Cyber threats are plentiful and cyber attacks are on the rise for K-12 educational institutions. As schools have been relying more on digital and online platforms in the era of COVID-19 when many schools provide full or partial online education, they’ve become more vulnerable to threats including hacking, ransomware attacks, phishing attacks and data breaches. PublicSource consulted with experts and resources at The U.S. Department of Education about best practices school districts should employ to manage student privacy and personal information.  Here’s what we learned.

Build on the existing knowledge about privacy already within the district

“Don’t get rid of the thing you’ve done in the past…Finally build on it,” said Elizabeth Laird who leads the Student Privacy Project at the Center for Democracy and Technology [CDT]. Privacy, security and cybersecurity issues are not new to school districts. Federal laws around student privacy have existed for decades. Laird said districts should use lessons learned over time to better understand what processes and practices best protect student and staff privacy and information.

Know which online services are being used, for how long and how collected data will be used

Communicate clearly with employees about the legal, privacy and document retention implications of your organization’s new collaboration tools, including any data sharing. Be specific with students, parents and staff about the information the provider will collect.

Districts should be aware of which online services are being used and what access to information they have. Districts should also check and vet all third-party providers and platforms thoroughly.

Laird also said districts should ensure data isn’t kept longer than it is needed. A privacy concern she hears often from families and advocates is that students will accumulate an education record that follows them, with or without context, and that something from elementary school, for example, could be used to limit opportunities.

Establish or update policies and procedures to evaluate and approve online educational services

Prior to its implementation, schools should establish school and district-wide procedures to evaluate services that may be used. Schools and districts should be clear with both teachers and administrators about how proposed online educational services can be approved, and who has the authority to enter into agreements with providers.

Clearly articulate to employees the legal, privacy and document retention implications of your organization’s collaboration tools, including any data sharing or utilization of participation or attention tracking features.

Create more and better teacher training about student privacy and best practices

One way school districts can protect themselves against cybersecurity threats is “really enabling our teachers and our workforce across the teacher spectrum to really be cyber educated and cyber-savvy so that as they’re doing their work, that they’re protecting information, they’re handling information properly,” said Erik Avakian, chief information security officer for the Commonwealth of Pennsylvania.

Improving teacher training on student policy was also a key finding in a recently released CDT report. “With the range of privacy and security incidents regularly happening in schools and the expansion of technology use from COVID-19, teachers urgently need additional training and support to assist them in navigating these issues and protecting students’ privacy, safety, and well-being,” the report said.

Be transparent with parents and students and meet them where they are

“With parents being more concerned than teachers (and with students having spent little time contemplating the privacy of their data), policymakers and practitioners can protect student privacy most effectively by acknowledging that various stakeholders approach these issues from different places and would benefit from information and engagement that is tailored to their specific interests and concerns,” the CDT report said.

The U.S. Department of Education also in 2014 encouraged schools and districts to “be as transparent as possible with parents and students about how the school or district collects, shares, protects, and uses student data.”

According to the CDT report, privacy is not generally a top concern for teachers, parents, or students, relative to other concerns. Parents in particular often trust schools to collect and safeguard student information. However, worry spikes as they learn more details on student privacy risks and other incidents or external events.

TyLisa C. Johnson covers education for PublicSource. She can be reached at

Know more than you did before? Support this work with a MATCHED gift!

Through Dec. 31, the Wyncote Foundation, Loud Hound Foundation and our generous local match pool supporters will match your new monthly donation 12 times or double your one-time gift, all up to $1,000. Now that's good news!

Readers tell us they can't find the information they get from our reporting anywhere else, and we're proud to provide this important service for our community. We work hard to produce accurate, timely, impactful journalism without paywalls that keeps our region informed and moving forward.

However, only about .1% of the people who read our stories contribute to our work financially. Our newsroom depends on the generosity of readers like yourself to make our high-quality local journalism possible, and the costs of the resources it takes to produce it have been rising, so each member means a lot to us.

Your MATCHED donation to our nonprofit newsroom helps ensure everyone in Allegheny County can stay up-to-date about decisions and events that affect them. Please make your gift of support now.

TyLisa C. Johnson is the Audience Engagement Editor at PublicSource. She’s passionate about telling compelling human stories that intersect with complex issues affecting marginalized groups. Before joining...