Controversies about data abuse and misuse by companies and institutions, educational ones included, abound and are only expected to multiply.
Users’ concerns about privacy are constantly increasing, and are often met with a response from authorities. In the European Union, an exemplary case of protection of user data (and rights), websites are obligated to inform users about any form of data collection and its purposes, and to allow opting out, among other things, in ways that are easy to access and understand. The EU provides further protections for underage users, which have served as a model for legislation in the U.S. and elsewhere.
When it comes to eLearning, the law remains steadfast, which is not to say it’s straightforward across educational scenarios.
Some people refuse to share any personal data anywhere, or to use any social media at all, thereby complying, but perhaps missing out on some of the veritable benefits of a personalized internet. However, things take on a different angle when it comes to teachers’ personal data, whether it is shared by the teachers themselves or by their employers.
We start with the fact that employers possess a lot of information about teachers, from their social security numbers and addresses to their credit scores and driver licenses, to salary and payment info. Teachers can be careful, yet at the same time feel pressures or incentives to have a public online presence. Organizations can, and should, also play it safe by keeping tight access to privileged HR information, leveraging the security of third-party cloud services like PayStub, and keeping everyone up to code with the latest practices.
And yet, it may only take a small oversight by a human being with enough access, or a couple of them, for a malicious actor to gather all the pieces and mount an attack. Trying to make sense of the rationale of the “hacker” may be a fool’s errand, although weighing the costs against the returns of their operation can be a simple and useful heuristic when deciding on security investments.
There is one clear course of action: Implementing proper security measures, educating employees, and promoting a culture of security that helps keep both measures and training compliant, relevant and timely.
Implementing proper security measures is the most critical step in protecting employee data privacy. This refers to both information stored on the company’s servers and in employees’ individual accounts. The most common strategies and measures include:
№1. Access control
Access control is a security measure that enables you to control who has access to what data and how they can use it. This means that only authorized employees can access the information in question, and their access can be revoked if necessary.
№2. Breach control
Breach control is a security measure that enables you to protect data from any unauthorized access. It includes regular monitoring of potential threats to safeguard both the company’s information and the privacy of employee information from data breaches.
№3. Passwords and encryption
Passwords are a security measure that enables you to control who can access the company’s information. Setting a password allows users to encrypt their devices and files. This should be done on all devices used in the company, as even a single unprotected personal device can put an entire network at risk. Passwords should be strong enough to prevent data loss due to brute-force attacks and, if possible, changed regularly.
Most cloud-based HR management software providers offer a wide range of features to help you manage employee passwords; however, you may also opt for a third-party password manager.
№4. Two-Factor and Multi-Factor Authentication (2FA, MFA)
Two-factor authentication is a security measure that enables you to control who can access the company’s information. It involves requiring users to provide a password and another layer of authentication, such as a security code sent via text or an application that generates random numbers.
Educating teachers on the value of personal data
No matter how secure a Learning Management System is, your accounts and the information they contain remain a constant threat to privacy and security. Educating educators on managing their accounts is a crucial step in protecting your network from potential data breaches.
They might not consider their own data, or the student data to which they have access, as “valuable.” In this case, it’s worth helping them realize who does find the information valuable (the malicious actor), and what they are willing to do to steal it.
№1. Set clear and simple guidelines
The first thing you should do is to set clear guidelines for teachers about how to manage their accounts. For example, you should inform them about the importance of strong passwords and setting up two-factor authentication.
An “Educator Privacy Handbook,” containing guidelines and other essential information regarding security measures, is always a straightforward piece of advice. Policies should also include information about standard procedures, such as how to report stolen or lost devices, how to gain access to sensitive information, whom to reach in case of questions or an emergency, and so on.
№2. Implement safety protocols
After setting the guidelines, you should implement strict safety protocols for your educators that cover their own as well as their students’ personal information. For example, you can create a protocol for handling stolen or lost devices, so they know exactly what to do, and can do it promptly, when they lose access to their account: how to report it, who to contact first, which mitigating actions to take, and so on.
Similarly, as a matter of protocol, they should read up frequently on the latest “social engineering” tricks to avoid falling victim to phishing attacks, scams or other threats.
№3. Practice regular security ‘stress testing’
In addition to setting guidelines and implementing safety procedures, you should practice regular security tests among teachers. This means putting the established guidelines and safety protocols to the test under controlled conditions, and documenting any shortcomings.
If you find any security gaps or other problems, you can work on them right away, thereby preventing potentially catastrophic data breaches. If the flaw lies in the software, it’s a good idea to include reporting steps in the protocol, to help teachers at other organizations who use the same software.
№4. Define third-party access policy
To ensure data privacy and security, you should forbid any third-party applications and accounts from accessing sensitive employee information. Your employees should only use official tools to access the company’s data. At the very least, teachers should request the ability to connect to an app, and said request should be evaluated by a top-level system administrator. Depending on the type of app, there might be safer ways to access a given app without providing any personal data.
Each and every interaction with a system is a potential threat to privacy. But education and awareness are the way towards a culture of safety and awareness of the value of privacy, rather than a reactive, farsighted and anxiety-driven one.
To ensure the privacy of teacher information, you should set clear guidelines for how teachers manage their accounts, implement safety procedures, and practice regular security tests, involving them as much as possible every step of the way. At the same time, you should define clear and simple access policies and exercise extreme caution about letting third-party applications access sensitive employee information.
Privacy of personal data is a complex issue that you should address from multiple angles. It is up to teachers to stay vigilant and up to date, but it is your responsibility to provide for the privacy and security of their work-related information.