5 Critical Steps to Operationalize Privacy in a School District

By Guest Contributor Andy Bloom, VP, Chief Privacy Officer, McGraw Hill

The K-12 privacy landscape is changing rapidly. The ways in which technology is applied to learning and the environments in which students and teachers use that technology are evolving. The sudden shift to online learning during the pandemic only accelerated that evolution and caused headaches for district privacy leaders across the country, as they worked (and continue to work) to monitor what software is in play across districts. The task of ensuring school compliance has not eased, nor have the digital demands of the modern classroom.

The type of personal information schools collect is also evolving. As schools adopt whole-child approaches to instruction, measuring social and emotional learning and student well-being needs potentially creates a new set of information to manage and protect. From an academic perspective, as students increasingly learn and take assessments using technology, each of their digital interactions can inform educators about their needs.

To navigate the changes that are already here and those yet to come, districts will need a robust strategy and a tangible, applicable set of best practices. Whether you work in a small district ready to get ahead in the privacy space, or a larger district navigating a disjointed privacy environment, it’s critical to operationalize privacy: that is, to get the strategies, processes, procedures, and common understandings in place that enable you to manage, measure, and plan your approach to privacy.

The following are what I believe to be the top critical steps to operationalize privacy in a school district – and the necessary actions to take to prepare your community for the future.

  1. Create a Personal Information Inventory
    Understanding what specific personal information your district collects and processes

    The first step is to get your bearings on your school’s individual personal information landscape. In any sector, it’s nearly impossible to operationalize privacy without understanding what personal information an organization has. The key is to develop (usually over time) an inventory of systems and business activities that collect and process personal information so you can identify the data flows and use. Simply put, to operationalize personal information, you have to know what you’re working with.

    For more on why this is critical, read: “Why Should Your School Care About Cybersecurity?”
  2. Provide Notice
    Providing parents with notice of what information is collected and processed

    Notice is required by almost all privacy laws and regulations. But beyond compliance, simply being transparent with parents (or any individual) is key to reassuring them that you are doing things properly. Be sure that your district has a notice on file that is accessible to parents and explains how student information is collected and used, as well as who you share personal information with, such as vendors.

    Equity and accessibility are also key here. Any communication with parents and families should be made available in the languages spoken in your community, both digitally and through paper mail for those who don’t have internet access, and should align to your district’s approach to building transparent, trusting relationships with families.
  3. Establish Policies
    Establishing internal policies for appropriate collection and processing of personal information

    Having an internal policy is key to making sure there is a standard across the board on how personal information is collected and processed. It can be challenging to create policies that prioritize safeguarding and protecting personal information while still leaving room for educators to creatively use that information to differentiate instruction. For a few basic principles to keep in mind when striking that balance in your policies, see “Supporting Student Data Privacy: An Educator’s Conundrum.”
  4. Start Training
    Providing privacy training for all school staff

    Employees need to understand each of the above principles, because much of the ability to really operationalize privacy relies on ensuring educators know what they need to do. In the way that educators strive to make learning individualized for student needs, privacy training should be individualized to staff roles. It should consider the ways in which they interact with personal information in their daily work and the intersection between stakeholders.

    As much as possible, training shouldn’t be isolated to a set of sessions, but translated to a culture of awareness and best practices. It can be tricky to balance explicit training and awareness in daily work, but it will go a long way to ensure compliance in the long run.
  5. Establish Vendor Management
    Doing due diligence and contracting for vendors that collect and process personal information on the district’s behalf

    Every district outsources processes to vendors for busing, meals, health, instruction, and more. You can’t have a successful privacy program unless you ensure that your vendors and partners also meet your internal policy requirements.

    When it comes to EdTech and learning software vendors, look for externally verified stamps or badges of approval, such as vendor alignment to the IMS Global Learning Consortium, vendors that have signed the FPF / SIIA 2020 Student Data Privacy Pledge, or vendors that are members of critical student privacy organizations, such as the Student Data Privacy Consortium. Make sure educators are aligned and understand what systems they can and can’t use and have time to prepare curriculum for the impact of policy changes.

These five principles are of course not comprehensive, and within each are nuances and interdependencies that will vary between each district. Your district’s needs are personal to your district’s journey with privacy, education technology, infrastructure, and even pedagogical approaches to supporting students, like the whole child example I referenced above. Regardless of your individual challenges and objectives, privacy must be prioritized, operationalized, and continually revisited, because the technological evolution in our industry will continue through most of our careers – we just need to be ready to protect and empower students and teachers.

For more information and resources on managing and protecting personal information in schools, be sure to bookmark the U.S. Department of Education’s Student Data Privacy site, designed just for K-12 officials: Protecting Student Privacy, U.S. Department of Education.


Andy Bloom

Andy Bloom is Vice President and Chief Privacy Officer of McGraw Hill, overseeing the McGraw Hill global privacy program. Prior to joining McGraw Hill, Andy worked at the Graduate Management Admission Council as the Director, Data Protection and Privacy. Andy has served on the International Association of Privacy Professionals’ (IAPP) Education, Training, and Publication Advisory Boards and is an IAPP Fellow of Information Privacy. Andy currently serves on the Future of Privacy Forum Advisory Board and the Student Data Privacy Consortium’s Management Board.