Student data privacy and security are consistently at the top of school district priorities, but not all employees charged with overseeing data privacy programs feel prepared for the responsibility.
According to the COSN 2025 Data Privacy Report—Part 1, 73% of those who reported they were responsible for the district’s student data privacy program said it wasn’t mentioned in their job description, and 17% reported that they had not received any training on student data privacy. In addition, 60% of leaders cited time and staffing as their greatest barriers to improving data protection.
Combined with an uncertain legal landscape surrounding educational technology regulations, it’s no surprise that some district employees feel overwhelmed by the responsibility of protecting student data. The good news is that a few simple questions—and a focus on key privacy practices—can go a long way. Regardless of the specific laws or jurisdiction, there are foundational principles that every educational institution and edtech provider should prioritize. And in my experience, responsible providers are more than willing to comply.
- Data Minimization: Does the provider only collect the information absolutely necessary for the tool to function? Less data means less risk in the event of a breach.
- Purpose Limitation: Is data only used for the original, clearly stated purpose? Any new uses must require new consent or communication.
- Transparency in Data Collection: Is the provider upfront about how and from where data is collected, including third-party sources?
- Privacy by Design: Are privacy protections built into the product from the very beginning, not as an afterthought?
- Consent and Communication: Does the provider have appropriate consent and communication practices to help prevent problems before they happen? This can be particularly important with AI and data-driven tools.
These questions are also covered in 1EdTech’s Data Privacy Vetting Certification. Results of the vetting, as well as self-assessment results from 1EdTech’s Security, Accessibility, and Generative AI Data rubrics can be found in 1EdTech’s TrustEd Apps™ Directory for members, as well as the TrustEd Apps Management Suite (TAMS).
The rubrics give edtech providers the opportunity to showcase their commitment to student data privacy and other areas important to educators. It’s not just about compliance—it’s about trust. Suppliers who exceed privacy expectations will stand out in the marketplace.
About the Author
Kevin Lewis
Kevin Lewis is 1EdTech’s Data Privacy Officer. He started his career in education as an IT customer service representative where he was responsible for the break-fix process at two high schools. Kevin then moved on to work as an Education Technology Specialist and headed the district’s student data privacy, Internet safety and security initiative. At 1EdTech he vets data privacy policies and provides guidance for consortium members.
