School districts manage a great deal of sensitive information and records, including student records and transcripts, personnel records, financial information, administrative and legal records, minutes and various other documents that constitute sensitive records and, in some cases, public records.
Properly supervising and controlling that information begins by securing access to the data through layers designed to protect and safeguard those records.
In order to determine access, a key concept to consider is “need to know.” It is this “need to know” basis that governs access to various records such as legal matters or personnel files. This protocol is used to protect some of the most highly sensitive and confidential records in existence, as used by intelligence agencies and national armed forces as an integral part of their operational security. While administrative rights to the information often carry a greater degree of access than clerical or supervisory rights, it is still important to limit access to those administrators who actually work with the data. Most computer systems permit certain online files and folders to only be accessible to permitted individuals. Such access permissions can be an important element in preserving privacy and confidentiality where necessary.
School districts must provide access to these records in accordance with the Family Educational Rights and Privacy Act (FERPA) and the New Jersey Open Public Records Act (OPRA). FERPA is a complex and technical law that was originally passed in 1974. Primarily, it provides parents and eligible students the right to inspect and correct education records, and to keep those records private. What is commonly referred to as “FERPA” is in actuality both the law found in 20 U.S.C. § 1232g and the regulations promulgated by the U.S. Department of Education and codified at 34 C.F.R. § 99. According to the law, student records are defined as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution.
As stated in the Act, parents have the right to:
- Inspect and review student records maintained by the school
- Request corrections to the records they believe to be inaccurate or misleading
- A formal hearing; and
- Place a statement(s) setting forth their view about the contested information in the records.
Safeguarding Information in Transit
Records containing confidential and sensitive information should be safeguarded while in transit, as onlookers who do not possess the appropriate clearance, or the “need to know,” can often read documents from a desk or inbox. Cover sheets clearly indicating confidentiality can easily be put into practice to alleviate this concern. A statement to the effect of, “The material contained herein is confidential and its use is strictly prohibited beyond the individual provided access” strengthens the overall integrity of the material and places individuals on notice that they are not to view, discuss or disseminate its contents.
It is also useful to include such a security statement on any emails with sensitive attachments or information. I have found that just putting someone on notice that there is private or sensitive information present goes a long way toward maintaining confidentiality by putting the onus on the individual.
Organizations should also take care to educate employees about the importance of respecting information privacy and confidentiality.
Records Management assures the appropriate tracking and storage of records created and maintained by the school district. It provides for the timely destruction of records that have reached their legal retention period and ensures the preservation of records that have been determined to have continuing value. However, many district records management programs lack a detailed reference and retrieval system for servicing the district schools, offices and the general public, which adds time to the retrieval of records.
As a result, districts are beginning to look beyond manual records management systems (file storage) and consider automated document management systems (electronic storage) that provide a districtwide process for inputting records such as scanned images, web forms and electronic documents into a long-term storage collection. These documents are indexed by the end user and are easily retrievable anywhere in the district with the desktop or web client. The capabilities of these new technologies allow for the capture, processing and routing of paper and electronic documents from virtually any source and in any format.
With the emergence of eDiscovery and other issues related to OPRA and statutory compliance, districts may be forced to consider deployment of an automated document management system sooner rather than later. As technology continues to advance the concepts of synergy, document management software (DMS) is evolving to incorporate records management software (RMS), allowing the end user to access and manage documents through an interactive repository within the system. This provides real-time access and editing capabilities based on approved user access.
In the Summit public schools, we have already begun that discussion with our information technology representatives. As in most districts, the vehicle is already in place: the multifunctional product, also known as “the copier.” We, like many organizations, have the capability to scan documents to preserve them electronically.
We do not currently have the back-end software that makes it easy to catalog, track and search these types of digitized records, but we are in discussions about such capabilities.
Technology can make it easier to store and retrieve data; it can also help ensure that only those with a need to know can access the information.