Skip Navigation
Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies

4.A. Management Responsibilities

Assign a data steward

As part of the overall effort to ensure the quality of data maintained at an agency, it is important to identify a data steward who will serve as the primary contact for such purpose. This person is abreast of the latest federal and state requirements in maintaining the privacy of student records, and is knowledgeable about the data collection activities within his or her agency. He or she is involved in policymaking and possesses good communication skills. The data steward monitors the activities of other staff who work with the data collection activities and plans periodic reviews of the data collection process to ensure that data quality requirements are being met. More importantly, this person ensures that data are made available to all persons who have a need to know, including agency staff and other personnel, and are protected from unauthorized access and unintentional release.

Regardless of the position, a person with responsibility for the confidentiality of education records (e.g., the data steward or the records manager who works closely with him or her) has serious responsibilities for ensuring that all who work with the data will help him or her in guarding the privacy of education records. In addition, the records manager should ensure that the equipment and procedures will protect the security of the records. The manager should develop and enforce a written policy that describes what data are maintained and what procedures are in place to ensure that access to personally identifiable data is restricted to those persons with a legitimate educational interest as defined by the system.

Conduct a security risk assessment

Security risks can be found in different components of the systems: hardware, operating systems, software, networks, databases, and people from both inside and outside the agency. A risk assessment identifies the assets of an agency, potential threats to those assets, vulnerable points in an agency, probabilities of threats striking a vulnerable point, and cost estimates of losses should a potential threat be realized. Security threats can come from both inside and outside an agency. Hacking, unauthorized copying, user error, programming errors, lost encryption keys, lost documentation, computer viruses, flood, and rain or water damage are just a few examples of security threats. The risk assessment will assist an agency in its effort to develop countermeasures against perceived threats. Chapter 2 of Safeguarding Your Technology: Practical Guidelines for Electronic Education In formation Security (National Forum on Education Statistics 1998) provides step-by-step procedures and a checklist for a security assessment. Another publication, Weaving a Secure Web Around Education: A Guide to Technology Standards and Security (National Forum on Education Statistics 2003), also discusses the security assessment in a web environment. These two documents provide further guidelines for maintaining a secure electronic and network environment that protects sensitive information.

Once risks are identified, the agency may select equipment that has the appropriate mechanical configuration, provides access to authorized users, and has software that restricts access to authorized persons only. Among the procedures used to ensure the privacy and security of computer records are password protection applications that restrict access to data elements and files, frequent password changes to guard against break-ins, and the use of encryption. Exhibit 4–1 contains basic information about securing automated records.

Develop written policies and procedures

To carry out these management responsibilities, the records manager has to know who is authorized to see and modify personally identifiable student data. A written policy can define the appropriate school officials and what constitutes a legitimate educational interest. This policy states who is allowed to change data and what procedures are needed to ensure that all records are updated when changes are made.

Management has a responsibility to inform staff members of their rights and responsibilities with regard to student data. One commonly used procedure is to have persons granted access to personally identifiable data sign an oath of nondisclosure. This agreement should list all types of information that must be kept confidential and forbid staff from discussing security aspects of the data system, such as a locked filing cabinet or a computer, with unauthorized individuals. The acknowledgment of specific legal penalties required by law should be included in this oath. While this may seem extreme, it can help to ensure that staff members know exactly what the requirements and their responsibilities are.

Written policies also could cover the current legal restrictions for disclosure or nondisclosure. For example, the Patriot Act of 2001 allows disclosure under certain conditions, while the National Defense Authorization Act allows military recruiters to obtain directory information of secondary school students. Procedures should be updated periodically to reflect recent changes in federal and state laws. See section 2 for a discussion of these recent changes. The web site of the Family Policy Compliance Office also contains updated information about changes in federal requirements.

Sample policies can be found in Weaving a Secure Web (mentioned above). These include an acceptable-use policy, technology resource use agreement, electronic mail policy, dial-in access policy, password policy, and web contents accessibility. These samples can be adapted to state or district use, and are the integral parts of the overall policy.