risk is very low in terms of security, yet it exists. Moreover, there might be some loss in functionality compared to other tools, as it cannot build on from a prompt standpoint. In other words, the prompt cannot “learn” from previous answers, as the latter are not saved by the model.

Small Language Models

Educators could utilize technology from Microsoft or Google to build a Small Language Model. Small Language Models are simpler, more resource-efficient text processors that handle basic language tasks and can be easily deployed on everyday devices like smartphones. Districts can strip out the LLM functions they do not need and focus the tool on specific tasks, such as creating IEPs. 

1. Reward: An SLM maintains the privacy protections established by Google or Microsoft while personalizing the tool for a specific need. By targeting a specific task, it is also easier to set specific guardrails and train teachers. 
2. Risk: In addition to the risks mentioned with LLMs, they might have a more limited knowledge base compared to an LLM. 

The Open-Source Model

The district could create their own GenAI application through the use of an open-source model. This model is a type of artificial intelligence (AI) where the underlying code and data are made publicly available for anyone to use, modify, and distribute. 

1. Reward: The models are highly customizable, allowing districts to tailor them to their specific needs and integrate them with existing systems. This allows them to maintain control over their data, ensuring it is used in compliance with privacy regulations and local policies. 
2. Risk: Setting up and maintaining an open-source model requires significant technical expertise and substantial computational resources, which may necessitate additional investments in infrastructure and staff training. There are security risks involved in handling sensitive student data, and ensuring robust protection is essential. Unlike proprietary software, open-source projects may lack formal customer support, and ensuring legal and regulatory compliance can be complex and challenging. 

Whatever option is selected, Adam highlights the importance of merging the framework that the district has already in place to protect data privacy and go about specific tasks (such as the creation of IEPs) while detailing the tools, guidelines, and resources required in the implementation of GenAI tools. 

Integrating Generative AI tools in school districts offers significant benefits, particularly in creating personalized learning experiences and Individualized Education Programs (IEPs). However, it’s crucial to balance these innovations with strong data privacy measures. By choosing the right AI model—whether a general Large Language Model, a tailored Small Language Model, or a customizable open-source model—districts can enhance education while protecting sensitive student information. With careful planning, school districts can use AI to support diverse student needs in a secure, inclusive environment. 

References: 

Microsoft Education Team. (2024, January 23). Meet your AI assistant for education: Microsoft Copilot. https://www.microsoft.com/en-us/education/blog/2024/01/meet-your-ai-assistant-for-education-microsoft-copilot/ 

Google for Education. (n.d.). Guardian’s Guide to AI. https://services.google.com/fh/files/misc/guardians_guide_to_ai_in_education.pdf

Key points:

• Publishing student images without protections can have serious consequences
• Building a culture of trust to protect personal data
• How to maintain secure access and data privacy
• For more news on student data protection, visit eSN’s IT Leadership hub

In places such as Australia, the UK, and other European countries, strict laws are already in effect to restrict the collection of personal data and the distribution of digital content involving students, to respect those students’ privacy and protect them from harm. But in the US? It’s largely still a free-for-all. Each year, US schools capture, and publish online, millions of images of students, many of which contain personally identifying information. This exposes children to serious risks such as grooming, bullying, AI voice cloning, deepfakes, and identity theft.

However, new legislation to require increased security on social media platforms–as well as lawsuits against social media platforms by parents and school districts–signal that Americans now understand and are mobilizing against the threats that digital environments pose to their children. For school districts, the message is clear: Make changes now, or be swept up in the backlash.

There are three major areas for educators to focus on as they work to protect students’ image privacy:

Infrastructure

Until there is secure infrastructure in place to collect, organize, protect, and share digital content to ensure digital media is processed in a manner that is compatible with data protection law, nothing can be done on other fronts. The technologies that school districts adopt for this purpose need to be airtight, user-friendly, and offer parents or guardians full control over what content is shared.

The following features should be considered a minimum:

• Central, secure file storage to ensure better indexing and organization, and to prevent access by unauthorized parties.
• Direct upload capability, so that no file copies are made inadvertently on personal devices that could make their way onto the internet.
• The collection and management of school media to support schools in gaining real-time exposure, transparency, and control over school media sharing practices, as well as to assist schools in managing parental/legal guardian photo consent.
• Automatic exclusion of unpublishable content, to streamline security processes and prevent human error.
• A priority of user ownership, empowering school districts to change platform settings according to their needs and preferences.
• Parental control over sharing–in a recent survey of US parents, 93 percent said they want control over images of their children, but 42 percent reported that a teacher or school had shared their child’s image online without permission. This has to change.

Consent

It is important that children and young people feel happy about their achievements at school and that their parents have access to images of these special moments. This includes photos and videos taken by teachers during school performances and special events, or by staff and volunteers delivering events and activities outside of school. However, for this to be achieved safely for all students, appropriate safeguards must be put in place to also protect their privacy, especially of high-risk children. Ensuring the timely application of parent and student consent to share digital content is paramount in this digital age.

