Managing your piece of the Pii


This is the next in a series of monthly articles about digital records management from Digital Records Supervisor David LaGarde.

Personally Identifiable Information (Pii) (2 CFR 200.79) is an integral part of all business operations, especially in public schools, whose records incorporate student files, financial documents, transportation records, health records and more.

Information that would disclose the personal identity of an individual to whom the information applies, or that could be reasonably inferred by either direct or indirect means, falls under the scope of (Pii).

Records containing (Pii) are generated every day during the normal course of business in the district through paper and electronic records. Desktop files, emails, Skyward, Alchemy, TreeNo and dozens of other programs and applications are all mediums used to generate and house data that must be managed and stored on a routine daily basis.

What constitutes Personally Identifiable Information?

Pii is defined as information:

(a) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or

(b) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator and other descriptors).

Additionally, information that would permit the physical or online contact of a specific individual is the same as personally identifiable information (Pii). This information can be maintained in paper, electronic or other media.

School employees who come in contact with data containing (Pii) are considered stewards of these records when conducting school business. It is the collective responsibility of all school employees to protect data that may contain sensitive information during the course of conducting school business or activities, whether it be in paper, electronic or other district-provided technology mediums. The important factor to remember with all data is that only individuals who have a “need to know” in the capacity of their official duties should have access to sensitive student or employee information not subject to The Washington State Public Records Act or other laws governing the disclosure of Public Information.

Consequences of inappropriate access or sharing of Pii

The loss of (Pii) can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. Because regular school employees and contracted staff may have access to personally identifiable information concerning individuals and other sensitive data, we have a responsibility to protect that information from loss and misuse. There have been an increasing number of lawsuits over data breaches and sharing of (Pii) in recent years. Interestingly enough, the legal landscape has focused on organizations keeping too much data, which can lead to greater opportunities for records to be compromised.

Best Practices:

5 ways to protect (Pii) in daily records management

1. Simply take inventory

Identify the documents that you create in your daily workflow that contain Pii (these can be paper or electronic). Know what records are housed in other systems or locations and avoid reproducing paper copies if you can manage your work electronically. Printing out documents creates additional opportunities to open the door to improper disclosure issues and also creates additional storage concerns in determining how a paper copy is to be managed and whether it must be saved or archived.

2. Downsize

Let’s face it. Paper costs a lot to purchase, as do the processes to copy, store and dispose of it. Paperwork is slowly becoming obsolete. Keeping too many records poses a higher risk of a data breach and can complicate the process of retrieval when records are needed.

Knowing the records retention policies for your assigned workflow, and getting yourself in the habit of managing only those documents you need to keep, is part of a “Best Practice” daily task management philosophy. Identifying documents that you can easily manage and file electronically, as opposed to printing out, scanning and resaving, will greatly reduce unnecessary paperwork and your need to manage it a second or subsequent time. The fewer times a document is handled, the less opportunity for improper disclosure of (Pii). A good place to start is to ask yourself, “Is there a value in printing this document?”

3. Protect

Take precautions to secure paper and electronic records containing Pii by restricting access. When you leave your work area, be sure to lock your computer and close files in use. Manage your emails to delete those without a direct business relevance. Create folders to sort and store emails and documents for business reference, and learn to redact information when forwarding items to other parties where sensitive information is not pertinent. Keep sensitive information that is waiting for shredding locked up so it is not left out for others to see. Shred bins should not be left open or be kept in areas where sensitive information can readily be accessed.

4. Don’t hoard

Learn to save your records to labeled folders on your computer and move them routinely to archival records as you create them, or get in the habit of filing records electronically during your processes. Regularly process paper documents that need to be shredded according to established OSD procedures. This is done by shredding documents if they contain any (Pii), or recycling or discarding them if there is no (Pii). This can be done on your own terms but should be routinely managed to avoid accumulating records under your desk for shredding.

5. Map your files

Are you prepared to reproduce a document if needed? The reality is that nearly 90% of stored records are never referenced again once they are filed. However, the 10% that are needed should be readily accessible. If you have a sound records management procedure and workflow in place, this should never be an issue. Consistency and continuity are key, and knowing what gets saved, where it should be filed, and how to properly label the file for search and retrieval are all essential.

If you have questions about Pii (Personally Identifiable Information) in regard to student records, please contact Chief Information Officer, Marc Elliott, at Ext. 6172.

For additional information on records management, please contact Digital Records Supervisor David LaGarde at help-records@osd.wednet.edu.

New records management supervisor launches first monthly blog post

This is the first in a series of monthly articles planned by new OSD Records Management Supervisor David LaGarde. David can be reached at Ext. 8570 or dlagarde@osd.wednet.edu. Welcome David!

MISSed Information Tip

What is FERPA?

Family Educational Rights to Privacy Act

FERPA is a Federal law that is administered by the Family Policy Compliance Office (Office) in the U.S. Department of Education (Department). 20 U.S.C. § 1232g; 34 CFR Part 99.

FERPA applies to all educational agencies and institutions (e.g., schools) that receive funding under any program administered by the U.S. Department of Education.

Parochial and private schools at the elementary and secondary levels generally do not receive such funding and are, therefore, not subject to FERPA. Private postsecondary schools, however, generally do receive such funding and are subject to FERPA. Additionally, general information that a school official obtains through personal knowledge or observation, or heard orally from others, is not protected under FERPA. Olympia School District receives federal funding, and all grades and schools in our district are subject to FERPA.

FERPA is intended to protect a student’s right to privacy with regard to personally identifiable information (Pii) contained within educational records. Such records may not be released without student or parent/legal guardian consent when a student is under 18 years of age. Such records include but are not limited to grades, transcripts, class lists, student schedules, health records, and student discipline records.

School employees usually have the best intentions when it comes to protecting student information. There are occasions when violations occur without the employee knowing that they did anything wrong. Restricted information such as grades, GPA, or personally identifiable information (Pii) such as Social Security numbers should never be sent through email. Take care not to forward or reply to emails which are sent to you containing sensitive data without removing such data prior to transmission. Here is one such example:

Example: Group email from teachers to multiple students

The Blind Carbon Copy (BCC) feature is a frequently misunderstood and often misused function of an email system.

BCC sends a single email to a group without the recipient email addresses being visible. It is easy to forget to use the BCC field or to misuse this technology, which can quickly lead to a teacher or school employee inadvertently sharing protected information among multiple students.

For example, there could be a case in which a teacher sends an email to students who are in danger of failing the class. For ease of distribution, the teacher creates one email and sends it to a list of students who are failing. Without realizing it, the teacher has disclosed the list of failing students to everyone on the list by using Carbon Copy (CC). If the teacher used the BCC feature, the students would never know who else received the email. This is a simple error, but would be a violation under FERPA.

Note: If staff have questions about FERPA Personally Identifiable Information in regard to student records, please contact Chief Information Officer Marc Elliott at Ext. 6172 or melliott@osd.wednet.edu.