Written by Debbie Karcher
The previous article (Three C’s of Cybersecurity) discussed creating a cybersecurity plan and the importance of having one in place. Many different terms were mentioned that are sometimes used interchangeably. This article will demonstrate the differences, drivers, and dependencies between Data Privacy, Data Security, Data Governance, Data Ownership, Policies and Procedures. It will discuss how new and changes to existing data privacy laws drives the need for data governance resulting in a data review cycle that will create changes to your cybersecurity plan. The following is an overview of each of the terms.
Data privacy laws, in K-12 school districts, started with The Family Educational Rights and Privacy Act (FERPA) which was established in 1974 giving parents the right to student records and allowing parents the decision to provide student information to different agencies. The Children’s Online Privacy Protection Act (COPPA) established in 1998 guides the collection of students’ personally identifiable information by operators of websites and online services. The Health Insurance Portability and Accountability Act (HIPPA) was originally intended to combat waste and fraud in the health industry but has been extended to include the protection of medical records. There are also state and local data retention, distribution and privacy laws.
All these mandates have resulted in school policies regarding data protection and distribution. Personally Identifiable information (PII) is generally defined as information that can be used to trace an individual’s identity. Because students do not use this information until they are much older stealing their information, especially social security numbers, has been on the rise and not caught until much later in a student’s life.
Data Governance is the overall management of data in the organization. It includes, but is not limited, to the availability, usability, integrity, authorized use, and security of data. The Data Governance Framework was established in 2004 and until recently developing a framework has not been a priority for school districts. There is good reason. As in many compliance efforts, establishing a comprehensive data governance framework will take an organizational effort, involving many stakeholders and resources. This is yet another non-academic requirement that districts must address with decreasing budgets and resources. However, because of the data privacy laws mentioned above and cyber threats data governance is no longer a good business practice; but a must. Keeping track of data, its use, distribution, and destruction is essential because of the cyber threats and privacy laws enacted.
Data Ownership is the responsibility and control of information. It allows the owner to access, create, modify and assign access privileges to others. However, school districts may not have true property rights (in the sense that the data can be sold or distributed). For school districts this has more to do with being the custodian or accountable for the data and records use, storage, distribution, and retention. The district will have data creators and data consumers or both. Data governance can help determine the appropriate people and organizational units that should have create and use data.
For the purposes of this article, polices are generally driven by the laws mentioned above. A policy is adopted by the school board or governing committee to implement a plan to comply with government regulations. They include the process for managing the regulation or law within the school district. This can include who can access the data, a description of the data, data retention and disposal. As a result, procedures are developed that specify the steps and rules necessary to enforce the policies within the organization.
Data security refers to the protection of data and applies to the unauthorized use or access to the data. It too can be driven by laws. There are many ways of protecting data. Data security is not only about passwords and encryption technologies. Data security also includes records destruction procedures, data backups, and having alerts in place when there is unauthorized use of data. Data security should drive much of the cybersecurity plan as it is the key to safeguarding students and employees from identify theft, ransomware, and data leakage that could be harmful or embarrassing.
K-12 school districts should begin the steps to implement a Data Governance Framework that includes a continuous review cycle. The governance group can develop and review existing policies and procedures, assign data ownership, define distribution rules, validate data access granularity, data distribution, and determine minimum levels of security that are required in the cyber security plan.
This is an ongoing activity that can require many resources. As there are limited resources the review activities can be triggered based on the following:
- Changes to laws and regulations
- Systems additions, decommissioned systems, or changes to existing systems
- Data ownership changes
- New cyber threats
As the above events occur then those areas impacted in the Governance Framework can be addressed and drive changes to policies, procedures, ownership and security.