Leading by Example: Security and Privacy in the Education Sector

Today’s students will be the first generation entering adulthood with a digital footprint from birth, yet education is one of the most underexplored sectors when it comes to security and privacy. If we’re not careful about securing this data, we leave our children vulnerable to embarrassing — if not outright dangerous — situations.

My experiences as a parent leave me wondering how well-equipped educators and administrators are to protect information under their care. Decision-making regarding technology in schools often revolves around functionality and cost. It lacks a consistent approach for evaluating the risks these decisions bring, not only to the school, but also to individuals. Students and parents often have no practical way to opt out of these decisions because doing so would mean exclusion from learning activities. No one wants to be that parent.

Maintaining Security and Privacy in Education

Principals, teachers and parents put a lot of trust in technology and software providers to do the right thing, but we might not be doing enough to ensure that this trust is earned. The circle of trust is further complicated when you realize that many providers rely on their own business partners to deliver security — companies that the school doesn’t deal with directly and into which they have no visibility.

If this sounds familiar, you need to ask some key questions about the way your school handles personal information. These questions won’t prevent children being exposed to risks — you’ll need a deeper review of your technology use for that — but they can help you formulate security and privacy principles to guide your decisions about technology.

Consider how your school creates email accounts. Combinations with first and last names make a lot of sense because they’re easy to remember. But think about where students might need to use their email addresses: If your school uses Google, Office or Apple accounts, you have entrusted your students’ information to a third party. I’m not just talking about names, but potentially also birthdays, school history, grade level, teachers and all the other data that can be linked through your child’s primary school account.

School principals and parents should understand how long third parties will keep student, teacher and parent information, as well as how information will be deleted when no longer required. Check whether your technology provider will use the data in any way, even if it will be anonymized and aggregated, and consider whether this poses a risk to student safety or privacy.

Harmless Tidbits?

Many applications, educational and otherwise, require email addresses to sign up. When your school provides links to free educational software and games, how many of those will collect the name of your student and his or her school? This information is often available within the child’s email address alone.

Websites and apps might have a very good reason to ask for additional information, such as requesting a birth date to validate that your child is within a certain age range. Just be aware that when we encourage students to visit these sites without scrutinizing the types of information they’re collecting, we could be putting our children at risk.

It seems harmless to provide these tidbits of information to websites, but think about how these pieces of data could be put together to form a more complete picture of your child’s online behavior, which could allow a threat actor to extrapolate other information. For example, location information can be used to track travel patterns that can tell someone where your child lives, their normal route to and from school, what buses they catch and so on.

Your technology providers might be covered by good privacy regulations and data breach disclosure laws in your country. That’s great! But make sure you ask if they outsource part of their infrastructure — for example, by using cloud services hosted overseas. If so, how are they ensuring that data offshore is just as well-protected?

Translating Terms of Use

A study by McDonald & Cranor calculated that it would take you 201 hours, or around five working weeks, to read all the privacy policies you encounter in a year. That’s mind-boggling! The study stated that terms of use should be conveyed in a way that is digestible for consumers. In other words, make sure it helps them understand what they need to do. If your acceptable use policy was written by lawyers, ask a layperson to read it. Better yet, get students to read it and ask them if it makes sense.

Related to this Article

I have a confession: I was that parent. I held out for two terms before finally signing my child’s terms of use, despite my reservations. I did this because my child was excluded from class work whenever school computers had to be used. The teacher had no backup activities for children who opted out — not even a trip to the library to do research using print books. When the use of technology is mandatory for children to keep up with classroom work, schools have a larger burden to ensure they’re adequately protecting student information.

The Price of Free Software

Free education software can be a fantastic resource for schools on a tight budget. But when you see a freebie, always consider what it might cost. Often, the answer is data.

Data science is a booming field. Analyzing huge data sets will lead to exciting discoveries and innovation well into the future. But having large data collections also means that if those data sets are compromised, the potential for harm can be great. Schools must be diligent in investigating what data is collected, how it’s used and whether the data can be tracked to individual students.

The risk isn’t so much that one website might be compromised — it’s that criminals could gain access to multiple data sets, allowing them to correlate information about a person. What happens if your child is the target of identity theft? It could eventually affect his or her ability to get a car loan, a travel visa or even a job.

The stakes get even higher when they graduate from high school and enter university or start a job. Bank account details for tuition payment, tax-related information for job applications and an ever-widening online social circle provide new avenues for someone to steal information. The Council of Australasian University Directors of Information Technology (CAUDIT) ranked information security in the top three issues affecting technology strategy — higher than educational technology and learning analytics.

Each piece of data generated by your child adds to his or her digital footprint. As your child grows into adulthood and data science becomes more sophisticated, that digital trail can have consequences we can’t even anticipate today.

Study Up on New Threats

Every year, you need to evaluate your school’s use of technology to determine whether its policies and practices still make sense. Make sure your technology providers are doing the right thing. Be on top of new threats to student data and protect against them. Check your current systems for new vulnerabilities and prioritize fixing them.

Technology has and will continue to revolutionize the way we educate future generations. Like crossing the road or catching a bus home, we need to teach our children how use technology safely. We can only do this effectively if we lead by example.

Learn More About IBM’s Security Framework and Risk Assessment

Share this Article:
K. Avila

Senior consultant, IBM Security Australia

K. Avila has worked in security consulting for over 15 years, specialising in governance, risk and compliance (GRC), with a general interest in the intersection of information security governance, ethics, and user behaviour.