Outside of federal and state law compliance (think FERPA), SEAs and institutions should also develop their own data governance structures and processes, says the DQC, specifically by focusing on these three key areas:

1. Transparency: Clearly communicate internally and with the public about the policies and procedures designed to protect student data and about how data are collected, used, and safeguarded.

“If the public is confident that the data collected are safeguarded and are used in specific, ethical ways to help students succeed, they can trust the SEA [and institution] to collect and use student data. In addition, seeking public participation, discussion, and input on the use of data and its governance fosters empowerment and builds collaborative relationships with parents, teachers, and education leaders,” states the DQC.

2. Governance: Design structures and delineate roles and responsibilities that establish stable procedural and personnel-based supports for the effective implementation of privacy policies.

“Governance is needed to ensure that integrated and master data (data which are collected once but used in numerous places) are used and disclosed only for proper purposes and in the proper manner,” notes the brief. “In addition, governance structures can ensure that the state collects and uses data effectively to answer critical questions about student achievement and [institutional] performance and to identify best practices and pathways for student success.”

The DQC emphasizes that governance related to safeguarding data can include establishing training and supports for SEA personnel, defining roles and responsibilities around internal auditing and accountability, and delineating standards for contractors and vendors who have approved access to limited student data.

3. Data protection procedures: Implement specific security and privacy strategies, processes, and controls that physically, technically, and legally safeguard student data.

“These procedures are formalized, documented, and regularly shared internally. They include measures to physically safeguard data; to ensure the proper orientation, training, and monitoring of staff interacting with data; to implement formal student data privacy policies at the state level; and to create procedures to ensure that data are protected across multiple uses (e.g., research, evaluations, public reporting),” says the DQC.

Other recommendations include:

  • Identifying ways to share information about current data uses and research studies with other members of the public.
  • Using findings from risk assessments (internal review of existing privacy policies and practices) and security audits (internal or external review of processes and technical environment) to strengthen and formalize student data privacy policies and procedures.
  • Implementing SEA policies and establishing practices for public transparency around how student data privacy policies are developed and implemented.
  • Identifying elemental-level data that contribute to student-level indicators, and determining appropriate protections for each element (e.g., identifying the exact data pieces used to calculate a student’s record of chronic absence).
  • Creating a policy or process that addresses the commercialization of student data. While states are legally prohibited from selling student data, they bear a responsibility in defining the permissible collection and uses of data by external technologies and programs used in classrooms.

For more detailed information about the Roadmap, including more thorough descriptions, concrete examples of the three target areas, best practices, and a list of further resources on safeguarding student data, read the report.
