by Rance Hall

PowerSchool Incident Response - Part 1

This article started as a response to the PowerSchool cyber security incident announced around Christmas 2024. As the scope of the incident became public, more and more school districts reported the exposure of personally identifying information.

So let's go back to the basics and start by understanding data. In a school district, data falls into two classes: protected and unprotected. Unprotected data could be public record information, directory information, or any other kind of data that is not otherwise protected by a data privacy standard. In a school district there are usually three data privacy standards; in some schools there is also a fourth. The first two privacy standards come from federal law: FERPA and HIPAA. FERPA is the privacy standard attached to educational records. HIPAA is the privacy standard attached to medical records. A student may have both medical and educational records that are protected. A staff member is a little different: a staff member's data is both protected and unprotected. As we know, a staff member has an SSN. This piece of data is protected because it identifies that staff member; it is part of what is known as personally identifying information (PII). That same staff member also works for a government agency, so their salary is public record. Sometimes free and reduced lunch status is considered PII as well, because it could identify a particular student. The last data standard has to do with payment card information, should a school allow payment by card for various fees.

For any specific data point we need to ask several questions about the risk associated with storing that piece of data in an electronic system. In order to do this we must first understand the data lifecycle. The data lifecycle consists of five steps, and each piece of data we choose to collect needs to go through each step. The first is data creation. There are rules associated with data creation: Is it correct? Does it make sense? Is there a context for this data? If you think about it, these rules make sense because the reason we are creating the data is to use it in some process, and if the data is incorrect, the process will yield poor results. The next three steps in the data lifecycle have to do with the handling of the data as you process it, use it, and report on it. Factors to consider in these three stages range from data storage parameters, to who can see it, who shouldn't see it, and how long it should be retained. The last stage in the data lifecycle is destruction.

This last step seems to be the one that gets left out the most. What happens when access to the data is no longer required? This step seems to have caught a lot of schools during the PowerSchool incident. Schools that at one time used staff SSNs as unique staff IDs had long abandoned the practice, but they never went back and removed the SSNs from the records of former staff members.

The mere possession and use of digital records obligates schools to include the data lifecycle in an understanding of their processes. For any particular data point a combination of the data lifecycle and the protection status of that data will determine the time that the data needs to spend in each state and how the data should be destroyed when the time comes.
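To make the lifecycle concrete, here is an added example (not the author's code and not anything from PowerSchool) that applies the creation checks and the destruction step described above to a small set of constructed staff records. It assumes a simple record layout, a classification of SSN and home address as protected and salary as public, an assumed policy that the SSN is destroyed as soon as the person is no longer employed while other PII is kept for a hypothetical three-year audit window, and a fixed "as of" date. A real district would take the retention periods from its own records-retention schedule and run the destruction pass against its SIS or HR database instead of an in-memory list.

```python
"""Creation checks and a retention/destruction pass over constructed staff records.

Added example: the retention periods, record layout and dates are assumptions,
not a policy taken from the article or from any vendor.
"""
from copy import deepcopy
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
import re

# Classification of each data point (assumed policy). Salary is public record
# for a government employee; SSN and home address are PII.
PROTECTED = {"ssn", "home_address"}
PUBLIC = {"name", "salary"}

# How long each protected field may be kept after a staff member's separation
# date (assumed policy): SSN is destroyed immediately, other PII after a
# hypothetical three-year audit window.
RETENTION_AFTER_SEPARATION = {
    "ssn": timedelta(days=0),
    "home_address": timedelta(days=3 * 365),
}

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Assumed "today" so the run is reproducible offline.
AS_OF = date(2025, 1, 15)


@dataclass
class StaffRecord:
    staff_id: str
    name: str
    salary: int
    ssn: Optional[str]
    home_address: Optional[str]
    separation_date: Optional[date]  # None means still employed


# Constructed sample records; the SSNs and addresses are made up.
SAMPLE = [
    StaffRecord("S1001", "A. Teacher", 52000, "123-45-6789", "1 Elm St", None),
    StaffRecord("S1002", "B. Former", 48000, "987-65-4321", "2 Oak St", date(2019, 6, 30)),
    StaffRecord("S1003", "C. Recent", 51000, "111-22-3333", "3 Ash St", date(2024, 12, 15)),
    # Legacy record from the days when the SSN doubled as the staff ID.
    StaffRecord("123-45-6780", "D. Legacy", 40000, "123-45-6780", "4 Fir St", date(2015, 1, 1)),
]


def validate_at_creation(record: StaffRecord) -> List[str]:
    """Creation-stage rules: is the data correct, and does it make sense?"""
    problems = []
    if record.ssn is not None and not SSN_RE.match(record.ssn):
        problems.append("ssn: malformed")
    if record.ssn is not None and record.staff_id == record.ssn:
        problems.append("staff_id: reuses the SSN as an identifier")
    if record.salary < 0:
        problems.append("salary: negative")
    return problems


def expired_fields(record: StaffRecord, today: date) -> List[str]:
    """Protected fields whose retention window has elapsed for this record."""
    if record.separation_date is None:
        return []  # still employed: nothing to destroy yet
    elapsed = today - record.separation_date
    return [field for field, keep in RETENTION_AFTER_SEPARATION.items()
            if getattr(record, field) is not None and elapsed >= keep]


def destroy_expired(records: List[StaffRecord], today: date) -> List[Tuple[str, str]]:
    """Destruction stage: clear expired protected fields in place and return an audit log."""
    log = []
    for record in records:
        for field in expired_fields(record, today):
            setattr(record, field, None)
            log.append((record.staff_id, field))
    return log


def run_example():
    """Validate a copy of the sample, run the destruction pass, return both results."""
    records = deepcopy(SAMPLE)
    problems = {r.staff_id: validate_at_creation(r) for r in records if validate_at_creation(r)}
    log = destroy_expired(records, AS_OF)
    return problems, log


if __name__ == "__main__":
    found_problems, audit_log = run_example()
    print("creation problems:", found_problems)
    for staff_id, field in audit_log:
        print(f"destroyed {field} on record {staff_id}")
```

The audit log is the part a district would actually keep: it shows that the SSN on every separated employee's record was removed, including the legacy record whose staff ID was itself the SSN, which the creation check also flags. Records of current staff are untouched, and the recently separated employee loses only the SSN, because the address is still inside its assumed retention window.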