The state Department of Education will stop collecting students’ Social Security numbers except when it has to have them, after a state auditor’s review.
State Auditor Nicole Galloway looked at the Department’s handling of its Student Information System. That system collects information from school districts for the administration of state and federal programs for students and for providing the public with feedback on district and charter school performance.
The audit found the Department unnecessarily collected and kept personal information from students, including Social Security numbers.
“What we’re saying is, collect it at the time you need it, and then don’t collect it again, don’t type it in the system again, don’t type it in a spreadsheet and upload it to DESE’s system again,” said Galloway. “Only do it when you need to because every time you do it, it creates an opportunity for it to fall into the wrong hands.”
Galloway said the Department has agreed to collect only “absolutely necessary” information, destroy unneeded sensitive data from its systems, and to maintain the information it does need safely and securely.
It has also agreed to create policies for dealing with data breaches and to update its policy for recovering from one.
Galloway said DESE does not have a comprehensive data breach policy that would allow “a quick and effective response when a data breach occurs.” She said the Department’s plan for recovery after a breach has not been updated since 2004.
The audit also recommends that DESE end the sharing of user names and passwords among personnel. Such sharing makes it difficult or impossible to identify who is responsible for unauthorized or inappropriate changes.
Galloway says the Department should be implementing changes in practice now.
“DESE has been cooperative throughout the audit process. They started making changes immediately when we brought them to their attention,” said Galloway.
In a statement, the Department said it will remove optional Social Security numbers in Student Information System data collection by June 30, 2016.
“Department staff agrees that this is no longer a necessary collection field as it was historically collected for determining A+ scholarship eligibility, but that responsibility now falls within the Department of Higher Education,” the statement reads. “However, the auditor acknowledged the need for SSN in certain records ‘because of the importance of using the data when linkages are needed to other record systems, such as across education levels within a state.’”
DESE said it will also conduct periodic reviews to ensure that any personally identifiable information collected is necessary. It agreed with the auditor’s recommendations and says it has already implemented or is implementing changes.
The overall rating of the Department’s management of the Student Information System was “Good.” The audit found no deficiencies in internal controls and no significant noncompliance with legal provisions.
Galloway’s office recently launched a review of five school districts’ cyber security status, and says those reviews are ongoing with more to start once those are finished.