Back to school

10 best practices to protect student records

Teenagers may put their lives on social media but school administrators are held to a higher standard when it comes to keeping student information private.

00 title studentrecords
Thinkstock

Protecting student information

Law firm Nelson Mullins (with the help of the firm's lawyer David Katz) and partner EducationCounsel LLC released a report last month that indicated what the best practices are for educators to keep student records out of the wrong hands. With school out for summer, it is a good time for school administrators to revisit their network security plan. Here are some tips:

Assess Your Data Collection Practices
Thinkstock

Assess Your Data Collection Practices

At the outset, districts and schools should examine their student data collection and use policies and practices. A student data mapping or inventory exercise should serve as a foundation for this work. Administrators should have an opportunity to determine whether current student data collections and uses are appropriate. The data inventory also will assist districts and schools with identifying data security risks and begin exploring safeguards and supports.

Identify Your Security Objectives
Thinkstock

Identify Your Security Objectives

Districts and schools must identify security objectives when they establish policies and procedures to protect student data. Just as other sectors prompt data managers to set objectives for confidentiality, integrity, and availability of information, the education industry's objectives should conform to legal obligations regarding privacy and security and avoid unnecessary burdens on the appropriate, educational use of data.

Appoint a Data Leader with Responsibility for Privacy and Security Compliance
Thinkstock

Appoint a Data Leader with Responsibility for Privacy and Security Compliance

A practice implemented in the financial services, healthcare, and software sectors involves tasking an individual or committee of individuals with primary oversight authority to ensure student data privacy and security program controls are effective. The data leader coordinates activities associated with the adoption and implementation of privacy and security policies and procedures. And as additional legal requirements change, technology evolves, and new internal and external demands for student data arise, there will need to be close and careful scrutiny applied to each request for access and use of student data.

Conduct a Risk Assessment and Identify Security Needs
Thinkstock

Conduct a Risk Assessment and Identify Security Needs

Before a district or school can develop or refine its data security program, it needs to take stock of current practices and resources. Prior to conducting any risk assessment, the state, district, or school should review the people, processes, and technologies currently utilized for student data governance purposes.

Data‐Mapping Exercises
Thinkstock

Data‐Mapping Exercises

In order to create and adopt the appropriate security safeguards, it is crucial to identify all of the data. This evaluation must be broad and apply across the enterprise and to all systems. Thoughtful security planning includes a determination of what data the district or school holds, the specific risks relating to such data, and the impact of data loss on all of the affected individuals. The understanding of the different data elements collected and used by the educational institution is important in the correct evaluation of the legal requirements that may apply to such collection and use.

Training
Thinkstock

Training

Training is essential to an effective security program. Employees at every level, including teachers, should have a basic understanding and familiarity with the types of issues that create student privacy and data security risks. As with any employee training, there are endless possibilities for creative learning and messaging to help educate and familiarize all employees about good data privacy and data security practices.

Monitoring, Auditing, and Reporting
Thinkstock

Monitoring, Auditing, and Reporting

Across sectors, monitoring is a critical element to any security program and often requires internal and external partners to be effective. The security program must be routinely tested, monitored, and updated for security threats. Continuous monitoring involves a real‐time monitoring and updating process to defend against rapidly evolving and escalating threats. Only through regular internal auditing of the security program by qualified individuals can the data privacy and security program maintain credibility. The development of the internal audit function is a key element to the development and maintenance of the program. Clear protocols must be in place to identify and report data breaches.

Accountability
Thinkstock

Accountability

The drafting and publication of policies and procedures is ineffective unless there is an internal commitment to hold employees accountable for violations. Close coordination with human resources is critical in determining the ways in which data privacy and security policies and procedures will be enforced and how violations will be addressed.

Managing third‐party vendor relationships
Thinkstock

Managing third‐party vendor relationships

Managing third‐party vendor relationships by putting in place a vendor approval and governance framework; executing risk assessments before selecting vendors; relying on legal counsel and a technical expert to draft agreements that include appropriate data protections and constraints on the use of data; establishing baseline standards for privacy and data security of student data; ensuring vendor compliance with security requirements; requiring audits, indemnification, and confidentiality; and establishing responsibilities in the event of data breach.

Establish Procedures for Breaches
Thinkstock

Establish Procedures for Breaches

Districts and schools should require a breach provision addressing, at a minimum, the procedures required for monitoring for breaches and for when a breach is discovered, including who is responsible for notifying affected parties and government authorities. The agreement should specify responsibilities for communications about the breach.