How Assessing Information Governance Can Improve Privacy in Schools
- By Mary Ellen Buzzelli
- 02/27/20
For public schools,
technology is an important tool. But establishing strong security
measures to protect student privacy is even more essential.
The K-12
Cybersecurity Act of 2019, a recent bill that has been introduced in
the U.S. Senate, calls for the Department of Homeland Security (DHS)
to initiate a review of the cybersecurity policies at public schools
across the country. This includes developing a more comprehensive set
of guidelines and tools so that schools can better protect
institutional and personal data from ransomware and other breaches.
Being able to
safeguard both school and student data should be apparent, but with
limited resources and funding schools are finding it hard to be
effective. In addition to the DHS guidelines, once available, schools
should look at their records and information management programs.
Creating an approach to
effectively manage the full information lifecycle will ensure that
records — both student and school — are in a better position to
remain protected.
Effective
Information Governance
Student
records and personal data must be strictly governed in educational
institutions, beginning when a record is created and continuing
through its usage, storage, retrieval and maintenance phases.
Information must also be managed with proper security and protection
structures in place, especially when it comes to personal and
confidential information.
Schools need a
formal information governance program to establish a framework that
details roles and responsibilities and identifies how records should
be treated. This allows schools to effectively manage the growing
volumes of information they are seeing and ensures that associated
risks are well understood, documented and then controlled so risk
mitigation can happen appropriately
But what does a
formal information governance program look like?
Privacy
Assessments
The
first step in information governance is identifying where personal
and sensitive data is located throughout a school’s records storage
system, and who is responsible for managing those records. An
in-depth assessment enables schools to identify gaps and prioritize
opportunities for improvement.
As
part of this assessment, it is important to establish a records
retention schedule. At the most fundamental level a retention
schedule dictates how long to keep documents according to the given
regulations that apply to each individual school district.
Information
Governance Framework
While
assessing, and later improving, a privacy program may seem easy,
schools may have constraints that prevent them from making greater
strides in protecting their records and information. Building an
information governance framework should serve as the next step in the
process. Establishing this framework will address issues spanning
risk management, retention, compliance and disposition, and is
important to give schools increased control over their information,
from creating a record to its final disposition. To establish a
framework, schools should identify its complete information inventory
and develop information maps, which are databases that capture an
inventory of what systems, applications and repositories they have,
where they are located, and who is responsible for managing them.
With this in place, they will be able to better understand their
records and information program. Schools can also benefit from an
updated retention management platform, a metric system that will
measure the alignment of information management outcomes to privacy
policies.
Content
Classification
Classifying
content is the last step in ensuring proper management of records and
information. Educational institutions should develop an enterprise
strategy that applies to both the pick-up of new, physical records,
the digitization of these records, and the training of access,
archiving and destruction requirements. This component sees an
establishment of both accurate and fast-processing search engines, a
reduced amount of legacy records and storage costs, improved service
responsiveness, and the identification of records that can be
eliminated to support space management requirements.
Access
Controls
In
addition to the steps outlined above, for privacy purposes it’s
critically important to maintain access control policies and
effective chain of custody procedures. This includes developing a
step-by-step process to ensure complete security and should include
using a unique identifier for location tracking as well as assigning
certain levels of access to individuals depending on roles and
responsibilities.
Conclusion
As
security and privacy of records and information in schools continues
to be one of the most pressing issues today, it is critical that
school systems focus on their information governance program. Privacy
starts with the ability to protect student records that are
constantly being produced and stored. By executing a more detailed
and managed framework, schools can worry less about breaches and more
about their mission of education.