The increasing integration of technology into every facet of K-12 education has brought with it a complex and evolving challenge: safeguarding sensitive student and staff data. School districts across the nation are grappling with the potential ramifications of data breaches, which can lead to significant financial penalties, prolonged legal battles, and a severe erosion of trust within the community. Recognizing this critical need, educational leaders are increasingly prioritizing robust data privacy practices, moving beyond mere legal compliance to cultivate a culture of data stewardship.
This shift was underscored at the recent Consortium for School Networking (CoSN) annual conference, where educators and administrators convened to share best practices and innovative solutions for data privacy. A particularly insightful session featured David Zagray, Technology Director at Westlake City Schools in Ohio, and Amanda Musselman, Associate Superintendent of Instruction at the same district. Joining them virtually was Dawn Schiavone, Student Data Privacy Officer for the Northern Buckeye Education Council, a non-profit organization providing collaborative administrative support to school districts in Northwest Ohio. Their collective experience highlighted a proactive approach, emphasizing that data privacy is not an afterthought but a foundational element of responsible educational leadership.
The Imperative for Proactive Data Privacy
The core message from the Westlake City Schools team and their collaborators was clear: data privacy should not be reactive, waiting for a mandate or a security incident to spur action. Instead, it must be woven into the fabric of daily decision-making. "Data privacy should be considered in district decisions because it’s the right thing to do, not just because it’s the law," stated Schiavone, articulating a sentiment that resonated throughout the discussion.
While adherence to federal regulations like the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA) is non-negotiable, and state-specific legislation such as Ohio’s Senate Bill 29 (SB 29), passed in 2024, adds another layer of compliance, the ethical imperative to protect students and staff transcends legal requirements. Schiavone pointed out that many states still lack comprehensive data privacy mandates. "It’s even more important for you to not wait for that mandate," she urged. "If you have some sort of alliance in your state or something like that, work with that alliance."
Westlake City Schools, serving approximately 3,100 students across four schools, has actively embraced this philosophy over the past year. Their efforts have focused on embedding data privacy into the district’s culture, recognizing its significance beyond technical implementation. A key component of their strategy involves leveraging resources like the Student Data Privacy Consortium (SDPC). The SDPC maintains a registry of vetted digital resources and vendors that have entered into formal data privacy agreements, providing a crucial layer of assurance for districts.
Zagray emphasized the importance of inclusive participation in the data privacy initiative. He stressed that data privacy should never be perceived as solely a "tech department project." Instead, it requires the engagement of all key stakeholders from the outset, treating it as a core business necessity. This inclusive approach helps to foster a shared understanding and commitment to data protection across the organization.
Deconstructing the Digital Landscape: The Audit as a Strategic Tool
One of the most daunting tasks for any school district is conducting a comprehensive audit of all digital tools and resources in use. The sheer volume of applications, coupled with the evolving nature of educational technology, can make this process feel overwhelming. Amanda Musselman acknowledged this challenge: "Your goal here is not to spin your wheels when you have hundreds, if not thousands, of applications that you will have to review one at a time. You need to have someone in that room that knows what that application is, how it is being used, if it is valuable, if it is not valuable. And then we’ll also, of course, look at the data privacy component."
Westlake City Schools faced a similar reality when they began their audit. Zagray recalled a startling discovery: their Google console indicated that student personal information was being shared with thousands of applications. This vast number was clearly unmanageable for efficient review. To streamline the process, the district implemented a strategy of self-reporting. Staff were asked to complete a Google Form detailing the applications they were utilizing. This initiative significantly reduced the initial list from thousands to approximately 320 applications. The technology team then dedicated about five months to meticulously evaluating each of these applications individually.
The communication of audit results was a critical step in this process. The district developed a comprehensive spreadsheet categorizing applications as "approved," "pending," or "denied." For denied applications, detailed explanations were provided. These reasons ranged from past malware incidents to the vendor’s refusal to sign a data privacy agreement. This transparency was vital in managing expectations and fostering understanding among faculty and staff.
"It’s important that your staff knows if they have been using Khan Academy, for example, which is very well-used, if they’re going to come back in August and all of a sudden be told they can’t use it, you’re going to create an issue," Musselman explained. "These are all well-educated adults, and we all deserve to know why we can’t use something that we’ve been using in the past."
A nuanced approach was adopted for applications that, despite lacking formal data privacy agreements, were deemed essential for certain academic functions. These were placed in a fourth category, requiring parental consent at the beginning of each school year. Examples of such applications included ACT.org, YouTube, and the Adobe Software Package. This tiered system ensured that essential educational tools could still be utilized while respecting parental rights and district privacy standards.
Furthermore, the audit process provided a framework for the district’s future approval strategy for new digital tools. This included the development of a flowchart outlining their vetting approach and the maintenance of a continuously updated spreadsheet of all approved and denied applications. This systematic process ensures ongoing diligence and consistency in technology adoption.
Building Trust Through Transparency with the Community
Beyond empowering educators with clarity on approved and denied tools, the presenters at the CoSN conference strongly advocated for transparent communication with the broader school community. Resources like the SDPC registry and the CoSN Trusted Learning Environment (TLE) framework were highlighted as valuable tools for vetting digital platforms and providing context for their usage.
However, the responsibility extends to making this information readily accessible on district websites. Musselman suggested integrating data privacy information into existing "annual notices" sections. "We have [information] specific to Senate Bill 29, specific to Ohio, that is on our notices website, just so parents can see the ‘why’ and what is occurring and what is mandated," she explained. This proactive disclosure builds trust and educates parents about the district’s commitment to protecting their children’s data.
The importance of robust backup plans and preventative measures was also stressed, particularly for instances where parents opt out of granting permission for certain applications. Zagray shared Westlake’s experience with YouTube. When parents denied permission for their children to use the platform, the district implemented technical blocks through its web filter and Google admin console to ensure these requests were honored.
For applications like Khan Academy, which were fully denied due to the absence of a data privacy agreement, the district communicated clearly that while parents could utilize the platform at home, the district could not assume liability for any student data entered into it.
The underlying principle is a profound sense of responsibility. "When kids enter the school, she said, educators are responsible for them and need to keep them safe in every way. And that means ‘we also have to make sure we’re watching all their data, because the online world now is becoming just scary in some senses.’"
The session concluded with a powerful reminder from Musselman: "Don’t do anything behind closed doors. Our goal here is to make sure our kids are safe, and can there be frustration along the way? Sure. But is there also understanding of that frustration? Yes." This sentiment encapsulates the delicate balance between implementing necessary security measures and fostering a supportive, understanding environment for students, staff, and parents navigating the increasingly complex digital landscape of modern education. The proactive strategies shared by Westlake City Schools and their partners offer a roadmap for other districts striving to build a culture of data privacy and ensure the safety and security of their educational communities.
