GLOVERSVILLE — The Gloversville Enlarged School District is reviewing the accessibility of students’ personal information and implementing measures to secure transmissions of the sensitive data in accordance with a recent education law amendment.
Lauri Kent, the district’s director of elementary curriculum and instruction, in a report to the Board of Education on Monday discussed ongoing efforts to respond to an amendment to Education Law Section 2-D adopted by the state Board of Regents on Jan. 13 aimed at strengthening data privacy and security at educational agencies to protect personally identifiable information.
The amendment clarifies requirements of data security and privacy plans, what should be included in annual data privacy and security awareness training and restrictions on the use or disclosure of personally identifiable information. It also requires educational agencies to verify that only authorized individuals inspect and review student data.
Educational agencies have until July 1 to adopt and publish data security and privacy policies in compliance with the amendment.
Additionally, each educational agency must designate a data protection officer to be responsible for implementing the policies and procedures of the amended law and to serve as the agency’s point of contact for data security and privacy.
Kent was named the school district’s data protection officer and has been working closely with the district’s director of information technology William Cooper to review access to students’ personal information in consultation with the Northeastern Regional Information Center.
Superintendent David Halloran thanked Kent for taking on the position that is outside of her normal scope of expertise.
“NERIC actually recommends a person like her, as opposed to a person like Bill Cooper,” Halloran noted. “Bill works obviously hand-in-hand with Lauri on that, but to have an administrator who is not necessarily completely familiar with all aspects of our technology infrastructure is good, because now somebody can ask questions; why do we do this, what’s this for?”
Kent reported that NERIC is currently auditing access by district staff members to various pieces of personal information and whether access is required by those individuals. Access will be rescinded if it is found to be unnecessary.
“It’s a long process, it’s a lot of information, you have to see how all of the systems in the whole district are connected and what program is sharing information with which programs and that all has to be mapped out and then we have to have a plan,” Kent explained.
Additionally, Kent reported that in response to requirements that personal information be protected during transmission, the district has purchased a program to encrypt emails containing sensitive information called Serv-U. District officials are currently determining where access to the program will be required and training staff members who will use the program.
Kent pointed to instances of district staff members being contacted by colleges seeking student transcripts via email as an example of information that will now require encryption before transmission. She noted that discussion among state officials surrounding the amendment implementing and updating policies around personal information data security was centered primarily around minors who had their identities stolen without their knowledge.
Board of Education member Vincent Salvione reacted with surprise upon learning that school districts were not previously required to encrypt emails containing personal information.
Halloran noted that data protection processes were already in place for the district’s student management systems, highlighting requirements of the amended law as providing protection over seemingly innocuous personal information such as full names, dates of birth and addresses.
“When a teacher sees a cool app that they could use in their classroom and they sign up and go here is a list of my students … they don’t realize that there’s sensitive personal information going through with that,” said Halloran.
Now, Kent said, all of the programs used throughout the entire district will be reviewed to determine where students’ names are stored.
Salvione voiced support for stepping up efforts within the district to protect students’ personal information. Kent noted that district policy updates associated with the amended law will be brought before the Board of Education in the future.