Ensuring Student Data Privacy with CPSI Tools
Last week, I talked about the Student Digital Privacy Act and stated my opinion that it was not enough. I received some detailed explanations about the Act from Amelia Vance (Twitter: @ameliaivance), who is the Director of Education Data & Technology at NASBE. Thank you for taking the time to respond in such a detailed manner, Amelia! I learned a lot about how policy is created. I understand now what is meant by “reasonable” and I have an understanding of why 45 days was chosen in one area of the Act and one year was chosen in another area of the Act.
The most astounding point is that policy makers consider it reasonable to allow for deletions to occur 45 days after a request because it takes some vendors several days to clean out data for a student. It appears that there is not one spot where they can go and just delete a student’s data, and that they have to rummage through many databases to ensure that the data is all cleaned up. Plus, it is anticipated that a vendor might take several days to get started due to time constraints. I understand the issues, but it doesn’t make me feel much better about data privacy.
For many years, I have had concerns about student privacy and issues surrounding it. I have been working with my staff at CPSI on a new product, code-named “Data Steward”. The new product is aimed at helping districts and states ensure data privacy when sharing data between the schools and third-party vendors….
By the end of the summer of 2015, we will be releasing our newest product offering, code-named Data Steward (we are still working on its official name). This tool will run on any MS SQL database or data warehouse. The Data Steward will help educational organizations discover and identify personally identifiable information, or PII, guide them through the complicated process of deciding what data needs to be governed, and govern the outgoing data by masking PII so that it is invisible to users and applications that are not allowed to see it.
How does this process help with ensuring student data privacy and what are the benefits?
For one, the governance board can truly see what data is sitting in their data systems. This means that the governance board can make sound decisions based on actual facts. Data administrators in charge of implementing the governance will have an easy-to-use and efficient way to manage it all. It also means that PII data no longer has to go to third-party vendors. In the end, data is secured across fields, roles, and applications so student data is safe and sound, putting parents and guardians at ease as to where their children’s information is going.
So how does the student data privacy tool, Data Steward, work?
First, you need to discover your data and identify it. It helps to assign friendly names to the fields and categorize the data for reports. This preparation will allow you, as your organization’s data administrator or data security person, to give your Data Governance Board or school board a full listing of all data that is available in your data store, where that data comes from, and what data is missing between the data sources and the data storage area (gap analysis). The reports will allow your Governance Board to decide who gets to see what data, and what types of roles need to be created for data usage and storage. Some of the data preparation items include:
- Searches through the database and discovers the metadata existent in your data collection
- Allows you to assign descriptions and friendly names to your data elements
- Allows you to assign data to categories for ease of management and reporting
- Provides you with the tools to perform a gap analysis between the source data and the storage area
- Provides you with the ability to create reports for your Governance Board
- Define the data governance requirements
- Definitions of the data by categories and fields
Once you have provided reports to your Governance Board or School Board, they can proceed to make decisions on the data usage and viewing. The Data Steward from CPSI then allows you to easily implement the decisions made by the Board. These steps include:
- Assign PII markers on certain data for privacy purposes as per the legal department, FERPA, and the Board decisions.
- Define the roles for data usage and viewing based on the Board decisions.
- Define the roles for data access down to the field level.
- Define standard roles, such as teacher, administrator, third party vendor, etc.
- Define PII prohibited roles.
- Set Security and Business Rules
- Set security of elements by role
- Apply governance rules to data fields and data sets
- Prohibit certain roles from globally accessing PII data
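The steps above (PII markers, field-level roles, and a global PII prohibition) can be illustrated with a small masking filter for outgoing records. This is an added sketch, not CPSI's code and not how Data Steward is implemented; the field names, roles, sample row, and the `mask_record` helper are all hypothetical.

```python
"""Constructed sketch of role-based, field-level PII masking on outgoing data.
All names below are hypothetical; none come from Data Steward."""
from dataclasses import dataclass

MASK = "***"

@dataclass(frozen=True)
class Field:
    name: str
    category: str
    pii: bool                     # PII marker set per legal, FERPA, and Board decisions

@dataclass(frozen=True)
class Role:
    name: str
    allowed_fields: frozenset     # field-level access granted to this role
    pii_prohibited: bool = False  # global rule: never sees PII, even if listed

# Constructed data dictionary (what the discovery and categorization step yields).
CATALOG = {f.name: f for f in [
    Field("student_id", "identity", True),
    Field("last_name", "identity", True),
    Field("birth_date", "demographics", True),
    Field("grade_level", "enrollment", False),
    Field("math_score", "assessment", False),
]}

ROLES = {r.name: r for r in [
    Role("teacher", frozenset({"student_id", "last_name", "grade_level", "math_score"})),
    # Misconfigured on purpose: last_name is listed, but the global rule wins.
    Role("third_party_vendor",
         frozenset({"last_name", "grade_level", "math_score"}), pii_prohibited=True),
]}

def visible(role: Role, field_name: str) -> bool:
    field = CATALOG.get(field_name)
    if field is None:             # field never discovered or cataloged: fail closed
        return False
    if field.pii and role.pii_prohibited:
        return False              # global prohibition overrides any field-level grant
    return field_name in role.allowed_fields

def mask_record(record: dict, role_name: str) -> dict:
    """Return a copy of record with every field the role may not see masked."""
    role = ROLES[role_name]       # unknown role raises KeyError: fail closed
    return {k: (v if visible(role, k) else MASK) for k, v in record.items()}

# Constructed sample row; lunch_status is deliberately absent from the catalog.
SAMPLE = {"student_id": "S-1001", "last_name": "Rivera", "birth_date": "2005-03-14",
          "grade_level": 9, "math_score": 87, "lunch_status": "F"}
```

Two properties matter here: a field missing from the catalog is masked rather than passed through, and a PII-prohibited role cannot regain PII through a mistaken field-level grant.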
All in all, what really matters is that student data stays safe. Stay tuned for the official release date and the new name of our Data Steward. In the meantime, check out our other product offerings on our website.