Report on Student Data Security in Online Assessment OHIO DEPARTMENT OF EDUCATION DECEMBER 2014



Similar documents
Missouri Student Information System Data Governance

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

Federal Trade Commission Privacy Impact Assessment. Conference Room Scheduling PIA

The Winnipeg Foundation Privacy Policy

BERKELEY COLLEGE DATA SECURITY POLICY

LOUISIANA S PLAN TO PROTECT STUDENT PRIVACY

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Privacy Policy Version 1.0, 1 st of May 2016

WEBSITE PRIVACY POLICY. Last modified 10/20/11

American Institutes for Research Systems Presentation

ENROLLMENT DATA SHARING AGREEMENT Between «Institution» and the Minnesota Office of Higher Education

Contact: Henry Torres, (870)

Frequently Asked Questions: Early Education Student

3Degrees Group, Inc. Privacy Policy

Supplier IT Security Guide

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Guidance for Data Users on the Collection and Use of Personal Data through the Internet 1

EXHIBIT 2. CityBridge Privacy Policy. Effective November 4, 2014

California State University, Sacramento INFORMATION SECURITY PROGRAM

You can view the policy in full, or select a specific privacy topic from the links below.

Spring 2014 Ohio Online Science and Social Studies Field Tests Frequently Asked Questions December 3, 2013

Student Administration and Scheduling System

Texas English Language. Proficiency Assessment System (TELPAS)

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

Bodywhys Privacy Policy

New York State Electronic Signatures and Records Act

PRIVACY POLICY. The effective date of this Privacy Policy is December 15, Last Updated September 29, Overview

Supplier Information Security Addendum for GE Restricted Data

Cloud Computing Policy 1.0 INTRODUCTION 2.0 PURPOSE. Effective Date: July 28, 2015

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Estate Agents Authority

Maximum Global Business Online Privacy Statement

PII Personally Identifiable Information Training and Fraud Prevention

Privacy Impact Assessment Forest Service Computer Base Legacy

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

MIS Privacy Statement. Our Privacy Commitments

Website Privacy Policy Statement York Rd Lutherville, MD We may be reached via at

Department of the Interior Privacy Impact Assessment

tell you about products and services and provide information to our third party marketing partners, subject to this policy;

Federal Trade Commission Privacy Impact Assessment

Federal Trade Commission Privacy Impact Assessment for:

K12 FLORIDA LLC POLICIES AND PROCEDURES RELATED TO PARTICIPATION IN STATE TESTING

PBGC Information Security Policy

Office 365 Data Processing Agreement with Model Clauses

CASE MATTER MANAGEMENT TRACKING SYSTEM

SART Data-Sharing Manual USAID Ed Strategy Goal 1

Mobilebits Inc. Privacy Policy

Test Coordinator s Manual

Pacific Smiles Group Privacy Policy

Online Lead Generation: Data Security Best Practices

NORTH CAROLINA DEPARTMENT OF PUBLIC INSTRUCTION. Division of Data, Research and Federal Policy July 29, 2013

Federal Trade Staffing and Employment Express (FT-SEE) Privacy Impact Assessment. August 2007

PII Compliance Guidelines

K-20 Network Acceptable Use Guidelines/Internet Safety Requirements

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

PTAC Toolkit for LEAs: Staff Policies and Teacher Access March 24, 2014

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Data Management Policies. Sage ERP Online

We use such personal information collected through this Site for the purposes of:

Privacy Policy Last Modified: April 3,

Troy Cablevision, Inc. Subscriber Privacy Policy

Top Ten Technology Risks Facing Colleges and Universities

Data Compliance. And. Your Obligations

Privacy Impact Assessment

Protected Critical Infrastructure Information Management System (PCIIMS) Final Operating Capability (FOC)

Federal Trade Commission Privacy Impact Assessment

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Privacy Policy and Notice of Information Practices

Standard: Information Security Incident Management

Website Privacy Policy Statement

CITY UNIVERSITY OF HONG KONG

HIPAA Privacy & Security White Paper

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

M E M O R A N D U M. Revised Information Technology Security Procedures INFORMATION TECHNOLOGY SECURITY PROCEDURES. I. General

Crew Member Self Defense Training (CMSDT) Program

HIPAA Compliance Guide

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

Privacy Policy. Effective Date: November 20, 2014

Privacy Impact Assessment (PIA)

Department of the Interior Privacy Impact Assessment

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

POLICIES AND REGULATIONS Policy #78

Privacy Impact Assessment for the. E-Verify Self Check. March 4, 2011

Veson Nautical Website Privacy Policy

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

July 2013 Report No

SIMS Version 2.0 Data Standards Handbook for the Massachusetts Student Information Management System Reference Guide Version 3.3.

Federal Trade Commission Privacy Impact Assessment. for the: Secure File Transfer System

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Access Control Policy

Quick Start Guide for Examiners (Oral Tests)

Authorized. User Agreement

Transcription:

Report on Student Data Security in Online Assessment OHIO DEPARTMENT OF EDUCATION DECEMBER 2014 Page 1 Student Data Security in Online Assessment December 2014

