Return to List of Exhibits and Figures
Exhibit 4–1: Some Ways to Promote Secure Maintenance of Automated Student Records5
- Document the date and reason for collecting information for each form and each data element, so that files may be kept current and not used for unintended or inappropriate purposes.
- System security is a complex enterprise that is best left to professionals rather than to school faculty or technology staff. However, when resources dictate the use of teachers/technology coordinators to implement security, the provision of adequate professional development and written policies is critical.
- Identify education record files and data elements within the files as restricted (confidential) or unrestricted (e.g., directory information).
- Develop a filing system for records, so that they can be retrieved easily and accurately when needed. The practice will minimize the possibility of misplacing confidential information and thereby allowing unauthorized access. This is true for either automated or paper-record systems.
- Maintain complete and well-documented records on all changes and additions to files. Keep a list of changes and additions, note who made them, and note when they were made.
- Application and operating system software can be protected by using passwords and by eliminating access to those who have no need to use particular software. Passwords also can be used to limit access to parts of student files or to specific data elements. Systems operators should monitor access closely through a recordkeeping system. In addition, they should require users to change their passwords frequently; at a minimum, every 3 months.
- Where possible, a warning statement should appear on the computer screen before access is permitted. This statement should stay on the screen for at least 10 seconds to ensure that it is readable. It should be worded to convey the following message: “Unauthorized access to personally identifiable in formation is a violation of federal (and/or state) law and will result in (prosecution or a maximum fine of $ ___ and/or imprisonment of up to ___ years, where applicable).” Users should be prompted to select whether to proceed. If it is not feasible for this statement to appear on the screen of the computer, it should be typed and attached to the monitor in a prominent location.
- The transmission of data from one agency to another creates additional security risks that can be minimized through the use of standardized protocols, various encryption technologies, and digital signatures. When encryption and decryption are used to ensure security of data, the algorithm required to encrypt and decrypt must receive the same protection as the data. When not in use, it must be secured at all times. Refer to Weaving a Secure Web Around Education: A Guide to Technology Standards and Security (National Forum on Education Statistics 2003) for guidelines in securing hardware, operating systems, applications, and the network.
- Extreme care should be exercised to ensure that the data are not inadvertently made available through use of networking technology. For example, password protection of access to the data file should be required in addition to access to the computer.
- Ensure that people involved in coding, entering, and processing the information have the necessary training and background to perform their tasks accurately and maintain strict confidentiality, and that they understand the criteria, context, penalties, and other considerations.
- Avoid making excessive copies of back-up records. If back-up copies are made, label documents as “original” or “copy.”
Return to List of Exhibits and Figures
5Included in this checklist are basic considerations for maintaining automated student records. Readers should refer to two documents that provide further guidelines in this area: Safeguarding Your Technology: Practical Guidelines for Electronic Education In formation Security (1998) and Weaving a Secure Web Around Education: A Guide to Technology Standards and Security (2003).