Schools collect, maintain, use and disclose a large amount of sensitive information of students and employees, including educational records, Social Security numbers, health plan information and health care records (medical, behavioral health, substance abuse, etc.). Schools may also utilize software, mobile apps, educational services and websites that collect, use and disclose additional student information. Keeping track of this information, how it is protected and who is using it can be daunting.
In order to be able to account for and safeguard the student and employee information a school maintains, and to pro-actively address privacy concerns in the context of new and emerging technologies, we suggest the following best practices for schools to incorporate into their existing IT, HR and administrative functions:
- Appoint a Chief Privacy Officer: Generally someone in an IT or HR role, the Privacy Officer is the individual responsible for the school’s privacy program and would be the “face” of the school in the event of a privacy incident. From a practical, regulatory and community relations perspective, it is important to have someone “in charge” of privacy matters.
- Conduct Periodic Privacy Assessments: A privacy assessment may be conducted internally by the Privacy Officer (with support from IT, HR and administrative professionals) or by an external consultant. The objectives of the privacy assessment are to: (i) determine what data the school maintains; (ii) determine where such data is located; (iii) identify the risks to such data (e.g. hack, theft, misuse); (iv) review the school’s current privacy safeguards; and (v) identify areas for improvement, if any. A privacy assessment may be conducted annually, bi-annually or upon any material change in the school’s IT systems.
- Establish a Data Privacy and Governance Committee: Some schools, particularly larger ones, may desire to establish a committee to receive privacy-related feedback from stakeholders (e.g. parents, students, and teachers) and to assist the Privacy Officer.
- Periodically Review Privacy Policies: Schools should have privacy policies addressing the collection, use and disclosure of student and employee information, and, most importantly, how to respond in the event of a data incident or breach.
- Develop Vendor Screening/Contract Review Process: Schools should develop a protocol to ensure that data disclosed to third parties will be protected adequately and used appropriately. For example, schools may ask potential vendors to answer certain data privacy questions (e.g. do you encrypt all data?) and to certify compliance with data privacy best practices and applicable state and federal laws.
- Provide Staff Training: A privacy program is effective only if school staff are aware of it and understand their obligations. Schools should consider incorporating privacy-related topics, such as data breach response or disclosing student information to third parties, into its existing in-service or other training programs.
The above best practices are not a one-size-fits-all solution and each school should consider how best to implement these practices into their organizations in light of the school’s size, data held, resources, finances and existing privacy policies.