Who’s minding the storage? Data privacy and Saskatchewan schools
A school division holds what may be the largest store of significant personal data about any individual child that can be found in one location. Parents and guardians are compelled by law to send their children to school, and parents are legally required to provide the school with significant amounts of personal information about their children, and about themselves.
In addition to creating attendance reports and grades, schools often need to collect detailed medical information about both physical and mental health issues of students, personal information about family members possibly including income and criminal records, details of custody and access issues, as well as the history of interactions with socials services and the justice system. Not to mention all the personal information voluntarily shared by parents and students with teachers, counsellors and other staff in emails, texts, etc.
As a result, the onus on school divisions to protect student data is extremely high. However, school divisions do not have separate budgets for privacy issues. They have privacy policies but it is usually a staff member, working off the side of their desk, who deals with both privacy and access with little or no formal training in the area. Schools and school divisions understand the need for privacy, but how to keep data secure in order to ensure privacy is sometimes a more difficult process to pin down.
Nevertheless school divisions can put in place practices to assist them in meeting the onus to protect student data, including but not limited to: keeping procedures and practices up to date; allocating resources – time and money – to appropriate security practices; having IT and learning services work together on data security issues; addressing privacy and data security in contracts; including data security as part of digital education for students; providing references to resources for parents; and ensuring that staff have adequate training at both central office level and at the school level.
In the classroom, teachers should consider data security when students access sites, apps, etc. At minimum, the student and/or teacher should be able to answer the following: What personal data is being collected? Who will own the data? Who will have access to the data? How long will the data be retained? Does the student have the right to get the data removed?
Data security must not, however, be the sole concern of the school division.
The Ministry of Education in Saskatchewan is encouraging and supporting school divisions to move to MySchoolSask, a provincial record keeping system for student data that will replace local division systems. In addition, the Ministry requires school divisions to provide significant amounts of student data to the Ministry. The Ministry must ensure that systems and procedures and contracts are in place to protect student data at both the provincial and division level. This can include appropriate funding and education of staff.
Parents must know or ask questions about why and how the data of their children is being collected, used, stored and disposed of. They must educate themselves, and help to educate their children, about the risks of and the defences to misuse of data. Resources available or referenced on school division websites should be reviewed. Parents can also hold the school division to account and, when applicable, work with the school division to hold the Ministry to account.
School divisions need to know a lot about their students. Collecting data that is necessary to help students fully access education services should not be compromised by concerns about data security. This can best be accomplished if all those involved in education work together to ensure the security of student data.