Digital media platforms can incorporate simple solutions to address many challenges schools face today. Real-time image consent forms, for example, give instant self-managed control to parents and/or students (depending on age) over how their content is captured and shared by the school. These forms also let them see that content, and flag any content they don’t want share publicly. Because people may feel differently about their privacy or personal circumstances change from one year to the next or one moment to the next, a good media management platform should be not only secure, but flexible, allowing users to withdraw or grant consent whenever they see fit. This is not often the case currently: In the previously cited parent survey, 82 percent of respondents said it is important to them to be able to update their consent easily, but only 41 percent reported it is very easy for them to do.

Ethical AI

Manually cataloging vast amounts of digital content is a task educators don’t have time for, and yet, it is their legal obligation to ensure such content is managed efficiently and effectively to protect children. How do they quickly organize the tens-to-hundreds of thousands of photos that schools already have on file and ensure they are handled in an ethical way so that students’ privacy is protected? This is particularly important when managing at-risk students.

When combined with human oversight, research shows AI tools achieve faster and more accurate results than either humans or AI can on their own.

Educators and administrators therefore need to feel empowered and confident to sit successfully at the helm of AI innovation and use it in ways that are trustworthy and effective. Ethical AI application, however, is only possible if a school partners with a trusted solutions provider that is able to deliver on privacy-enhanced technology.

I see the recent wave of concern in the US over the insecurity of student content as a move in the right direction. Until you acknowledge a problem, you can’t begin to solve it. Although they may be further behind than they would prefer, school districts across the country have the opportunity to use innovative solutions to safely secure photos and videos of students. It’s imperative that schools act now to protect students’ privacy and well-being.

This post on data protection originally appeared on CoSN’s blog and is reposted here with permission.

Key points:

• More and more steps have become essential to protect critical data
• How to maintain secure access and data privacy
• 4 ways to improve your district’s data privacy
• For more news on data protection, visit eSN’s IT Leadership hub

Protecting our privacy and security is challenging. Really challenging. It is also inconvenient, time-consuming, and sometimes frustrating. Forgot your password? Yeah, that’s going to take some time to reset. Now, I need to enter a code to verify it is me. Or do I have to complete a CAPTCHA? Why is everything so hard?

All these additional steps have become necessary because bad actors never stop trying to access our data. The network we use at work is bombarded with attacks every day. The web services we use both at work and at home are, too. The attackers are relentless and hope to get a phishing email through, to exploit a vulnerability, or to overwhelm the network with a Denial of Service attack. It sometimes feels like a losing battle, but it doesn’t have to be.

We can work together to build a culture of trust, trust in our leadership, data privacy, security protocols, and each other, starting with a shared commitment to protect our personal data.

The “Why”

To start, everyone needs to understand the “why?”. Why is it so important to protect personal data? The answer: It starts as a business, and it becomes personal. Make it personal for members of your school community to understand what is at stake: identity theft, financial loss, and even physical threats to students and staff.

The “How”

Then, the “how”. How can your staff do their part to protect personal data, both personally and professionally? Ensuring your staff understands their roles and responsibilities related to your data privacy and security policy is a necessary step. Developing a policy isn’t enough; everyone must also know how to follow it. Training that includes data privacy and security best practices to apply at work and home is essential and is one of the best ways to protect the personal information entrusted to your care proactively.

Social Engineering

Educating members of your community about social engineering remains crucial. Phishing campaigns have been working since they started in the mid-90’s. It is hard to believe that we have been subjected to these campaigns for as long as there has been email, but the fact remains that social engineering still works. Most data breaches start with human error, leading to privilege escalation and compromised credentials. Bad actors use what makes us “human” and include elements in campaigns like urgency, reward, and punishment against us.

Sharing the “why” with your staff can foster a culture of trust that encourages the smooth adoption of data privacy protections that require extra steps like multi-factor authentication. Ultimately, we (humans) care about our community and each other.

Cybersecurity is a priority concern for most people accessing the internet. Unfortunately, students aren’t thinking about cyberattacks when they access sites for curriculum, research, and entertainment from their 1:1 devices–devices that are now so prevalent since the pandemic.

Schools’ exposure to cyberattacks has also greatly increased due to expanded remote and hyperflex learning.

Join eSchool News and a panel of experts to learn the latest strategies and tools schools are using to help keep student data safe and ensure students’ digital access is secure.

Key takeaways:

• Learn the latest techniques to secure district systems
• Discover best practices for educating students and families on proper digital etiquette
• Ask cybersecurity experts about your data protection concerns

With K-12 school districts using cloud collaboration platforms more than ever before, the approach to data privacy in schools is looking a lot different than what administrators are used to.

Google Workspace and Microsoft 365 are keeping students and staff connected. These apps have forever impacted the way education is delivered in school.

School districts suffer from data leaks—when a student or staff member shares data outside of the school district’s domain. At the same time, school districts have become one of the most targeted organizations for cyberattacks. Regardless of whether these incidents are malicious or inadvertent, they should not be happening in the first place.

