Data Privacy Policy | Questions one must ask ed-tech vendors

Academia ERP / SIS
Mar 2, 2023

As the education sector prepares to become fully technology-driven in the coming few years, parents and teachers have growing concerns regarding data privacy, especially in the K-12 segment.

The increased use of technology in classrooms and in school administration has opened cracks through which cyber criminals infiltrate district computer networks and access sensitive information about students and staff.

Cyberattack threats are looming over the education sector, and it is more important than ever to ensure that data is secure and that every digital tool an institute uses has a good privacy policy. Institutes can, however, avoid these threats by asking vendors the right questions about their data privacy policies before buying their products.

The biggest mistake institutes make

Before signing any contract with a vendor, you must enquire about the companies involved. Most education institutes subscribe to or buy products from a third party without knowing who owns the applications. There are usually different parent companies, and then there are affiliates, subordinate companies, and partners. So, if you are not dealing directly with the owners of the product, you may never know what rabbit hole you are falling into.

It is not necessary to come into direct contact with the owner, but researching every single one of these companies is a must. At the very least, you should know which companies would have open access to your data.

Also, privacy policies are a lawyer’s playground. They may mean different things for different organizations, depending on where and to what they apply. Look for a privacy policy that includes definitions. This should give you more clarity, and you are less likely to get muddled by the legal lingo.

The right way to review a privacy policy

If this is the first time you are reviewing a privacy policy, you may find yourself lost in the legal jargon. Here is a simple hack.

  1. Start with what data is collected.
  2. Learn how it is being collected.
  3. Learn what type of controls the users have over that data.
  4. Check if the policy or product allows data deletion requests, data retention requests, etc.
  5. Learn how long it takes, and what process is involved, when you ask for the data to be deleted.
  6. Learn how the product secures the data once it starts collecting it.
  7. Learn which third parties have access to the data, and to what type of data.

Concerns regarding privacy policies

Education institutes use a variety of applications in their ecosystem. People in the ICT team have a hard time keeping track of each app’s behavior and monitoring the district network. They have to be on the watch for malicious applications or sites being accessed over the devices and network. Keeping track of all the applications becomes hectic for ICT teams, so it is best to restrict the number of applications used in the ecosystem and to use only secure and reliable solutions that serve as a one-stop solution for all institute operations, such as Education ERP software.

Closing Note

The education sector is taking baby steps toward digital transformation, and it is great to see how well it is doing with respect to adoption. Unfortunately, it is also one of the biggest targets of cyber criminals.

While a product’s innate ability to protect itself from cyber attacks is the primary thing to look at, we cannot ignore that decision-makers at schools, colleges, and universities sometimes unknowingly make the mistake of not checking data privacy policies.

Using free web tools, giving access to data without reading privacy policies, not thinking about the permissions they grant to apps, and many more are among the small mistakes that result in big consequences.

One of the best ways to protect your institute from becoming a host for cyber attacks is by restricting the apps that are being used over the district network. Schedule events and webinars to educate your administrative and academic staff about data privacy policies. Keep them involved in the process and make them more aware of the risks involved in using unvetted applications and software in the institutes.


