Schools handle a wide variety of sensitive information concerning students and their families. Laws, regulations and ethical obligations require administrators to take active measures to protect that information from unauthorized disclosure.
That warrants a combination of technical and process controls designed to facilitate legitimate use of student records while safeguarding them against intruders. Let’s take a look at five ways that schools can better protect their student records.
MORE FROM EDTECH: Check out these five ways K–12 schools can adhere to privacy laws.
1. Minimize Data Collection of Student Information
The single most important step schools can take to lower the risk of unintentional or malicious disclosure of sensitive student information is to reduce the amount of information collected in the first place.
That’s a tried-and-true practice known in the privacy field as minimization. When schools don’t collect sensitive data elements, there is no risk they will lose control of that information if a data breach occurs.
Social security numbers are low-hanging fruit for minimization efforts. Many schools began a practice years ago of collecting student and/or parent SSNs for identification purposes. While almost every school has moved beyond the use of SSNs as a student identifier, many still ask for student and parent SSNs on registration forms. There is no good reason to do that.
Guidance from the U.S. Department of Education clearly states that parents are not required to disclose SSNs to schools. The risks associated with storing such sensitive information are too great, and there is no clear benefit. Schools should review all of their data collection practices and remove any fields not required for a specific, legitimate business purpose.
2. Purge Unnecessary Student Records
In addition to minimizing the information collected, schools should also take actions to purge sensitive information when it's no longer used for its original purpose. Purging old records serves a similar purpose as minimizing data collection: lowering the impact of a potential breach.
Schools should set standardized record retention policies that specify the length of time different categories of records should be preserved. For example, a school might decide to retain course-level grades permanently to generate transcripts, but purge student disciplinary records seven years after graduation. Exceptions might be made for students who were expelled from school or other specific circumstances.
Some retention periods might be quite short. For example, public schools often collect documentation from parents to prove their residency in a particular school district.
Once those records are validated and approved by an administrator, is there any valid reason to maintain copies of the records themselves? It may suffice to maintain a record created by the administrator documenting the evidence was received, reviewed and validated.
MORE FROM EDTECH: Review K–12 student privacy best practices issued by the FBI.
3. Encrypt Data at Rest and in Transit
After completing minimization and purging efforts, chances are schools will still need to retain some sensitive information about students and their parents. Those records should be secured carefully, using a mix of technical and administrative controls.
The most important technical control schools may apply to information is the use of strong encryption technology to protect information that is either at rest; stored on a server or device; or in transit, being sent over a network. Schools should identify devices that store sensitive information and apply encryption at both the file and disk level.
That is particularly important for notebooks and other mobile devices that might be lost or stolen when outside of school. Schools should also identify cases where they send or receive sensitive information over a network connection and ensure that the connection is encrypted.
For example, standard email does not use encryption and should never be used for sending sensitive information to parents or students. Secure messaging portals that use HTTPS-encrypted websites are a much better alternative.
4. Follow the Principle of Least Privilege
The security principle of least privilege states that each user should be assigned the minimum level of access necessary to perform his or her job functions. That principle is often unintentionally violated in schools as a matter of convenience.
For example, a school IT administrator might grant all faculty and staff access to student records stored on a server. That may make administrative tasks easier, but it also exposes those records to unnecessary risk.
A least-privilege approach here would create access control groups that limit each user’s access to only those records required for his or her job. For example, the school nurse and principal might be the only two individuals with access to health records.
A student’s current course grades might be available only to teachers who have that student in class, the student’s guidance counselor and senior administrators. It may seem obvious but reducing the number of people with access to sensitive information helps keep that information more secure.
MORE FROM EDTECH: Here are three ways K–12 schools can improve their security practices in 2019.
5. Monitor User Activity on School Networks
Finally, schools should monitor the activity of any users granted access to sensitive information. That doesn’t require elaborate monitoring systems; most likely, changes to settings in existing software will be sufficient. For example, Windows file servers include robust auditing capabilities that allow tracking and logging of all successful or unsuccessful attempts to access files.
Any records gathered through user monitoring can also help to identify suspicious activity and also aid in tracking down the source of leaks of sensitive information. For example, if a high-profile student’s educational records are leaked to the media, administrators may look at the access logs to determine who recently viewed those records.
Schools must exercise more caution and discretion to protect students' and families’ information from unauthorized uses. Following a few simple security practices will go a long way toward preserving the public trust in educational institutions.
