Authors: Denise Mauzy and Bruce Bull, DaSy
You have heard it before: Formal data governance is important. It establishes responsibility for Part C and/or Part B 619 data, enables program staff to improve the effectiveness of data processes, and supports greater use of data through the systematic creation and enforcement of data policies, roles, responsibilities, and procedures. Good data governance policies and procedures address key areas (e.g. data quality, data security, intended uses of data). These policies and procedures need to be formalized—written—and communicated to appropriate stakeholders.
You might be thinking that’s all good, but you are busy and it feels like more paperwork. You might be wondering whether data governance is really that essential. The answer is yes—formal data governance policies are a must-have. Data governance policies are essential because they (1) provide guidance to team members and (2) support agency and program risk management efforts.
Let’s consider two possible scenarios and then review how data governance policies enable effective responses.
|Diane, a Part C coordinator, received a call from a parent who was adamant about having her child’s initial evaluation deleted from the data system. Although the child was evaluated and found eligible for services, the family declined Part C services and sought services privately. The child’s mother does not want any record of the evaluation in her child’s education record. Diane wants to honor this parent’s request but is not sure if it is appropriate to delete the record or if she has the authority or access to delete a record from the state data system.|
This scenario is about data retention and destruction. A data retention/destruction policy would provide clarity about whether Diane can comply with the parent’s request and the process for responding, and it would provide consistency for those in the agency (current and future) in handling such a request. The absence of this policy would create risks regardless of which action Diane chose to take. If Diane deleted the record, it could negatively impact reporting processes or administrative functions. If Diane declined the request without proper authorization, the program and Diane might end up responding to a complaint by the parent.
Let’s look at another potential scenario, this one concerning a data breach.
|Jana received notification that training materials posted on an unsecure web page included identifiable progress information about actual children. Jana’s boss, the state special education director, has called a meeting in an hour and Jana is expected to present 619 data policies and a possible mitigation strategy for the situation. Jana is concerned because there are no policies that address this situation.|
Data breaches are significant risks for programs given that they have potential legal and financial implications. Handling a data breach can be very stressful for team members. The team will need to explore how the breach occurred as well as take the next steps for addressing it. Without policies, Jana will be in the hot seat to provide these answers and next steps. Of course, even with formal data governance policies, data breaches can happen. While a data breach response policy will not prevent the breach, it can increase awareness about potential data breaches, provide clear guidance on how to proceed, and help minimize the potential impact of the breach.
We hope these scenarios illustrate that data governance policies are a must-have. Are you ready to get started? First, you need to explore what data governance structure, policies, and procedures your state agency may have in place already. The DaSy Data Governance Toolkit contains information, guidance, and templates to assist Part C and Part B 619 program staff with creating or enhancing their formal data governance policies and procedures. The toolkit supports policy development in the following areas:
- Purpose, Structure, and Process
- Data Breach Response
- Data Quality
- Data Security and Access
- Data Systems Changes
- Public Reporting
- Electronic Communications
- Data Requests
- Data Retention/Destruction
- Data Partnerships