Data Policy

What We Believe

Spotlight exists in order to make data more understandable, meaningful and useful to non-data-oriented users, ranging from parents to teachers and administrators. 

We believe that data can be powerful, enough to shape the way we educate children, if parents, educators, administrators, policymakers and the public are able easily to understand it and put it to use. But if education data isn’t trusted by those very users, it will never be put to full use in educating our kids. It is thus in Spotlight’s core interest to ensure that our use of education data is transparent and trusted.

Meanwhile, as members of the Pearson family, Spotlight adheres to all policies and requirements of our large, well-resourced parent company. In recent years, even as other companies have faced data security challenges, Pearson, has emerged as a proven and consistent leader in this area.

We use identifiable data only for the educational purposes for which it was entrusted to us by our customer education agencies, institutions, and their partners – and for no other purpose.

At base, Spotlight complies with the terms of the Family Educational Rights and Privacy Act (FERPA), as well as the data use requirements of the various states in which we work. Well beyond this, though, Spotlight seeks to elevate the discussion about education data and its proper and effective use.

Who Uses Data at Spotlight

All Spotlight employees are committed to our vision of developing a greater sense of understanding, impact, and trust of education data. All employees sign the Spotlight Data Privacy Pledge immediately upon hiring, and all employees with access to identifiable data are trained in its proper use. 

All employees are trained to ensure that student information is stored, used and transmitted securely, and to maintain its confidentiality by not using or sharing it for any other purpose other than the educational purpose for which it was entrusted to us. While we do not see data privacy as being in conflict with Spotlight’s business objectives, employees are taught that if this ever comes to a decision, they are to prioritize data privacy and security above all other objectives.

Every Spotlight employee and contractor with access to identifiable client data abides by key data security measures, including subscribing to two-factor authentication and regular, enforced password policies. 

Spotlight restricts access and permissions to those for whom student data is relevant and necessary to perform their job functions and to complete work on behalf of school districts or other educational institutions. Spotlight’s founding executive team considers itself the “last line” and ultimately responsible in ensuring that student information is kept confidential.

How Data Is Transmitted and Used at Spotlight

Spotlight’s core technology serves as a reporting layer. This software temporarily makes use of data to derive and communicate insights. Spotlight does not collect data directly from students or other individuals, but only from our client enterprises and their partners. Spotlight is not a data storage platform, and maintains data received from our clients and their partners only for the time period needed to deliver our services. 

Our services are enabled by the secure sharing of data with Spotlight from our clients and their partners. As such, we receive data either from school districts, state education agencies, and other institutions, or otherwise from their service providers (e.g., assessment and curriculum providers). This data is often shared from an agency or institution student information system or, on their behalf, from their vendor’s assessment score report system.

Regardless of the data’s source, though, we enact the simple measures of minimizing the identifiable data we collect and the time that our system holds student data, and we delete all data as soon as possible upon completing a project.

Spotlight only conducts business with companies and organizations with proven policies and records of sound data security, and who share our dedication to providing customers with meaningful, useful information. Spotlight screens all prospective customers through a rigorous review process to ensure that their track records and processes are indeed solid. 

In working with clients and their partners, we provide guidance regarding the best means of securely transmitting identifiable data.  We do so only through a dedicated, encrypted means.  PII is handled only on designated computers with encrypted drives. For State Summative Test projects, these computers are limited to those that are restricted to the office (e.g. no laptops).

We similarly collaborate to minimize our collection of personally identifiable information to only that needed to deliver the service and meet their objectives.

Spotlight also weighs the need for types of personal information that can betray individual students’ identities (e.g., ethnic backgrounds of very small groups in a school or class) against the importance of using such information to derive useful insights. 

In general Spotlight does not collect, use, or share personally identifiable information for any purposes beyond those necessary to deliver our services or as otherwise directed by a school or other educational institution, or by a student or parent.  Spotlight never uses student information for advertising purposes, either its own or on behalf of other organizations.

Spotlight’s Security Measures & Practices

Spotlight carries out rigorous security measures and practices to meet industry standards and best practices and meet legal requirements.

Spotlight’s system including data storage and production is built on Amazon Web Services, known for its “data center and network architecture built to satisfy the requirements of the most security-sensitive organizations.” We run our platform and store customer data on AWS largely because of its proven security protections. 

When developing new reporting instances, Spotlight’s production environments only use “dummy” data, up until the final testing phase. During this phase Spotlight obtains securely-transmitted, anonymized sample data from a partner organization; testing is completed by approved Spotlight staff and results are released to approved partner personnel. We then delete all student data.

Spotlight receives and sends identifiable data as encrypted files. These files are accessible only to approved users; personally identifiable information is stripped out of the files and replaced by unique, anonymous student identifiers. Student data is uploaded to Spotlight’s analysis system through a Secure Sockets Layer to ensure security throughout its use.

Spotlight has developed the ability to mass-text unique video links to as many as a million phone numbers. This ability is in and of itself a secure one, as every link is an unguessable string of numbers and letters. However, we have added an extra feature to this mass-texting capability: users must reply to a prior prompting text, asking them to reply accurately to a “challenge question”, such as the student’s birthdate. Three incorrect guesses locks the user out. 

Most of all, though, Spotlight’s video reports themselves include virtually no personally identifiable information — just a first name and test results. Further, our system omits very unusual — and thus identifiable first names. Thus, even if a video report somehow is viewed by someone other than the student’s parent, all that user learns is a first name and test scores -- far less than in a traditional, paper-based report!

Thanks to the limited scope of our data use and to the security measures that we have put in place, Spotlight does not anticipate a security breach. Should there be a breach resulting in unauthorized release of identifiable data, we will comply with relevant state and other data breach laws and promptly notify our impacted customer(s), both electronically and by telephone. If our partners’ jurisdictions require written notification, we will immediately comply. After this initial contact, we will work closely with any and all affected partners and parties to minimize the impact of the breach, and until its effects have been resolved.

Data & Spotlight’s Future

As technology changes the way technology collects, stores, secures and communicates data, so must privacy policies adapt to reflect these new practices. When Spotlight makes a change to our privacy policy, we will update our customers via email. When Spotlight makes material changes, we will provide our customers the opportunity to review and newly approve our modified policy. We will also support our customers in their effort to inform their impacted stakeholders such as parents, guardians, and students 18 and over or otherwise attending a postsecondary institution.

Should Spotlight merge with or be acquired by another company or organization, we will first require that the new “partner” abide by this policy. 

At Spotlight, we look forward to a time when data is no longer mysterious or difficult to put to use, regardless of who you might be – a data analyst, or a software engineer, or a teacher, principal, superintendent or parent. We know that this time will arrive only once education data are framed in a way that all of these users can easily put it to use, and only when we can all feel entirely confident in its security and anonymity. We work every day to move closer to that new paradigm.

For Spotlight’s full Data Protection policy, including technical specifications, please contact us at info@spotlight-education.com