DataBreaches.Net


10 Questions to Ask Your Child’s School District on Data Privacy Day 2013

Posted on January 29, 2013 by Dissent

The following is cross-posted from PogoWasRight.org:

For Data Privacy Day 2013 on January 28, I’ve tried to compile a list of questions parents should ask their child’s school district about how their child’s personal information is protected. Send your letter to your district’s Superintendent with a cc: to your district’s Board of Education:

Dear ________:

As a parent of a student in this district, I have a number of questions about the protection and security of students’ personal, private, and sensitive information. For purposes of this letter, by “personally identifiable information,” I mean name, contact details, parents’ contact information, Social Security numbers, Medicaid numbers, and/or any other personally identifiable information (PII), regardless of whether the District considers any of the above “directory information” under FERPA. By “private, personal and sensitive information” (PPSI), I mean any health-related information, behavior or discipline records, religion, any financial information such as credit card or debit card numbers or parents’ financial information, and any information or records pertaining to sexual orientation, political views, etc.

1. Are school district personnel permitted to take paper records containing students’ PII or PPSI off school district premises? If so, I would like to see any and all policies concerning the security and protection of information taken off premises, including, but not limited to, how records are to be secured in personnel’s homes, and whether records may ever be left in unattended vehicles, etc.

2. Are school district personnel permitted to store – either temporarily or long-term – students’ PII or PPSI on their personal devices such as laptops, smart phones, iPads, USB drives, etc.? If they are permitted to do so, I would like to see copies of the policies that inform personnel how they are required to secure the information on their personal devices and how they are to securely delete information or destroy devices. I am also requesting to see any policies as to how the District tracks and monitors students’ PII and PPSI that may be on employees’ personal devices.

3. Does the District provide employees with USB drives or mobile devices to perform their work-related duties? If so, are those USB drives or devices encrypted? I would also like to see all policies concerning the use and security of District-provided drives and mobile devices that may hold students’ PII and/or PPSI. And if the District does provide staff with portable devices, when was the last time the District conducted an audit to determine the location of all District mobile devices? If they were not all accounted for, how many were missing and what types of student information were on them?

4. I would like to see any District policy or policies concerning the use of employees’ personal e-mail accounts for the transmission or storage of students’ PII and/or PPSI.

5. Is there any District policy concerning personnel’s obligations to timely report any breach or potential breach involving students’ PII or PPSI (for both paper and electronic records)? If so, I would like to see the policy or policies.

6. Are students’ Social Security numbers, Medicaid numbers, and/or health insurance policy numbers stored in any electronic databases? If so: (a) are those databases connected directly or indirectly to the Internet, (b) are those databases encrypted, and (c) do any non-District personnel have access to those databases, and if so, who?

7. What is the District’s written policy as to how often the District’s IT personnel audit access logs to determine if electronic databases containing students’ PII and/or PPSI have been compromised or improperly accessed?

8. Under our state’s Freedom of Information law, I am also requesting inspection of any records relating to any privacy breaches or data security breaches the District may have experienced since January 1, 2008, including, but not limited to, hacks of databases containing students’ PII and/or PPSI, employees exceeding authorized access and accessing others’ PII or PPSI improperly, students using personnel’s login credentials to access databases containing students’ PII and/or PPSI, loss of USB drives or other devices containing students’ PII or PPSI (regardless of whether they are district-owned or the individual’s personal property), loss or theft of paper records containing students’ PII and/or PPSI, inadvertent web exposure or e-mail exposure of students’ PII and/or PPSI, etc.

9. If the District uses a third party web host or cloud provider, does the District have written contracts in place that cover responsibility for the security of students’ PII and/or PPSI? Who can access that information? If such vendors or contractors are involved in storing or processing students’ PII and/or PPSI, how does the District ensure that the data are not being improperly accessed or compromised?

10. If there are other District policies that I haven’t requested but that relate to data security and protection of students’ PII and/or PPSI, please tell me what they are or provide me with copies of them.

I know that some parents hesitate to do anything that might be perceived as “making waves.” Asking questions about how well your child’s district protects their privacy and the security of their information is not “making waves.” It’s being an informed parent. I would encourage parents to ask that their District devote an entire information meeting for all parents to go over the questions raised above.

It’s quite possible your child’s district may not have written policies for some of the questions raised above. If that’s the case, then your next step may be to ask them why there are no written policies and to ask them to formulate formal policies (not guidelines, but enforceable policies) to address security and protection of students’ PII and PPSI.

Happy Data Privacy Day 2013!

Note: This post may be reproduced for non-commercial use under Creative Commons Attribution-NonCommercial 3.0 Unported License. 

Category: Commentaries and Analyses, Education Sector, Of Note
