As I write this, the media is abuzz about the National Security Administration's use and possible misuse of U.S. citizens' personal data. Although there's little we can do about the fed's use of our e-mail or phone records (except to let our legislators know our thoughts), we can and should be working to ensure data security for our students, their families, and ourselves.
Haven't technology people like me been nagging about this for a very long time? Of course. But a refresher is important for two reasons. With data mining, data-driven decision making, and big data analysis becoming standard education practices, schools are collecting and digitally storing more and more information, both academic and personal. At the same time, new tools are making it easier for educators to be good custodians of this data—if they know about these tools and how to use them.
Your district's technology department has an important role to play in ensuring that data are private and safe—by requiring the use of programs and products that take privacy and security seriously; facilitating security audits of networks by independent contractors; and helping other school leaders create good security policies. Yet the technology department alone cannot keep data safe and secure. Every individual has a responsibility for helping protect student privacy. And every school leader has a responsibility for making this a districtwide understanding.
Here are a few things school leaders and all other school staff members need to do to maintain data privacy and security.
Know Laws and Policies
One of the great advantages of the read-write web is the ease with which information can be shared—classroom blogs, photos of daily activities on websites and Twitter, real-time progress reports, and so on. But the Family Educational Rights and Privacy Act (FERPA) spells out families' privacy rights regarding posting of such information. Your school district's Internet Acceptable Use policy may list additional rules, such as requiring parental permission before posting student work on the school's website or keeping students' last names, e-mail addresses, or other identifying information off school web pages. All staff members need to know what they're allowed to share and how to limit access if policy requires it.
Use Strong Passwords
School employees have the responsibility for an ever-increasing number of passwords, including those for the student administration system, network, e-mail account, learning management system, grade-book program, and voice mail. We all know what security gurus recommend: Create unique passwords for each application; change them frequently; include letters, numbers, and symbols; keep your written list hidden; and don't share passwords with anyone, especially students. But do all staff members in your school follow these guidelines?
At last count, I use 112 programs and websites that require a password. This is not a good situation for a guy who can't always remember what he had for breakfast. Given the sheer number of passwords most of us are required to use, special programs for securely storing passwords are becoming popular. Check out Password Safe for Windows or pwSafe for the MacOS. Biometric access—using facial recognition, fingerprints, or other characteristics unique to individuals—can't come too soon.
Use Screensavers and Device Login Screens
In visits to schools and classrooms, I continue to be dismayed by the number of unattended staff computers I see open to programs that anyone passing by can see. By default, all staff computers should have a screensaver that automatically kicks in after a few minutes of inactivity and requires a password to disable.
Portable computing devices like laptops, tablets, and smartphones have increased the complexity of data security. Requiring some form of login for these devices is a must—especially because they can be used to access student data. In addition, the technology staff must have the ability to remotely locate, control, and even erase the contents of school-owned portable devices, especially those used outside the building that are more likely to be lost or stolen.
Be Wary of Social Engineering Hacks
Here's a little secret most technology folks know: The easiest way to obtain someone's password is to ask them for it. Ever get a request for personal information from a bank you didn't know you had an account with? This is just one form of what are called social engineering hacks—those used to trick a victim into revealing personal information. Although trust in our fellow human beings is a lovely thing, school staff members need to be cautious when asked to divulge passwords by persons unknown.
Understand the Hazards Created by Viruses
These small pieces of code (which have been with us for 40 years) have the nasty ability to allow unauthorized computer or network access. Network firewall filters help protect computer users from these programs, but no filter is perfect. New viruses that filters don't recognize appear regularly. Social networking sites like Facebook have opened a new means of malware ingress, with games and programs used within the site sometimes containing viruses.
School staff can minimize exposure to viruses by never opening unexpected e-mail attachments, never downloading programs from unknown sources, turning the "macro" feature off or "macro security" on in word-processing and other applications, not using game or helper applications on social networking sites, and running a virus protection program.
Create Good Backups
This summer, it happened again. A teacher came to my office in tears because her computer was stolen from her car—and the only copies of her documents and digital photos, including information about her students, were on its hard drive. It's everyone's responsibility to maintain at least one backup copy of self-created documents. Teachers should also regularly create a backup of grade-book data if the grade book is a stand-alone program.
Fortunately, technology is making backups easier and more reliable. Large-capacity external hard drives cost less than $100, and programs like the MacOS's TimeMachine and Windows 8's File History can be set to automatically make regular backups onto these drives. Saving copies of files to online storage spaces, either on the Internet or a school server, is even more secure and reliable. Services like Dropbox, SugarSync, and Box, although not free, not only store copies of your files, but also allow you to access and sync your files from multiple devices. Staff in districts using Google Apps for Education can back up and sync 30 gigabytes of data for free in the same way.
Make Sure Students Know How to Protect Their Data
Students in our district can access their education data stored in our student information system using a student portal. They have their own e-mail accounts and store their papers, projects, and other homework online. And of course, they also post personal information to all sorts of personal social networking tools. If your curriculum does not include clear and frequent lessons about how to protect one's online information and reputation, your school is remiss.
