Thousands of vendors and schools in the Student Data Privacy Consortium addressing student data privacy AND security
Washington, DC, 11 August 2022 — The recent data breach from Illuminate Education impacting millions of students has accelerated the conversation around information security for our most vulnerable citizens. While there are many mechanisms for marketplace providers to prove their adherence to general “best practices”, security adherence has been more complicated than ever for companies and for the limited resources of school personnel who serve as student data stewards.
The Student Data Privacy Consortium (SDPC) of the non-profit Access 4 Learning (A4L) Community has been successful in bringing the educational technology (EdTech) marketplace players and school districts/states together in addressing student data privacy obligations. The SDPC Resource Registry is a set of “on the ground and real world” privacy tools allowing schools to manage and communicate on the software solutions and the implementation of needed protections. The Registry is in use by over 10,000 schools with over 70,000 signed data privacy agreements including a common National Data Privacy Agreement (NDPA) in use by schools and over 80 vendors across 4 countries. The NDPA streamlines application contracting and sets common expectations between schools/districts and marketplace providers in addressing legal obligations on student privacy.
While the SDPC has been successful establishing common expectations around student data privacy, there are few mandated requirements for providers to adhere to specific security benchmarks. Some states have legislated their own set of security requirements but in the absence of any framework to audit PK-20 providers against, it is impossible to certify any application is meeting privacy and security obligations. The new Global Education Security Standard (GESS) Project Team, which consists of members and partners from across the globe, is developing a crosswalk of all commonly used security frameworks to create a core set of controls applicable to PK-20 data. GESS will help close the existing gaps in EdTech security by establishing an industry adopted Education Security Framework that all vendors can adhere to. This will enable auditing and tighter uniform controls protecting ALL student data reducing the likelihood of a breach. The group is at a point now that they would like to share this work with industry experts to obtain feedback to further guide their work.
The SDPC continues to expand the work in supporting providers and schools meeting their security and privacy obligations to safeguard student data. GESS is just another step in setting common expectations between the two. It is challenging work that this continuously growing Community is addressing for all learners. To join in the work, GESS or other SDPC Projects, please visit https://privacy.a4l.org or contact the A4L Community Executive Director/CEO, Dr. Larry Fruth firstname.lastname@example.org.