Step 9: Determine your procedures for providing access to the system.
In this step, the regulations, policies, and procedures detailed in Step 2 are implemented. Specific guidelines are set forth as a part of the Family Educational Rights and Privacy Act of 1974 (FERPA). This law prohibits disclosure of information in student records, other than directory information, without student or parental permission except to:
- School employees who have a need-to-know;
- Other schools to which a student is transferring;
- Certain government officials in order to carry out lawful functions;
- Appropriate parties in connection with student financial aid to a student;
- Organizations doing certain studies for the school;
- Accrediting organizations;
- Individuals who have obtained court orders or subpoenas;
- Persons who need to know in cases of health and safety emergencies; and
- State and local officials or authorities if specifically required by a state law that was adopted before November 19, 1974.
Both policies and procedures are needed to ensure that only those with a "need-to-know" have access to student records. Policies should state who (either specific individuals or categories of staff, such as principals and teachers) has access to specific types of data, particularly data of a sensitive nature that may be a part of the student record. In addition, they should state who will be allowed to update and revise student records, what security measures will be used to ensure limited access, and any penalties that will be imposed for abuse of this privilege. Policies should also address procedures for identifying and discarding information that need not be maintained permanently.
Procedures will include the assignment of passwords to allow access to data (either to particular data elements or categories of data) and to restrict unauthorized access. Distinctions should be made as to whether access is limited to viewing the data or extends to entering, updating, and revising the data contained in the records. Your procedures should include cautions to ensure data cannot be accessed if the user leaves his or her desk for a few minutes. These procedures need to be documented, and training needs to be provided to persons who have access.
FERPA guarantees every student and/or his or her parents the right to inspect and review all of the education records maintained about the student by the school or school district. In addition, it guarantees the student and/or his or her parents the right to request that a school correct records believed inaccurate or misleading. This law further restricts the school or district from providing individuals or institutions with information from the student record without the permission of the student/parents. Schools must adopt a written policy about complying with FERPA, and notify parents and eligible students of their rights under this law. Information about FERPA requirements is included in the previously mentioned document, Protecting the Privacy of Student Records: Guidelines for Education Agencies.
Getting access to the data to use the information is a key aspect of a system. Earlier decisions about storage media and format are relevant to this step. Here it is important to describe how different users will gain access to and use the records. For example, if the storage medium is a file on a computer's disk, then access would be through a terminal or client computer, and users would have to have passwords giving them access to the file or portions of a file. The processing necessary to create reports would be done through software programs loaded on the host computer or on the user's computer.
Security also includes the measures put in place to ensure that records are not lost, stolen, vandalized, or otherwise rendered useless. Because physical security can never be assured with complete certainty, all data must be backed up by storage on a duplicate medium in a safe, fire-proof storage area. This could be as simple as storing a separate paper copy off-site, in a location not likely to experience the same disaster as the primary location. Computerized files lend themselves well to back-ups generated periodically and stored off-site. You should check to see if your state has requirements about the storage of back-up data, as many states do. Extensive information about computer security can be found in the NCES document, Safeguarding Your Technology. This document contains guidelines for securing access to confidential files as well as guarding the technology itself.
It is important to ensure that individuals who need access to the student records have the equipment necessary to do their work, along with the security measures needed to restrict access to authorized users only. Whether in a paper or an automated system, policies need to be developed regarding access to the records to safeguard them from improper use.