Policy

DRAFT

I. Introduction

The DISTRICT NAME ISD collects and works to safeguard sensitive data, such as personally identifiable information (PII), as well as data classified as Family Educational Rights and Privacy Act (FERPA) and/or Health Insurance Portability and Accountability Act (HIPAA) protected data. This can include data such as a person’s name, physical address, phone number, e-mail address, social security number (SSN), credit card numbers, driver’s license numbers, passport numbers, date of birth, savings account, checking account, insurance policy, health account or financial account number or information, and health or disability information. Unauthorized access, use, or disclosure of sensitive data can seriously harm individuals by enabling the opportunity for identity theft, blackmail or embarrassment. The disclosure of sensitive data can also cause the DISTRICT NAME ISD to suffer a reduction in public trust and can create a legal liability.


Sensitive data collected and/or used should be considered protected data and must be protected when in digital format and/or print format. This policy covers students, employees and others on whom the DISTRICT NAME ISD may have such information. The policy applies to all persons exposed to sensitive data, its storage mechanisms (how the information is stored, e.g. paper, electronic, other media) and modes of transmission.


II. Purpose and Scope

The purpose of this policy is to ensure (a) that employees understand the need to safeguard this information, and (b) that adequate procedures are in place to minimize the risk of improper disclosure of sensitive data. Access to sensitive data may only be granted to authorized individuals on a need-to-know basis. This policy seeks to ensure the security, confidentiality, and appropriate use of all sensitive data processed, stored, maintained, or transmitted on the DISTRICT NAME ISD’s computer systems and networks. This includes protection from unauthorized modification, destruction, or disclosure, whether intentional or accidental.


III. Policy

  1. The DISTRICT NAME supports the protection of individual privacy. As such, it will comply with all applicable laws that govern the collection, storage, transfer, use of, and access to sensitive data.

  2. The DISTRICT NAME ISD shall strive to minimize collection of sensitive data to the least amount of information required to complete a particular transaction or to fulfill a particular purpose related to the academic or business needs of the institution. Employees should limit any request for sensitive data to the minimum necessary or appropriate to accomplish the District’s purpose for which it is requested.

  3. All sensitive data in the possession of the DISTRICT NAME ISD is considered confidential unless:

    1. The data owner has authorized the release of information designated as “Directory Information” by the District; or

    2. The data owner has otherwise authorized its disclosure.

  4. The DISTRICT NAME ISD requires that sensitive data--such as that listed below--must be stored and transferred in encrypted format when digital, and kept secure when in paper form.

  5. Consistent with applicable law and District policy, custodians of sensitive data shall take reasonable and appropriate steps to:

    1. limit access to and further use of or transfer of such information

    2. ensure that the information is maintained in a form and manner that is appropriately secure in light of the nature and sensitivity of the information.

  6. How to Protect Sensitive Data

    1. Electronic Storage and Disposal

      1. Do not store sensitive data on a portable, mobile device (e.g. USB drive, CD, laptop) in unencrypted format.

      2. Do not store sensitive data in public files accessible via the Internet (e.g. Dropbox, non-District GoogleDrive).

      3. Do not download sensitive data from District databases (e.g. Eduphoria, Data Dashboard) unless legally required or for standard district practice.

      4. Do not transmit sensitive data to external parties via email or the Internet unless the connection is secure and/or the information encrypted. (Refer to the tutorial on this site for help on how to encrypt/decrypt information.)

      5. Safely wipe (a.k.a. “digital shredding”) storage media when disposing of equipment.

      6. Contracts with third party entities for storage of the District’s data in the cloud will be signed to ensure protected storage, security and disposal of data in alignment with District policy. The District will require the vendor to detail in the contract how data is securely stored, who has access to and use of the data, as well as how data is transferred or shared among users internal to the third party and/or other authorized users. Third party entities will also be expected to detail how data will be destroyed at the end of the contract term and a copy returned to the District.

    2. Physical Storage and Disposal

      1. Do not publicly display sensitive data or leave sensitive data unattended, even on your desk or on the desk of a co-worker.

      2. Do not take sensitive data home.

      3. Do not discard sensitive data in the trash. Shred sensitive data when it is no longer needed.

    3. Security

      1. Lock your computer when unattended.

      2. Lock offices, desks, and files that contain sensitive data when unattended.

      3. Eliminate the use of forms that ask for sensitive data whenever possible.

      4. Password-protect all accounts with access to sensitive data.

      5. Do not share passwords and do not document passwords.

    4. Legal Disclosure Requirements

      1. Do not share sensitive data with anyone unless required by law, specific job responsibilities, or business requirements. Be prepared to say “no” when asked to provide that type of information.

      2. Do not communicate sensitive data designated by the Family Educational Rights and Privacy Act (FERPA).

      3. Notify your supervisor immediately if you suspect sensitive data may have been compromised. The Texas Association of School Boards (TASB) will be notified of any situations in which sensitive data is compromised, and apprised of the details of that situation.

  7. Laws and Regulations relating to Sensitive Data

    1. FERPA -- Family Educational Rights and Privacy Act. Limits the disclosure of “education records” defined as those records that are: (a) directly related to a student, and, (b) maintained by or on behalf of the District.

      1. A record is “directly related” to a student if it is “personally identifiable” to the student.

      2. A record is “personally identifiable” to a student if it expressly identifies the student by name, address, birth date, social security number, ID number, or other such common identifier.

      3. Examples of “education records” include registration records, transcripts, papers, exams, individual class schedules, financial aid records, disability accommodation records, individualized education plans, and placement records.

    2. HIPAA -- Health Insurance Portability and Accountability Act. Imposes privacy and security standards addressing the use, disclosure, storage and transfer of “protected health information.”

      1. “Protected health information (PHI)” means “individually identifiable health information,” which is any information that identifies an individual and relates to the individual’s past, present, or future physical or mental health or condition.

      2. Examples of information that should be treated as “protected health information” at the District include employee benefit information, worker’s compensation claim information, student health services information, and student counseling information.

    3. GLB -- Gramm-Leach-Bliley Act. Requires implementation of a written information security program for “customer information.”

      1. “Customer information” means any record containing “nonpublic personal information” handled or maintained by or on behalf of the institution about a customer of that institution.

      2. Examples of “customer information” at the District include financial records of employees, students and/or their parents (such as cashier’s accounts, or information related to financial aid), and donors.

    4. PCI-DSS -- Payment Card Industry Data Security Standards. Requires implementation of security standards surrounding the authorization, processing, storage, and transmission of credit card data. The security standards apply to electronic and paper credit card data. Credit card data is defined as the first six and/or the last four digits of any credit card provided by a customer to conduct business. If all digits of a credit card are used, then name, card expiration date, and source code are considered credit card data and must be protected.

    5. Texas Identity Theft Enforcement and Protection Act. Requires implementation and maintenance of reasonable procedures to protect information collected or maintained in the regular course of business from unlawful use or disclosure, including personal identifying information and sensitive personal information.


IV. Disciplinary Action

Violation of this policy may result in disciplinary action, up to and including termination of employment pursuant to the District’s Employee Handbook and Responsible Use Agreement.


V. Review and Responsibilities


Responsible Party:


Review: Every 2 years, on or before September 1


VI. Approval


_________________________________________________

Superintendent of Schools


_________________________________________________

Effective Date

Adapted from the Texas Southern University Personally Identifiable Information Policy 04.06.28. Available online at http://tinyurl.com/qyb3xww 10/15/2015