9. Safeguard sensitive data to guarantee privacy and confidentiality
A school board member was a personal friend of the principal at the local elementary school. When the board
member needed information, she would email the principal and get a reply with the data attached. Both school
leaders knew they were circumventing official procedures for sharing data, but rationalized that, since they both
had privileges to obtain the data from the data steward, this more direct and informal approach only expedited an
exchange that was otherwise permissible anyway. They didn't see any harm in this practice until the board member
made a public presentation that inadvertently revealed that the one and only Asian female student in the 4th grade
had a learning disability. The student's parents were in the audience and took offense to the public display of private
information. The district's information security officer informed both the board member and principal that sharing
data so haphazardly violated the district's policies and procedures. Had proper procedures been followed, the data
steward would have masked all personally identifiable information and the private information would not have been
Within a data system, there is a distinction between "general information" (i.e.,
those data that are generally helpful to your organization as it carries out its mission)
and "sensitive information" (i.e., those data that are confidential and/or vital to
your organization as it carries out its mission). For example, a data file with "help"
instructions for website users is a "general" support component within your data
system. While the files are important to users facing a web problem, the data are not
vital to running a school or school system; nor are they private in nature or otherwise
subject to confidentiality restrictions. On the other hand, data about class assignments
are both confidential (data about student course selection are private) and vital to the
school's core instructional mission (principals should know where students need to be
at every moment of the day).
Ethical standards for protecting sensitive information are higher than those
for general information. With the exception of some directory information that
may be considered a part of the public record, individual student information (e.g.,
transcripts and other individual records) is substantially a private matter and, as such,
is required to be maintained in a confidential manner. It is not the public's
business, nor a data handler's business, unless there is a legitimate "need to know" the
information to carry out officially assigned responsibilities.
Canon 3 addresses the need to be aware of laws and policies governing
data collection and reporting, including the confidentiality of private data about
individuals. The principle in canon 9 addresses the responsibility of organizations to
establish and enforce procedures that will put these safeguards in place.
Recommended Practices and Training
- Identify which data are considered to be sensitive (private and/or vital to
- Develop and implement a robust data security plan that includes specific
precautions for sensitive data, such as the following.
- Limit access privileges strictly to data handlers who "need to know" the
information to conduct their official duties and responsibilities.
- Review and reauthorize user access privileges on an annual basis.
- Limit remote access privileges so that data in a secure location cannot be
exported to a site that is not secure (e.g., downloads from a secure database into
an Excel or PDF file at home).
- Maintain high standards for verifying data requests and data sharing. Due
diligence prior to sharing data is more than just identifying who wants the data.
Ask questions such as: Why do they want it? How will they use it? Will they
destroy it properly? How can proper handling be verified? Will they sign an
acceptable use agreement? Note that it is often helpful to have these questions
answered in writing.
- Mandate password rules that make it difficult for hackers to guess. For example,
passwords should be six or more characters in length and include at least one
letter and one number, as well as an asterisk, exclamation point, or other special
character. Passwords should not be names or words that appear in a dictionary.
- Require the use of secure transmission technologies, including secure servers,
authentication tools, and encryption algorithms.
- Store data securely. This requires appropriate physical security, software
security, access security, network security, and related behavioral management
- Establish and enforce security expectations for portable data storage media,
including laptop computers, external hard drives, portable drives, etc.
- Establish and enforce policies governing the release of student data (both private
and directory information) in compliance with FERPA, as well as related state and
local privacy laws and regulations.
- Train all data handlers to understand their responsibilities with respect to
FERPA and other applicable statutes and regulations.
- Require written permission from a parent to release nondirectory
subject to the exceptions identified in FERPA.
- Train all data handlers to identify which data are general information and which are
- Ensure that data handlers understand the expectations and consequences of
FERPA, HIPAA, and related state or local privacy laws.
- Train individuals based on their access privileges to sensitive data. Nontechnical
staff with access privileges—such as teachers, administrators, or data
clerks—need to understand the data system's security safeguards and how they
can follow them. Include discussions about the "why" of security as well as the
"how," so that learners can internalize this ethical principle and apply it to their
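The password rule in the practices above, as an added example that is not part of the guide: a checker that returns the rule violations for a proposed password. The word list and name list are small constructed stand-ins, and stripping digits and punctuation before the dictionary lookup (so that "school1!" is still rejected) is an addition to the rule as stated.

```python
import re
import string

# Constructed stand-in for a real word list and staff/student name list; a
# deployment would load these from files instead.
DICTIONARY = {"password", "welcome", "school", "principal", "student"}
NAMES = {"jordan", "taylor", "morgan"}


def check_password(pw, min_length=6, words=DICTIONARY, names=NAMES):
    """Return the list of rule violations for pw; an empty list means it passes.

    Rules, as stated in the practice above: at least min_length characters,
    at least one letter, one digit and one special character, and not a name
    or dictionary word. min_length defaults to the guide's six-character floor."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character (e.g. * or !)")
    # Drop the decoration before the lookup so that a dictionary word padded
    # with a digit and a symbol ("school1!") is still caught.
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in words or core in names:
        problems.append("is a dictionary word or a name")
    return problems


def password_ok(pw, **rules):
    """True when pw satisfies every rule."""
    return not check_password(pw, **rules)


if __name__ == "__main__":
    for candidate in ["abc", "school1!", "Tr0ub!e-x"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```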