A key component of any school system’s student data privacy program is a set of policies and procedures to govern employee behavior related to data use and handling. This set of documents serves as the roadmap for compliance, a resource for employees to rely on, and part of the foundation for measuring the efficacy of the compliance program.
If that sounds like much more than simply putting your school system compliance goals down on paper, it is. It is often about not just creating a guide for achieving certain goals, but also about asking people to learn, stretch, grow and change their behavior to align with the policy requirements. It can be disruptive, so before you start writing, consider not just what policies you want to create, but how you can create them to maximize compliance.
- Be specific. What do you want to achieve? What is the goal for each policy? For example, if you want to write a policy focused on compliance with student data privacy law, avoid simply restating the law as policy. Instead, break the law down into its different requirements and keep drilling down until you’ve captured all the angles. One objective might be to ensure that only individuals with a legitimate educational interest in students’ personally identifiable information have access to that information. This might then require one policy addressing data access for employees and another addressing data access for technology providers. Separate policies might be needed to cover access to sensitive information. Repeat the process until you have a list of policy topics that cover all of the legal requirements.
- Establish the purpose. Why is achieving the policy goal important? How does the policy goal connect with your school system mission and vision? What’s the broader objective? Answering these questions in each policy will provide your teams with the rationale behind achieving the policy goals, and with that, some motivation to comply. It is also the rationale that informs development of appropriate processes to comply with the policy.
- Create expectations for behavior. What do you want employees to do to meet the policy objective? What is the framework for behavior? To continue with the example of limiting access to student data, how do you expect employees to be sure that only those who are required to have access to students’ personally identifiable information receive it? How do you define what roles are permitted access to what data? What individual or team is responsible for evaluating and approving requests for access to data? What criteria are they to use for the evaluation? Are resources needed to meet the policy goals, and are those resources available?
- Collaborate. Each policy should be accompanied by a procedure for employees to follow to meet the policy objectives. Develop the procedure in collaboration with the team that will ultimately be following it. This type of collaboration helps to create a sense of ownership among the team that will be responsible for following the procedure, which in turn makes implementation less disruptive and fosters compliance.
- Audit and enforce. Each policy should include a compliance mechanism. How will you know that the policy is being implemented properly? Since it’s important enough to be a policy, what are the repercussions if it’s not followed? How often will the policy be reviewed to ensure that it remains up-to-date? Who is responsible for implementation, monitoring and enforcement? Draft these requirements into the policy.
Once your policies and procedures are written, introduce them to your employees with training. Take the time to explain the expectations, share the rationale behind the policies, and provide a resource for employees to go to with questions or additional guidance.
Remember that putting new policies and procedures into action can be disruptive, and not everyone in the school system may understand they have a role to play in protecting the privacy of student data. Your training will be the capstone in the policy development process, and a key component to getting your teams working together to achieve the compliance goals.
Linnette Attai is the founder of PlayWell, LLC, through which she advises private and public companies, schools and districts, trade organizations, lawmakers and policy influencers. Attai has been helping clients navigate data privacy matters for over 25 years. She is the author of “Student Data Privacy: Building a School Compliance Program.”