Commentary

What it takes: Building a student data privacy compliance program

Commentary: Creating and implementing a data privacy program can be disruptive. These five core requirements are essential to a school system's success.

By Linnette Attai

May 31, 2018

A student data privacy compliance program is a critical part of any school system’s organizational infrastructure. Building and implementing that program will often mean that the school system needs to undergo a culture shift involving behavior and policy changes.

It can all be quite disruptive, particularly at the beginning stages, so before embarking on such a project, it can be helpful to understand what it’s going to take to be successful. (It may not be what you think.)

The truth is that the key ingredient for any successful compliance program is commitment. What matters most is ongoing, focused attention and dedication to these core requirements:

Learn: The learning process is never done, and ongoing education around student data privacy requirements is critical. Read up on student data privacy laws and how they are interpreted and applied, and ensure that anyone helping to build the compliance program does the same.

Leverage free education and training resources provided by the U.S. Department of Education’s Privacy Technical Assistance Center (PTAC), your state department of education and credible trade organizations supporting school systems. Where possible, set aside time and funds to attend national and local conferences hosted by trusted sources to learn more and engage with peers around the issues.

Adapt: Building a student data privacy compliance program is not a “one and done” activity. This is about building a whole new function for the school system, and that may include making fundamental changes in the ways that your school system considers data collection, use, handling, sharing and protection of student information.

If your school system is not able to support a full-time employee to spearhead the privacy program, who will take on the work, and how will that work fit into existing roles? Consider the structure that needs to be put in place as the first step in the planning process.

Plan: Leadership commitment is needed in order to create the program, so draft a proposal so that you can make a case to leadership or begin collaborating with leadership to identify the overall goals for the program and decide on the action plan.

Wherever you choose to begin, understand that this is a journey. Don’t expect to solve every concern at once, or even to identify everything that needs to be done at the outset. Instead, establish a clear goal and map out the first phase of work to get you into action. You’ll be able to build on the initial steps as you go.

Prepare: The initial stages of building a compliance program can be compared in some ways to a home construction project. Perhaps you decided to tear down a wall to fix a leaky pipe, but then you realized that the water damage had seeped below the floorboards, and you also had an electrical issue to deal with. Eventually you’ll end up with a beautiful new room, but in the meantime, all you may feel is overwhelmed.

If your employees are not prepared for the disruption of the changes that often come with implementing a compliance program, you may be met with that same overwhelm, along with shock and resistance. Alleviate some of that by communicating with your staff in advance. Explain why the plan is being developed, how it’s been informed and the structure that will be built to support the work. Ask for their commitment and support. The more your employees understand in advance what is happening and what will be required of them, the easier the work will be.

Focus: Keep your eyes on the end goal: elevated privacy protections for the students in your care. If the resources at your disposal require that you move slowly, making only small changes each year, so be it. You’re committing to data protection for the long haul, and the fundamentals won’t fall into place overnight.

Acknowledge and celebrate the successes, measure your progress over time, and use each small step as motivation to take the next steps. Each incremental change leads to the next one, building momentum and adding up to significant progress over time.

Building a student data privacy compliance program requires time, commitment, energy, effort and knowledge. These are precious resources for any organization, but particularly for school systems, which have so many critical commitments and such small margins with which to invest in new initiatives. Ongoing education and planning, engagement with your employees and acceptance that it may take some time will go a long way toward getting you to your goal.

Linnette Attai is the founder of PlayWell, LLC, through which she advises private and public companies, schools and districts, trade organizations, lawmakers and policy influencers. Attai has been helping clients navigate data privacy matters for over 25 years. She is the author of “Student Data Privacy: Building a School Compliance Program.”