Millions of students and staff have had their sensitive personal information exposed due to the cloud security shortcomings of school districts. The cloud has changed the way districts need to handle the data they store and it’s clear that there is a lack of knowledge among administrators on how to do it.

If you’re a technology leader looking to improve data privacy in your schools, you first need to get more serious about making improvements to the way your district’s data is secured.

The Link Between Data Security and Data Privacy

Data security and privacy in schools are linked. If your school district doesn’t have strong security measures in place, you can’t expect to have great data privacy for your students and staff. Despite the number of incidents impacting school districts increasing, there doesn’t seem to be a rise in concern by administrators—yet.

A recent report found that 37 percent of district-level administrator respondents are not concerned about data breaches. An alarming 43 percent of respondents either are not monitoring for potential violations of government data privacy regulations—such as FERPA, COPPA, and CIPA—or do not know if their district is. Further, 60 percent reported being confident in the security of their district’s cloud environments, but 50 percent said they either do not have a cloud security system in place or do not know if they do.

The report findings suggest that cloud data security is not a high priority for school districts. But, if data privacy is one of the top priorities on your list, data security must also be a priority. Your data no longer only lives in your on-premises servers, hard drives, and school-managed devices. It also lives in the cloud and can be accessed from anywhere, at any time. You must ensure your students and staff are handling their data in ways that will not publicly expose it.

It takes a village to have a strong cybersecurity posture. Administrators, teachers, staff, and students all need to shift their mindset to help keep your data safe and maintain privacy.

4 Ways You Can Improve Your District’s Approach

Administrators—for the most part—under-informed about what it takes to protect your district’s online documents and resources. As you and your team are planning improvements to the way your district approaches cybersecurity and data privacy, here are a few things to consider:

1. Cybersecurity Audit: Take a look at the current cybersecurity approach your team is taking. Which systems are in the cloud? Which are on-site? Once you know where systems are located, implement tactics to protect them. Multi-factor authentication, data loss prevention, and external sharing standards are great places to start when securing your cloud data.
2. Educate the educators: Educate your administrative staff, teachers, and students about the cloud. They may not know the steps that need to be taken to protect data. Further, there are people who don’t know which systems are hosted in the cloud or on-site, or how the differences between the two can impact data privacy and security. Having everyone on the same page can help your team make big strides.
3. Awareness Training: Your staff, teachers, and students are the first line of defense in cybersecurity. At minimum, keep up with cybersecurity awareness training for staff. Integrate cybersecurity education into school curriculum to help educate students on proper cyber hygiene.
4. Rethink Your Resources: Your school district has likely adopted many edtech SaaS applications to help facilitate learning and collaboration since the start of the pandemic. But, have you devoted the resources to securing them? As with your on-site networks and servers, you need resources built specifically to secure data in the cloud.

Based on the report results, more resources must be allocated to cybersecurity. Districts have turned to cyber insurance, but insurance is not a panacea.

Insurance does help, but it’s up to you and all district IT administrators to be proactive in improving how your district’s data is secured.

Older approaches to cybersecurity worked when access only occurred inside school buildings. Your technology team had visibility of the activity taking place on school networks and on locally stored data. However, this isn’t the way school districts operate anymore. More activity is taking place outside of your network and in the cloud where you have less visibility.

As pandemic restrictions begin to ease, your technology team must be forward-thinking in your cybersecurity approach. More learning activity will move to the cloud and cyberattacks will continue to originate there. It’s important for your cybersecurity approach to adapt as well. Doing so will help keep your data safe and protect the privacy of your students and staff.

Cyberattacks and data breaches are infiltrating K-12 communities. To proactively thwart these attempts to steal student data, states such as New York are passing legislation that requires school districts to adhere to stipulated student data privacy compliance regulations.

With so much on their plates already, creating, implementing, and monitoring an effective data privacy compliance strategy is a time-consuming and stress-filled task for most school district leaders.

As the Director of Instructional Technology at a New York school district, I have been leading our data compliance efforts, and I very much understand the significant challenges schools are facing. To help other districts navigate this unpredictable landscape, I have put together the following recommendations:

1. Continuously monitor what your students and teachers are using on their school devices.

With so many free apps and web-based learning tools available, it is extremely difficult for school leaders to track what their students are using if they do not have direct visibility into their students’ and staff’s application usage data. In some instances, teachers are providing their students’ names and dates of birth to access these free resources without realizing the ramifications sharing that information could have on their students’ data privacy.

At my own district, Fayetteville-Manlius School District, we have a rule in place that teachers are not supposed to begin any new software program until they vet it with a member of our instructional technology staff. Despite this policy, I have discovered through CatchOn, a data analytics and data privacy monitoring solution we use, that some educators are continuing to introduce new online tools without notifying our instructional technology team. Even though my team reminds our staff of this policy during our yearly trainings, and the teachers agree to abide by it, I can see through CatchOn that there are products being used that have not been approved and/or vetted.

“I regularly check my CatchOn dashboard to monitor the trending apps being used in the district,” said Chiesa. “Unsurprisingly, there are products being used by teachers and students that are not approved and/or haven’t been vetted, even though our staff has said they would let us know when they wanted to use something and get permission.”

