IT Trends

How Assessing Information Governance Can Improve Privacy in Schools

For public schools, technology is an important tool. But establishing strong security measures to protect student privacy is even more essential.

The K-12 Cybersecurity Act of 2019, a recent bill that has been introduced in the U.S. Senate, calls for the Department of Homeland Security (DHS) to initiate a review of the cybersecurity policies at public schools across the country. This includes developing a more comprehensive set of guidelines and tools so that schools can better protect institutional and personal data from ransomware and other breaches.

Being able to safeguard both school and student data should be apparent, but with limited resources and funding schools are finding it hard to be effective. In addition to the DHS guidelines, once available, schools should look at their records and information management programs. Creating an approach to effectively manage the full information lifecycle will ensure that records — both student and school — are in a better position to remain protected.

Effective Information Governance

Student records and personal data must be strictly governed in educational institutions, beginning when a record is created and continuing through its usage, storage, retrieval and maintenance phases. Information must also be managed with proper security and protection structures in place, especially when it comes to personal and confidential information.

Schools need a formal information governance program to establish a framework that details roles and responsibilities and identifies how records should be treated. This allows schools to effectively manage the growing volumes of information they are seeing and ensures that associated risks are well understood, documented and then controlled so risk mitigation can happen appropriately

But what does a formal information governance program look like?

Privacy Assessments

The first step in information governance is identifying where personal and sensitive data is located throughout a school’s records storage system, and who is responsible for managing those records. An in-depth assessment enables schools to identify gaps and prioritize opportunities for improvement. 

As part of this assessment, it is important to establish a records retention schedule. At the most fundamental level a retention schedule dictates how long to keep documents according to the given regulations that apply to each individual school district.

Information Governance Framework

While assessing, and later improving, a privacy program may seem easy, schools may have constraints that prevent them from making greater strides in protecting their records and information. Building an information governance framework should serve as the next step in the process. Establishing this framework will address issues spanning risk management, retention, compliance and disposition, and is important to give schools increased control over their information, from creating a record to its final disposition. To establish a framework, schools should identify its complete information inventory and develop information maps, which are databases that capture an inventory of what systems, applications and repositories they have, where they are located, and who is responsible for managing them. With this in place, they will be able to better understand their records and information program. Schools can also benefit from an updated retention management platform, a metric system that will measure the alignment of information management outcomes to privacy policies.

Content Classification

Classifying content is the last step in ensuring proper management of records and information. Educational institutions should develop an enterprise strategy that applies to both the pick-up of new, physical records, the digitization of these records, and the training of access, archiving and destruction requirements. This component sees an establishment of both accurate and fast-processing search engines, a reduced amount of legacy records and storage costs, improved service responsiveness, and the identification of records that can be eliminated to support space management requirements.

Access Controls

In addition to the steps outlined above, for privacy purposes it’s critically important to maintain access control policies and effective chain of custody procedures. This includes developing a step-by-step process to ensure complete security and should include using a unique identifier for location tracking as well as assigning certain levels of access to individuals depending on roles and responsibilities.


As security and privacy of records and information in schools continues to be one of the most pressing issues today, it is critical that school systems focus on their information governance program. Privacy starts with the ability to protect student records that are constantly being produced and stored. By executing a more detailed and managed framework, schools can worry less about breaches and more about their mission of education.

About the Author

Mary Ellen Buzzelli is Director State, Local and Education Strategy at Iron Mountain Government Solutions.