One of the first things that struck me when we became involved in education data nearly 20 years ago was how educators prioritize safeguarding student data. It makes sense when you consider the focus educators place on protecting students. Since that moment, we have embraced this same set of priorities:
- Protect students and their data.
- Use data to help students achieve their best education possible. Using data is important, but not until you can be sure it’s safe.
As a supplier of data management software that supports millions of students from early childhood through post-secondary education, we have learned a lot about the threats and risks of using data and methods to mitigate those risks. Since there are currently hundreds of pieces of student data privacy legislation working their way through legislatures across the country, I thought it might be a good time to share some of what we have learned.
Lately we have been consulted by many organizations regarding best practices for protecting student data because we live it and breath it from technological, contractual, and legal perspectives and are happy to share our experience. This is something every stakeholder – educators, students, parents, vendors, etc. – is concerned about. Every day we see the benefits education data can provide and know that by managing data safely, we can help provide those benefits to all students.
One fundamental issue to consider is related to contracts and agreements regarding acceptable use of education data. From the perspective of a practitioner, we encounter two fundamentally different approaches to defining what can and can’t be done with data.
Approach #1: Attempt to clearly prohibit all of the things that should not be done.
Approach #2: Clearly authorize only uses that are acceptable.
There are pros and cons to each approach and they can be done in combination, but we (and our customers) find it essential to include Approach #2. From a logical perspective, we know exactly what we are supposed to be doing and everything else is prohibited. For example, using this approach, you don’t have to tell us that using data for marketing purposes is prohibited; or that using data for targeting sales purposes and an infinite number of other bad things are prohibited.
You may want to explicitly prohibit certain actions, for the sake of clarity, but using only Approach #2 generates an almost interminable number of prohibitions and still leaves room for doing things that are simply not defined or fall through the cracks. Authorizing only specific activities makes contracts simpler and, in our experience, safer.
In future blog posts, we will cover technical topics such as encryption as well as different procedures and rules. If there is interest, we will try to cover a topic or two in each blog post. If there are specific topics you would like to see us cover, please let us know by emailing me at firstname.lastname@example.org