Bottom line:

It’s critical that district leaders keep an eye on what apps and online tools are being used by students and teachers–and not through word of mouth or a survey. You need to actually see what is being used. Some of my colleagues have mentioned that they get this information through their filter, but a filter has so many other functions that it is difficult to track down what apps are being used by whom.

If a program experiences a breach, I can quickly use CatchOn to sort which students have been using that app, see when they used it, and identify how often they used it. Additionally, CatchOn’s IMS Global and Student Data Privacy Consortium data privacy badges add an additional level of assurance and validity regarding the digital tools being used, which is especially valuable for our parent community.

2. Create an organized system for posting and updating approved applications and vendor contracts.

With so many applications being used in their classrooms, it is essential for districts to create an effective tracking system for their edtech tools. Within my district, we are using data analytics to house and track all this critical information because we like having all our approved applications in one place.  Every new software purchase is entered into CatchOn―how much we paid for it, when we purchased it, the renewal date, and the contract. I like being able to quickly see how much we paid for a tool or if we have the contract yet.

Regularly updating the list of approved apps students can use and communicating that list to teachers, students, stakeholders, and parents is also very important. We generate our approved apps and have them posted in multiple places, including on our district website and within our learning management system, which parents have access to.

Bottom line: School districts need to find an effective method of organizing, posting, and updating their approved applications and vendor contracts. And they need to put a system in place to make sure the information does not become stagnant and is regularly updated.

3. Be proactive in your compliance efforts.

Although many states have yet to pass student data privacy legislation, school districts need to be proactive with their compliance efforts and ask questions. Ed Law 2-d was a challenge for everybody in New York, including me, but I’ve really learned a lot through this process.  It’s concerning how long some vendors are keeping their customers’ data–even years after their contract has ended. Also, we are now asking our vendors what security training they provide to their employees who manage their servers.

Districts also need to attain a keen understanding of what software is being used by their students in the event of a breach on the vendor’s side. For example, we had an instance where there was a product that was not approved by our district, and that company had a breach. I reached out to the teachers to confirm it was not being used, and the teachers said they did not use it.  I then checked our district’s analytics, and I could see that there were some individuals using it. Having that visibility is so important because there are always going to be breaches and there are always going to be individuals who may not remember the software they were using.

Bottom line: Districts need to be proactive and diligent about protecting our students.  All districts need to be prepared for an education security breach. They need to know how long companies are holding their data, especially after the district has ended its contract. I don’t see vendors putting that information in their terms of service, so districts need to ask those questions.

With cybersecurity threats and data breaches on the rise, districts need to evaluate their current compliance practices to help safeguard their students’ data. Using a data privacy monitoring tool quickly gives district leaders the visibility, security reviews, and insights needed to strengthen and streamline their data privacy strategies.

When the sixth-largest school district in the United States announced in early April that hackers were holding its data ransom for $40 million, administrators everywhere paid attention.

The Fort Lauderdale-area district has 232 schools and a budget of $2.6 billion for the 2020-21 school year—seemingly, the district has plenty of resources to protect against cyberattacks. It also has thousands of students and staff who use hundreds of applications and technologies each day.

How do educators ensure that they keep students’ data, records, and personal information private and secure? And, on the flip side, how do they ensure that the integration with other systems remains seamless, so student data is always up to date, accurate, and accessible to teachers, students, parents, and district officials?

3 considerations for securing student data

1. Security

State and federal data privacy laws apply to school districts along with the vendors who supply hardware and software to them.  But as educators, you need to ensure that their systems go beyond being legally compliant. You must work with companies to prepare for vulnerabilities and threats long before they occur.

Make sure your partners have rock-solid privacy protocols and breach prevention controls at all levels of the company. Ask if they have regular security awareness training and how often they review their privacy policies. Make sure that all the prevention controls they offer–including automatic backups, firewalls, intrusion detection systems, and third-party vulnerability scans and assessments–are activated and working as they should.

It’s also important to be aware of new updates and releases of technology. Sometimes even browser upgrades come with potential vulnerabilities. These can usually be fixed quickly once they are identified–and having a dedicated team in place to keep up with these patches can save you from a potential security incident.

2. Accuracy

Students’ scholastic success depends on the accuracy of their data. Errors in assessments and out-of-sync work creates frustration and confusion – and interrupts students’ progress. Inaccurate information also prevents educators from seeing the true picture of students’ successes and challenges, which can prevent students from getting the support they need.

Your technology partners should have a strong privacy policy and controls to restrict access to as few people as possible. Look for the phrase “principle of least privilege.” This is the difference between inviting a hundred strangers to a party or only inviting a handful of people you trust.

Your partners’ systems should all integrate seamlessly and automatically with your student information systems. This ensures that student data reflects the most recent and relevant work, not a draft file from five days ago. The key to achieving this is parallel processing. Look for a provider that can conduct daily data integrations that are shared across multiple servers in a distributed environment.

