
The SLDS Technical Brief Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records (Seastrom, 2010b) describes specific internal controls that assist in managing personally identifiable data. Although this document focuses on SLDS, techniques that can be applied to any student data collection include the following:

• assigning new unique student identifiers to replace students’ PII in longitudinal electronic data systems;

• implementing procedures for workforce security to ensure that only authorized staff members are given access to personally identifiable student records;

• ensuring that access to each student’s education record is available on a “need-to-know” basis;

• developing operating rules for the conditions of use, such as rules concerning permissible uses and prohibiting unauthorized uses, procedures for protecting PII, and procedures for ensuring destruction of copies of records at the end of a period of authorized use; and

• planning for possible data breaches by establishing procedures for reporting known or suspected breaches, analyzing the causes and impact of breaches, and notifying affected individuals.

A more detailed discussion of each of these steps is provided in the subsequent section.

Assigning New Unique Student Identifiers

As noted in the Identifying Data section, following the experiences and outcomes of students as they move through the education system requires a unique student record identifier, which allows student data collected from different sources and at different points in time to be linked together. You can create a randomized unique student identifier that is not related to the student’s SSN or other personal information. Only a limited number of staff should have access to the secured sensitive information, to information about the process for creating the randomized identifier, or to permission to use the unique student identifier to link data from different sources.
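The following is an added illustration of the approach described above; it is not code from the original document or from any SLDS system. It assumes a small crosswalk table (the one place where SSN and the new identifier are associated) and two constructed CSV extracts that still carry SSNs. The identifier is drawn from a cryptographic random source rather than computed from the SSN, so it carries no information about the student, and the analytic files are linked on the identifier alone.

```python
import csv
import io
import secrets

# Constructed sample extracts (not taken from the original document).
ENROLLMENT_CSV = """ssn,name,school
123-45-6789,Alice Example,Central High
987-65-4321,Bob Example,North High
"""

ASSESSMENT_CSV = """ssn,test_year,score
123456789,2019,88
987-65-4321,2019,74
123-45-6789,2020,91
"""


def _normalize_ssn(ssn):
    """Strip dashes and spaces so differently formatted SSNs map to one student."""
    return "".join(ch for ch in ssn if ch.isdigit())


class IdentifierCrosswalk:
    """Maps an SSN to a random unique student identifier.

    This object is the only place where the SSN-to-identifier link exists. In a
    real deployment it would live in a separately secured store that only a few
    authorized staff can read; the analytic files never contain the SSN.
    """

    def __init__(self, id_bytes=8):
        self._ssn_to_id = {}
        self._issued = set()
        self._id_bytes = id_bytes

    def identifier_for(self, ssn):
        key = _normalize_ssn(ssn)
        if key in self._ssn_to_id:
            return self._ssn_to_id[key]
        # secrets.token_hex draws from the OS CSPRNG, so the identifier is
        # unrelated to the SSN. A hash of the SSN would not be acceptable here:
        # the SSN space is small enough to enumerate and reverse such a hash.
        while True:
            new_id = secrets.token_hex(self._id_bytes)
            if new_id not in self._issued:
                break
        self._issued.add(new_id)
        self._ssn_to_id[key] = new_id
        return new_id


def pseudonymize(csv_text, crosswalk, pii_field="ssn", id_field="student_id"):
    """Replace the PII column with the random identifier; the PII is dropped."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ssn = row.pop(pii_field)
        row[id_field] = crosswalk.identifier_for(ssn)
        rows.append(row)
    return rows


def link_by_identifier(left_rows, right_rows, id_field="student_id"):
    """Join two pseudonymized extracts on the random identifier only."""
    index = {r[id_field]: r for r in left_rows}
    return [{**index[r[id_field]], **r} for r in right_rows if r[id_field] in index]


if __name__ == "__main__":
    crosswalk = IdentifierCrosswalk()
    enrollment = pseudonymize(ENROLLMENT_CSV, crosswalk)
    assessment = pseudonymize(ASSESSMENT_CSV, crosswalk)
    for row in link_by_identifier(enrollment, assessment):
        print(row)
```

The normalization step matters in practice: the same student appears as `123-45-6789` in one extract and `123456789` in the other, and without it the crosswalk would issue two identifiers and the linkage would silently fail. The crosswalk object itself is the sensitive artifact and is what the text's access restrictions apply to.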

Implementing Procedures for Workforce Security

Procedures for workforce security include the use of security screenings, training, and binding confidentiality pledges (Seastrom, 2010b). It is recommended that you perform security screenings, such as background checks, for new employees and for staff members whose job duties include accessing PII in student record data. You should also provide regular data security training for employees that covers a variety of topics, including:

• roles and responsibilities (the student information each employee is authorized to access and what is considered appropriate and inappropriate use of the data);

• legal and regulatory requirements that apply to the access and handling of PII;

• internal security practices and policies (where data can be accessed, use of passwords and firewalls, and how to detect and respond to breaches in security); and

• penalties for violating the laws, requirements, or internal security policies.

Finally, you should have each person working with data sign a pledge or Affidavit of Nondisclosure. The pledge should indicate that the data user acknowledges the purpose, restrictions, and appropriate uses of student record data; promises to protect each student’s PII; is aware of relevant laws, regulations, and rules; and understands the penalties for violations.

Establishing Need-to-Know Access to Student Record Data

Data access needs will vary across employees. Although a few employees, such as those who set up the data system, will need full access to the data, most will only need access to select data fields. Limiting each employee’s access to need-to-know data fields, data records, and data files will reduce the risk of inappropriate disclosure of PII. Policies and procedures should outline who is authorized to access the student record data and the conditions under which the data may be accessed and released (Seastrom, 2010b).

Developing Operating Rules for the Use of Student Record Data

Once you have authorized data users and analysts and granted them access to student education records, they must abide by established rules and procedures for using the data in a manner consistent with the terms agreed to in the Affidavit of Nondisclosure. Security controls for using the data involve access and use procedures and electronic security.

Data Access. Policies should specify where people can physically access student records. Access to the most sensitive student information should be limited to a secure location, such as a locked room that is accessed only by authorized users or on a nonnetworked computer. Access to the files should be protected by strong passwords. Although less sensitive information could be accessed on a wider range of computers, data files including PII should not be stored on public computers that might be used by staff who are not authorized to access the student record data. Also, identified data should not be put on a portable medium such as a CD or flash drive.

Firewalls can be used to protect a server, network, or individual computer from viruses and unauthorized access. A firewall refers to a network device that blocks certain kinds of network traffic, forming a barrier between a trusted and an untrusted network. It protects networks from unauthorized access while permitting legitimate communications to pass. If data that contain PII are transferred to an external location, secure networks and electronic encryption should be used.

Using Student Data for Reporting Aggregate Statistics. When combining or aggregating student-level data, you should use techniques to protect the identity of individual students. For example, if reporting student outcomes for different student subgroups results in groups with a small number of students, someone might deduce the identities of people in those groups. You can establish a minimum reporting size, such as at least three members in a group, to protect confidentiality. You can report tabulations with zero cases because they have no data to protect. Seastrom (2010c) provides a detailed discussion of approaches to protecting identifiable student information in aggregate reported data.
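As an added example (not code from the original document), the rule just described can be applied mechanically to a tabulation: cells with fewer than the minimum reporting size are suppressed, and zero cells are published because there is no student to protect. The example goes one step beyond the text: when a row total is also published and exactly one cell in that row was suppressed, a reader could recover the suppressed value by subtraction, so a second cell in the row is suppressed as well. The table below is constructed; the threshold of three is the one the text gives.

```python
MIN_CELL = 3  # minimum reporting size from the text: at least three students

# Constructed sample tabulation (not from the original document):
# number of students by school and subgroup.
COUNTS = {
    "Central High": {"subgroup_a": 40, "subgroup_b": 2, "subgroup_c": 0, "subgroup_d": 12},
    "North High": {"subgroup_a": 25, "subgroup_b": 7, "subgroup_c": 1, "subgroup_d": 9},
}


def suppress_small_cells(table, min_cell=MIN_CELL, protect_totals=True):
    """Return a publishable copy of `table` with small cells set to None.

    Primary suppression: a cell with 1 .. min_cell-1 students is suppressed.
    Zero cells are reported unchanged.
    Complementary suppression (protect_totals=True): if the row total is
    published and only one cell in the row was suppressed, the smallest
    remaining non-zero cell is suppressed too, so the hidden value cannot be
    recovered as total minus the visible cells.
    """
    published = {}
    for row_key, cells in table.items():
        row = {}
        suppressed = []
        for col, n in cells.items():
            if 0 < n < min_cell:
                row[col] = None
                suppressed.append(col)
            else:
                row[col] = n
        if protect_totals and len(suppressed) == 1:
            candidates = [(n, c) for c, n in cells.items() if c not in suppressed and n > 0]
            if candidates:
                _, col = min(candidates)
                row[col] = None
        # The row total is published as-is; the complementary suppression above
        # is what keeps it from revealing the suppressed cell.
        row["total"] = sum(cells.values())
        published[row_key] = row
    return published


def format_cell(value):
    """Render a suppressed cell with a marker instead of a number."""
    return "*" if value is None else str(value)


def render(published):
    """Plain-text rendering of the publishable table."""
    lines = []
    for row_key, row in published.items():
        cells = ", ".join(f"{c}={format_cell(v)}" for c, v in row.items())
        lines.append(f"{row_key}: {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(suppress_small_cells(COUNTS)))
```

This handles the single-row case only. Real tabulations usually publish column totals and several cross-tabulations of the same counts, and a value suppressed in one table can often be recovered from another; the text points to Seastrom (2010c) for fuller treatment of those situations.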

Electronic Data Security. All of the surveys and data you collect should reside on servers that meet security standards. You can find best practices for establishing secure protocols through the US Department of Education’s Privacy Technical Assistance Center’s website, which includes a toolkit with issue briefs and checklists.

Plan for Possible Data Breaches

Every privacy and data protection plan should include a response plan for the appropriate handling of a breach of PII. The Guide to Protecting the Confidentiality of Personally Identifiable Information (McCallister et al., 2010) includes a detailed discussion of how to handle data breaches. In particular, you should develop a clear description of what constitutes a breach and inform all staff members who are authorized to access sensitive data. Staff members should also be informed about the immediate steps that need to be taken in the event a security breach occurs or is suspected.

Summary

Student-level longitudinal data systems are essential to policy, program, and instructional decisions. However, the use of such data systems should be balanced with appropriate protections for student record data. That is, those who use student data have ethical and legal responsibilities to respect the privacy and confidentiality of each student’s PII. Implementing internal procedural controls to protect the privacy and security of student records mitigates risks related to the intentional and unintentional misuse of student data.
