Last month, the nonprofit Center for Democracy and Technology (CDT) published a report arguing schools and districts should go the way of other industries and hire a Chief Privacy Officer to oversee their organization’s privacy policies and practices.
Page by page, the report explains what a CPO is, why the role is necessary and even provides a two-page sample job description districts can use to begin the hiring process for a CPO.
The intent here is good, says Linnette Attai, a K-12 privacy expert and founder of the global compliance consulting firm PlayWell, LLC. Schools and districts collect, manage and analyze more data now than ever before. That data can be used to improve K-12 decision-making, tailor instruction to each student and flag when one student needs extra attention or assistance. But because data can also be misused, abused, exposed and manipulated, it must be protected. Thus, the need for a Chief Privacy Officer—someone who can establish and enforce privacy policies, train staff on privacy procedures and ensure that all data is collected and shared safely.
But the reality is that Chief Privacy Officers in K-12 education are about as common as unicorns. EdSurge contacted education nonprofits, a technology association and a handful of privacy experts, and none could identify a single school district with a K-12 CPO. In fact, it is still extremely rare for districts to hire even one full-time employee dedicated to privacy—leadership or otherwise—says Attai, who frequently advises K-12 districts on privacy issues.
“It should be a leadership position, but it’s not,” she tells EdSurge. “We’re a really long way off from it ever being there, and we may never be there.”
The reason comes down to funding, Attai says. K-12 districts have to establish their priorities, and while privacy continues to move up that list, a CPO isn’t likely to make the cut.
Still, she emphasizes that the absence of a CPO in K-12 is not synonymous with a shoddy privacy program: “It’s unfortunate, but it doesn’t have to be detrimental to student privacy protections.”
Instead of going the more aspirational route outlined by the CDT, Attai argues that districts start by giving privacy personnel—or the closest they have to it—the ears and attention of school leadership. If they’re not going to have a seat at the table, they at least need to communicate with those who do.
In at least two public school districts—both large systems that serve close to or more than 100,000 students—that’s how it works. Denver Public Schools in Colorado and Baltimore County Public Schools in Maryland have each hired a senior-level official who is responsible for the organization’s privacy policies and data governance.
Denver’s Student Data Privacy Officer
Two years ago, Denver Public Schools created a new role, the Student Data Privacy Officer, after the Colorado legislature passed a law to promote student data privacy and transparency.
Bryan Westerman, then a client tech analyst for the district, became the first person to fill the position. At a high level, his job is to ensure that DPS—the largest district in the state, with 90,000 students—complies not only with federal privacy laws (FERPA, COPPA, CIPA) but with the new state one as well.
Colorado was one of the first states, along with California and Connecticut, to pass a sweeping student privacy law, Westerman says. The law focuses on three main areas: data use and data use restrictions for third parties; data destruction, which is required at the end of a contract term or vendor relationship; and transparency, so the public can know which vendors each district does business with.
In his role, Westerman works closely with the district’s legal team to make sure their policies are in compliance with the law. He also spends a lot of time on contract reviews, he says.
When the state legislature passed its privacy bill in summer 2016, a group of district technology leaders in the state convened to get a game plan. “We said, ‘OK, this new law is going to be big and change a lot about how we do business. Let’s come up with a contract template for this but one that still allows us to do our own thing,’” Westerman recalls. “There was a lot of consensus and collaboration with that.”
The education leaders created the “Data Protection Addendum,” a document that each district requires its vendors to sign. A sample addendum—in this case, it was used with the company Amplify—can be viewed here. As part of its commitment to public transparency, DPS publishes each data protection addendum and vendor privacy policy online.
Westerman is a “team of one” at DPS, he says, which makes him the only person in the state in his role or one like it, although district IT staff are sometimes drafted. “There are other people who do this work, but it’s not an official designation. They’re told, ‘Hey, this is part of your job now.’ Those folks need the simplest, easiest ways to manage this stuff. In Denver, we are fortunate enough to get to take a hard look.”
In his position, Westerman reports to the chief information officer’s (CIO) chief of staff, which is comparable to a deputy CIO.
Baltimore County’s Director of Innovation and Digital Safety
Over 1,000 miles away, in Baltimore County, Md., Jim Corns is helping steward the data of nearly 115,000 students.
Corns was named the new CIO of Baltimore County Public Schools (BCPS) in November 2018, but prior to that, he served as the district’s director of innovation and digital safety. It’s the closest thing BCPS has to a privacy official, Corns says.
The position was created in 2016, and Corns was the first to occupy it (it’s currently vacant, due to his promotion, but the district plans to fill it).
Unlike Denver, BCPS didn’t create the role in response to a new state law, nor was there a major data breach that precipitated it. The community was beginning to express concerns about privacy as schools adopted more and more technology, Corns says, and parents wanted to feel confident their students’ data was being handled appropriately.
“It was a proactive move [by the district] to say, ‘Look, this is where the future is headed, and this is how we’re getting in front of it,’” he explains.
In his first full year as director of innovation and digital safety, Corns says he devoted much of his time to data privacy—e.g., calls with the legal team about bringing on new vendors, establishing policies and procedures for vendor relationships, including what data to share and when to destroy it.
As part of that work, Corns’ team built out a data governance manual that laid out how the district would move data in and out of its system, as well as who would own it and how data would be suppressed to protect student privacy. They also developed a data-sharing agreement.
“Baltimore County takes a different tack in how we interact with our vendors,” Corns explains. “We don’t allow edits to our data-sharing agreement. It’s the document all of our vendors have to sign off on to do business with us. We’ve had vendors that refuse to sign it, and we don’t do business with them.”
Both Baltimore County and DPS are among a select group of school districts that have earned the Trusted Learning Environment seal from the Consortium for School Networking (CoSN). The seal, granted to only 17 districts so far, indicates that a district has a strong, clear commitment to student data privacy.
When Corns was in the director role, he attended bi-monthly meetings with leadership to discuss updates and changes that had been made to the district’s data privacy and data governance policies, and he frequently met with the district’s “chiefs” to discuss privacy issues, he says. “It’s definitely a best practice to have somebody work to ensure privacy at that level.”
Attai agrees, reiterating that if privacy personnel in a district aren't a part of the leadership team, they must at least be heard by it.
“Leadership has to be heavily invested in understanding the complexities of managing student data privacy. It has to support and drive the creation of a privacy program,” Attai says. “It doesn’t work without leadership investment. This is not something that can be bootstrapped from the bottom up.”