What K-12 School Districts Need to Know about Student Data Privacy


Edtech applications are omnipresent in K-12 education. The latest EdTech Top 40 List reports that the average number of edtech tools in use in K-12 school districts in the 2022-23 school year was 2,591. These technology tools have become essential to preparing students for the modern world. However, because of the vast amounts and types of data they collect about students, they also present valid student data privacy concerns. 

The data collected by edtech applications includes a wide range of information about a student’s identity, such as a student’s name, date of birth, Social Security number, and email address. Student data can also include details about academic performance, mental and physical health, and behavior.

With this much private and potentially sensitive information being collected and stored, educators, parents, and the students themselves are right to be concerned about how student data is being accessed and used. The K-12 Edtech Safety Benchmark Report published in December 2022 suggests that 96% of apps being used by schools share data with third parties, and 78% share information with advertisers, often without schools’ knowledge or consent.

Edtech tools are here to stay, so how can K-12 schools ensure their benefits in the classroom outweigh their risks to student data privacy?

Read on to learn about:

  • Federal and state K-12 student data privacy laws 
  • How edtech providers demonstrate a commitment to data privacy and security 
  • Ways to ensure your students’ data privacy is protected and prioritized

What Student Data Privacy Laws Do I Need to Know About?

The most basic level of ensuring student data is secure and private is compliance with existing student data privacy laws, both at the federal and state level.

Federal Laws

The main federal law concerning student data privacy is the Family Educational Rights and Privacy Act, or FERPA. Under FERPA, educational institutions that receive federal funding must protect the confidentiality of and control access to student records, including grades, transcripts, and disciplinary records. FERPA grants parents and older students the right to review, request amendments to, and control the disclosure of their educational records.

COPPA (the Children’s Online Privacy Protection Act) is another federal law that requires operators of any websites or online services that collect personal information from children under the age of 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information. COPPA also mandates the implementation of reasonable security measures to protect the confidentiality and integrity of children’s data.

State Laws

Beyond the federal level, nearly every U.S. state has one or more laws on the books regarding how K-12 schools can collect and use student data. You can reference a source like Student Privacy Compass, which maintains a list of more than 100 state student privacy laws, to make sure you’re in compliance with the rules in your state.

What Data Privacy and Security Certifications Should Our Edtech Providers Have?


Aside from compliance with federal and state laws, there are numerous other certifications that edtech providers can achieve to demonstrate their commitment to higher standards of student data privacy and security.

Student Privacy Pledge 2020

The Student Privacy Pledge 2020 is a voluntary commitment initiated by the Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA) to protect student data privacy in edtech applications. Edtech companies and service providers who sign the pledge are committing to transparent data practices, including:

  • Obtaining appropriate consent for data collection
  • Maintaining the security of student information 
  • Refraining from selling student data
  • Adhering to relevant laws and regulations

The Student Privacy Pledge serves as a mechanism to encourage responsible data handling practices and foster trust between educational institutions, parents, and edtech providers to ensure the privacy and protection of student data. The Pledge is a legally enforceable commitment to maintaining these practices and has been endorsed by other organizations such as the National School Boards Association (NSBA) and the Consortium for School Networking (CoSN).

SOC 2 Type 2 Certification

SOC 2 Type 2 certification is an industry-recognized validation that assesses the effectiveness and security of a service organization’s internal controls related to data security, availability, processing integrity, confidentiality, and privacy. Achieving this certification involves undergoing a thorough audit by an independent third-party auditor over a specified period.

Some K-12 student safety and wellness technology providers may claim this certification because their cloud service provider (such as AWS or Google Cloud) has attained it. However, certification in this case applies only to the cloud service provider’s data centers, not the handling of data by the edtech company and its technology tools. In reality, very few have attained SOC 2 Type 2 certification of their own.

Currently, there is no state or federal requirement for edtech providers to have achieved this highest level of certification. Therefore, if an edtech provider has gone through the rigorous requirements to attain SOC 2 Type 2 certification, this demonstrates the highest commitment to data privacy and security.

Bug Bounty Programs

A bug bounty program is an initiative offered by a technology provider to proactively identify vulnerabilities or bugs in its software, systems, or digital infrastructure. The program sets rewards or bounties for ethical hackers and security researchers to discover and report vulnerabilities, motivating participants to actively search for and disclose potential security weaknesses. An edtech company’s investment in a bug bounty program is another demonstration of its commitment to the highest data security standards.

What Impact Does Student Activity Monitoring Have on Student Privacy?

Student activity monitoring software is used by many schools to identify student safety and wellness concerns. These tools provide schools with invaluable insight into students who may be at risk of self-harm, suicide, violence, and bullying.


As the use of this potentially life-saving technology becomes increasingly popular in K-12 districts and schools, privacy concerns are also being raised. However, not all monitoring is the same, and how the monitoring occurs makes a significant difference when it comes to student data privacy. 

For example, some student activity monitoring relies heavily on human content reviewers. Having humans review extensive amounts of student online activities introduces privacy risks and exposes potentially sensitive student data unnecessarily.

In contrast, the use of reliable and secure technology tools to identify student safety and wellness risks significantly minimizes student data privacy risks. Securly relies on advanced technologies — including the longest-learning AI engine in K-12 education, advanced multi-step analysis of online searches and activities, and proprietary risk assessment technology — to securely analyze students’ online activities and identify indicators that a student may be at risk. 

The use of technology like nudity detection and quarantine further ensures that sensitive content, like nudity in images that students may be sharing, isn’t exposed to human content reviewers. These important differentiators minimize student privacy risks.

What Questions Should I Be Asking Our Edtech Providers about Student Data Privacy?

When evaluating edtech tools such as school web filtering and student wellness monitoring, you have a lot of choices. How an edtech provider manages student data privacy is a crucial consideration.

Here are some questions to ask edtech providers so you can feel confident in their commitment to your students’ data privacy and security:

  • What student data is collected and how is it used?
  • How is student data stored and secured?
  • Do you have any data-sharing or third-party agreements?
  • How long is student data retained?
  • Do you conduct regular security audits and assessments?
  • Has your company — not your cloud service provider — attained SOC 2 Type 2 certification?
  • Do you maintain a bug bounty program?
  • Do you offer student wellness monitoring and, if so, how do you ensure student data privacy?
  • How do you control or limit access to data by your employees?

While it may sometimes feel like you have to make a choice between monitoring students’ online activities and ensuring student privacy, it is more than possible – and reasonable – to ask for and have both. 

Securly Aware is a student wellness monitoring tool that helps schools maintain students’ privacy, while also prioritizing student safety and wellbeing – learn more here

You can also learn how Securly prioritizes student data privacy here. 
