6 Device Security & Compliance

Basics

Schools have long taken steps to safeguard students and their data even when most records were kept on paper and stored in file cabinets or locked in safes. The Family Educational Rights and Privacy Act (FERPA) was passed in 1974, which is well before even personal computers were commonplace in schools. With digital records becoming somewhat of an expectation for managing student data, students and staff must be vigilant about maintaining student confidentiality for some types of personally identifiable information (PII) and student records that may include academic, health, discipline, and other records.

To support the efforts of staff, students, and families that access school or district resources, IT technicians are charged with implementing and maintaining secure environments that help protect confidential data and information. IT staff have to understand how student privacy laws impact how data is transferred and stored and which data must be kept confidential and accessible only to those with the legal right to use it. There are legal considerations that will influence your mobile device deployment, and you should understand your role in following them.

You should know the following terms:

  • Acceptable Use Policy (AUP)
  • Access Controls
  • Compliance
  • Consent Mechanisms
  • Copyright
  • Digital Citizenship 
  • Encryption
  • Intellectual Property (IP) rights
  • Personally Identifiable Information (PII)
  • Privacy Laws
  • Secure Storage
  • Student privacy laws

IT technicians play a key role in keeping computers, smartphones, and other devices safe from potential threats and unauthorized access. Technicians must be equipped with the knowledge and tools to ensure that systems and information are protected from hackers, viruses, and other dangers. Some important concepts and practices that help maintain a secure and trustworthy environment for everyone include understanding and complying with privacy laws--including federal student privacy laws--using secure storage practices, data encryption, and developing acceptable use policies.

Privacy Laws are rules and regulations that control how personal data and privacy rights of individuals are protected. These laws ensure that individuals have control over their personal information and that it is handled responsibly. They establish guidelines for organizations and entities on how to collect, use, store, and share personal data. The purpose of privacy laws is to safeguard individuals' privacy, prevent unauthorized access or misuse of personal information, and promote transparency and accountability in data handling practices. 

Student privacy laws are similar to general privacy laws, with further considerations, guidelines, and requirements for how schools handle and use student information. Compliance refers to adhering to legal and regulatory requirements for collecting, storing, and managing data. It is important that students and staff in your school(s) and district comply with privacy laws to maintain the privacy rights of individuals and build trust in the handling of personal data.

To safeguard personal data, data protection practices like secure storage, encryption of data, implementation of access controls, regular data backups, and secure disposal of unneeded data are important aspects of compliance as well. Organizations must obtain appropriate consent, most often from parents or guardians, when collecting and using student data. Clear notifications must also be provided about the purpose of data collection, the rights of students and parents to that data, and how the data will be protected and used.

  • Secure storage uses technology and relies on people to follow appropriate data practices to protect digital information from unauthorized access, loss, or theft.
  • Encryption converts data into a code that can only be deciphered by a key. It makes the data unreadable to anyone who does not have the key.
  • Access controls are a critical component of access control management, a critical cybersecurity practice. Your district should develop consistent access rights for each user role and assign users to their appropriate roles. Role-based access is based on the users' need to know, least privilege, privacy requirements, and/or separation of duties. 
  • Consent mechanisms are a means of collecting consenting from responsible parties for accessing and using student data. Minors cannot provide their own consent. In many school districts, consent is still provided through a signature (wet signature) on a form such as an Acceptable or Responsible Use Policy.

Additionally, your district IT Department should have procedures established for responding to data breaches or unauthorized access to personal information. They should have created incident response plans that include notifying affected individuals and taking necessary actions to lessen the impact of a data breach. Your job is understanding these plans and knowing what your responsibilities are in the case one might be implemented.

In order to comply with privacy laws, it is important to understand applicable laws and regulations. IT technicians need to be familiar with privacy laws and regulations, including the Family Educational Right and Privacy Act (FERPA), the Children’s Internet Protection Act (CIPA), and the Children’s Online Privacy Protection Rule (COPPA), all of which are Federal laws. It is also crucial that your district develops and communicates a privacy policy to all students, families, and staff that explains how personal data is collected, used, stored, and protected within the organization. Make sure the policy complies with privacy laws and provides individuals with clear information about their privacy rights. 

There are also some mobile device-related legal considerations for users in organizations and schools. An Acceptable Use Policy (AUP) that outlines the proper and responsible use of all district and school technology resources, including mobile devices, should be developed and enforced. Sometimes these policies may be referred to as a Responsible Use Policy (RUP). These policies should include guidelines for users regarding acceptable uses of their devices--whether personal or provided by the district, requirements for keeping data secure, and how they can comply with relevant laws and regulations. Education and training for digital citizenship, including responsible and ethical use of mobile devices and privacy laws should also be used, and users should have an understanding of copyright laws and intellectual property rights so they don’t use their devices to inappropriately use content, media, or ideas of others that are protected by copyright. 

Here are additional resources you may find useful:

Complete the following task or self-assessment:

Assess compliance with student privacy laws within your institution. Follow the steps below:

  1. Review the student privacy laws applicable to your jurisdiction or institution, such as FERPA or GDPR.
  2. Evaluate the current data protection practices and policies in place within your institution. Identify any areas that may require clarification or stronger alignment with legal requirements and share those with your team or supervisor(s).
  3. Assess the consent and notification processes followed for data collection and use. Ensure that appropriate consents are obtained and clear notifications are provided to parents or guardians. If not, determine who should be informed to improve the processes.
  4. Examine the acceptable use policy for mobile devices within the educational environment. Ensure it covers relevant legal considerations and provides guidelines for responsible device usage. Know whom to follow up with if you identify concerns or questions, and do follow up with them.
  5. Review the digital citizenship education programs and resources available to students and staff. Ensure they address privacy, security, and legal aspects of mobile device use. If they don’t, what steps can you take to inform school or district leaders that they should?