Requires the Texas Education Agency and technology vendors doing work with schools in Texas to de-identify students by masking all student data.
Impact
LISD is charged with safeguarding the personal data of more than 41,000 students without state-level guidance or requirements for vendors or agencies, such as the Texas Education Agency (TEA).
Driving Question
How do we ensure that LISD and our vendors comply with national and state data safety standards and best practices during the transfer of student records and programs?
Background
School districts contract with third-party vendors that have access to student data. There is currently no statewide standard of data protection, such as the use of a unique ID (to assist in masking a student's identification), nor a standard statewide data-sharing agreement. Vendors range from small local companies to large national firms. These companies possess differing standards of protection and request varying degrees of student information, sometimes much more than necessary to perform their function.
There are concerns that this lack of a standard is creating a large digital footprint for a child before they reach adulthood, and that this data is vulnerable to theft and malicious use. A child’s data is some of the most sought-after data by hackers. There have been recent cyber attacks against school districts in the US where hackers obtained student data from third-party vendors and sent ransom notes or threatening personal messages to parents and teachers.
This resulted in school closures, as well as student data (including addresses, phone numbers, grade levels, etc.) being published on public platforms.
LISD seeks to require all vendors with student data to protect it with the unique ID and to adhere to an agreement that requires them to uphold a high standard of protection, while limiting the data to only what is necessary for the vendor’s contracted purpose.