Data Governance
There have been 1,619 publicly reported incidents of cyber-attacks in schools within the US from 2016 to 2024 according to The K – 12 Cybersecurity Resource Center. Because of this, it is important for school districts to have strong plans in place for data governance, data security and data privacy.
Data governance refers to the overall management of data including; availability, usability, integrity, quality and security. Aligning policies, procedures, responsibilities and controls for each step of the data lifecycle ensures that student data is collected and used in ways that protects students and their family’s rights to privacy, security and timely and accurate data.
All school districts should have in place a data governance program that encompasses the following:
- Privacy Policies with adherence to legal and ethical requirements for protecting student data
- Define the data to be protected (PII or sensitive)
- Develop policies for acceptable use of the data
- Identify authorized users of the data
- Procedures to protect data released in public reports
- Process for destroying data no longer needed
- Security policies and procedures focused on technical aspects of protecting data
- Protecting data within technology infrastructure
- Protecting data within user applications and tools
All privacy and security programs should address the phases of the information life cycle.
DEFINE – Identify and define data elements needed to comply with reporting requirements, inform decision-making and business processes. Only data needed for a legitimate purpose should be collected.
COLLECT – Some data will only need to be collected once and will remain constant over time. Examples are student name and birth date. Other data will be collected on a recurring basis. Examples are testing data and course enrollments.
STORE AND PROTECT – Some data will be saved in the statewide longitudinal system other data will be saved within the district’s data system or both. No matter where the data is stored the agency housing the data is responsible for the security of that data. Protecting data at any level should include both privacy and security considerations including defining user roles and access rights.
USE – Most important part of the lifecycle. Effective systems facilitate the use of the data to support the district’s work and the students’ educational outcomes. Authorized users will need a variety of tools to access and analyze data.
SHARE – Policies should be in place to guide how, when, under what circumstances and with whom the data will be shared while adhering to privacy laws and regulations.
RETIRE – Timelines for when data should be destroyed or moved into archives for future use (like transcripts).
DATA GOVERNANCE COMMITTEES
At the district level, data governance is typically focused on student K – 12 data. Many districts also share this data among non-profits and other local area community resources, for these districts having a cross-agency data governance structure can be helpful. Whether the data governance is only done within the district or done in a cross-agency structure, a data governance structure should incorporate various levels of responsibility and decision-making. Here is an example is a model for data governance with 4 levels of responsibility.
- Level 1 – A district’s IT department is responsible for the infrastructure and manages the data within the data system. This department also usually manages the technical security of the data.
- Level 2 – Data managers representing a variety of program areas meet regularly and discuss data needs and usage. Ideal participants of this group would represent programs like Assessment, Special Education, Career and Technical Education, Migrant Education and other district chosen programs based on community make-up. In addition, to these participants, several district support staff that maintain or collect student data should be included and can provide greater perspective around the data.
- Level 3 – A lead group of data managers should be appointed to coordinate activities among the data managers, IT staff and other stakeholders. This work should be communicated regularly with district leaders and school building leaders.
- Level 4 – A data policy committee should be put in place to set policies for federal and state legal directives and state and local board policies. A district should consider including local board members and legal counsel or legal advisor, and senior-level administrative staff to this committee. If the district is using the cross-agency structure then community representatives should also be included.
Another way to structure a data governance committee is to identify focus areas of responsibility within a committee. In this model, the data governance committee is responsible for the assignment of roles and responsibilities related to a focus area and ensure all four responsibility levels mentioned above for their focus area.
- Data Inventory – This work entails keeping a complete inventory of all data collected, all data systems for storage and processing data and identifies targeted security and privacy management policies in an effort to protect that student data.
- Data Quality – This work entails providing strategies for preventing, reviewing, detecting and correcting errors within the data system. In addition, they should identify misuse of reported data or apparent breaches of data to unauthorized personnel.
- Data Use and Access – This work entails specifying approved uses of data and identifying authorized users of specific data.
- Data sharing and reporting – this work entails being sure data that is shared complies with federal, state and local laws. Also making sure any data that is shared adheres to policies and regulations, this includes protecting direct and indirect PII in agency shared reports and public reports. This work should also include procedures for regular stakeholder notification about their rights under federal, state and local law.
- Data security and risk management – Creating procedures that will ensure the security of PII and sensitive data by protecting against the risk of unauthorized disclosure should also be a component of the data governance program.
NOTE – Electronic data is often the focus of data governance programs but, paper records must also be protected from misuse and unauthorized access. Paper records can also only be shared according to federal, state and local policies. Paper records should always be stored securely and disposed of properly when no longer needed according to the district’s records retention policy.