Skip Navigation
The Forum Guide to Data Ethics
NCES 2010-801
March 2010

8. Treat data systems as valuable organizational assets

The network manager called the chief information officer at 11:00 p.m. "You're never going to believe this, but a tech assistant fried our database." The CIO rolled her eyes. "How many times do we need to tell people they can't touch that equipment?" "Well, to be fair, it was a new employee—but you're right, it is an ongoing problem." The CIO then asked, "But why are you calling me? You know how to access the offsite backup files as well as I do." "That's the second part of the problem," the network manager confessed. "I know there is no excuse for it, but I wanted to leave a little early on Friday and figured I could have the backup tapes sent in on Monday. I meant to do it first thing Monday morning, but a data request from the superintendent came in and I just lost track of time. I know I fouled up, but we don't have an offsite backup for the last two weeks." The CIO was very angry, but knew that the network manager appreciated the magnitude of the mistake and that a reprimand wouldn't help. "Well, we're going to need to hire specialists and get the system fixed." "But that's going to cost several thousand dollars," the network manager interjected. "I know," the CIO said. "But tell me our other options?"

Education organizations spend a great deal of money on systems for collecting, storing, accessing, using, and sharing data. In addition to these infrastructure expenses, there are significant human resource costs for collecting and managing data. Collection instruments, including assessments and survey forms, for example, must be carefully designed by highly skilled professionals. The administration of these assessments and surveys—beginning with the delivery of the materials and ending with verification and validation activities—requires many staff hours and represents a substantial investment. Moreover, many education organizations build or rent climate-controlled facilities, contract with offsite backup storage services, employ elaborate encryption algorithms, mandate restrictive user authentication schemes, conduct criminal background checks on staff, and engage in robust destruction techniques at the end of a piece of data's useful life. Education data are clearly a valued asset or they would not warrant this much attention.

This canon is probably violated unintentionally as often as it is willfully broken. Failure to follow procedures that protect data and data systems—or failure to anticipate potential threats to these—can cause as much damage as any deliberate sabotage.

For more information about data security, see the Forum Unified Education Technology Suite.

In addition to the loss of resources when a data system must be replaced or repaired because of negligent behavior, there is the issue of data security. It is practically impossible to retrieve data after they have been released electronically. Once someone's private information has been shared over the Internet, it will never again be private. Moreover, when information is lost, damaged, or otherwise unavailable when needed, there can be serious effects on the operation of an education organization. What happens when a teacher cannot download a lesson plan in time to inform instructional choices for students sitting in his classroom? Or when a school nurse cannot find a sick kindergartner's home telephone phone number quickly? What would happen in the aftermath of a tornado or other catastrophe if a school principal could not access the morning's attendance information to account for every student after a building evacuation?

A wide range of people and events threaten data, including

  • natural conditions such as fire, flood, lightening, or humidity;
  • intentional acts, including malicious hackers and computer viruses;
  • routine or unintentional actions, such as unwittingly placing a coffee cup on a server or leaving a password taped to a computer monitor.

Data must be protected from these and other threats by means of a wide range of physical, software, hardware, and access security measures. Countermeasures include a host of processes and products intended to prevent, deter, contain, and detect problems, as well as recover data when needed. However, while we rely on traditional technical and data management solutions to security concerns, these security procedures are implemented by individuals who must follow a professional ethic that recognizes their responsibilities as stewards of the organization's information resources.

When information is lost, damaged, or otherwise unavailable when needed, it can have a serious effect on the operations of an education organization.

Recommended Practices and Training

  1. Document all security procedures including
    1. passwords;
    2. system access procedures;
    3. encryption procedures and algorithms;
    4. data exchange protocols with partners (schools, districts, state education agencies, intermediate units, application service providers, etc.);
    5. metadata (data about data) concerning technologies, methods, operations, and data elements; and
    6. other security procedures you may have.
  2. Establish a thorough and robust security plan based on an extensive risk assessment, threat analysis, and countermeasure strategy for the entire organization.
  3. Establish procedures that ensure adherence to security procedures for all forms of data, including digital and print records.
    1. Employ physical security measures without exception. For example, never prop open the door to the server room when it is supposed to stay locked, and install locks and other surveillance tools to prevent unauthorized entry into secure areas.
    2. Follow all security requirements related to the use of mobile data storage devices, including laptop computers, handhelds, portable disk drives (e.g., jump drives), etc.
    3. Use required transmission protocols for all forms of data exchange, including transfers of data tapes and email. This often includes the use of encryption and password privileges.
    4. Back up data responsibly. Although the organization may engage in offsite storage, individual users must be sure to store data in proper formats, in designated locations, and with appropriate testing and verification.
    5. Never allow data handlers to access data that are not required for their work.
    6. Never allow data handlers to share their passwords or other authentication information with other users who may not have the same access privileges.
    7. Never allow data handlers to use shortcuts or unauthorized channels for accessing the organization's systems and networks, whether onsite or remotely.
    8. Destroy data that have reached the end of their useful life.
    9. Review and reauthorize user access privileges at least once a year.
  4. Train all data users about their data security responsibilities.
    1. Thoroughly orient new employees to security procedures, and make sure they understand their responsibilities and repercussions for failing to observe procedures.
    2. Include security training for staff and volunteers who have access to the organization's information system. This should include what to do to protect hardware and software as well as protecting information.