Protecting personally identifiable information seems complex and can feel like an overwhelming task. We hear everyday about data breaches and leaks from all sectors of business and government.

“It’s a cornucopia of security exposures,” said Serena E. Sacks, CIO of FCS, in a session at the Future of Education Technology Conference on Jan. 24 in Orlando, Fla. “Technology alone can’t protect our students and our data.”

While Sacks noted that next-generation security solutions can do some heavy lifting with protecting data, data privacy comes down to user behaviors.

“Technology alone can’t protect our students and our data.” -@Serena1027’s #FETC session on protecting PII

— Meghan Cortez (@megbcortez) January 24, 2018

With the alphabet soup of federal privacy regulations and increased collection of data by tech tools, protecting students’ personally identifiable information (PII) may seem like a daunting process.

Sacks and Linnette Attai, president of PlayWell, LLC, a compliance consulting organization that helps businesses and schools navigate the required protections for student data, offered up tips for keeping data private.

1. Understand That Data Privacy is Ongoing

Safeguarding employee data is not a simple process. As companies introduce new tools and work with new vendors, privacy concerns will , concerns for privacy will always be fluid.

“It’s an ongoing muscle you need to build,” said Attai. “As school systems, you are obligated to protect students. In today’s world that obligation extends to their data.”

.@PlayWell_LLC says data privacy in school is an “ongoing muscle you need to build.” #FETC

— Meghan Cortez (@megbcortez) January 24, 2018

2. Develop Basic Data Governance Best Practices
To make sure that your company is complying with federal regulations and community expectations of data privacy. Leaders have to create a plan for data governance.

To promote data privacy, districts should follow these guidelines:

Be transparent about what data is being collected.
Have a purpose for the data collected.
Don’t collect data that you don’t need. For example, in a lot of cases, Attai said schools don’t actually need social security numbers.
Use data only for your purpose.
Create reasonable and appropriate security policies for data. For example, a grade doesn’t need the same protections as a social security number.
3. Identify What PII Is and Know the Exceptions
One of the biggest K–12 privacy regulations, the Family Educational Rights and Privacy Act (FERPA) requires that school districts need to keep PII safe and get parental consent to share it with technology vendors.

But, what exactly is PII? Attai said that FERPA’s definition of PII is incredibly broad, requiring protections on everything from names and emails to birthdays.

Directory information, info contained in a student’s record that in most cases would not be considered harmful if disclosed, is an exception to FERPA and only requires that schools let parents have the option to opt their student out.

“What you have to do as a school system is define what you consider to be directory information,” said Attai. District leaders should share that definition with parents, she said, and explain how they intend to use the info.

When contracting with a tech vendor, Attai noted that districts must also identify the minimally required PII the vendor needs for students to use a tool.

Uncertain about what you need to keep protected? Check out our explainer of federal privacy regulations.

4. Lay the Groundwork for Compliance with Teachers
In spite of a district’s best efforts, unknowing educators might make use of online educational tools without considering privacy ramifications.

Attai and Sacks agreed that school leaders can keep data private without stifling innovative use of new apps and tools.

For example, Attai suggested that districts require educators who want to use a new tool to print out the tool’s terms of use and answer a questionnaire that addresses the privacy concerns of the tool.

“This serves as kind of an ‘aha moment’ for teachers,” said Attai.

5. Build Policies Around Digital Citizenship
Digital citizenship lessons for students and teachers can be incredibly helpful to support data privacy initiatives. When rolling out its new tech, Sacks said that Fulton County Schools not only required that students have digital citizenship lessons, but also offered some to parents.

Her district also wove in mandatory security lessons for educators, including some on FERPA regulations.

Personally Identifiable Information.