School District Privacy Self-Assessment – A Checklist for Evaluating District-Wide Privacy Practices
Ensuring strong student data privacy protections requires ongoing evaluation and improvement of district-wide policies, security controls, and compliance with federal and state privacy laws. A privacy self-assessment helps schools and districts identify vulnerabilities, assess risks, and implement best practices for safeguarding student information.
The National Student Data Privacy Association (NSDPA) provides a comprehensive self-assessment checklist that helps districts evaluate their privacy policies, data security practices, and vendor management strategies to ensure full compliance with FERPA, COPPA, and state-specific student privacy laws.
Why School Districts Need a Privacy Self-Assessment
A privacy self-assessment allows districts to:
Identify gaps in student data protection policies.
Ensure compliance with FERPA, COPPA, PPRA, and state privacy laws.
Evaluate vendor contracts and third-party data-sharing agreements.
Improve staff training and awareness of student privacy risks.
Strengthen cybersecurity controls to prevent unauthorized access and breaches.
Key Areas Covered in the Privacy Self-Assessment
The following checklist provides a structured framework for districts to evaluate their privacy and data security practices:
1. Privacy Policies & Compliance
Does the district have a written student data privacy policy?
Are staff, parents, and students informed of their rights under FERPA, COPPA, and state laws?
Does the district have a documented process for handling parental data requests and opt-outs?
2. Data Collection & Minimization
Is student data collection limited to only necessary information for educational purposes?
Are data minimization practices enforced when using EdTech tools and third-party platforms?
Are unnecessary data elements regularly reviewed and removed from school systems?
3. Vendor & Third-Party Management
Does the district have Data Privacy Agreements (DPAs) in place with all vendors?
Are all third-party vendors evaluated for compliance with student privacy laws?
Does the district maintain a public list of approved EdTech tools and software vendors?
4. Cybersecurity & Data Protection
Is student data encrypted both in transit and at rest?
Are multi-factor authentication (MFA) and role-based access controls (RBAC) enforced?
Does the district conduct regular security audits and penetration testing?
5. Staff Training & Privacy Awareness
Are teachers, administrators, and IT staff trained annually on student data privacy best practices?
Do staff members know how to recognize phishing attacks, social engineering, and cyber threats?
Are privacy and security policies included in new staff onboarding and ongoing professional development?
6. Data Retention & Deletion Policies
Are student records only retained for the legally required time period?
Does the district have a defined process for securely deleting outdated student records?
Are vendors required to delete student data upon contract termination?
7. Incident Response & Breach Notification
Does the district have a Data Breach Response Plan in place?
Are schools required to notify parents and affected parties within legal timeframes?
Are IT staff trained to respond to data security incidents effectively?
How to Conduct a Privacy Self-Assessment
Districts should perform an annual self-assessment using a structured approach:
Step 1: Assign a Privacy Task Force
Appoint a Chief Privacy Officer (CPO) or Data Protection Lead.
Form a district-wide privacy task force including IT, legal, and administrative staff.
Step 2: Review Existing Privacy Policies
Compare current policies against federal and state privacy laws.
Update policies to align with best practices and new regulations.
Step 3: Audit Student Data Handling Practices
Assess how data is collected, stored, and shared within the district.
Ensure data minimization and encryption standards are enforced.
Step 4: Evaluate Vendor & EdTech Compliance
Review vendor contracts to confirm compliance with DPAs and security policies.
Require vendors to submit annual privacy and security compliance reports.
Step 5: Train Staff & Improve Awareness
Ensure all staff members complete annual privacy and cybersecurity training.
Host privacy awareness workshops for parents, students, and educators.
Step 6: Implement Data Security Improvements
Enhance access controls, encryption, and network security measures.
Schedule regular security audits and penetration testing.
NSDPA’s Privacy Self-Assessment Resources
NSDPA provides privacy self-assessment tools and compliance resources to help districts evaluate and improve their student data protection policies:
School District Privacy Self-Assessment Checklist.
Model Data Privacy Policy Template for Schools.
FERPA & COPPA Compliance Audit Guide.
Cybersecurity Risk Assessment Toolkit for K-12 Schools.
Vendor Data Privacy Agreement (DPA) Review Checklist.
Start Evaluating & Strengthening Your District’s Privacy Practices
Conducting a privacy self-assessment is essential for ensuring compliance, protecting student data, and improving cybersecurity. Schools and districts should regularly review their data privacy policies, staff training, and vendor contracts to minimize risks and safeguard sensitive student information.
Download NSDPA’s School District Privacy Self-Assessment Toolkit! Access compliance checklists, risk assessment guides, and policy templates to strengthen privacy and security practices in your district.
