One way to address concerns is that as the risk goes higher, the access is more highly limited. "We have public data sets of K-12 student interactions that anybody can access because they are so de-identified," Koedinger said.
According to Koedinger, the National Academy of Education is starting to have these conversations, but there needs to be some way to get the word out to the schools that they should be putting pressure on the developers and vendors.
"The school should be demanding that security. A school could say to a vendor 'we will use your product, but only if you guarantee that the data you keep is fully de-identified'," Koedinger said.
Having clear data governance policies that establish procedures for the responsible use of data will help to mitigate risk. "Make sure you are clear what permissions people have to see, analyze, and download data so that folks aren't getting all kinds of data into places where it shouldn't be," Saxberg said.
The risk is people doing things that are convenient for them and putting things where they ought not to be. "There are tiers of data security thinking that all people in education should be thinking about and should be sensitive to, and a lot of folks aren't thinking about that responsible use of data," said Saxberg.
As it is across most sectors, Ritter said, the majority of people don't think about security until they have a problem. "Those in education who are doing security well are asking for specifics about data privacy and security. They want to know how a vendor collects and stores data, what their policy is for correcting data, and whether they have a breach response policy?"
At this point where the vast majority of schools are already operating with a sizable amount of data being collected, it's not feasible to come to a dead halt in order to write policies and procedures. The best most can do is move forward with security in mind and take precautionary measures before a major breach occurs.
Sign up for Computerworld eNewsletters.