Digital Safety @ CCS

Student data privacy refers to the responsible, ethical, and equitable collection, use, sharing, and protection of student data. Student Privacy Compass

 

 

 

 

 

 

Data Governance

We look holistically at the collection, protection, use, and life cycle of our data. Technology is a key component of the process, but even more important are the processes around data use. And most important of all are the people who carry out those processes and use the data. 

People, processes, and technology are the framework for our data governance. 

Technology

Examples of technology protecting our data:

• ContentKeeper filtering solution
• Multiple data backups
• Routine vulnerability scans

Processes

Examples of processes protecting our data:

• LearnPlatform digital tool request process
• Block/unblock request form for staff
• Report phishing button in staff email

People

Examples of people protecting our data:

• Phishing prevention training
• Data security training
• Role-based permissions and access

There are several laws regarding student data privacy, some apply to schools while other apply to vendors. Four of the major laws are listed below.  

Digital Tool Evaluation Process

There are two ways digital tools are approved for use in Carmel Clay Schools. These include tools that require student accounts or are used to collect or store student information. Tools that do not require student logins or tools that students choose to use independently from classroom requirements are not necessarily included. 

formal program evaluation and curriculum adoption process

Curriculum adoption of digital tools uses an evaluation rubric covering topics such as accessibility, interoperability with current systems, student and teacher account provisioning, and data privacy. Examples include Canvas, McGraw-Hill online textbooks, and Google Workspace for Education. 

LearnPlatform digital tool request process

Teachers who wish to incorporate supplemental digital tools into their classrooms must first check the digital tool library in LearnPlatform. If the tool they wish to use has not already been evaluated, is not listed in the library, and requires student accounts and/or will store student information, they must request an evaluation.

The evaluation process consists of five possible steps. A tool may be denied at any point in the process and must successfully reach Step 5 to be added to the library as an approved tool. Examples of approved tools include Canva for Education and Screencastify. Examples of denied tools include Epic! and Prodigy Math. The complete list of reviewed tools is available at https://ccs.app.learnplatform.com/new/public. 

• Step 1 - Requested
  • Teachers request access to digital tools
  • Once a tool has 5 or more requests, it moves on to step 2
• Step 2 - Building Review
  • Building administrators review the tool, if approved it moves on
• Step 3 - District Review
  • District administrators review the tool, if approved it moves on
• Step 4 - Data Privacy Review
  • Data privacy officer works with the vendor to secure a data privacy agreement (DPA)
• Step 5 - Final decision
  • Once the tool as passed building, district, and data privacy evaluations, both CCS and the vendor sign a data privacy agreement and the tool is added to the LearnPlatform library.

A data privacy agreement is a legally binding contract between a data controller and a data processor, which defines how data will be used. In this case, the data controller is Carmel Clay Schools, while the data processor is any third-party vendor with whom data are shared. 

For schools, a data privacy agreement establishes several key parameters that govern what a third-party vendor can do with data, including:

• Defining student data
• Designating the vendor as a school official under FERPA
• Establishing CCS ownership of the data
• Limiting the use of data to only services defined by the contract
• Requiring compliance with all applicable laws and regulations
• Prohibiting disclosure of the data 
• Forbidding the use of data for advertising purposes
• Determining the data destruction process

Depending on the vendor, it may take days or weeks to negotiate a DPA that works for both parties. Most vendors are willing to work with schools to come to an understanding, and data privacy laws in states such as California, Illinois, New York, and Connecticut are helping to push the conversation forward. 

Personal privacy check-ups

It's important to routinely check on the privacy settings for your own digital life. Best practices include:

Password protection

• Don't reuse passwords on multiple sites, use a different password for every site
• Don't use information that is easily available in your passwords (kids' names, pets' names, birthdates, anniversary dates, etc.)
  • Federal Trade Commission article on why this is important
  • Jimmy Kimmel Live experiment on why this is important
• Think passphrase, not password
• The longer the better; at least 12 characters is best
• Consider using a password manager to generate complex passwords for each site you use
• Avoid keeping a handwritten or digital list of passwords

Turn on multifactor authentication whenever possible

Multifactor authentication (MFA) requires two of the three following elements to log in

• something you know (like a password)
• something you have (like a mobile device that can receive a one-time use code)
• something you are (biometrics)

By enabling MFA, your account is much less likely to be hacked, even if your password becomes compromised. This is especially important for sensitive accounts like banking and health care. For more information on MFA, visit the Cybersecurity & Infrastructure Security Agency (CISA) website. 

Check the privacy settings of the digital tools you use

• The National Cybersecurity Alliance maintains a list of commonly used platforms
• Delete accounts for sites you are no longer using