Today’s students will be the first generation entering adulthood with a digital footprint from birth, yet education is one of the most underexplored sectors when it comes to security and privacy. If we’re not careful about securing this data, we leave our children vulnerable to embarrassing — if not outright dangerous — situations.

My experiences as a parent leave me wondering how well-equipped educators and administrators are to protect information under their care. Decision-making regarding technology in schools often revolves around functionality and cost. It lacks a consistent approach for evaluating the risks these decisions bring, not only to the school, but also to individuals. Students and parents often have no practical way to opt out of these decisions because doing so would mean exclusion from learning activities. No one wants to be that parent.

Maintaining Security and Privacy in Education

Principals, teachers and parents put a lot of trust in technology and software providers to do the right thing, but we might not be doing enough to ensure that this trust is earned. The circle of trust is further complicated when you realize that many providers rely on their own business partners to deliver security — companies that the school doesn’t deal with directly and into which they have no visibility.

If this sounds familiar, you need to ask some key questions about the way your school handles personal information. These questions won’t prevent children being exposed to risks — you’ll need a deeper review of your technology use for that — but they can help you formulate security and privacy principles to guide your decisions about technology.

Consider how your school creates email accounts. Combinations with first and last names make a lot of sense because they’re easy to remember. But think about where students might need to use their email addresses: If your school uses Google, Office or Apple accounts, you have entrusted your students’ information to a third party. I’m not just talking about names, but potentially also birthdays, school history, grade level, teachers and all the other data that can be linked through your child’s primary school account.

School principals and parents should understand how long third parties will keep student, teacher and parent information, as well as how information will be deleted when no longer required. Check whether your technology provider will use the data in any way, even if it will be anonymized and aggregated, and consider whether this poses a risk to student safety or privacy.

Harmless Tidbits?

Many applications, educational and otherwise, require email addresses to sign up. When your school provides links to free educational software and games, how many of those will collect the name of your student and his or her school? This information is often available within the child’s email address alone.

Websites and apps might have a very good reason to ask for additional information, such as requesting a birth date to validate that your child is within a certain age range. Just be aware that when we encourage students to visit these sites without scrutinizing the types of information they’re collecting, we could be putting our children at risk.

It seems harmless to provide these tidbits of information to websites, but think about how these pieces of data could be put together to form a more complete picture of your child’s online behavior, which could allow a threat actor to extrapolate other information. For example, location information can be used to track travel patterns that can tell someone where your child lives, their normal route to and from school, what buses they catch and so on.

Your technology providers might be covered by good privacy regulations and data breach disclosure laws in your country. That’s great! But make sure you ask if they outsource part of their infrastructure — for example, by using cloud services hosted overseas. If so, how are they ensuring that data offshore is just as well-protected?

Translating Terms of Use

A study by McDonald & Cranor calculated that it would take you 201 hours, or around five working weeks, to read all the privacy policies you encounter in a year. That’s mind-boggling! The study stated that terms of use should be conveyed in a way that is digestible for consumers. In other words, make sure it helps them understand what they need to do. If your acceptable use policy was written by lawyers, ask a layperson to read it. Better yet, get students to read it and ask them if it makes sense.

I have a confession: I was that parent. I held out for two terms before finally signing my child’s terms of use, despite my reservations. I did this because my child was excluded from class work whenever school computers had to be used. The teacher had no backup activities for children who opted out — not even a trip to the library to do research using print books. When the use of technology is mandatory for children to keep up with classroom work, schools have a larger burden to ensure they’re adequately protecting student information.

The Price of Free Software

Free education software can be a fantastic resource for schools on a tight budget. But when you see a freebie, always consider what it might cost. Often, the answer is data.

Data science is a booming field. Analyzing huge data sets will lead to exciting discoveries and innovation well into the future. But having large data collections also means that if those data sets are compromised, the potential for harm can be great. Schools must be diligent in investigating what data is collected, how it’s used and whether the data can be tracked to individual students.

The risk isn’t so much that one website might be compromised — it’s that criminals could gain access to multiple data sets, allowing them to correlate information about a person. What happens if your child is the target of identity theft? It could eventually affect his or her ability to get a car loan, a travel visa or even a job.

The stakes get even higher when students graduate from high school and enter university or start a job. Bank account details for tuition payment, tax-related information for job applications and an ever-widening online social circle provide new avenues for someone to steal information. The Council of Australasian University Directors of Information Technology (CAUDIT) ranked information security in the top three issues affecting technology strategy, higher than educational technology and learning analytics.

Each piece of data generated by your child adds to his or her digital footprint. As your child grows into adulthood and data science becomes more sophisticated, that digital trail can have consequences we can’t even anticipate today.

Study Up on New Threats

Every year, you need to evaluate your school’s use of technology to determine whether its policies and practices still make sense. Make sure your technology providers are doing the right thing. Be on top of new threats to student data and protect against them. Check your current systems for new vulnerabilities and prioritize fixing them.

Technology has revolutionized, and will continue to revolutionize, the way we educate future generations. As with crossing the road or catching a bus home, we need to teach our children how to use technology safely. We can only do this effectively if we lead by example.
