Steps Canadian schools can take today to better protect student data

While Canadian educators are calling for better safeguards in data privacy, there are actions that schools can take right now. Clever’s Director of Security provides recommendations for vetting vendors and building a culture of cybersecurity within Canadian schools.

As Canadian educators start the 2023-24 school year, they’re speaking out on one of the most important issues to come out of the COVID-19 pandemic: data security. In July, both the 365,000-member Canadian Teachers’ Federation (CTF) and the regional Alberta Teachers’ Association issued strong, clear statements about the imperative to protect student information from what the CTF called “unchecked monetization.” Both statements call on policymakers to pass legislation preventing edtech companies from selling the data they collect to third parties. 

But as schools look to implement better safeguards for student data privacy, it’s critical to ensure cybersecurity is embraced comprehensively – with commitment not just from lawmakers but at every level of school systems, from individual teachers and staff to leadership.  

A 2023 study by researchers from the University of Chicago and New York University underscored the serious lifelong impacts data breaches can have on students, highlighting why robust cybersecurity measures are essential to safeguard student privacy amid the rapid increase in edtech. Compounded by several recent incidents in Canada, it’s imperative that cybersecurity and student data privacy remains at the forefront of ongoing conversations. 

Protecting student data: What can schools do right now?

One solution for schools outside of legislation involves carefully vetting the privacy policies of edtech companies, something that was impractical during the mad rush in March 2020 to transition to in-person learning. This requires that school systems perform privacy impact assessments of all tools being used within the system — and, ideally, performing this assessment before implementing a given solution.

Administrators should work with companies to ensure that there are necessary controls to reduce privacy violations and data security. Many edtech companies, including mine, only partner with platforms that have agreed to abide by relevant laws and the company’s rules about data collecting and sharing. 

When evaluating potential edtech partners, there are a few key steps schools can take:

• Closely review vendor privacy and security protocols. Ask detailed questions about data encryption, access controls, breach responses, logical segregation and other safeguards.

• Establish clear vetting standards tailored to your school’s policies and priorities. Rigorously evaluate each vendor against those benchmarks for the data they are handling.

• Conduct ongoing monitoring, reassessing vendor relationships at least annually. Check policies for changes, audit data flows, and re-verify controls as risks evolve.

But vetting edtech vendors is only one part of the solution. Truly securing student data requires engagement across the entire school community. Cybersecurity cannot fall solely to IT staff—it must become a shared priority through training and open conversations that empower all stakeholders. 

We encourage schools to engage community voices in open discussions about cybersecurity risks and collectively build layered defenses through informed and vigilant staff, training, and technologies like multi-factor authentication. Activating the whole school is key, as cybersecurity is too critical and widespread an issue to silo. 

With collective action across all levels, schools can help safeguard both student privacy and continued learning amidst the growing role of edtech.