3. Availability

All systems might occasionally shut down. These can range from small interruptions to complete outages. Therefore, it’s crucial to make sure your information is backed up to protect you from temporary hassles as well as data loss.

Best practices for backup and recovery include utilizing distributed servers (to ensure that no single server represents a single point of failure). Your technology partners should work with you to establish a disaster recovery plan that’s focused on restoring the system and the information in a timely manner.

Your student data is both a means for learning and a resource for measuring success. Protecting your technological world, no matter its size or complexity, will give you peace of mind the next time you hear about a major breach that impacts an educational institution.

There’s no point mincing words: School districts and administrators have had a heck of a year. Not only have you been under immense pressure from parents and state officials to reopen schools safely, but your teachers are also understandably concerned about virus transmission. What’s more, your plans keep changing and you’re being forced to adapt.

Related content: How eLearning coaches can support teachers

It’s an uphill battle, and there’s no doubt you’re doing your best. In all the chaos, you’re now responsible for taking temperatures and doing daily COVID-19 screenings, but you may not have had enough time to research screening devices and do sufficient due diligence before welcoming students back through your doors. Unfortunately, making a purchase like this can open you up to risk. Here’s why, and how to mitigate these risks moving forward.

Untested tech, unproven vendors

COVID-19 took the world by surprise, and people have taken a waterfall of reactionary measures ever since. Consumers have bought household goods out of panic, and schools have bought screening devices in much the same way – because they needed to.

You need to reopen your doors, so you need to perform health checks, as well as COVID-19 testing and tracking. It’s understandable that you may have either purchased a device for your school or been given one to install from your district without first undergoing a complete risk assessment.

But these screening devices are largely unproven. Many of them have emerged very recently from vendors that are neither widely known nor trusted. Furthermore, many of them use facial recognition so the technology can connect the dots between the temperatures they’ve taken and whose temperature it is. Do you know how, where, or if that data then gets stored? Whether you have a handheld screening device that looks like a modified cell phone or one that looks like a tablet, you need to understand the associated risks and configure the technology securely.

You’re now handling health data

You’ve always had to manage and protect student data, but as soon as you pull the trigger on a temperature scanner, you’re dealing with sensitive health information. Some people dismiss temperature data as “just a temperature,” but the reality is that this is health data – and it needs to be treated differently than general student records. When you’re handling health data, the complexity and sensitivity is increased significantly.

A lot of COVID-19 testing and tracking devices have a server component to them, so the device sends data to a centralized server system where it’s captured and used for reporting. If someone scans hot, a notification may go out. That notification is then sharing health data. Additionally, many technologies are working to help record contact tracing. This, of course, is another layer of sensitive data, this time about the comings and goings of individuals.

So, consider where the personal information captured by these devices goes. Is it being used by the vendor for purposes aside from COVID-19 testing and tracking? Odds are good that it is (or eventually will be). Also, is it part of your network? If so, there’s a possibility that a cybercriminal could access the network – and all the data. There has been an increase in attacks on COVID-19 testing centers, vaccine development facilities, etc. so it’s not a stretch to imagine this type of data being a target within your own walls.

Assess risk & make plans

If your data, school, or district does get compromised and your screening technology is taken offline, what’s your backup plan? Do you have one? If not, take the time to think through all possible outcomes and what your next moves will be. Whether it’s because of cybercriminals or simply because the technology fails (as all tech does eventually), having contingency processes in place will increase your speed of response and level of security.

For example, if your device fails, will you use a handheld thermometer and record students’ names and temperatures manually? If so, how will you keep that information secure? Or, will you close the building and send kids home? Whatever scenario keeps your students, staff and data safest needs to be properly mapped out in the event it needs to be followed.

If you haven’t yet purchased and implemented a COVID-19 testing and tracking device, first perform a proper risk assessment on both the technology itself and the vendor. Make sure you understand how the device works, what data it’s capturing, where it’s being stored and how that data will be used today or in the future. Then, take steps to deploy it securely. It should be isolated to its own network or segmented to a virtual LAN. You don’t want any unproven, untested technology on your main network or your risks increase dramatically.

If you’ve already purchased and even begun using such a device, retroactively execute a risk assessment – as soon as possible. Then go through the same steps above. You may need to undo and redo its initial configuration in order to make sure it’s secure and on its own network, but it’s worth the time and energy. After all, you don’t get second chances with protecting sensitive student health data.

As the global pandemic extends into the fall, it’s clear that most schools and universities will continue to rely on online instruction in the near term. However, although online instruction can help minimize health risks, it also introduces heightened security risks and highlights the importance of protecting data.

This was certainly true in corporate environments, where more than 80 percent of companies saw “slightly to considerably more” cyberattack attempts in the first half of 2020. As the threat landscape continues to evolve, higher education will continue to become an increasingly target-rich environment.

Related content: Dealing with data during COVID-19

To keep their courses and students safe, it’s up to institutions to make cybersecurity top of mind. Robust access control, authentication, data integrity, and content protection are all essential to safeguarding sensitive data and communications. Educators must not only protect sensitive data but take proactive steps to safeguard online communications.

