Welcome back to Student Data Privacy Fundamentals. This lesson is about securing data at rest and in transit.
In this video, you'll learn the purpose of securing data at rest and in transit, certain restrictions to that policy, and how to safely store and transmit data in various forms.
All staff and students that log into a district-provided computer will be provided with several options for data storage and transmission. Staff and students will need to ensure that they're securely storing their data. Staff and students will be able to store data on their local device. It's important to know that this data is not part of the district's continuity plan and thus will not be backed up by the district's backup solution.
Confidential and critical information will be saved and maintained in a secure manner using encryption or other password-protected security measures. Likewise, when data is transmitted, the district will use encryption or password-protected security measures.
Cloud storage is a term used to define all types of remote server storage accessed by users through the Internet. You'll want to state whether or not staff and/or students are provided with cloud storage or file sharing capabilities. If so, then you'll say something to the effect of: users are responsible for all digital content on their district-provided cloud storage or file sharing database.
When using cloud storage, users must adhere to the following guidelines. Staff and students may not access cloud storage through third-party applications outside of approved Internet browsers or apps.
Users need to be aware of default sharing settings on folders when they upload files and are required to limit sharing files to an as needed basis.
Staff and students must ensure that any cloud storage providers used are approved by the district and meet district student data and data security standards. For example, lots of school districts now use Google Apps for Education, so Google Drive would be their cloud storage.
And an example of sharing settings on folders would be to only share on an as-needed basis and not share so that anyone within the district can access.
When exiting the district, students should responsibly save their content to their own personal storage solution. Staff should ensure that they're only copying personal content that they created outside of district contract time and district job responsibilities.
Staff are prohibited from copying content that contains confidential information, student records, or district-created curricular or operational documentation, files or data.
Data with personally identifiable information of staff or students may be posted to users' district-provided Google Drive with appropriate security settings. Users may not post this data to other cloud sharing platforms without consent of district administration. However, staff should never post any documents labeled classified, confidential or restricted to any cloud storage accounts without district approval. And all users shall immediately report any cloud storage security problems of the district's technology resources to a teacher or administrator.
Attempting to gain or gaining unauthorized access to cloud storage or the files of another is prohibited. As with other forms of district technology, district employees, students and other users have no expectation of privacy on data stored on district-managed platforms.
File sharing is a term used to define all activities that share access to digital information, whether in the cloud or on district-administered drives. When file sharing, users must adhere to the following guidelines.
Users must abide by all policies and procedures regarding professional conduct and communication when sharing, reviewing, updating, commenting and re-sharing.
When sharing content, users must ensure that other users accessing the information in the files have appropriate access to the information based on job function. For example, do not share confidential information with others that have no approval to access that information in their job role.
All users shall immediately report any inappropriate sharing of the district's technology resources to an administrator.
External storage devices is a term used to define all portable storage devices, including USB drives, rewritable CDs or DVDs, memory cards and external hard drives that may be used by staff and students. While the district recognises the advantages for staff and students to maintain information on these devices, users are strongly encouraged to rely on their district-provided cloud storage account for all storage needs.
When using external storage devices, staff must adhere to the following guidelines. Users are responsible for all content on external storage devices that have been connected to district technology resources.
Users must ensure that they will not introduce harmful software, including computer viruses, malware, non-district-approved software or hacking tools, to district technology resources.
Users must ensure that the data will remain secure through appropriate encryption or password protection when transferring files containing PII or protected information to an external storage device.
Users should only keep the information stored on the external device for the duration of the project and then promptly remove it.
Staff should never transfer any documents labeled classified, confidential or restricted to any external storage device.
Staff should never transfer or create confidential data or student records on personal storage devices.
And when staff leave the district, they must ensure that they delete any district-created or provided curricular or operational documentation, files or data from their personal external storage devices.
Staff are responsible for securing sensitive data for transmission through email or other channels with encryption or a password.
Staff should never include a password in any communication with the actual file attached that is being protected by the password.
Staff should never transmit files labeled classified, confidential or restricted through email or third-party file transfer services without district approval.
And regular transmission of student data to services such as learning management systems is managed by the technology department using a secure data transfer protocol. All such services are approved by district or building administration, along with the Director of Technology.
Quiz time. What type of data can staff members take when they leave the district?
Only data that was created by and is owned by them. And the data that was created during their contract time is owned by the district, as well as any data that contains sensitive or confidential information. In other words, depending on how your organization defines data ownership, this could mean that teachers can't take curriculum or any other lessons or resources that were purchased by the district or created as part of a teacher's district contract or created on a district-owned device.
Wherever possible, district staff should use a confidentiality footer on email communications.
Pause the video and read through the example here. You can adopt this wording for your own policy.
Users of systems that process electronic payments, including but not limited to processing credit card information, must adhere to strict guidelines regarding the protection of payment information and cardholder data.
These users are responsible for adhering to the following requirements and appropriate level of Payment Card Industry, or PCI, compliance when handling such data.
Never store cardholder data on district systems or in written form. All cardholder data may only be entered in secure payment systems approved by the district. Any cardholder data collected in written form must be shredded immediately after entry into approved system.
When using a system that processes electronic payments, users should adhere to the following requirements. All payment information will be stored and processed by a third party accessible through a secure portal. The district will never maintain a data system for payment information.
Never request cardholder information to be transferred via email or any other electronic communication system.
Payment information shall be entered directly into the approved payment system by individual making payment.
If individual is not able to directly input the payment, designated staff may gain verbal approval for the payment process either in person or via phone after identification is verified.
If verbal payment information is received, that information must be entered directly into the payment system and not written down during the process.
If payment information is collected via a physical form, that form must be shredded or payment information redacted immediately upon receipt and entry into payment system.
In today's video, we discussed the purpose of securing data at rest and in transit to better protect all users, certain restrictions to that policy, especially in regards to confidential and critical information, and how to safely store and transmit data in various forms, including cloud storage, file sharing, external storage devices and electronic payments.
In our next lesson, we will outline best practices with physical security controls. See you soon.