What this is
Once student data is collected and held by the district or its vendors, this checkpoint asks how it is governed. It covers formal policies and operational practices for data collection, storage, sharing, retention, and protection — including vendor data practices, staff data handling, and breach response.
Why it matters
Student data deserves protection beyond the FERPA / COPPA floor. Real-world risks — vendor data sharing, identity theft, algorithmic profiling, AI model training on student work — are why districts invest in data governance.
Connects to
The Framework: Condition #8 (Strategic Tool Selection & Data Governance).
Maturity levels
Not Started
No formal data governance. Vendor agreements signed without privacy review. Staff unaware of what data is collected by which tools.
Emerging
Baseline FERPA/COPPA awareness in the district. Data Privacy Agreements (DPAs) sometimes required but inconsistently enforced. No central record of vendor data practices.
Established
DPA required for all vendors handling student data. Central vendor and data inventory maintained. Staff trained annually on data privacy. Regular compliance audits. Breach response plan documented.
Expanding
Comprehensive data governance program: data inventory, access controls, minimum-necessary data collection, annual third-party privacy audit, vendor sunset process, transparent family-facing data disclosures. Student data use reviewed for AI-training implications specifically.
Go deeper with
Example resource
SDPC National Data Privacy Agreement (NDPA) + CoSN Trusted Learning Environment (TLE) Seal Program
Also consider
- Future of Privacy Forum — Student Privacy Compass
- Privacy Technical Assistance Center (PTAC) — U.S. Department of Education resources
- NIST Cybersecurity Framework 2.0 (CSF, 2024) — federal voluntary cybersecurity framework; pairs with SDPC for comprehensive data governance posture