Safeguarding a wealth of personal data

School systems have long been a ripe target for hackers and other bad actors. Many are especially vulnerable to attacks because they lack the security systems and IT resources that corporations and large enterprises utilize. In 2019, ransomware infections impacted more than 500 schools in the U.S. alone. As schools spend more of their limited IT resources building digital classrooms, the threat is likely to grow. Just this past June, hackers took Columbia College student data hostage and threatened to sell it on the dark web.

Most schools host huge volumes of data related to their students, tracking everything from test scores to demographic data, behavior records, financial information and more. To keep this sensitive personal data from falling into the wrong hands, institutions must restrict access and encrypt data, regardless of where it resides.

Protecting data in transit

When it comes to protecting data that’s in transit, you need to secure your website with a TLS/SSL certificate to encrypt information and maximize trust. Three key types of TLS certificates can provide protection, including Organization Validation (OV), Domain Validation (DV) and Extended Validation (EV). EV certificates, the worldwide standard for protecting extremely sensitive data, offer the highest level of authentication. To enable organizations to manage these certificates, certificate authorities (CAs), like DigiCert validate each type of certificate to a specific level of user trust.

Protecting data at rest

With so much personal and financial information residing on-premises at education institutions, protecting data onsite is critical to prohibit hackers from harvesting it. The best way to protect data onsite is to encrypt it at rest. If a hacker were to infiltrate a system that contains encrypted data, it would be worthless.

Safeguarding third-party platforms

Learning management systems (LMS) like Blackboard or Canvas also host a vast array of personal data that is vulnerable to attack. To protect these systems from unauthorized access, two-factor authentication should be mandatory for these systems.

Securing online communications and classrooms

Classroom and online communications like videoconferencing and email platforms are also vulnerable to hackers and other attacks. We’ve all heard the stories of disruptive “Zoombombing” episodes in education and at private enterprises. Although some of these pranks may seem lighthearted, they disrupt and waste valuable classroom time. Establishing role-based accounts, robust access control and frequent re-authentication can help minimize these issues.

Securing school devices

Maintaining control over the devices students use to access learning is a powerful way to enforce security for video collaboration and classwork. However, it also requires mechanisms like Mobile Device Management (MDM). MDM lets you control your devices, security profile and level of access for users from anywhere in the world. When combined with PKI for identity management, it offers a formidable security combination.

Protecting videoconferencing

As universities and school districts discover more vulnerabilities in their videoconferencing platforms, they are taking proactive steps to make them more secure. For example, the New York City Department of Education recently developed a DOE-licensed version of Zoom. Tailored to the Department’s security standards, it prohibits participants from renaming themselves, blocks private chats and restricts students from controlling screens. Whether you are using Zoom or another video collaboration platform, it’s essential to ensure that only authorized users can access a conference and participate in sharing content.

Safeguarding email

Phishing and other email threats have plagued enterprise corporations for decades and unfortunately, students are highly vulnerable. Making sure that students cannot accidentally install malware on their devices is key, especially if the laptop or tablet has been issued by the school. Students are subject to the same type of phishing accounts as corporate employees. Although there isn’t necessarily a financial gain, hackers do it for fun and then lock out the real students. Especially with school-issued devices, it is key to ensure that students do not accidentally install malware on school property. Protocols such as S/MIME and security through DMARC certification can help you ensure that your email communications are fully protected.

Securing sensitive documents

The need for security isn’t limited to communications and classroom activities. You’ll also want to protect sensitive documents from individuals who may tamper with report cards, transcripts, or diplomas. Digital document signing lets organizations and individuals incorporate a digital signature in a document to prove their identity. It is more secure than scanned signatures and other methods, never expires and can be customized to meet local legal requirements.

It’s clear that the impact of today’s healthcare crisis will continue to ripple across our education systems for months or even years to come. Educators will have plenty of challenges as they shift to online or hybrids of remote and in-person instruction. With strong security best practices in place, they can gain peace of mind in knowing that their students and institutions will stay safe from attacks—and free up time to focus on delivering the best possible learning experience.

Every school district is faced with a choice about how to protect student data. As districts have implemented more technology to support digital learning, student data privacy in schools has become a critical issue.

It can be a huge undertaking to vet and manage the privacy policies of all of the online resources used in a district. Even with good intentions, most districts do not have adequate protection and are vulnerable to a data breach. These breaches are becoming more common as districts struggle to keep up with technology.

Related content: 5 ways IT directors handle student data privacy

Here is the story of one district that is doing it right by effectively supporting its student data privacy policy with a comprehensive privacy management tool.

Forsyth County Schools

District administrators and school board members in Georgia’s Forsyth County Schools were committed to data privacy—and with nearly 50,000 students, the district knew protection was of the utmost importance.

District tech leaders actively searched for an enterprise data privacy solution that would allow their teachers and schools to be autonomous in finding and selecting safe applications for use in the classroom. They also knew they wanted a tool that would give local school personnel the ability to independently find online resources that are FERPA and COPPA compliant. These requirements led the district team to EdPrivacy by Education Framework.

