“It’s not a question of if. It’s a question of when.”

When it comes to the fears around student data breaches, those words are commonly heard from school district technology leaders and those who advise them. It’s meant as a caution to not be complacent and to ensure the school district is fully engaged in its student data privacy and security efforts.

All too often, though, well-meaning but under-resourced district teams are tasked with trying to prevent the unthinkable, sometimes within a school district climate that hasn’t fully come to grips with what is necessary to keep student data safe. On this note, it is particularly important to understand that technology alone cannot solve the problem. Instead, behavior change is needed. After all, multifactor authentication is a terrific security tool, but it doesn’t work if everyone isn’t willing to use it. Not using one password for everything is reasonable advice, but only if everyone follows it.

As with most behavior changes, those needed to truly build and grow a school district’s privacy and security program often are perceived as imposing some level of inconvenience. This perception often prevents a district from reaching its full potential when it comes to data privacy and security risk mitigation because we are, after all, creatures of convenience. Clearing the hurdles of our very human nature and implementing real organizational change requires that leaders drive it forward as an imperative for all.

Changing Behavior

The reluctance to change is often understandable. The nature of the risk and the value of the necessary behavior change aren’t always made clear. As Don Langenhorst, director of technology for Dedham Public Schools in Massachusetts, notes, “Today’s rapidly changing technological world makes student data privacy an ongoing and ever-evolving challenge.

“That said, a significant challenge for Dedham, and really for any district, is navigating rapid changes in risk while simultaneously sustaining the appropriate support and continuing to grow a secure culture among administrators, staff and students.”

Dedham Public Schools’ work in data privacy earned it the Consortium for School Networking’s Trusted Learning Environment Seal.

Yet a focus on behavior change is what’s needed in education, which is, at its core, a complex and human-driven function.

One area that particularly challenges many school districts is building a process of assessment and governance around classroom and organization technologies. The sheer scope of the technology leader’s role is vast, so the task of putting a process in place to review each provider’s practices can seem rather daunting. This is especially the case if the rest of the organization isn’t actively participating in the work.

However, ensuring your district has assessed the data privacy and security practices of each technology provider with which it shares students’ personal information is as foundational to a privacy program as understanding the district’s own student data practices.

In addition, by engaging in this work, school districts can set a solid and meaningful foundation for other organizational change that instills a culture of privacy and security that is so critical to organizational and student data safety. When it comes to safety, Louis McDonald, director of technology for Virginia’s 11,000-student Fauquier County Public Schools, says, “In many ways, it can be the easiest for us to manage, as it’s almost entirely dependent on the choices that we make.”

Elevated Practices

The questions, of course, are where and how to begin.

First, it’s important not to think of this as a technology problem, but rather an opportunity for the district as a whole to elevate its privacy practices. Rod Russeau, former director of technology and information services with Community High School District 99 in Downers Grove, Ill., says he believes information security and data privacy “are everyone’s responsibility, yet they are traditionally seen as the sole responsibility of the technology department. Working to bring significant awareness to all levels of leadership and staff is one of the most challenging aspects of developing a data privacy and information security program.”

This is where an organization’s top-level leadership is needed. The technology team — or any team — cannot do this alone. Leadership needs to communicate to all staff that protecting student data privacy and security is a priority for the entire district and that changes to certain practices will be necessary. The simple act of communicating the priority paves the way for needed changes.

Also, superintendents can meet with the technology team to learn about necessary resources. These may be financial, but they also could involve policy development or support in breaking down organizational silos to collaborate on protective measures.

CoSN’s Trusted Learning Environment self-assessment tool is a simple way to compare notes with a district’s technology team on the state of privacy and security to identify gaps and areas that need improvement and to set annual goals for data protection improvements over time.

It may seem elementary, but this type of leadership, in the form of partnership and communication, is one of the most critical ways a superintendent can support building truly functioning student data privacy and security programs.

Districtwide Acceptance

One reason this form of leadership is so effective is that building privacy and security programs — including creating practices to assess technology resources — requires development of cross-functional teams and an understanding (and acceptance) among staff of the changes to come. Leadership can help to short-circuit our otherwise natural, human tendencies to resist change, cutting through the noise and putting the district into action on the right work in the most efficient way possible.

As Kevin Perkins, former director of technology for Rockingham County Schools in Virginia, noted at the time his district earned its TLE Seal, “We are fortunate to have division leadership and a school board that prioritizes student data privacy, and we did not have the challenge faced by some divisions who have to make that case before getting this kind of work off the ground. I think the challenge is changing a culture … It takes sustained effort and time.”

This level of leadership also forces the breakdown of silos, a critical measure, particularly when it comes to assessing technologies. Whether the technology in question is generative AI or a simple website, the assessment should consider more than data privacy and security.

The district’s procurement team and instructional technology or curriculum team also likely would have a stake in determining what technologies are appropriate and acceptable for the district. In some cases, there may not be a need for a privacy and security review if those teams haven’t been able to justify further consideration for the product. The process of putting all the moving parts together is born out of collaboration that leadership can drive.

Ironically, for one urban district in the Southeast, the birth of generative AI, with all of the complexities and challenges it presents, helped to pave the way for developing just such a cross-functional team. The team, including parents, students, instructional technology and the technology support team, is working together on a methodical approach to support a positive experience and impact for students.

As part of the work, consider whether additional professional development resources would be helpful for your technology team. Many technology teams do not come into the district as privacy professionals. The superintendent’s support can help bridge the education gap they must close to perform the work.

A Vetting Process

When it comes to technology assessments, professional development will be necessary to assess the technology provider’s privacy and security practices, including what personal information the technology provider will be collecting, how the information may be used, how it may be shared, how it will be protected and how the district can readily exercise its rights in relation to the student personal information, including rights of parents and students.

Once the assessments have been completed and a determination made to move forward with a particular product or service, the technology staff must ensure a data protection agreement is put in place to document the expectations in a contract. This process should include consultation with the district’s data privacy counsel.

In addition, district leadership must ensure teachers are on board with and support the vetting process. Free and low-cost technology tools that teachers bring into the classroom without prior assessment create just as much risk as, and perhaps more than, tools the district may purchase. Classroom technologies that have not been properly assessed also can unnecessarily burden already complex networks and may bind the district to contractual terms known only to the teacher who agreed to them.

If you’re still not convinced, consider this: When was the last time you read the terms of use and privacy policy of a free app before downloading it? In light of your answer, how would your district possibly protect the privacy and security of student data if it’s going places that you’re not even aware of because the terms haven’t been considered? The privacy and security assessment matters, not just for the privacy and security of students’ personal information, but for the betterment of your district operations.

Building a privacy program — or even just a technology assessment process — takes time and will likely be disruptive in some regards. However, privacy and security risks stop and start with leadership, so moving into action is imperative.

Cultural Change

As with all organizational and cultural change, with proper leadership support behind it to encourage institution-wide engagement around the work, a more thoughtful process for assessing the technology that you allow through your schools’ doors will become second nature over time.

The success your teams have in undertaking this challenging practice will likely motivate them to further improve the maturity of the district’s privacy and security programs. In addition, the decisions top-level leadership makes to be more thoughtful and deliberate about the products chosen for use in the school district – and about the larger improvements to privacy and security programs – also may benefit the bottom line.

Reprinted with permission from School Administrator magazine, February 2024. Published by AASA, The School Superintendents Association.

Linnette Attai, a data privacy consultant in New York, N.Y., serves as project director for the Consortium for School Networking’s Privacy Initiative and Trusted Learning Environment Program. E-mail: LAttai@CoSN.org. CoSN is a nonprofit professional organization for K-12 educational technology leaders.