2020-01-06 04:07:49

Does your school own its data?

Compliance
By Emma Westwood
Writer | Editor | Content & Digital Strategist

When it comes to data ownership and edtech, many schools believe they own their data – but the reality might not be what they expect. We explain...

Most schools would likely answer with a resounding ‘yes’ when asked if they own their data. But, as technology evolves, and companies come up with new and innovative ways to monetise their intellectual property, schools need to understand what data ‘ownership’ now means.

Schools also face a whole range of challenges in meeting their compliance commitments, along with the question of how those commitments intersect with data ownership.

Ownership and access

In the education sector, it is imperative that schools own their data. At a time when the importance of statistics and analytics cannot be overstated, ownership means access and, just like knowledge, ownership means power.

EdSmart’s Co-Founder and Chief Technology Officer, David Eedle, says there are a number of areas schools need to familiarise themselves with when it comes to their technology (or 'edtech', to use the modern parlance) so they can confidently answer the question of who owns their student and community data.

David cautions there are many edtech products currently being used by schools that make it extremely difficult for the school to access what is rightfully theirs: their data. He uses the following analogy:

“They essentially are castles with moats around them; they're like walled gardens.”

As David elucidates, “A school we have a relationship with in New York uses an American student management database platform. We wanted to gain [programming] access so as to run reports and communicate messages from EdSmart. This company sent us their ‘partner program documentation’ and it was going to cost us $US20,000 a year to partner with them, and they wanted 15 percent of [EdSmart’s] gross turnover from the school. All we were asking for is access to data that the school owns; that the school wants to provide to us.”

Far from this example being a one-off, David admits such a practice is widespread: “It's a massive problem and they literally charge for access to that data, which I also have a major philosophical problem with.”

Data integrity

Owning your data also gives you greater control over its accuracy and, most importantly, its security – something that is often referred to as ‘data integrity’. Another way of defining this concept is through a risk compliance and privacy lens.

The flipside to today's reliance on collecting data and making it available and accessible is that it has become much easier for something to go wrong. Schools have privacy and security concerns that simply did not exist 20 or 25 years ago.

“Schools are dealing increasingly with security issues around the data, and it's coming in multiple directions,” says David. “You've got internal threats – students or unauthorised people accessing data – and then external threats – hackers and external people trying to access personal information about students, parents and staff.”

Most schools also have their fair share of complicated family situations that pose a new raft of threats to schools and their data. As David explains, it is vital that schools adhere to their privacy obligations to accommodate these more complex arrangements.

“You might have court orders between parents and so forth,” he elaborates. “And schools are expected to deal quite often with some complicated rules about who's allowed to see what.”

“For example,” he continues, “you might have separated parents where both parents are still permitted to see academic progress information about a child – their marks or grades and so on – but, because of a violence order or some other reason, one parent is not allowed to see the contact details or the home address of the student. As you can imagine, the price of getting this situation wrong is really high. Schools spend an awful lot of time trying to make sure they're managing their information in the right way.”

Cases also keep emerging where unintended user error has made confidential student information public, highlighting another of the many reasons why it is important that schools own their own data.

What steps should schools take?

Each school will have its own unique requirements when it comes to its education technology. Schools should perform their due diligence on any organisation they’re considering partnering with, and should also know where they stand in relation to ownership of student data.

David recommends asking the following four questions:

1. Where is the data? Is it in the cloud or stored on a server rack?

“I know of a school hit by major storms last year. Water began dripping through a light-fitting above their server rack, and they lost all their hardware. It also took all their systems offline, to the point where they couldn't communicate with parents to tell them that the school was flooded and keep the kids at home, because their student software management data went kaput, courtesy of water damage.”

2. Who has access to the data?

“Permissions to access data should always be set to the minimum necessary for staff to do their job. Your school's software should enable controls and access levels to be set that restrict staff from accessing data outside the scope of their role.”

“The permissions should include read/write attributes, so some people can see information but not edit. And an audit trail must be maintained so, if someone does view data or make changes, this can be traced back for compliance or to identify the source of information leaks.”

3. How can the data be accessed?

“Is there an API (Application Programming Interface) key? Are we able to run reports? How can we utilise and manipulate the data? So often, developers make it very difficult for a school to access its own data. Access to the data is important.”

4. What security precautions have been put into place? Is an external security-testing contractor used?

“Does your edtech provider undertake, for example, penetration testing? At EdSmart, we pay a company to try to break into us, so we can be confident about our security and privacy protection levels.”

The importance of schools owning their students’ data cannot be overstated. Thankfully, as we’ve detailed, there are a number of steps that schools and learning institutions can take to tick the right boxes when it comes to controlling and owning their data.

Remember, this data is yours to use and protect, and no organisation should tell you otherwise.
