A panel of experts outlined at least five steps that school districts should take to manage their data in the cloud.
The cloud prompts school district leaders to consider where they store their data, why they're collecting data and how to keep it private, experts said in a CoSN webinar on Tuesday, Nov. 12. And it's not easy to keep data private in the cloud because technology and privacy policies change so quickly, said Jim Siegl, technology architect at Fairfax County Public Schools in Virginia, who moderated the webinar for CoSN.
"Is privacy in the cloud possible?" Siegl said. "Yes, but it takes a lot of work and a lot of communication."
Communication is one of the steps that Chief Privacy Officer Kathleen M. Styles recommends because it helps districts be transparent about their data practices. As the U.S. Department of Education's first privacy officer, she suggests that school districts maintain a page on their websites that outlines what data they collect, who has access to it and why it's being collected.
This transparency builds trust between school districts and the community, said Aimee Guidera, executive director of the Data Quality Campaign. If the community doesn't see the value of collecting data, they will negatively react to the practice.
"If it's all risk and no value add, that's when fear grows," Guidera said.
Oftentimes, school districts are collecting data that's not valuable because no one uses it, Guidera said. For every piece of data that's collected, school districts spend money and take on the risk of guarding its privacy.
That's why it's important for school districts to figure out who needs what data. And this conversation starts by asking parents, administrators and others what data they need.
The data that stakeholders need will determine where the school district places its values. One school district might want students to enhance their learning by working in third-party cloud applications. Another district may want to enhance students' learning on its own without using any third-party cloud providers.
Either way, superintendents and school boards should make these decisions, not teachers, said David Rubin, an attorney who's a member of the Council of School Attorneys. Many teachers have good intentions when they sign their students up for no charge websites, but they're putting student data in the hands of a third party without the district's knowledge.
"Districts are not policing their teachers adequately in terms of signing up for these free apps," Styles said.
Any app or service should go through a procurement, policy and legal review before school districts hand over student data to third parties, Styles said. And when they do hand it over, the privacy law FERPA requires the third party to:
Styles stressed that third-party providers do not own the student data and that they act at the school district's direction.
"When you share data with a third party IT provider, you are always responsible for the data," Styles said.
Teacher data practices aren't the only ones that need to be considered when deciding what to do about data and the cloud. School districts should take the time to analyze their data collection practices and processes before moving anything to the cloud, Styles said.
And this analysis could help address problems that the school district previously didn't handle, Rubin said.
"Oftentimes when you're dealing with new legal issues, it forces you to confront concerns that really have always existed, but we haven't paid much attention to," Rubin said.
Once school districts address these problems, they may be ready to move data to the cloud. But not before they record where all of their data is located.
If districts don't take an inventory of the records they have, they'll have a hard time finding them later when they need them.
"This is just a fabulous opportunity to get a handle on what you're doing," Styles said.