Maintaining Security of Personnel and Student Records

Did you receive the latest Cyber Alert from the Texas Education Agency regarding the popular Kaspersky antivirus software?  If not, it can be located at the link below. But the alert does raise the importance of keeping the information of your students and staff safe.  In fact, as an educational entity, the security of obtained information regarding your staff and students is a legal requirement.  But maintaining such security is not always easy.

  • In California, on October 6, 2017, the Palo Alto High School student information system was breached resulting in a faux website being created and allowing students to see class ranking, GPA, and student identification numbers.
  • On October 4, 2017, the Secret Service and Georgia Bureau of Investigation announced an investigation into a phishing scam that potentially affected over 6,000 of its employees and the theft of over $56,000 in staff salaries.
  • The Texas Association of School Boards announced that on May 22, 2017, some its data was left unsecured and open on the internet. Potentially breached data included the names and social security numbers of several Texas education agency and school district employees.

Knowing the risks, it is important for your charter to take appropriate steps in securing received data.

Legal Requirements

To put it mildly, Texas and Federal Law are relatively straightforward regarding the security of records maintained by government entities:

  • According to §521.052 of the Business Commerce Code, a business has the duty to protect sensitive personal information.
  • Business Commerce Code §521.053 outlines the expectations of a business if a breach of security compromises the records maintained by the organization.
  • The Student Attendance Accounting Handbook 2.2.3 outlines the security requirements of an LEA’s Student Information System including a short timeout period, logging of teacher access, and distinctly secret passwords.
  • FERPA, or the Family Educational Rights and Privacy Act, provide additional protections to parents regarding their children’s education records.
  • Texas Government Code §552.352, a district cannot allow others who do not have educational or professional authorization to view private records nor disclose information within private records to individuals who do not have educational or professional authorization.

Maintaining Security

The possibility of a security breech and the potential of inadvertently releasing the records of either your students or staff is anyone’s nightmare.  And though no guarantee can be made, there are a few points to remember to maintain your charters security and peace of mind.

  • Be sure that records are separated by individual responsibilities.Student Cumulative folders are to be maintained separately from human resource files and some special programs.
  • Personnel who oversee records should be provided a secure place to work with records.PEIMS Coordinators, HR Directors, Payroll Clerks, and other similar roles should not be required to complete tasks where folders can easily be viewed by passing individuals.
  • Not only should filing cabinets be kept locked when the individual responsible is away from the office, but office doors should also lock with limited access.
  • Provide security training to your staff.Teachers should only discuss student progress with faculty who have an educational need regarding the student.Such conversations should never occur in the hallway, teacher’s lounge, or other public locations.
  • All student records transferred between Texas public schools MUST be completed using the Texas Record Exchange System (TREx).Utilization of the TREx system is required by Texas Education Code 7.010.
  • Campus and District administration must exercise caution regarding information shared about other faculty members. Administrators should also be trained regarding personnel folders, open record request requirements, and how to maintain records to prevent the inadvertent release of private information.
  • If operating an online record storage system, be sure that the chosen system aligns with FERPA guidelines.Also, be sure that the system limits an individual’s access based on responsibility and educational need.
  • Evaluate your WIFI and internet access.Ensure that password protection is utilized and that firewalls maintain the security of data shared within your network.
  • Refrain from using any unsecured method of communicating sensitive information.This especially holds true for email.As best practice, use some form of encryption software that prevents data from being intercepted between parties.

Additional Resources

The Texas Education Agency has additional resources online to assist schools evaluating their online security.  A link to those resources are located below or you can click here.  If you have additional questions, please contact us at 682-841-1183 and we will help you get the answers you need to ensure a safe environment for your students and staff.

To learn more regarding the referenced information, please use the links below:

Cyber Alert: DHS Issues Binding Operational Directive on Kaspersky Products

Data breach exposes hundreds of Palo Alto High records

Atlanta schools says confidential data for all employees ‘potentially exposed’

Security breach exposes school district employee data

Internet Safety: Security

Share this Post