How to identify risk while building a student data privacy compliance program

Commentary: A pre-assessment can be useful in helping schools address the policies, processes and risks of building a student data privacy program.

If you’ve been following along with my recent series on building a student data privacy compliance program, you know there is a lot to consider before tackling your existing risks. It may be tempting to rush headfirst into the issues, but the truth is that if you haven’t done all the pre-work and built a solid foundation on which to launch your program, the risks will persist, despite best efforts.

That’s because a compliance program depends on not just identifying and mitigating risks, but on addressing the behaviors that created the risks in the first place. It can also often mean changing the existing culture in an organization, which requires that a well-informed framework for change be in place before anything else.

If you’ve already laid the groundwork for the change to come, you’re likely eager to get started on identifying and addressing your risks, but the question of where to begin can bring even more questions.

There are so many areas of student data privacy to consider: who in your school organization has access to what data, how do you monitor for security issues, how do you ensure that parents receive the required information about privacy rights for their children, how do you share data with education technology companies and more. Trying to tackle everything at once would only lead to frustration. There are simply too many policies, processes, requirements and risks to address, and only so many resources to go around. So, how do you get started?


A useful tool is a pre-assessment or threshold assessment. This is a process through which you identify and benchmark existing practices and assess the current state of affairs in comparison to where you want things to be.

The simplest way to conduct a pre-assessment is to design a questionnaire for each team that is responsible for managing a system, overseeing a policy or implementing a process. The questions should be drafted to elicit information about how the individuals actually function in relation to expectations, and whether or not the actions and expectations are in alignment. This then allows you to identify where your more pressing risks lie so that you can prioritize solutions accordingly.

See more from Linnette Attai’s student data privacy series in EdScoop

As with all tools in the toolbox, a pre-assessment is only useful if you’re prepared to leverage it properly. To set yourself up for success, start here:

Identify your goals : It’s impossible to identify gaps in a data privacy program if you don’t know what strong protections should look like. There needs to be a goal in place, or a target that you want to reach. To establish that, you first need to know what protections should be in place.


Do you understand the laws, your district policies and community norms? Do you understand how those translate into action that protects the privacy of student data? Use this information to establish the target level of privacy protections that you want to have in place around your student data.

Ask the right questions : A pre-assessment questionnaire should be designed to identify where a policy, process, procedure or training have failed your teams, not where your teams have failed. Tailor the questions to identify what elements of the data privacy program are not working well and avoid getting caught up in identifying which individual may be doing something incorrectly. By shining a light on that information, you’ll learn not only where your biggest risks lie, but why.

Answers to a well-designed questionnaire should tell you what employees know about the requirements, if your existing training is effective or not, how well existing policies and processes are followed and how robust your controls are over student personal information when it’s shared with third parties.

Gather the right materials : The questionnaire is only part of the puzzle. Existing policies and procedures also need to be assessed for alignment with the goals you established as well as with the answers to the questionnaires. Interview the teams to understand how a process on paper really comes to life and where the team believes that the process is inefficient or otherwise ineffective. Compare what you learn with the answers to the questionnaire and any existing documented policies and processes to pinpoint gaps and to begin to identify potential solutions.

The pre-assessment should also help you identify why things are out of alignment. There may be a policy gap, a procedure that is simply inadequate to meet the policy requirement, training that is lacking or perhaps there is guiding policy and procedure that is missing in certain areas. Start to consider what the teams would need in order to meet the goals you’ve established for your data privacy program.


At the end of the process, you may find that you have a long list of gaps to address and issues that create concern. Looking at the risks is a rather uncomfortable part of the process, but it’s important. Knowing the truth ensures that you are not blind-sided by risk in the future, and it is the first step toward putting solutions in place to better protect the privacy of your student data.

Linnette Attai is the founder of PlayWell, LLC, through which she advises private and public companies, schools and districts, trade organizations, lawmakers and policy influencers. Attai has been helping clients navigate data privacy matters for over 25 years. She is the author of ” Student Data Privacy: Building a School Compliance Program .”

Latest Podcasts