The Forum Guide to Data Ethics
NCES 2010-801
March 2010

9. Safeguard sensitive data to guarantee privacy and confidentiality

A school board member was a personal friend of the principal at the local elementary school. When the board member needed information, she would email the principal and get a reply with the data attached. Both school leaders knew they were circumventing official procedures for sharing data, but rationalized that, since they both had privileges to obtain the data from the data steward, this more direct and informal approach only expedited an exchange that was otherwise permissible anyway. They didn't see any harm in this practice until the board member made a public presentation that inadvertently revealed that the one and only Asian female student in the 4th grade had a learning disability. The student's parents were in the audience and took offense to the public display of private information. The district's information security officer informed both the board member and principal that sharing data so haphazardly violated the district's policies and procedures. Had proper procedures been followed, the data steward would have masked all personally identifiable information and the private information would not have been accidentally disclosed.
Sensitive information is information that, if lost or compromised, might negatively affect the subject of the information.

Within a data system, there is a distinction between "general information" (i.e., those data that are generally helpful to your organization as it carries out its mission) and "sensitive information" (i.e., those data that are confidential and/or vital to your organization as it carries out its mission). For example, a data file with "help" instructions for website users is a "general" support component within your data system. While the files are important to users facing a web problem, the data are not vital to running a school or school system; nor are they private in nature or otherwise subject to confidentiality restrictions. On the other hand, data about class assignments are both confidential (data about student course selection are private) and vital to the school's core instructional mission (principals should know where students need to be at every moment of the day).

A data handler does not have the right to look at her neighbor's child's grades simply because she has access privileges to student information. There must be a legitimate "need to know" that stems from officially assigned work responsibilities.

Ethical standards for protecting sensitive information are higher than those for general information. With the exception of some directory information that may be considered a part of the public record, individual student information (e.g., transcripts and other individual records) is substantially a private matter and, as such, is required to be maintained in a confidential manner. It is not the public's business, nor a data handler's business, unless there is a legitimate "need to know" the information to carry out officially assigned responsibilities.

Canon 3 addresses the need to be aware of laws and policies governing data collection and reporting, including the confidentiality of private data about individuals. The principle in canon 9 addresses the responsibility of organizations to establish and enforce procedures that will put these safeguards in place.

Recommended Practices and Training

Protecting the confidentiality of individually identifiable data is imperative. The primary difference in how individual student and staff data should be secured stems from protections specific to student data, as detailed in FERPA (see appendix D).
  1. Identify which data are considered to be sensitive (private and/or vital to operations).
  2. Develop and implement a robust data security plan that includes specific precautions for sensitive data, such as the following.
    1. Limit access privileges strictly to data handlers who "need to know" the information to conduct their official duties and responsibilities.
    2. Review and reauthorize user access privileges on an annual basis.
    3. Limit remote access privileges so that data in a secure location cannot be exported to a site that is not secure (e.g., downloads from a secure database into an Excel or PDF file at home).
    4. Maintain high standards for verifying data requests and data sharing. Due diligence prior to sharing data is more than just identifying who wants the data. Ask questions such as: Why do they want it? How will they use it? Will they destroy it properly? How can proper handling be verified? Will they sign an acceptable use agreement? Note that it is often helpful to have these questions answered in writing.
    5. Mandate password rules that make passwords difficult for hackers to guess. For example, passwords should be six or more characters in length and include at least one letter and one number, as well as an asterisk, exclamation point, or other special character. Passwords should not be names or words that appear in a dictionary.
    6. Require the use of secure transmission technologies, including secure servers, authentication tools, and encryption algorithms.
    7. Store data securely. This requires appropriate physical security, software security, access security, network security, and related behavioral management security.
    8. Establish and enforce security expectations for portable data storage media, including laptop computers, external hard drives, portable drives, etc.
  3. Establish and enforce policies governing the release of student data (both private and directory information) in compliance with FERPA, as well as related state and local privacy laws and regulations.
    1. Train all data handlers to understand their responsibilities with respect to FERPA and other applicable statutes and regulations.
    2. Require written permission from a parent to release nondirectory information subject to the exceptions identified in FERPA.
  4. Train all data handlers to identify which data are general information and which are sensitive.
    1. Ensure that data handlers understand the expectations and consequences of FERPA, HIPAA, and related state or local privacy laws.
    2. Train individuals based on their access privileges to sensitive data. Nontechnical staff with access privileges—such as teachers, administrators, or data clerks—need to understand the data system's security safeguards and how they can follow them. Include discussions about the "why" of security as well as the "how," so that learners can internalize this ethical principle and apply it to their work.
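As an added example (not code from the guide), the following Python check enforces the password rules in item 2.5 as the guide states them: minimum length, at least one letter, one digit, one special character, and no name or dictionary word. The word list is a small constructed stand-in for a real dictionary, and using the password's letters with digits and punctuation stripped as the dictionary lookup key is an assumption, not a rule the guide spells out.

```python
import re

# Constructed stand-in for a dictionary and name list; a real check would
# load a full word list and a list of common names.
DICTIONARY_WORDS = {"password", "welcome", "school", "student", "teacher",
                    "district", "jennifer", "michael"}

MIN_LENGTH = 6  # the guide's stated minimum; a district can raise it


def password_violations(password, min_length=MIN_LENGTH, dictionary=DICTIONARY_WORDS):
    """Return a list of rule violations; an empty list means the password passes.

    Rules checked, in the guide's order: length, a letter, a number,
    a special character, and not a dictionary word or name.
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", password):
        violations.append("no letter")
    if not re.search(r"[0-9]", password):
        violations.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special character (e.g. * or !)")
    # Assumption: strip digits and punctuation before the dictionary lookup so
    # that "Welcome1!" is still recognised as built on the word "welcome".
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in dictionary:
        violations.append(f"based on dictionary word or name '{core}'")
    return violations


def is_acceptable(password):
    """True when the candidate password satisfies every rule in the guide."""
    return not password_violations(password)


if __name__ == "__main__":
    for candidate in ["Gr8*tree", "a1*", "Welcome1!", "school"]:
        print(candidate, "->", password_violations(candidate) or "OK")
```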