Part C and Part B 619 programs collect and maintain large amounts of data, including personally identifiable information (PII), on the children and families they serve. To protect and safeguard Part C and Part B 619 PII and other important data, programs should develop and implement policies that address how these data are secured (i.e., making sure that data are protected from unauthorized access) and who may access the data. Securing data and limiting access guard data from loss, corruption, breach, and other compromises such as unintended access.
Data Security: Data security refers to protective digital privacy measures that are applied to prevent unauthorized access to computers, databases, and websites. Data security also protects data from corruption. Data security is the main priority for organizations of every size and type.
Access: Access, in the context of security, is the privilege or assigned permission to use computer data or resources in some manner. Access may restrict the use and distribution of Information*, settings, and the general use of a data system.
Policies supporting data security outline the purpose and requirements of data protection and the roles and responsibilities needed to maintain secure Part C and Part B 619 data. Data security encompasses the technical processes and actions associated with preserving data existence and integrity.
Policies supporting data access establish processes for managing access to Part C and Part B 619 data. These are the technical approaches to limiting data access, including differentiated access, to all those with a legitimate need for the data—in some cases other data systems—based on agency, role, established agreements, and the like. Policies should describe procedures in detail and, where applicable, refer to federal and state laws and regulations.
Whether Part C and Part B 619 programs are considering developing new data security and access policies or are revisiting existing policies, it is important to review relevant federal and state agency regulations related to data security and access.
Part C and Part B 619 programs operate within the state agency in which they are housed. Thus, the structure and content of any data governance already within an agency is of particular importance. Before developing a data security and access policy, Part C and Part B 619 programs should review any policies regarding data security and access developed by the agency in which their program resides. Existing policies might need to be updated with specific references or provisions related to Part C or Part B 619, in which case the considerations and the template below may be helpful in proposing language for this purpose.
Where no policy on data security and access exist or a separate policy related to Part C or Part B 619 is needed, the template following the Considerations section is fully editable and prepopulated with language to expedite writing new data security and access policies.
Use the questions below to discuss, consider, and develop a comprehensive data security and access policy. Where appropriate, procedures and operational manuals that detail specific actions supporting implementation of this policy should be created.
1. Data Security and Access Policy: General Provisions
- What federal laws/regulations (e.g., IDEA/FERPA) related to data security and access apply to the Part C or Part B 619 program?
- Are there additional state agency policies related to security and data access that apply to your Part C or Part B 619 program? If yes, what are they?
- What specific Part C or Part B 619 data security and access policies or procedures, if any, exist and apply?
- What established data sharing agreements, if any, pertain to support data access and data security?
- Which participating agencies, if any, will be required to follow this policy and under what mechanisms (e.g., contracts, subgrants, or interagency agreements)?
- Which role, within what agency/program should be contacted with questions about this policy?
- Which role, within what agency/program is responsible for ensuring adherence to this policy?
- Which role, within what agency/program is responsible for monitoring adherence to this policy, and how will the monitoring be conducted?
- Which role, within what agency/program is responsible for managing the implementation of this policy including provision of training and technical assistance?
- What consequences, if any, will apply when this policy is not followed?
- How often will this policy be reviewed for necessary revisions?
- How will the public be informed about this policy? Where will it be posted on the state’s website?
2. Data Security and Access Policy: Security
- What technical security measures (e.g., firewalls, secure laptops, password, management, etc.) will be used to secure the Part C or Part B 619 data?
- What nontechnical security measures will be used to increase data security? For example:
- Data access and sharing restrictions
- Regular staff trainings
- Ensuring correct access and administrative rights are granted for staff and authorized data users
- Under what circumstances should a security assessment or audit be conducted and security risks be evaluated? Which role, within what agency/program conducts the security assessment?
- How does the organization maintain inventory of all computer equipment, software, and data files associated with Part C or Part B 619 data? Where is this located?
- Have data records been classified in accordance with the level of risk for disclosure of PII?
3. Data Security and Access Policy: Access
- How are users approved for and assigned access? How and when is this access terminated?
- What methods are used to restrict authorized users’ access to the minimum amount of data needed to complete their job duties?
- Which role, within what agency/program is responsible for maintaining system access controls in coordination with the IT team?
- What privacy, confidentiality, and data protection trainings exist for individuals with access to data?
- What policies are in place to guide decisions about data exchanges and reporting, including sharing data (either in the form of individual records containing PII or as de-identified aggregate reports) with educational institutions, researchers, policymakers, parents, third-party contractors, and the like?
- What sharing agreements or other appropriate procedures are in place to ensure that protected data are guarded from unauthorized disclosure, once the users are provided access?
- Where are the records maintained that document the access and denial requests for data? Which role, within what agency/program oversees the maintenance of these records?
When analyzing the privacy and confidentiality requirements for children with disabilities, it is critical to begin by examining the IDEA requirements first. If you or members of your staff have questions, please contact your State Lead in OSERS Office of Special Education Program’s (OSEP) Monitoring and State Improvement Planning Division.
Data Security and Access Policy Template
Use, and modify as needed, the template linked below for developing a data security and access policy. Select the highlighted text and replace with your state/program information. We recommend that you consult with relevant staff and stakeholders when developing these policies. Upon completing the template, be sure to follow your state’s processes for finalizing and enacting policy.