Listen to the article
This audio is auto-generated. Please let us know if you have feedback.
CHICAGO — Few challenges facing school districts today are as thorny as data privacy.
Missteps with the personal information of students or staff can be costly not just financially, but also in terms of time and legal consequences.
“Very few things happen in a school district these days that don’t involve tech, and all of those processes involve data in some way,” David Zagray, technology director at Westlake City Schools in Ohio, told attendees during a Tuesday session at the Consortium for School Networking’s annual conference. “You have to open every closet, and look under every rock to be sure you haven’t missed anything.”
Located outside Cleveland, Westlake City Schools serves around 3,100 students across four schools. Over the past year, the district has deepened its efforts to protect student and staff data, viewing it not just as a legal compliance issue but as a foundational need within school culture, said Zagray and Amanda Musselman, associate superintendent of instruction at Westlake.
Over the course of an hour-long session, Zagray and Musselman, who both joined over Zoom, detailed Westlake’s data privacy journey and shared takeaways for other districts along with Dawn Schiavone, student data privacy officer for Northern Buckeye Education Council in Ohio. The council is a nonprofit that offers collaborative administrative support to school districts in Northwest Ohio.
Don’t wait for a mandate
“Data privacy should be considered in district decisions because it’s the right thing to do, not just because it’s the law,” said Schiavone.
While it’s absolutely key to understand and remain compliant with federal laws like the Family Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act — as well as state laws like Ohio’s SB 29, passed in 2024 — protecting data privacy begins with the ethical need to ensure student and staff safety.
“There’s still quite a number of states out there that don’t have any state mandates” like SB 29, said Schiavone. “It’s even more important for you to not wait for that mandate. If you have some sort of alliance in your state or something like that, work with that alliance.”
Westlake, for instance, worked with the Student Data Privacy Consortium, which maintains a registry of vetted digital resources and vendors that have signed data privacy agreements.
Ensuring that key stakeholders were at the table from the beginning — and that data privacy wasn’t seen as “just a tech department project” but as a core business need — was also critical to building a data privacy culture, said Zagray.
Among the roles recommended to be involved are:
- Director of technology.
- Associate superintendent.
- Director of secondary education.
- Director and supervisor of student services.
- General education and special education representatives from each grade band: K- 4, 5-8 and 9-12.
- Media specialists from each grade band.
Schiavone added that having an advocate from a regional organization like Northern Buckeye Educational Council can also be helpful, because when the message isn’t consistently coming from the same person within the district, superintendents may hear it “a little differently, potentially, a little better.”
Don’t get overwhelmed by an audit
Approaching an audit of all digital tools and resources being used in a district can be the most daunting task when it comes to shoring up data privacy.
“Your goal here is not to spin your wheels when you have hundreds, if not thousands, of applications that you will have to review one at a time,” said Musselman. “You need to have someone in that room that knows what that application is, how it is being used, if it is valuable, if it is not valuable. And then we’ll also, of course, look at the data privacy component.”
Zagray said that when the district started this process and saw that its Google console indicated that students’ personal information was being shared with thousands of applications, “that was way too many to deal with efficiently.”
To make the audit more manageable, staff were asked to self-report apps in use via a Google Form. That brought the number of apps from thousands down to around 320, which the district’s tech team then had to go through one at a time and evaluate over the course of roughly five months, Zagray said.
In communicating the audit results to faculty, staff and leadership, the team put together a spreadsheet that broke apps down by whether they were approved, pending or denied — the latter of which also included a detailed explanation for the denial, which could include past malware issues or something as simple as “vendor will not sign data privacy agreement.”
That communication is critical.
“It’s important that your staff knows if they have been using Khan Academy, for example, which is very well-used, if they’re going to come back in August and all of a sudden be told they can’t use it, you’re going to create an issue,” Musselman said. “These are all well-educated adults, and we all deserve to know why we can’t use something that we’ve been using in the past.”
A handful of applications or services that lack data privacy agreements are still necessary for certain classes or educational needs. These landed in a fourth category in the audit, under which they require parental permission at the start of the school year. Among them: ACT.org, YouTube and the Adobe Software Package.
The audit process also helped the district develop its approval strategy for new digital tools going forward, which includes a flowchart detailing its vetting approach, as well as a running spreadsheet of every application approved or denied for use.
Be transparent with the community
Aside from helping educators understand what can or can’t be used in classrooms, as well as the reasons why, the presenters also stressed the need to keep the community informed.
Resources like the aforementioned SDPC registry and CoSN’s Trusted Learning Environment framework can serve as valuable resources for vetting digital tools and platforms as well as providing context for why an application may or may not be used.
But school districts should also make this information available on their own websites.
“I’m sure all of you have an ‘annual notices’ tab on your public-facing website,” Musselman said. “We have [information] specific to Senate Bill 29, specific to Ohio, that is on our notices website, just so parents can see the ‘why’ and what is occurring and what is mandated.”
It’s also key to have backup plans and preventative measures in place for when parents deny access to an application that requires their approval.
“Because parents have told us in some cases that they do not grant permission to use — we’ll use YouTube as an example — for their student, we put some technical blocks in place,” Zagray said, noting that this can be done through the district’s web filter, its Google admin console and other tools to ensure those requests are honored.
And in the case of a tool like Khan Academy, for instance, that’s fully denied because there is no data privacy agreement, Musselman said the district has been clear that parents are allowed to use it at home, but the district can’t assume liability for the student data put into it.
When kids enter the school, she said, educators are responsible for them and need to keep them safe in every way. And that means “we also have to make sure we’re watching all their data, because the online world now is becoming just scary in some senses.”
“Don’t do anything behind closed doors,” Musselman said. “Our goal here is to make sure our kids are safe, and can there be frustration along the way? Sure. But is there also understanding of that frustration? Yes.”
