Collect only what you need, use it solely for its intended purpose and retain it for only as long as necessary before securely destroying it.
Interoperability has been instrumental in reducing duplicate manual data entry for staff. The downside is inadvertently sharing too much data with third parties. The more data you have, the more you need to protect, and the greater the risk. Privacy and data minimization should be the first consideration.
Minimizing data begins when you are researching resources to use and/or purchase. Do you have a vetting process in place in which the pertinent departments in your organization review the data elements collected? If you have a data privacy agreement (DPA), adding a statement to your RFP that the vendor will sign it ensures that the vendors of the resources you are vetting will sign the DPA upon purchase.
Other areas to review are enrollment forms and program applications that parents/students/patrons sign. Are all the fields necessary? If you are participating in a research project, ensure the data elements collected are part of the study. Ask questions about the specifics of the research to know exactly what the data will be used for, how it will be protected and what will happen to the data after the study. In K-12, the research should always benefit the district, not the researcher.
Ask vendors on an annual basis what is on their roadmap for product enhancements. AI and LLMs are excellent at inference, which can change the exposure of the data. What AI components are they considering and what data will be collected? When a product is upgraded or absorbed/replaced by another company, what new data elements are collected?
If you are in K-12 and use the National Data Privacy Agreement, review the metadata in Exhibit B that the vendor selected. Determine if the data requested is needed for the application or is simply “nice to have.” If the data is not impactful for student learning, question why it is collected. On the other hand, did they miss selecting data that they collect? Ask questions about why the data is required or ask for their interpretation of the metadata field.
SPED and Free and Reduced Lunch information has a higher level of data protection and should be scrutinized accordingly.
Here are some tips for reviewing your procedures for data minimization:
- Create a curriculum and technology partnership to vet all applications for security and privacy.
- Review your single sign-on tools to minimize the rostering data provided to the applications.
- Implement role-based access control (RBAC) on applications that store core data (e.g., student information systems, personnel and payroll systems, etc.).
- Shorten retention periods according to state retention laws.
- Review the data collected on an annual basis.
- When an upgrade is available, read the upgrade notes prior to applying. Ask the vendor if/how these changes affect the data collected.
- Create a destruction schedule.
- Receive a certificate of destruction from third parties.
Below are links to assist you in minimizing the data collected and stored.
- SOS Records Retention Webinar February 25
- MO SOS General Retention Schedule
- A District Guide to Data Minimization in the Age of AI
- The K-12 Privacy Policy Guide: How to Quickly Spot Red Flags
