Article

Managing Vendors and Vetting New Products

In the labyrinthine world of K–12 educational technology, independent school technologists face a unique challenge. Balancing the needs of a modern curriculum with the safety and privacy of student data requires a meticulous approach to IT vendor vetting. Tech leaders do not just choose the best tools but ensure they align with the school’s mission, values, and legal obligations.

To complicate matters, tech leaders must also navigate the human side of compliance. Ensuring that a software vetting process is in place and systematically followed has always been complicated — then COVID-19 hit. Schools did what they could to keep classrooms functioning. In 2020, the ATLIS community came together with monthly meetups, and a big topic was a worry over the loss of control over what software was being put into place. The saying around here is that the “horses were let out of the barn” during the pandemic, and schools have been struggling with software vetting ever since.

As a general rule, independent schools offer a high level of autonomy for their faculty. This can be a wonderful opportunity in which faculty members can craft bespoke lessons and curricular experiences. The downside of this freedom is often a culture that rejects oversight.

From a parent and student perspective, navigating the myriad tools each faculty member chooses can be a confusing and overwhelm- ing process. Think of the families who might have multiple children, each with different platforms to navigate, and the problem is compounded even more.

While autonomy in the classroom is valued, it must be balanced with oversight to safeguard student privacy and maintain consistency across the school. Teachers may have joined your faculty after working at another school where different tools were in vogue. They may be very familiar and attached to particular software and could have a hard time letting go. Maybe they took part in external professional development or heard about new ways to engage their students with the latest technology. Although technology leaders appreciate that their faculty members want to experiment with technology tools, it’s important to explain why teachers can’t sign up for every platform that comes out.

A common misconception is that if the platform is free, no approval is needed. Tristan Harris, a former Google design ethicist and co-founder of the Center for Humane Technology, is famous for the phrase, “If you aren’t paying for the product, you are the product.” It’s important to be able to communicate the “why” behind software decisions. As mentioned before, it’s hard to take tools away when they’re already in use.

To overcome this, a technology leader is wise to create strategic alliances. There needs to be buy-in from the administration to support the systematic approach of software vetting. A critical ally could be the chief financial officer or business manager. They can help look for purchase requests and steer the requisitioner through the official process. Aligning with division heads or department chairs could also be useful. Of course, there are often people in organizations who hold great influence, even without a flashy title.

Technology Review Committee

Assemble a technology committee to help review privacy policies. Nathan Still, director of technology and innovation at York House School in Vancouver, British Columbia, Canada, shared, “At our school, we have a team conduct a privacy impact assessment for potential software/apps. If there’s a request to use an app, we actually get the person who makes the request to partner with us in that process. I find it helpful in the change management process. The person making the request starts to dive into some of the questions from our team such as ‘How comfortable are you with the fact that this company is going to be selling your data or is involving these advertisers?’ As I brought teachers through that process, a lot of the time the ‘no’ has come from them rather than from me, which is helpful.”

Legal, Ethical and Reputational Risks

The first step in vendor vetting is recognizing the stakes. In an era where data is as valuable as currency, protecting student information from misuse is paramount. The consequences of a lapse can range from legal repercussions to a loss of trust within the school community if a breach were to occur. Furthermore, the tool must enhance the educational experience without creating unnecessary complexity or being burdensome for teachers and students.

Aside from inclusive accessibility and a streamlined experience for families, schools should understand that when signing up for platforms, a legal contract is entered. Bill Fitzgerald, director of research and development for the Advanced Education Research and Development Fund, explained why this is important. “One thing that you can look for that a lot of ed tech companies include is a clause that says if a teacher is using it with students, they warrant that they have the right to legally bind the school to a contract. And a lot of teachers don’t know that this language exists.”

A faculty member could inadvertently enter into a contract they don’t have the authority to execute. That doesn’t mean the school is off the hook if data is misused.

This past fall, Google Workspace for Education administrators received notification that they were “required to confirm third-party app settings for third-party apps currently accessible by users in their institution by October 23, 2023, to avoid disrupting access to third-party applications for users designated as under 18.” This move shifted responsibility to the schools to verify permission in an unprecedented way.

Additionally, cyberattacks are becoming increasingly prevalent, and K–12 schools have become a lucrative target for malicious actors. This vulnerability underscores the importance of meticulously crafted vendor contracts for independent schools. Contracts must clearly delineate the roles and responsibilities of the school and the vendors. Clarity is essential not only for ensuring the smooth operation and maintenance of technological infrastructures but also for establishing accountability and protocols in the event of a cyber incident. If there were to be a breach, who would send out notices to the community? Who is responsible for paying for credit monitoring of the impacted parties? In addition to cybersecurity, data privacy is paramount.

Technology leaders must decipher complex legalese just to see if a platform can be a good fit for a school’s ecosystem. Even if a contract states that vendors “do not sell personal information,” it’s important to dive deeper. Investigate the types of information collected by vendors and aim to clearly understand the permitted uses of this information as outlined in their terms. Check to see if the contract has an appendix detailing the types of data collected and the entities with whom this data may be shared.

Developing a Vetting Framework

A structured vetting framework is essential. Start by defining clear criteria for selection, which may include compliance with data protection laws (like the Children’s Online Privacy Protection Rule and the Family Educational Rights and Privacy Act in the U.S.), cost-effectiveness, ease of integration with existing systems, and educational value. Vendor contracts will spell out the age requirements for usage, typically in the terms of service. Be sure your school is following these restrictions, especially for users younger than 13. Individual states have their own requirements to be aware of, as well.

Accessibility and inclusivity are tenets of DEI that should be considered as criteria in the software vetting process. Additionally, consider the longevity of the vendor and their reputation in the market. After that is complete, consider a framework from William Stites, director of technology at Montclair Kimberley Academy in Montclair, New Jersey, for further guidance, available at community.theATLIS.org. In addition, ATLIS has a list of key resources on its website to aid in your decision-making.

By taking these steps, technology leaders can help create a culture of cybersecurity and an awareness of the important of data privacy. As a community, we can work together to better protect our students and safeguard our schools.