Tips to Create a Comprehensive EdTech Privacy Vetting Process
Evaluating the privacy policies of edtech products is critical for many of LearnPlatform's LEA and SEA organizations. Privacy and data requirements vary state by state, however, there are several best practices that are common among our customers and that we are eager to share below.
Here are a few tips and best practices -shared by our customers- to ensure that your district dots the i's and crosses the t's when it comes to data privacy compliance.
Complete an EdTech Product Audit
Understanding the breadth of edtech tools used in your organization is the first step to ensure you are complying with your state's privacy legislation. By consistently performing audits of your edtech ecosystem, you will readily know what’s used, how often, and for whom it works best.
To conduct an audit, use the LearnPlatform's Usage Dashboard to identify the products being used in your organization. Run reports by time periods, product statuses, and organizations to see the top products used in your organization.
Once you conduct your audit, get started building your product library. You may want to provide some careful consideration to your product statuses to ensure that they are effectively communicating product approval within your organization.
If you decide to set custom statuses, we recommend staying concise and consistent when naming these. Here are some examples.
Prioritizing Your Product Decisions
There may be hundreds of edtech products being accessed by your educators as a result of your audit. In fact, districts are now (post-COVID-19) accessing an average of 1,327 tools per month.
However, not every product holds the same value for students or demands your full attention. Establishing product categories via product tagging allows you to prioritize critical tools and address the privacy requirements of those products first.
Here are some recommended product categorizations for your tools.
Assemble Your Privacy Team
An effective product privacy vetting process requires the involvement of several stakeholders and departments from your organization.
You can create a "Privacy Team" group in LearnPlatform via our user groups feature. The purpose of this group is to safeguard student data privacy, monitor changes to agreements and laws, and act as liaisons between your legal team and providers.
Identify Your Local and State Data Privacy Regulations
Compiling a list of legislative requirements (in consultation with your legal team) will help you determine the action steps needed to be compliant as a district.
Some aspects to look for include:
- Student Data - what data is collected, stored, sold and/or shared;
- Identifiable student data - types of personally identifiable information (PII) collected;
- Data deletion or destroy policy;
LearnPlatform's APIs with SDPC, Project Unicorn, and Common Sense Media in our Privacy tab can provide you with a head start by centralizing the resources you will need to begin your vetting process.
Get Educators Involved in the Vetting Process
Customizing your product request form can help you gather product feedback from educators and serve as the first line of vetting for product vetting.
Including questions in your form such as:
- Does this product capture any student data?
- Does this product sell or share any student data with third parties?
- Is this a free or paid product? and
- Have you discussed the tool's privacy policies with the vendor directly?
can help you gather important information ahead of the vetting process. In addition, these questions can help you filter out products that may not comply with your organization's data privacy policies, and help involve educators in the decision-making process.
Creating a robust and comprehensive form that includes privacy-related questions will help you develop a privacy-centric culture where student data is valued and paid attention to at all levels of the organization.
Document the Process
Once the legislative requirements and departmental teams are identified, document the process and share it internally. Clearly explain responsibilities, criteria used for evaluation, potential hold-ups, timeline.