Privacy Best Practices

When developing a data privacy program, a few steps will help the setup run smoothly. Consider why your organization needs a program, what it should include, and how to go about creating one.

The U.S. Department of Education established the Privacy Technical Assistance Center (PTAC) as a one-stop resource to learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems and other uses of student data. PTAC provides timely information and updated guidance through a variety of resources, including training materials and opportunities to receive direct assistance with privacy, security, and confidentiality of student data systems. More PTAC information is available at http://studentprivacy.ed.gov.

PTAC's Checklist for Developing School District Privacy Programs is useful when you are just getting started. It gives a good overview of how to work through the process of setting up a program.

The Data Governance Checklist can assist your organization with establishing and maintaining a successful data governance program to help ensure the individual privacy and confidentiality of records.

Use the steps below to implement your privacy program!

Step One: Policies for Users of Student Data Checklist

The Policies for Users of Student Data Checklist aims to assist schools and districts in crafting data use policies to ensure appropriate protection of students’ data. While it is not mandatory to develop a data use policy, the U.S. Department of Education recommends doing so as a best practice.

Step Two: Inventory Worksheet

Collecting key information about instructional and administrative systems in one place enables a systems overview that can serve as the starting point for data mapping and consolidation discussions. The worksheet should include the vendor, their contact information, including login information, their security protocols, the data classification of the information within that system, and who in your district is the key contact. It should also include links or information about defined protocols, incident response plans and end-user training.

We have created a template for our members that includes a list of data software systems that include operations, personnel data, learning resources and applications with student-specific data. Download that template here.

Step Three: Data Classification Guide

To help you make informed decisions about managing sensitive data in your organization, we have created this Data Classification Guide. Download it and use it as a reference when determining which software and systems have access to various data, as well as the consequences of improper use or sharing of that information. Here you will find sample security controls as well as a framework for who should have access to data at various levels of sensitivity.

Step Four: Mapping Data Flows Checklist

The Mapping Data Flows Checklist is intended to help create visual “maps” of how your data flows within your systems. Including maps in data governance plans can help you better understand what data is in your systems, where the data resides, what sources provide the information, why those data points are collected, what limitations or restrictions apply, how the data is linked, and what policy questions that data is used to answer.

Step Five: Data Destruction Document

The Data Destruction Document is a best practices guide on properly destroying sensitive data after it is no longer needed. It details the life cycle of data and discusses various legal requirements relating to the destruction of data under FERPA, while examining a variety of methods for properly destroying data. The guide also provides some real-world examples of how to implement data destruction within your organization.