Vendor Risk Assessment Framework – A Toolkit for Schools to Assess the Privacy Practices of EdTech Vendors
As school districts increasingly adopt EdTech solutions, ensuring that vendors follow strong student privacy and security practices is critical. Schools must assess how vendors collect, use, store, and share student data to prevent unauthorized access, data breaches, and misuse of personally identifiable information (PII).
The National Student Data Privacy Association (NSDPA) provides a Vendor Risk Assessment Framework to help schools and districts evaluate the privacy practices of EdTech vendors before adoption, ensuring compliance with FERPA, COPPA, and state privacy laws.
Why Schools Need a Vendor Risk Assessment Framework
Without proper oversight, vendors may collect excessive student data, fail to secure it properly, or share it with unauthorized third parties. Conducting a structured risk assessment helps schools:
Ensure compliance with FERPA, COPPA, and state privacy laws.
Identify potential risks associated with student data collection and storage.
Hold vendors accountable for their privacy and security practices.
Prevent unauthorized third-party data sharing.
Require vendors to sign Data Privacy Agreements (DPAs) that align with district policies.
Key Areas Covered in the Vendor Risk Assessment Framework
The NSDPA Vendor Risk Assessment Framework is designed to help schools evaluate vendors using a structured approach that includes the following categories:
1. Data Collection & Minimization
What student data elements does the vendor collect?
Does the vendor collect only the minimum data necessary for educational purposes?
Does the vendor limit behavioral tracking, profiling, or unnecessary analytics?
2. Compliance with Privacy Laws
Does the vendor comply with FERPA, COPPA, PPRA, and applicable state laws?
Has the vendor signed a Data Privacy Agreement (DPA) with the district?
Does the vendor require verifiable parental consent for students under 13 (COPPA compliance)?
3. Data Security & Encryption
Does the vendor encrypt student data at rest and in transit (AES-256 or higher)?
Does the vendor require multi-factor authentication (MFA) for school administrators?
Does the vendor conduct regular security audits and penetration testing?
4. Third-Party Data Sharing
Does the vendor disclose any subcontractors or third parties with access to student data?
Are third parties prohibited from using student data for advertising, profiling, or resale?
Are third-party agreements aligned with district and state privacy laws?
5. Data Retention & Deletion Policies
Does the vendor define data retention timelines for student records?
Does the vendor delete student data upon request or at contract termination?
Are deletion requests processed within a reasonable timeframe (e.g., 30-90 days)?
6. Breach Notification & Incident Response
Does the vendor have a defined data breach response plan?
Is the vendor required to notify the district and affected individuals in case of a breach?
Does the vendor offer identity protection services for students affected by breaches?
7. Transparency & Accountability
Does the vendor provide regular privacy compliance reports to the district?
Does the vendor publish a transparent, easy-to-read privacy policy?
Are school administrators able to configure and manage student data privacy settings?
Steps for Conducting a Vendor Risk Assessment
Before adopting an EdTech tool, schools should follow a structured risk assessment process:
Step 1: Review Vendor Privacy Policies
Check whether the vendor clearly outlines their data collection, security, and sharing practices.
Ensure the policy aligns with FERPA, COPPA, and state privacy laws.
Step 2: Require Vendors to Sign a Data Privacy Agreement (DPA)
Mandate that vendors sign a legally binding DPA outlining data protections.
Use NSDPA’s Model Vendor DPA Template for district-wide consistency.
Step 3: Conduct Security & Privacy Testing
Request a security audit report from the vendor to confirm compliance.
Ensure that the vendor follows industry-standard encryption and security measures.
Step 4: Monitor Vendor Compliance
Require vendors to submit annual privacy compliance reports.
Regularly review vendor contracts and update them based on evolving laws.
Step 5: Train School Staff on Vendor Privacy Risks
Educate teachers and administrators on how to evaluate EdTech privacy practices.
Provide a vendor privacy evaluation checklist before approving new software.
NSDPA’s Vendor Risk Assessment Resources
To help districts assess vendor privacy and security risks, NSDPA provides customizable tools and compliance guides, including:
Vendor Risk Assessment Checklist for Schools & Districts.
Model Data Privacy Agreement (DPA) Template for Vendors.
Vendor Security & Privacy Compliance Audit Guide.
FERPA & COPPA Compliance Assessment Toolkit.
Best Practices for Vendor Data Sharing & Third-Party Management.
Start Evaluating Vendor Privacy Practices Today
A structured vendor risk assessment framework helps schools and districts select EdTech vendors that prioritize student data protection, comply with privacy laws, and maintain transparency.
Download NSDPA’s Vendor Risk Assessment Toolkit! Access risk assessment checklists, compliance templates, and best practice guides to ensure EdTech vendors meet strict data privacy and security standards.