Like many districts, Forsyth County Schools does not have a large enough IT staff to conduct the labor-intensive evaluation of every digital tool and learning resource used in classrooms throughout the district. District leaders and school board members needed a comprehensive, cost-effective solution to automate this process, and also needed EdPrivacy to integrate with their SSO solution—Classlink.

Education Framework worked with the district and developed the integration needed for Classlink. Forsyth educators now have access to more than 10,000 digital resources in the EdPrivacy database, and can order a privacy evaluation for new digital tools and programs at any time. New evaluations are provided within 24-48 weekday hours of each request.

Because the EdPrivacy database has an extensive library of approved educational resources, the district has been able to give teachers guidelines and greater latitude in choosing tools and learning resources to support their curriculum, all while protecting student data privacy. Also, the district’s professional development program has spurred adoption and implementation of EdPrivacy throughout the district.

Highlights after EdPrivacy’s first year in Forsyth County Schools include:
• 1,112 teachers are using the system
• 8,356 searches have been completed in the EdPrivacy database
• Users are advocates as they help teachers and administrators use the system
• Vendor privacy policies are vetted and continuously monitored for changes
• Quick turnaround on new edtech privacy vetting requests
• 80 percent ROI on Forsyth’s student data privacy efforts

Forsyth’s ROI for protecting student data privacy

The time spent on vetting the privacy of each online resource varies from 30 minutes for a trained person to multiple hours for an untrained individual. Using 30 minutes as a conservative calculation, Forsyth’s 8,356 searches in the EdPrivacy database saved them the equivalent of two FTE, or two full-time employees, using the district’s average salaries. If the vetting activity averaged an hour each, then the district has saved the equivalent of four full-time employees. After one school year, Forsyth has experienced an 80 percent return on its investment in student data privacy and in EdPrivacy.

In addition to this significant savings, Forsyth employees have confidence that they have ensured the ongoing protection of students’ personally-identifiable information. Forsyth educators benefit from the expanding database of approved digital resources and the monitoring of privacy policies on an ongoing basis. District leaders are notified via automatic updates of any changes in the privacy policies.

School data breaches are becoming more common, and there is an urgency for districts to do everything they can to safeguard student information. This type of 24/7 protection assures districts and school boards that they are providing the most comprehensive protection available for their students’ personal data.

Whichever assessment practice model you use—be it Response to Intervention (RTI), multi-tiered systems of support (MTSS), or any other—building a positive culture of assessment is the key to success for both students and teachers.

Tech tools alone cannot transform your data culture, but the right knowledge and strong leadership can. We’ve found that schools and districts are most successful if they possess these five common traits.

The school or district has a broad definition of assessment.
The word ‘assessment’ should not be a substitute for the word ‘test’ or ‘grade.’ When teachers, schools, and districts broaden their overall definition of what an assessment can be, teachers are able to get a more complete sense of what a student has learned and where there is still room for improvement. These don’t need to be limited to benchmarking, check-points, or end-of-level tests, and not all assessments factor into a student’s gradebook. Whether it be performance-based evaluations, rubrics, or even a one-on-one conversation about frustrations and successes, think of an assessment as any time you allow a student to demonstrate what they know and don’t know.

Teachers and students do not fear assessments.
When the statistics come back and the data doesn’t show perfect scores or off-the-charts comprehension, many instinctively assume the data is “bad” and shy away from acknowledging what it can illuminate. All data is good data. Even numbers that reflect a less-than-ideal outcome offer an opportunity to improve and address specific student needs. Just as we tell students, take every opportunity to apply what you’ve learned.

Students shouldn’t be afraid to take assessments either. Often, students fall into the trap of seeing every evaluation as a grade that tells them how well they’ve prepared or how “smart” they are. Instead of seeing low scores or numbers and thinking “I can’t do that,” teachers work with students to identify additional learning opportunities and help them reframe the way they see assessments to say, “I can’t do that yet! But I will learn.” Evaluations are opportunities for growth and challenge, rather than a harbinger of doom and gloom.

Teachers should have an understanding that no matter where students are in their learning process, the results of assessments are tools to guide further instruction and evaluate the efficacy of their own teaching. The ultimate goal is to refine programs to best benefit the students and meet them where they are. When students see assessments as ways to show off what they know rather than exposing where they fall short, they’ll be more likely to approach them with a positive outlook geared toward learning and addressing their own knowledge gaps.

Teachers are engaged in conversations and analysis centered on data.
Professional Learning Communities (PLCs) empower teachers with the knowledge and tools to best evaluate student data as a team. From sharing experiences to exchanging resources for growth, teachers making use of PLCs to broaden their own perspectives and create a culture of collaboration. Joining forces with other experienced professionals often paves the way for a more robust program of evaluation (rather than creating competition as some may worry).

No educator is an island. Sharing resources and delivering common assessments on a school- or district-wide scale forms a solid foundation of consistent data and allows teachers to get new eyes on data. Working together, teachers and administrators can collaborate on instructional strategies to create a space for conversations that have a real impact on student learning.

