The following is cross-posted from PogoWasRight.org:
For Data Privacy Day 2013 on January 28, I’ve tried to compile a list of questions parents should ask their child’s school district about how their child’s personal information is protected. Send your letter to your district’s Superintendent with a cc: to your district’s Board of Education:
Dear ________:
As a parent of a student in this district, I have a number of questions about the protection and security of students’ personal, private, and sensitive information. For purposes of this letter, by “personally identifiable information,” I mean name, contact details, parents’ contact information, Social Security numbers, Medicaid numbers, and/or any other personally identifiable information (PII), regardless of whether the District considers any of the above “directory information” under FERPA. By “private, personal and sensitive information” (PPSI), I mean any health-related information, behavior or discipline records, religion, any financial information such as credit card or debit card numbers or parents’ financial information, and any information or records pertaining to sexual orientation, political views, etc.:
1. Are school district personnel permitted to take paper records containing students’ PII or PPSI off school district premises? If so, I would like to see any and all policies concerning the security and protection of information taken off premises, including, but not limited to, how records are to be secured in personnel’s homes, and whether records may ever be left in unattended vehicles, etc.
2. Are school district personnel permitted to store – either temporarily or long-term – students’ PII or PPSI on their personal devices such as laptops, smart phones, iPads, USB drives, etc.? If they are permitted to do so, I would like to see copies of the policies that inform personnel how they are required to secure the information on their personal devices and how they are to securely delete information or destroy devices. I am also requesting to see any policies as to how the District tracks and monitors students’ PII and PPSI that may be on employees’ personal devices.
3. Does the District provide employees with USB drives or mobile devices to perform their work-related duties? If so, are those USB drives or devices encrypted? I would also like to see all policies concerning the use and security of District-provided drives and mobile devices that may hold students’ PII and/or PPSI. And if the District does provide staff with portable devices, when was the last time the District conducted an audit to determine the location of all District mobile devices? If they were not all accounted for, how many were missing and what types of student information were on them?
4. I would like to see any District policy or policies concerning the use of employees’ personal e-mail accounts for the transmission or storage of students’ PII and/or PPSI.
5. Is there any District policy concerning personnel’s obligations to timely report any breach or potential breach involving students’ PII or PPSI (for both paper and electronic records)? If so, I would like to see the policy or policies.
6. Are students’ Social Security numbers, Medicaid numbers, and/or health insurance policy numbers stored in any electronic databases? If so: (a) are those databases connected directly or indirectly to the Internet, (b) are those databases encrypted, and (c) do any non-District personnel have access to those databases, and if so, who?
7. What is the District’s written policy as to how often the District’s IT personnel audit access logs to determine if electronic databases containing students’ PII and/or PPSI have been compromised or improperly accessed?
8. Under our state’s Freedom of Information law, I am also requesting inspection of any records relating to any privacy breaches or data security breaches the District may have experienced since January 1, 2008, including, but not limited to, hacks of databases containing students’ PII and/or PPSI, employees exceeding authorized access and accessing others’ PII or PPSI improperly, students’ using personnel’s login credentials to access databases containing students’ PII and/or PPSI, loss of USB drives or other devices containing students’ PII or PPSI (regardless of whether they are district-owned or the individual’s personal property), loss or theft of paper records containing students’ PII and/or PPSI, inadvertent web exposure or e-mail exposure of students’ PII and/or PPSI, etc.
9. If the District uses a third party web host or cloud provider, does the District have written contracts in place that cover responsibility for the security of students’ PII and/or PPSI? Who can access that information? If such vendors or contractors are involved in storing or processing students’ PII and/or PPSI, how does the District ensure that the data are not being improperly accessed or compromised?
10. If there are other District policies that I haven’t requested but that relate to data security and protection of student’ PII and/or PPSI, please tell me what they are or provide me with copies of them.
I know that some parents hesitate to do anything that might be perceived as “making waves.” Asking questions about how well your child’s district protects their privacy and the security of their information is not “making waves.” It’s being an informed parent. I would encourage parents to ask that their District devote an entire information meeting for all parents to go over the questions raised above.
It’s quite possible your child’s district may not have written policies for some of the questions raised above. If that’s the case, then your next step may be to ask them why there are no written policies and to ask them to formulate formal policies (not guidelines, but enforceable policies) to address security and protection of students’ PII and PPSI.
Happy Data Privacy Day 2013!
Note: This post may be reproduced for non-commercial use under Creative Commons Attribution-NonCommercial 3.0 Unported License.