It is the responsibility of all school system employees to protect the privacy of student data, but a leadership champion is required for efforts to be successful.
Many different school system employees may identify the need to build or improve on a student data privacy compliance program, and ultimately, they’ll bear the responsibility for implementing any such program. However, without school system leadership endorsing and driving the work, attempts to build and sustain a data privacy program often fail, stymied by the challenges of identifying resources, directing employees to work in new and different ways without the authority to do so, and maintaining motivation among the teams to stick with different and sometimes challenging procedures over time.
Leadership engagement is critical, but leaders are often not close enough to the details to be able to truly assess the effectiveness of existing privacy protections. It’s not uncommon for the district CTO, CISO, CIO or engineering team to be the first to raise the alert that perhaps the scaffolding that exists to manage student data privacy responsibilities is a bit rusty or is so outdated as to not be up to the task of supporting current responsibilities and requirements.
However, superintendents and board members are often pulled in different directions, focused on other critical priorities. How, then, can you make the case to leadership that building or improving a student data privacy program needs to be prioritized?
Know your audience
How do your superintendent and board make decisions? Does everyone work independently then gather to compare findings, or do they prefer sorting through the initial questions together? Do they like to receive information in reports that they can read at their leisure, or do they prefer scheduled presentations? Are there trusted advisers that they might listen to? How do you normally get their approval for work or capital-intensive projects? Why haven’t they championed a student data privacy compliance program yet?
Take what you know about how your board operates and leverage that knowledge in your planning.
Begin with the end in mind
What are you asking leadership to do? Provide resources? Build policy frameworks? Authorize you to build a cross-functional team to build the compliance program? Clearly establish what leadership support would look like and why. Include specific tasks and also a description of the role you would like them to play in establishing and supporting the program. Build your plan around the requests.
Make it relevant and real
It’s easy to put together a presentation to leadership outlining all of the legal requirements for protecting student data. However, before you do that, consider whether or not it will move your leadership team into action. Do they not already feel the risk?
Think about the earlier question, “Why haven’t they championed a student data privacy compliance program yet?” and be sure you are answering that. Is it budget concerns? Be sure to include information about how a strong compliance program can save money in the long term. Is it a sense that bad things happen to other school systems? Comb through the U.S. Department of Education’s FERPA Letters of Importance, or find examples of data incidents caused by human error in districts that are similar to yours. Too many critical priorities? Be sure the case you make illustrates how you can streamline their efforts in this area.
Don’t forget about the carrot
The repercussions for not protecting the privacy of student data can be severe. However, sometimes even that is not enough to compel action, especially in the face of so many other competing priorities.
Use the carrot and the stick when making your case. What are the opportunities to be gained with properly controlled collection and handling of student data? How will use of student data allow you to better deliver on the school system’s overall mission? Focusing on the benefits can be a positive differentiator when you’re making a request of leadership.
Leadership in any organization is used to hearing about problems. Understanding risk is part of the role. Provide not just the problem but also the solution.
Compliance is a “top-down, bottom-up” function, which means that leadership needs to champion the efforts and set the expectations, and then the details of implementation are best determined by the employees responsible for the work. This is no different in a school system.
When it comes to building a student data privacy compliance program, leadership sets the tone, establishes the expectations, provides the resources, develops the policy frameworks, and, ultimately, owns the risk.
No matter how skilled, knowledgeable, passionate or persistent school system employees are in building and attending to a student data privacy compliance program, the work simply cannot succeed without a leadership champion. Provide the support your leadership needs to understand existing risks as you do, and give them the road map to elevate your school system to a better place.
Linnette Attai is the founder of PlayWell, LLC, through which she advises private and public companies, schools and districts, trade organizations, lawmakers and policy influencers. Attai has been helping clients navigate data privacy matters for over 25 years. She is the author of “Student Data Privacy: Building a School Compliance Program.”