Privacy Best Practices

When developing a data privacy program, a few planning steps make the setup go smoothly: determine why your organization needs a program, what the program should include, and how to go about creating it.

The U.S. Department of Education established the Privacy Technical Assistance Center (PTAC) as a one-stop resource to learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems and other uses of student data. PTAC provides timely information and updated guidance through a variety of resources, including training materials and opportunities to receive direct assistance with privacy, security, and confidentiality of student data systems. More PTAC information is available at http://studentprivacy.ed.gov.

PTAC's Checklist for Developing School District Privacy Programs is a good starting point when you are just getting started. It gives an overview of how to work through the process of setting up a program.

The Data Governance Checklist can assist your organization with establishing and maintaining a successful data governance program to help ensure the individual privacy and confidentiality of records.

Use the steps below to implement your privacy program!

Step One: Policies for Users of Student Data Checklist
The Policies for Users of Student Data Checklist aims to assist schools and districts in crafting data use policies to ensure appropriate protection of students’ data.  While it is not mandatory to develop a data use policy, the U.S. Department of Education recommends doing so as a best practice.
Step Two: Data Minimization
Data minimization principles are critical in the AI era. Edtech platforms and data analytics tools may capture extensive details about students' school experiences, including quiz scores, assignment completion rates, medical conditions, counseling records, and family income information for meal programs. AI tools can connect the dots across these data points and draw inferences about a student that no one deliberately collected, and those inferences can directly affect the student. The less data each platform holds, the less there is to infer from or to lose in a breach. The Public Interest Privacy Center has provided this resource to assist districts.

A District Guide to Data Minimization in the Age of AI
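As an added illustration of the principle (example code, not part of the guide above or of any district's system): a purpose-bound export filter that sends a vendor only the fields approved for that purpose and replaces the student ID with a vendor-specific pseudonym, so that two vendors' datasets cannot be joined on the identifier. The purposes, field names, sample record and vendor keys are constructed.

```python
import hashlib
import hmac

# Fields each approved disclosure purpose may carry.  Anything not listed for
# the purpose is dropped before the record leaves the district.  The purposes
# and field names are constructed for this example.
PURPOSE_ALLOWLIST = {
    "reading_app": {"grade_level", "reading_level"},
    "meal_program": {"grade_level", "meal_eligibility"},
}

# Fields whose disclosure a privacy reviewer should sign off on.  Constructed.
SENSITIVE_FIELDS = {
    "medical_conditions", "counseling_notes", "household_income", "meal_eligibility",
}

# A constructed student record holding more than any single vendor needs.
SAMPLE_RECORD = {
    "student_id": "S-10042",
    "name": "A. Student",
    "grade_level": 7,
    "reading_level": "6.5",
    "meal_eligibility": "free",
    "household_income": 31000,
    "medical_conditions": "asthma",
    "counseling_notes": "on file",
}


def pseudonym(student_id: str, vendor_key: bytes) -> str:
    """Vendor-specific pseudonymous identifier.

    A keyed HMAC rather than a plain hash: a vendor holding only the token
    cannot enumerate student IDs, and a different key per vendor means two
    vendors' datasets cannot be linked on the identifier.
    """
    return hmac.new(vendor_key, student_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict, purpose: str, vendor_key: bytes) -> dict:
    """Return only the fields approved for `purpose`, keyed by pseudonym.

    An unapproved purpose raises KeyError deliberately: no allow-list, no export.
    """
    allowed = PURPOSE_ALLOWLIST[purpose]
    out = {"pseudonym": pseudonym(record["student_id"], vendor_key)}
    out.update({field: value for field, value in record.items() if field in allowed})
    return out


def sensitive_fields_for(purpose: str) -> set:
    """Sensitive fields a purpose's allow-list would disclose.

    An empty set means the disclosure needs no special review.
    """
    return PURPOSE_ALLOWLIST[purpose] & SENSITIVE_FIELDS


if __name__ == "__main__":
    key = b"reading-app-key"  # constructed; in practice a per-vendor secret
    print(minimize(SAMPLE_RECORD, "reading_app", key))
    print(sensitive_fields_for("meal_program"))
```

The allow-list is the artifact a privacy reviewer approves; `sensitive_fields_for` shows at a glance which purposes touch the fields the guide singles out (health, counseling, income), so those contracts get the extra review.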

Step Three: Inventory Worksheet
Collecting key information about instructional and administrative systems in one place gives you a systems overview that can serve as the starting point for data mapping and consolidation discussions. For each system, the worksheet should record the vendor and their contact information, how administrative access to the system is managed (note where credentials are kept, such as a password manager, rather than the credentials themselves, since the worksheet is a shared document), the vendor's security protocols, the classification of the data held in that system, and who in your district is the key contact. It should also include links or information about defined protocols, incident response plans and end-user training.

We have created a template for our members that includes a list of data software systems that include operations, personnel data, learning resources and applications with student-specific data. Download that template here.

Step Four: Data Classification Guide
To help you make informed decisions about managing sensitive data in your organization, we have created this Data Classification Guide. Download it and use it as a reference when determining which software and systems have access to data at each level, as well as the consequences of improper use or sharing of that information. In it you will find sample security controls as well as a framework for deciding who should have access to data at each level of sensitivity.
Step Five: Mapping Data Flows Checklist
The Mapping Data Flows Checklist is intended to help you create visual "maps" of how data flows within and between your systems. Including maps in data governance plans can help you better understand what data is in your systems, where the data resides, which sources provide the information, why those data points are collected, what limitations or restrictions apply, how it is linked, and what policy questions that data is used to answer.
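Steps Three to Five together, as an added example that is not the members' template, the Data Classification Guide or PTAC's checklist: a small system inventory carrying a classification level per system, the flow map derived from it (as a Graphviz DOT graph for the visual map), and two checks a reviewer would run over the map: flows that send data above the destination system's approved level, and systems that receive confidential data without an incident response plan on file. The system names, level names, contacts and flows are constructed; use the levels from your own classification guide.

```python
from collections import defaultdict

# Sensitivity levels in increasing order.  The names are an assumption for
# this example; substitute the levels from your Data Classification Guide.
LEVELS = ["public", "internal", "confidential", "restricted"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Constructed inventory rows: vendor, district key contact, the highest level
# the system is approved to hold, and whether an incident response plan is on
# file.  Credentials are deliberately not a field of the inventory.
INVENTORY = {
    "SIS": {"vendor": "Example SIS Co", "contact": "registrar",
            "handles_up_to": "restricted", "ir_plan": "on file"},
    "LMS": {"vendor": "Example LMS Co", "contact": "curriculum",
            "handles_up_to": "internal", "ir_plan": "on file"},
    "MealProgram": {"vendor": "Example Meals Co", "contact": "food services",
                    "handles_up_to": "confidential", "ir_plan": None},
    "ReadingApp": {"vendor": "Example Reading Co", "contact": "curriculum",
                   "handles_up_to": "internal", "ir_plan": "on file"},
}

# Constructed data flows: (source, destination, data element, classification).
FLOWS = [
    ("SIS", "LMS", "roster: name, grade", "internal"),
    ("SIS", "MealProgram", "household income", "confidential"),
    ("SIS", "ReadingApp", "counseling records", "restricted"),
    ("LMS", "ReadingApp", "quiz scores", "internal"),
]


def flow_map(flows):
    """Adjacency view of the flows: source -> [(destination, element, level)]."""
    graph = defaultdict(list)
    for src, dst, element, level in flows:
        graph[src].append((dst, element, level))
    return dict(graph)


def overclassified_flows(inventory, flows):
    """Flows that send data classified above the destination's approved level."""
    return [
        flow for flow in flows
        if RANK[flow[3]] > RANK[inventory[flow[1]]["handles_up_to"]]
    ]


def missing_ir_plan(inventory, flows, threshold="confidential"):
    """Systems receiving data at or above `threshold` with no IR plan on file."""
    return sorted({
        dst for _, dst, _, level in flows
        if RANK[level] >= RANK[threshold] and not inventory[dst]["ir_plan"]
    })


def to_dot(flows):
    """Graphviz DOT source for the visual map; render with `dot -Tpng`."""
    lines = ["digraph data_flows {"]
    for src, dst, element, level in flows:
        lines.append(f'  "{src}" -> "{dst}" [label="{element} ({level})"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(FLOWS))
    print("over-classified:", overclassified_flows(INVENTORY, FLOWS))
    print("no IR plan:", missing_ir_plan(INVENTORY, FLOWS))
```

Keeping the inventory and the flow list as data, with the map generated from them, means the map cannot drift from the inventory, and each new system or integration is added once. The two checks are the kind of policy question the map is meant to answer: in the constructed data, counseling records are flowing to a system only approved for internal data, and the meal program vendor holds income data with no incident response plan linked.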
Step Six: Data Destruction Document
The Data Destruction Document is a best practices guide on properly destroying sensitive data after it is no longer needed.  It details the life cycle of data and discusses various legal requirements relating to the destruction of data under FERPA, while examining a variety of methods for properly destroying data.  The guide also provides some real-world examples of how to implement data destruction within your organization.