Data Access and Data Sharing KDE Employee Training Data Security Video Series 2 of 3 October 2014
Most KDE employees have access to some confidential data. Can include: Personnel data – even its just your own. Student Information School/district – personnel information Financial Information Confidential documents (ex: draft RFPs, legal documents, etc.) Other --- may be subject to open records but not necessarily something that needs to be readily available. Who has access to confidential data?
Access to PII must be approved by Manager, Director, Associate – depending on level of access. “NEED TO KNOW” All employees sign Affidavit of Non-Disclosure as part of their Human Resource paperwork. Agree to: Not permit access to confidential data to unauthorized persons Maintain confidentiality of data Not reveal information for purposes other than statistical purposes authorized by KDE. Report any instances of missing data, data inappropriately used, or taken off-site. Especially keep this last part in mind if you have virtual work agreement. Personally Identifiable Data (PII)
Affidavit of Non-Disclosure also indicates employee understands that: Unauthorized disclosure of confidential information is governed by FERPA and penalty for unlawful disclosure can result in fine and imprisonment. Personal characteristics that could lead to membership in a group such as ethnicity or program area, are protected. Data sets or output reports generated using confidential data are to be protected and not distributed to unauthorized parties. Responsible for access using user id/password – DON’T SHARE. Personally Identifiable Data (PII) Affidavit of Non-Disclosure to become annual requirement for those with system access.
Keep user ID and password secure. Create strong password. Don’t leave computer on and accessible when away. Use VPN when wireless connection is unsecured. Don’t print reports with PII unless absolutely necessary. Shred documents that include PII when finished. Periodically reviewed saved files to purge those no longer needed. Access of PII
Do not include PII in s: If PII received in remove it before responding; delete original . Use SSID without other identifiable information. If PII must be shared, data must be encrypted. Request a secure account. KDE uses through MOVE ITMOVE IT Ensure documents created do not include identifiable data on screen shots. (examples: PowerPoint presentations, training documents) Remove identifiable information or create dummy records that are clearly not real people. Verify documents you receive don’t include PII before forwarding/sharing. Using PII
Storing PII Personally identifiable data should not be saved on SharePoint, One-Drive, local hard drives, flash/thumb/jump drives or other external portable storage devices. Access limited to those with “Need to Know”. Analyze needs for storage of PII and request access to FILP1 for storing data. Work through data governance member to communicate Office needs for data storage. Clean out old files to ensure PII is not being stored inappropriately.
Requests for PII must go through Enterprise Data. On-line data request form on KDE website – access through the Researchers link. Enterprise data responsible for ensuring Release allowable under FERPA exceptions Memorandum of Understanding in place before any data is shared. Data is shared securely. Record of data release is maintained. Contracts that necessitate release of data require same provisions. PII Requests
Avoid sharing PII if at all possible; Discourage districts from sharing PII. When necessary, share only through secure (MoveIt) or Secure FTP. Store data securely Password protect files Store on FILP1 – not on hard drive, external devices, One-Drive or SharePoint. Redact or suppress aggregate level files. Purge old files or documents that contain PII. Contact Office Data Policy Member for guidance on best practices or Enterprise Data division. PII Best Practices