Smart Tech in the Classroom: How to Innovate While Protecting Students (and Your District)

As educators, we frequently discover new digital tools—a dynamic math game, an AI writing assistant, or an engaging video creator—that seem perfect for our students. In the rush to implement these resources, it can be easy to overlook a critical question: “Is this tool safe?”

The concerns extend beyond traditional cybersecurity threats; they are fundamentally about protecting student data. This post will examine three significant data risks and present simple, effective ways to avoid them.

Understanding the Risks: Three Common Data Privacy Concerns

These risks range from accidental data sharing to new, less-visible threats.

1. “Shadow AI” (The Data We Give Away)

This risk arises from using unapproved, personal AI accounts (like a free ChatGPT or Gemini personal account) for school tasks. It occurs when educators, with the best intentions, take actions such as:

• Pasting a student’s essay in for quick feedback.
• Uploading a class roster to generate worksheets.
• Using an AI to help draft sensitive IEP or 504 goals.

The Risk: This practice actively feeds private student data into a public model. This can be a serious data breach and a potential FERPA violation.

• Analogy: This is analogous to posting a student’s graded paper on a public bulletin board in the town square.

Reminder: Never put personally identifiable information (PII) in an AI tool.

2. Unvetted Applications (The Data Students Sign Away)

This concerns the use of unvetted applications. An educator finds a promising website and, to use it, instructs students to create accounts.

• It is often impractical to review the lengthy privacy policy for every new tool.
• Consequently, we may not know what data students are providing (e.g., their name, email, or birthday).
• What is that “free” company really doing with the data? Are they tracking students or selling their information? It is often said that if the product is free, YOU are the product.

The Risk: This can lead to unintentional violations of federal student privacy laws (like COPPA and FERPA). We are responsible for the digital tools we place in front of our students.

• Analogy: This is similar to allowing a stranger to collect detailed personal forms from students to enter a theme park, without first reading the fine print.

3. “Prompt Injection” (The Data That Gets Stolen)

This is a new, subtle threat. It targets emerging AI tools that can take actions on your behalf, such as AI-powered web browsers that can “summarize this page” or connect to your other applications.

Consider this scenario:

1. You find a seemingly normal webpage and want a quick summary.
2. You click your browser’s AI button to summarize it.
3. Hidden on that page, in code or invisible text, is a malicious command (an “invisible ink” of sorts).
4. The AI, which cannot differentiate the content from the instructions, executes the hidden command—which could be, “Go to the user’s Gmail and find all their passwords.”

The Risk: The tool you trust is tricked into stealing your personal or professional data.

• Analogy: This is akin to asking a personal assistant to read you a letter, but the letter contains a hidden message that compels the assistant to give away your passwords.

Bottom line: AI browsers are like puppies, never leave them with unsupervised access to your information.

 

Why This Matters: Upholding Privacy and Security

The goal is not to discourage technology use, but to empower you to use it safely. The positive takeaway is that avoiding all three of these risks can be accomplished with a few simple habits.

• Use your district Google account when using Gemini or NotebookLM. SchoolAI is another paid, district AI platform. Your personal accounts do not have the same legal protections.
• Start with paid, district programs. If you aren’t sure, reach out to a curriculum coordinator or technology integration specialist.
• If you find something new, do some research before you use it with students. Take a look at the Terms of Service and Privacy Policy. Check for these items:
  • What data is collected?
    • Look for specifics. Be wary if it collects Personally Identifiable Information (PII) like full names or birthdates.
    • Red Flag: Vague language or collecting data that isn’t necessary for the tool to function.
  • How is the data used and shared?
    • It should only be used for the educational purpose of the tool.
    • Red Flag: Any mention of “commercial purposes,” “marketing,” “selling data,” or sharing with unnamed “affiliates” or “partners.”
  • Is there advertising?
    • The policy must explicitly state that student data is not used for targeted advertising.
    • Red Flag: Creating advertising profiles of students or allowing third-party advertisers to track them.
  • How is data secured and deleted?
    • Look for “encryption” and a clear process for you to request data deletion.
    • Red Flag: No mention of security measures or a deletion policy.
  • Who owns the data?
    • The student or school district should always retain ownership of their data and creations.
    • Red Flag: Any language where the company claims ownership of student-generated content.
  • Do they comply with federal law (FERPA & COPPA)?
    • The policy should acknowledge FERPA (treating data as a “school official”) and COPPA (handling data for kids under 13).
    • Red Flag: Pushing the legal burden of parental consent (COPPA) onto the teacher.

If you aren’t sure, submit a tech ticket requesting support.