Data Mapping & Inventory Templates – Tools for Tracking What Student Data is Collected, Stored, and Shared
As schools and districts adopt more digital learning tools and student information systems, it is critical to track and manage student data effectively. Many privacy risks arise from schools not fully understanding what data they collect, where it is stored, and how it is shared with vendors and third parties.
A data mapping and inventory system helps schools create a clear picture of student data flows, identify potential risks, and ensure compliance with FERPA, COPPA, and state privacy laws.
The National Student Data Privacy Association (NSDPA) provides data mapping templates and inventory tracking tools to help districts document, monitor, and secure student data across all systems.
Why Schools Need Data Mapping & Inventory Management
Without proper data mapping, schools may unintentionally expose student data to security risks or non-compliant data sharing. A structured data inventory helps districts:
Identify what types of student data are collected and stored.
Determine who has access to student data within the school and vendor systems.
Ensure compliance with FERPA, COPPA, and state privacy laws.
Reduce security risks by detecting unauthorized data collection and storage.
Improve transparency for parents, students, and school administrators.
Key Components of a Student Data Inventory
A student data inventory should track the following essential information about student data collection and storage:
1. Data Collected
What types of student data are collected? (e.g., names, grades, attendance, behavioral data, health records)
Is the data personally identifiable information (PII)?
Is the data optional or required for educational purposes?
2. Data Storage & Security
Where is student data stored? (e.g., local servers, cloud platforms, third-party EdTech vendors)
Is the data encrypted at rest and in transit?
Who has access to the data? (Teachers, administrators, IT staff, vendors)
3. Data Sharing & Third-Party Vendors
Which vendors and platforms receive student data?
Do third parties have signed Data Privacy Agreements (DPAs) in place?
Does the vendor share data with subcontractors or external organizations?
4. Data Retention & Deletion Policies
How long is student data retained before it is deleted?
Is there an automatic data deletion policy after students leave the district?
Are vendors required to delete student data upon contract termination?
5. Compliance & Risk Management
Does the school’s data collection align with FERPA, COPPA, and state laws?
Has the district conducted a privacy risk assessment of student data usage?
Are there staff training programs on data handling and security?
Steps to Implement Data Mapping & Inventory Tracking
Schools should follow a structured process to implement a data inventory and mapping system:
Step 1: Conduct a Data Audit
Identify all student data collection points across school systems and EdTech platforms.
Document where the data is stored, who has access, and how it is used.
Step 2: Use a Standardized Data Inventory Template
Complete NSDPA’s Student Data Inventory Template to track data elements, storage locations, and sharing agreements.
Ensure all departments and vendors participate in the inventory process.
Step 3: Categorize Data Sensitivity Levels
Classify data by sensitivity (e.g., low risk = directory information, high risk = PII).
Prioritize higher-security protections for highly sensitive student data.
Step 4: Implement Vendor Data Sharing Controls
Ensure vendors follow Data Privacy Agreements (DPAs) that restrict data usage, retention, and third-party sharing.
Regularly review vendor compliance and update contracts as needed.
Step 5: Establish Data Retention & Deletion Policies
Ensure student data is only retained for the legally required period.
Schedule automatic deletion of outdated student records.
Step 6: Train Staff on Data Inventory Management
Educate staff on how to securely manage and track student data.
Provide privacy and cybersecurity training to teachers and administrators.
NSDPA’s Data Mapping & Inventory Resources
To assist schools and districts in tracking and managing student data, NSDPA provides customizable templates and compliance tools, including:
Student Data Inventory Tracking Template.
Data Mapping Worksheet for Schools & Districts.
Vendor Data Sharing Compliance Checklist.
FERPA & COPPA Compliance Guide for Student Data Handling.
Best Practices for Secure Data Storage & Deletion.
Start Tracking & Protecting Student Data Today
A comprehensive student data inventory is critical for ensuring data privacy, security, and compliance. Schools and districts should implement data mapping tools and inventory management practices to prevent data misuse, unauthorized access, and privacy violations.
Download NSDPA’s Data Mapping & Inventory Toolkit! Access tracking templates, compliance checklists, and security guides to help schools and districts manage student data effectively and securely.
Discover NSDPA
Our Vision and Mission
Data Privacy Resources
01
Data Privacy Resources
Access a wealth of resources designed to help you implement best practices in data privacy.
01
Training and Workshops
02
Training and Workshops
Participate in our training programs and workshops to stay updated on the latest in data privacy.
02
Partnerships
03
Partnerships
We collaborate with various organizations to enhance data privacy standards in education.
03
Get Involved
04
Get Involved
Learn how you can become a part of our mission to promote student data privacy.
