Are you prepared to answer an e-mail like this?*

As a parent, I am trying to learn about the school's technology: how it works, what is available, and its privacy.

At my child's school, students are using Scootpad and Edmodo. Is this information kept on a local or district server or is it out there in the web or cloud?

How many different sites have students' information such as name, gender, grade etc.

If teachers are using school computers to access these sites, is my daughter's information safe? Can someone get her information off the teacher's computer when sending it?

How secure are the schools' networks?

My child has also been signed up for several sites by special education so that teachers can find adaptive materials and books**. The sites include the state school for the blind, the State of MN, Bookshare.org etc. How are these sites being protected?

Let's face it - data privacy is a hot topic in the media and I am sure part of a lot of conversations among parents. School districts need to take questions like these seriously and be able to give complete, understanable, and honest answers that reflect good data privacy practices.

Here is my response to this parent:

Both Scootpad and Edmodo are hosted applications - in other words the program and data are indeed stored in the cloud (on servers outside our own district that we do not own). Since neither of these programs contains data that are subject to FERPA regulations, we feel comfortable using these cloud-based sites.  For sites that do have data that is covered by FERPA laws, we make sure there is an encrypted (https) connection to those resources - and that the companies are reputable. Studies consistently show that cloud-based security is very good.

Student names and data are also a part of many other databases in the district including Naviance (guidance), Viewpoint (data warehousing and analysis), Moodle (online course management), GoogleApps for Education (email and online productivity tools), the library catalog, and many instructional programs that track student goals in content areas such as reading and math programs. 

The primary database is our student information system (Infinite Campus) and most student information in other databases is imported from it. Infinite Campus is housed within our district, behind our firewall and on our network. The physical server itself sits in rented space at the secure data center of our local telephone company. Our IP addresses are all subnetted - in other words, the outside world only sees a single IP address for all equipment on our network - another security precaution.

We also recognize that school computers are only as secure as the people using them are knowledgeable. We ask that all computers be password protected, that screen-savers that require passwords to disable be used, and that staff change passwords on a regular basis (and of course that they do not leave passwords on sticky notes near their computers.) The district staff technology security guidelines can be found here. Your comment is a good reminder that we need to do a better job of reminding staff members of this document.

We have an independent company do a regular security audit of our networks and processes and have always passed with flying colors. The most recent one was completed last spring.

Our district, of course, is not alone in this use of technology to record student data and we do take data security and privacy seriously. 

I hope this makes sense. Please e-mail or call me if you ever have questions regarding the privacy of your children's data. It's a valid concern to raise.

* An actual letter that I received last week, edited for privacy, etc...

** Even as the all-knowing, all-seeing technology director, I was unware of these databases and had to contact our special education department to learn more about them. It makes me wonder just how many other places staff is storing information about kids without any sort of vetting process - including confidential data. Such realizations always humble me.