Only a few years ago, before the pandemic, finding a school district with a dedicated leadership position focused on data privacy was like spotting a “unicorn”—something so rare it was practically mythical.
Districts might have been theoretically interested in hiring a Chief Privacy Officer whose job is to keep student data from being abused by doing things like setting up privacy policies, training staff on privacy matters and making sure that data is collected and used safely. But most didn’t have the resources or will to create the role.
Unlike mythical unicorns, though, some of these school privacy officers actually exist. For example: Baltimore County Public Schools created the position of director of innovation and digital safety, its closest equivalent, around 2016. The district formed the position proactively, according to its leadership, because the community around the district had grown concerned that its increasing adoption of technology carried extra privacy risks. As one of the larger districts in the country, it works with hundreds of tech providers.
Despite its efforts, the district suffered a big ransomware attack in 2020.
In the years since that attack, the district and state have poured more resources into privacy. The Baltimore district, for instance, has increased the budget for its IT department by $12.5 million—and, last year, Maryland hired both a chief data officer and a chief privacy officer for districts in the state. Data privacy has become part of the “core and root” of what the school system does, says Jim Corns, executive director of information technology for Baltimore County Public Schools.
The state has also pushed other resources toward beefing up privacy: Maryland passed data governance requirements for districts, and the state’s education department put together guidelines on how districts should approach the issue. That was a signal from the highest levels of leadership saying that this is important, Corns says.
Falling Apart
The need for districts to devote resources and personnel specifically to data privacy has become apparent over the last couple of years, as high-profile ransomware attacks and data breaches have made headlines. And the COVID pandemic brought a wave of new technology and increased technology use in schools across the country.
But is Baltimore a sign that things have changed fundamentally? Have schools staffed up positions dedicated primarily to safeguarding privacy?
Well, yes and no. But mostly no.
A number of states have mandated data privacy officers as a component of their larger student privacy legislation, or are considering doing so, says Cody Venzke, senior counsel for the Center for Democracy in Technology’s Equity in Civic Technology Project. (Venzke’s organization published a report in 2019 arguing for chief privacy officers in schools and providing a template job description.)
But those efforts haven’t yet translated into change for most schools, argues Linnette Attai, a data privacy expert and the president of the consulting firm PlayWell, LLC. Across the country, it’s still unusual for school districts to have a dedicated person for data privacy, she says.
That’s because even in states like California and Illinois—where such positions are required by law—schools don’t always follow through, Attai argues. The jobs are often given as extra duties to already busy staff, for example. “In practice, it tends to fall apart,” Attai says. Although the law makes districts hire those positions, it doesn’t necessarily offer up resources to do that. It can amount to states saying “do better” without explaining to districts how or what that would even look like, she says. In some cases, state laws aren’t even clear about what the privacy officer job’s definition is, she adds.
The result is that the people in positions of protecting student data often don’t have much training, and they may be simultaneously holding down another job.
That’s certainly better than nothing, Attai says. But the challenges in this time of increasing tech use at schools is bigger than even one dedicated role can manage, she adds. After all, schools these days deal with a growing number of vendors, and have to navigate confusing contracts and laws that are difficult to parse.
Corns, of Baltimore County, says his district has been pretty successful at getting everyone on the same page. One thing the district does, for example, is put teachers through mandatory data privacy and compliance training, so they’re up to speed on how to handle student data.
And officials are working to stress not just data security but data stewardship—to make sure best practices are being followed by anyone working with data.
In that way, Corns hopes to make data privacy everyone’s job, not just that of a lone person or unit. “We have built this into the fabric of the organization so that individuals are helping us,” he says. “We're working on getting everybody on the same team and same page.”