In New Hampshire, school technology directors collaborate to protect student data

By EILEEN O’GRADY

Monitor staff

Published: 11-26-2022 4:00 PM

Keeping students’ school data private online is an increasingly high-stakes task. But for a small New Hampshire school district, getting a large tech company like Microsoft or Zoom to agree to protect their student data can be a daunting task.

After all, school districts use hundreds of different software programs that range from teaching apps like Edpuzzle to student information systems like PowerSchool. The process of trying to convince each company to agree to an individual contract to protect student data privacy for the district – a contract that needs renewing every few years – can be a near-impossible full-time job for someone like Bow and Dunbarton school technology director Roy Bailey.

“In terms of workload, we would have to read the privacy agreement for every one of these apps, hopefully have enough expertise to understand the legalese, and then keep track of it,” Bailey explained. “If you don’t get a vendor to sign a multi-year contract, they can change it at any point; you’d have to continually vet it. And if you are a fairly small school district, you don’t really have the muscle to entice the vendor into agreeing to your terms.”

For the past three years, an alliance of school technology directors called the New Hampshire Student Privacy Alliance has been working together to solve this very problem. Each school district chips in a fee – $1.10 per student – and collectively hires a consultant to do much of the negotiating with companies on their behalf. The idea is that school districts working together as a single unit can have more leverage with the companies and reduce the overall workload for each district.

“When we sign the contract, we know that our liability has been transferred from us to the company, basically,” said Pamela McLeod, technology director for the Concord School District. “It’s also kind of shifting the heavy lifting to the districts which have more staff and more capabilities, and kind of letting the smaller districts pay a little bit less attention.”

The New Hampshire Student Privacy Alliance was started in 2019 by McLeod, Oyster River technology director Joshua Olstad and the Massachusetts-based education cooperative TEC in response to House Bill 1612, which was signed by Gov. Chris Sununu in 2018 and requires all schools to develop a data security plan. They formed their alliance under the umbrella of the national Student Data Privacy Consortium. Today, New Hampshire’s alliance includes 87 public school districts, three charter schools and one private school district, and handles data privacy for 82% of New Hampshire students.

Under state and federal law, schools must protect every bit of a student’s personal identifying information, including their first and last name, age, grade level and more. All student work – essays, tests and even art assignments – also needs to be protected, as its considered part of the educational record. New Hampshire is one of the few states that requires school employees’ data to be protected as well. Since public school employees are in the public sector, many things – name and salary, for example – are public information, but personal things like their home phone number, home address and social security number must be kept private under the law.

The technology directors said HB 1612 went into effect with little support from the state, did not include implementation funding, and no one from the NH Department of Education was assigned to support school districts during the process.

Article continues after...

Yesterday's Most Read Articles

“When the bill passed it was, I think, pretty intimidating for most school districts,” McLeod said. “They put in a lot of requirements.”

McLeod said maintaining privacy is important for schools to do because children’s data is valuable on the black market. It’s easier to impersonate a child using stolen information than it is an adult, she explained, because children don’t have credit records yet. That’s why she recommends parents freeze their child’s credit until they come of age.

“It’s surprising, people don’t think there’s much value in a child’s information, but [thieves] are partially gathering this information for future crimes against now kids when they become adults,” McLeod said. “If you have one data set from the school or from the application that you were able to steal, and then you’ve got other datasets from other places and these are all bought and sold on the black market, all of a sudden you’re able to collate the data.”

So far, New Hampshire’s Student Privacy Alliance has successfully entered into data privacy agreements with over 1,300 products including Microsoft, Canva, McGraw Hill, PickUp Patrol and PowerSchool. But some companies, including Google, Apple, Adobe and the New York Times have declined to sign their agreement. In the Concord School District, McLeod declines to use some products like Calendly which hasn’t signed an agreement. But if a product already has strong security that exceeds New Hampshire’s legal requirements McLeod may allow it, as is the case with Adobe.

“It’s that evaluation of risk against innovation,” McLeod said. “At some point you have to decide if you’re confident enough in the company that it meets the state standards and are willing to use it.”

The protection of student data has changed dramatically in the last two decades. Olstad says his work today is a vast contrast from the days pre-2010 when student data was kept in paper files.

“You’d have to come down to the front office, you’d have to request that file, you’d have to sign it out, review whatever you want to review and then that file gets closed up, returned and put back,” Olstad said. “Now you have this explosion of things like Google Docs and ed tech tools where that barrier of going to a physical place to get something isn’t there anymore. You have access to stuff and there’s an easy way to share access.”

School technology directors have to work closely with classroom teachers, to make sure they are only implementing programs that have been vetted to make sure their privacy policies meet the legal standards, and don’t include targeted ads.

“Anything that attaches to the internet has to be vetted,” Bailey explained. “The thing that’s confusing to some teachers is they might have the kids go to a website, they don’t know it needs to be vetted but the website will put cookies on your browser and use that for targeted advertising, which is illegal for students under the age of 13.”

Since New Hampshire’s Student Privacy Alliance was launched, states like Rhode Island, Maine and Vermont formed their own alliances, also with the help of TEC from Massachusetts. Some alliances are now trying to collaborate on privacy agreements, in order to have even more leverage. Nationally, the Student Data Privacy Consortium now has 34 states under its umbrella, support each other’s efforts. Collaboration is not an easy task because legislation varies across states.

“The goal is to come up with a single document that could be used nationally,” said Olstad, who sits on the Consortium’s management board.

McLeod says New Hampshire’s efforts are unique due to the collaboration of school technology directors who are doing the work voluntarily in addition to their regular day-to-day jobs, in order to make sure students data stays safe.

“A lot of states are looking to New Hampshire as the model for how to do this and watching how successful we’ve been, completely in the course of our regular jobs,” McLeod said.

]]>