Teachers know how to leverage real-time data to address student needs.
See evaluations as a tool for constructive feedback on all levels to address students’ needs. Many successful teachers use the ITS model: Identify student levels of understanding; Target students for intervention; Self-evaluate your own instruction and efficacy. Breaking down assessment data allows teachers to see the full picture of a student’s understanding on an individualized level. First, find the students that have room for improvement and target their weak spots for extra attention. Then, take the critical step of understanding how you can improve instruction as a teacher.

Data is not just “collected”—it’s used!
If we solicit data from student evaluations, we have a moral obligation to use that data to benefit those students. For example, benchmark data is integrated in the formative process. One example of a technological tool that helps make the most of student data is Instructure’s MasteryConnect. This product has a Benchmark Compare feature that allows educators to have a side-by-side view of students’ formative and benchmark assessment data, allowing them to identify important patterns and trends in student levels of understanding to inform their instruction. Data is always used to differentiate learning and instruction on an individual basis.

Scary evaluations are a thing of the past. Changing our perspective on assessments can take them from a time-consuming necessity to a useful resource to provide pathways to a better future in academia. In a school atmosphere where evaluations are seen as roadmaps for successful learning, teachers and students both win.

Trenton Goble | VP of K12 Learning
Trenton left his position as an elementary school principal in January 2012 to become MasteryConnect’s Chief Academic Officer and Co-Founder. He now serves as VP of K-12 learning at Instructure. During Trenton’s 19-year career as an educator, he taught various grade levels, served as an Assistant Principal, and spent 11 years working as an Elementary School Principal. Trenton holds an M.Ed in Instructional Technology from Utah State University, and he designed the Mastery Leadership Institute to support school and district leaders in implementing successful data strategies and cultures.

Every school district is faced with a choice about how to protect student data. As districts have implemented more technology to support digital learning, student data privacy in schools has become a critical issue.

It can be a huge undertaking to vet and manage the privacy policies of all of the online resources used in a district. Even with good intentions, most districts do not have adequate protection and are vulnerable to a data breach. These breaches are becoming more common as districts struggle to keep up with technology.

Related content: 5 ways IT directors handle student data privacy

Here is the story of one district that is doing it right by effectively supporting its student data privacy policy with a comprehensive privacy management tool.

Forsyth County Schools

District administrators and school board members in Georgia’s Forsyth County Schools were committed to data privacy—and with nearly 50,000 students, the district knew protection was of the utmost importance.

District tech leaders actively searched for an enterprise data privacy solution that would allow their teachers and schools to be autonomous in finding and selecting safe applications for use in the classroom. They also knew they wanted a tool that would give local school personnel the ability to independently find online resources that are FERPA and COPPA compliant. These requirements led the district team to EdPrivacy by Education Framework.

Like many districts, Forsyth County Schools does not have a large enough IT staff to conduct the labor-intensive evaluation of every digital tool and learning resource used in classrooms throughout the district. District leaders and school board members needed a comprehensive, cost-effective solution to automate this process, and also needed EdPrivacy to integrate with their SSO solution—Classlink.

Education Framework worked with the district and developed the integration needed for Classlink. Forsyth educators now have access to more than 10,000 digital resources in the EdPrivacy database, and can order a privacy evaluation for new digital tools and programs at any time. New evaluations are provided within 24-48 weekday hours of each request.

Because the EdPrivacy database has an extensive library of approved educational resources, the district has been able to give teachers guidelines and greater latitude in choosing tools and learning resources to support their curriculum, all while protecting student data privacy. Also, the district’s professional development program has spurred adoption and implementation of EdPrivacy throughout the district.

Highlights after EdPrivacy’s first year in Forsyth County Schools include:
• 1,112 teachers are using the system
• 8,356 searches have been completed in the EdPrivacy database
• Users are advocates as they help teachers and administrators use the system
• Vendor privacy policies are vetted and continuously monitored for changes
• Quick turnaround on new edtech privacy vetting requests
• 80 percent ROI on Forsyth’s student data privacy efforts

Forsyth’s ROI for protecting student data privacy

The time spent on vetting the privacy of each online resource varies from 30 minutes for a trained person to multiple hours for an untrained individual. Using 30 minutes as a conservative calculation, Forsyth’s 8,356 searches in the EdPrivacy database saved them the equivalent of two FTE, or two full-time employees, using the district’s average salaries. If the vetting activity averaged an hour each, then the district has saved the equivalent of four full-time employees. After one school year, Forsyth has experienced an 80 percent return on its investment in student data privacy and in EdPrivacy.

In addition to this significant savings, Forsyth employees have confidence that they have ensured the ongoing protection of students’ personally-identifiable information. Forsyth educators benefit from the expanding database of approved digital resources and the monitoring of privacy policies on an ongoing basis. District leaders are notified via automatic updates of any changes in the privacy policies.

School data breaches are becoming more common, and there is an urgency for districts to do everything they can to safeguard student information. This type of 24/7 protection assures districts and school boards that they are providing the most comprehensive protection available for their students’ personal data.