To respond to new demands to protect student data, the education system would benefit from deploying a strategy that has been successful in other sectors and industries: hiring a chief privacy officer (CPO) who is responsible for the organization’s privacy policies and practices.
The current model distributes privacy duties across an education organization and has resulted in excessive data collection and access, untrained staff with little support in protecting student data, retention of data past its usefulness, and lax controls on third-party management and use of student data. Everyone plays a role in protecting student privacy, but a CPO can improve privacy protections by centralizing the strategy, policies, roles, and responsibilities for protecting data, which results in preventing data incidents, establishing trust, and ultimately ensuring that information is not used to harm students.
This issue brief focuses on a variety of practices that can support such a role, and is divided into two sections: first, the role that education organizations can play in making CPOs successful, and second, the role that CPOs should play in protecting student privacy across the organization. Specifically, organizational leadership should establish the CPO as a senior position, ensure multi-disciplinary support for the CPO, and provide financial resources. Once hired, the CPO should serve as a resource to staff, collaborate with the chief information security officer, cultivate privacy advocates, and respond to current events.