My name is Elizabeth, and I’m a recovering bureaucrat. For five years, I led seemingly wonky but deeply important student privacy work in two vastly different state education agencies. I joined the Louisiana Department of Education shorty after it withdrew from national data initiative InBloom, and as a result, the state passed one of the most restrictive student privacy bills in the country, the implementation of which became my full-time job. Then, I became the privacy officer at DC’s Office of the State Superintendent of Education (OSSE) after they suffered two public data breaches in less than a year.
Looking back on my time in government, there are tools and resources that I wish I’d had. I recently joined the Student Privacy Project here at CDT to create some of these, and today, we’re releasing a new resource about why education leaders need chief privacy officers to protect student data. Once a chief privacy officer is hired, what can ensure their success? Based on my experiences, here are some tips, tricks, and rules of the road that informed this resource:
- Leadership matters: The issue brief focuses on important steps that leadership can take to support a CPO in their efforts to protect student data. In particular, positional authority and resources—people, time, and money—are important assets that only leadership can provide, and they have the potential to make or break a CPO. In my experience, leadership plays a critical role in helping, or hindering, a CPO.
- See something, say something: Rarely was there a data incident where someone didn’t intuit that something was wrong. But employees are often afraid to say something, or don’t know who to tell. My colleagues and I tried to encourage employees to speak up when something didn’t seem right, but to do that, employees need to view a CPO as a resource, not someone who is solely concerned with compliance. The CPO should establish a culture that values and believes in protecting students’ privacy.
- Everyone plays a role in protecting student privacy: I made it very clear that it wasn’t just my job to protect student privacy. The issue brief talks specifically about the importance of Chief Information Security Officer (CISO), but even if an organization has a CPO and CISO, they still need to develop privacy advocates and ensure that every employee who might encounter student information understands their obligation to protect it and is trained on how to do that.
- Keep calm and carry on: I found that the more successful I was, the fewer issues there were and the less my work was visible, a side effect of which was that employees, even organizational leadership, could grow complacent. However, the reality is that policy and technology continue to evolve, creating new questions that need answers, and any organization with student data is one mistake away from a data breach. A CPO’s work is never finished, and it is important to utilize current events to both learn and share ongoing risks to maintain a sense of urgency and remain vigilant in protecting student data.
Serving as a chief privacy officer is not for the faint of heart. It was an incredible privilege, though, to be charged with leading hundreds of people toward a single goal of protecting students’ privacy, while ensuring that data and technology can be and are used to give every student the education that they deserve.