Chief Privacy Officers: The Unicorns of K-12 Education

By Anne Rowe for DPS board, March 15, 2019

Last month, the not-for-profit Center for Democracy and Technology (CDT) released a report arguing schools and districts need to go the way of other industries and hire a Chief Privacy Officer to oversee their organization’s privacy policies and practices.

Page by page, the report describes what a CPO is, why the role is necessary and even provides a two-page sample job description districts can use to start the hiring process for a CPO.

The intent here is good, says Linnette Attai, a K-12 privacy expert and founder of the global compliance consulting firm PlayWell, LLC. Schools and districts collect, manage and analyze more data now than ever before. That data can be used to improve K-12 decision-making, tailor instruction to each student and flag when a student needs additional attention or support. But because data can also be misused, mishandled, exposed and manipulated, it must be protected. Hence the need for a Chief Privacy Officer—someone who can develop and implement privacy policies, train staff on privacy procedures and make sure that all data is collected and shared securely.

But the reality is that Chief Privacy Officers in K-12 education are about as common as unicorns. EdSurge called education nonprofits, a technology association and a handful of privacy experts, and none could identify a single school district with a K-12 CPO. In fact, it is still incredibly rare for districts to hire even one full-time employee dedicated to privacy—leadership or otherwise—says Attai, who regularly advises K-12 districts on privacy issues.

“It should be a leadership position, but it’s not,” she tells EdSurge. “We’re a really long way off from it ever being there, and we may never ever be there.”

The reason comes down to funding, Attai says. K-12 districts have to set their priorities, and while privacy continues to move up that list, a CPO isn’t likely to make the cut.

Still, she emphasizes that the absence of a CPO in K-12 is not synonymous with an inferior privacy program: “It’s unfortunate, but it doesn’t have to be detrimental to student privacy protections.”

Instead of going the more aspirational route described by the CDT, Attai argues that districts should start by giving privacy staff—or the closest they have to it—the ears and attention of school leadership. If they’re not going to have a seat at the table, they at least need to communicate with those who do.

In at least two public school districts—both large systems that serve close to or more than 100,000 students—that’s how it works. Denver Public Schools in Colorado and Baltimore County Public Schools in Maryland have each hired a senior-level official who is responsible for the organization’s privacy policies and data governance.

Denver’s Student Data Privacy Officer

Two years ago, Denver Public Schools created a new role, the Student Data Privacy Officer, after the Colorado legislature passed a law to promote student data privacy and transparency.

Bryan Westerman, then a customer tech analyst for the district, became the first person to fill the position. At a high level, his job is to ensure that DPS—the largest district in the state, with 90,000 students—complies not only with federal privacy laws (FERPA, COPPA, CIPA) but with the new state one as well.

Colorado was one of the first states, along with California and Connecticut, to pass a sweeping student privacy law, Westerman says. The law focuses on three main areas: data use and data use restrictions for third parties; data destruction, which is required at the end of a contract term or vendor relationship; and transparency, so the public can know which vendors each district does business with.

In his role, Westerman works closely with the district’s legal team to make sure their policies are in compliance with the law. He also spends a lot of time on contract reviews, he says.

When the state legislature passed its privacy bill in summer 2016, a group of district technology leaders in the state convened to come up with a game plan. “We said, ‘OK, this new law is going to be big and change a lot about how we do business. Let’s come up with a contract template for this but one that still allows us to do our own thing,’” Westerman recalls. “There was a lot of agreement and cooperation with that.”

The education leaders created the “Data Defense Addendum,” a document that each district requires its vendors to sign. A sample addendum—in this case, it was used with the company Enhance—can be seen here. As part of its commitment to public transparency, DPS publishes each data defense addendum and vendor privacy policy online.

Westerman is a “team of one” at DPS, he says, which makes him the only person in the state in his role or one like it, although district IT staff are sometimes drafted. “There are other individuals who do this work, but it’s not an official classification. They’re told, ‘Hey, this is part of your job now.’ Those folks need the most basic, easiest ways to handle this stuff. In Denver, we are fortunate enough to get to take a tough look.”

In his position, Westerman reports to the chief information officer’s (CIO) chief of staff, which is comparable to a deputy CIO.

Baltimore County’s Director of Development and Digital Security

Over 1,000 miles away, in Baltimore County, Md., Jim Corns is helping steward the data of nearly 115,000 students.

Corns was named the new CIO of Baltimore County Public Schools (BCPS) in November 2018, but prior to that, he served as the district’s director of development and digital security. It’s the closest thing BCPS has to a privacy official, Corns says.

The position was created in 2016, and Corns was the first to occupy it (it’s currently vacant, due to his promotion, but the district plans to fill it).

Unlike Denver, BCPS didn’t create the role in response to a new state law, nor was there a major data breach that precipitated it. The community was starting to voice concerns about privacy as schools adopted more and more technology, Corns says, and parents wanted to feel confident their students’ data was being handled appropriately.

“It was a proactive move [by the district] to say, ‘Look, this is where the future is headed, and this is how we’re getting in front of it,’” he explains.

In his first full year as director of development and digital security, Corns says he devoted much of his time to data privacy—e.g., calls with the legal team about bringing on new vendors, and developing policies and procedures for vendor relationships, including what data to share and when to destroy it.

As part of that work, Corns’ team built out a data governance handbook that laid out how the district would move data in and out of its system, as well as who would own it and how data would be minimized to protect student privacy. They also developed a data-sharing agreement.

“Baltimore County takes a different tack in how we interact with our vendors,” Corns explains. “We don’t allow modifications to our data-sharing agreement. It’s the document all of our vendors have to sign off on to do business with us. We’ve had vendors that refuse to sign it, and we don’t do business with them.”

Both Baltimore County and DPS are among a select group of school districts that have earned the Trusted Learning Environment seal from the Consortium for School Networking (CoSN). The seal, awarded to just 17 districts so far, indicates that a district has a strong, clear commitment to student data privacy.

When Corns was in the director role, he attended bi-monthly meetings with leadership to discuss updates and changes that had been made to the district’s data privacy and data governance policies, and he regularly met with the district’s “chiefs” to talk about privacy issues, he says. “It’s absolutely a best practice to have someone work to ensure privacy at that level.”

Attai agrees, reiterating that if privacy staff in a district aren’t a part of the leadership team, they should at least be heard by it.

“Leadership has to be heavily invested in understanding the intricacies of handling student data privacy. It has to support and drive the creation of a privacy program,” Attai says. “It doesn’t work without leadership investment. This is not something that can be bootstrapped from the bottom up.”