PURPOSE OF REPORT This report responds to Not later than December 31, 2014, the Superintendent of Public Instruction shall submit a report of recommendations to the Governor and the General Assembly, in accordance with section 101.68 of the Revised Code, on the security of student data with regard to the administration of online assessments. The Ohio Department of Education defines the scope of this report to be the potential impact of unintentional or unlawful release of personally identifiable student information through online assessments. The scope does not include issues of test security. This is, for the most part, the responsibility of the local school district, which includes issues of archival record retention. Ohio law, as well as current authorization of the federal Elementary and Secondary Education Act, also known as No Child Left Behind, requires academic performance testing of students. INTRODUCTION The focus of this report is on the general assessments for students in grades kindergarten through 12. This assessment includes skills primarily related to English language arts (reading and writing), mathematics, science and social studies. The Ohio Department of Education contracts with assessment vendors to provide a range of services in support of the administration of assessments. This includes, but is not limited to, student registration, assessment login, scoring and reporting (see Appendix A Test Process). The department requires that vendors agree to specific terms and conditions in their contracts for services to ensure the protection of student data and to ensure vendors are following state and federal privacy laws (see Appendix B for Contractual Safeguards). Ohio is transitioning from exclusive administration of assessments via paper and pencil to use of online methods for administration of assessments. The department is committed to ensuring protection of student data through both paper and pencil and online methods of assessment administration. There are three main phases of the operation of Ohio testing programs for both paper-pencil and online methods that involve personally identifiable information at the student level. Those phases are: (1) test registration; (2) test administration; and (3) test reporting (see Appendix A Test Process for additional detail). As required by state law, this report describes each phase in the following sections followed by a concluding section on the recommendations. TEST REGISTRATION Most students are preregistered for testing by the local district. The local district preregisters students by submitting the student s name, statewide student identification number (SSID), the student s date of birth, student demographic data, such as gender and ethnicity, and special student status such as an individualized educational program or migrant status. Students also are associated with a classroom roster during preregistration. The proper assignment of scores to the correct student requires some of these data. Some of these data are necessary for showing the performance of student groupings in required reports. The essence of preregistration is unaffected by whether the student takes an online test or through paper and pencil test booklets. The collection of information is the same by both means. Online assessments do not require districts to submit more student information to the vendor than paper and pencil assessments. Online assessments do not require any additional personally identifiable data than in paper and pencil assessments. Same-day test registration also is possible and can happen, for example, when a student is new to a district. At present, paper test documents require the input of the student s name, date of birth, ethnicity and identifiers for districts and school buildings using machine-scanned bubbles and written answers. Online testing also will support same-day registration. Additionally, the expectation is that online registration will reduce errors, such as those occurring with the submission of answer documents for scoring. The transition from paper and pencil to online assessment does not introduce any additional risk of disclosure of student information. Page 2 Student Data Security in Online Assessment December 2014

TEST ADMINISTRATION Using the paper and pencil forms, district personnel affix a pre-id label to test materials prior to distribution at the testing time. The label includes the student s name, date of birth, ethnicity and gender, as well as a bar code for use by the test vendor. District personnel already have access to this student information, which is necessary to ensure the correct materials are associated with the correct student. This information does not include the SSID of the student or the home address of the student. Online testing also involves a method of identifying the student at the computer terminal through the use of the SSID. District personnel will need to distribute passwords for each student to log in and test. Using the paper and pencil method, schools collect, pack and ship the student answer documents to the test vendor for processing. As previously described, there is limited personally identifiable information on the ID label or on the bubble section used for same-day registration. Schools have, for the most part, been reliable at returning answer documents because Ohio school accountability measures reward evidence that the student has tested. Online testing will make submittal of student responses paperless and accessible only to the test vendor or the test vendor s subcontractors. Digital data security practices required by the department, outlined in Appendix B Contractual Safeguards, will prevent the interception of these records either for purposes of alteration or disclosure in the same way that online purchases are protected. Assessment vendors may distribute student-constructed responses (i.e. student written responses, such as short answers, using the Internet for scoring purposes). This already happens with paper and pencil tests. Vendors scan paper and pencil tests and then share in this manner currently to facilitate scoring. The transition from paper and pencil to online assessment does not introduce any additional risk of disclosure of student information. Use of online assessments reduces the manual processes in paper and pencil assessment and meets the requirements for handling of student data while reducing the risk of human error, including those that could be a security issue. REPORTING OF TEST RESULTS The reporting of test results is unaffected by the use of online testing. Regardless of online or paper and pencil administration, the vendor will generate the same reports and distribute them either electronically or in printed format. Printed family reports remain a necessity as well as a prudent practice. CONCLUSION In summary, Ohio is transitioning from exclusive administration of assessments via paper and pencil to use of online methods for administration. The department is committed to ensuring protection of student data through both paper and pencil and online methods of assessment administration. The department requires that assessment vendors follow all state and federal laws to protect student data. Online assessment does not provide any new personally identifiable student information to the vendor. The vendor receives the same student data for online assessment as in paper and pencil administration. Use of online assessment reduces manual steps that are associated with student information and data transfer in paper and pencil methods. It helps to eliminate human error and improves data security. Online assessment does not require any new or additional reporting of student data to the federal government. The United States Department of Education or other federal agencies only receive a summary of student data, not individual student-level data. The department, as well as vendors, must comply with all state and federal laws including Ohio Revised Code, Ohio Administrative Code and the Family Educational Rights and Privacy Act. RECOMMENDATIONS The department recognizes that districts are responsible for ensuring that the appropriate information security safeguards are in place to protect student data at the local level. It is critical that districts implement the appropriate technical controls and provide education and awareness training to district employees on the procedures and policies related to handling confidential student data. If the appropriate information security policies and procedures are not in place, the district inadvertently could be putting student data at risk in any area of the district that uses or accesses student data. Online assessments are only a small portion of this risk. The use of technology for online testing is a rapidly changing field. In order to remain current with changing technology, the department will create a committee consisting of all appropriate department offices with the charge to maintain oversight and keep rules and processes up to date. The department will offer periodic meetings to support the implementation of information security best practices at the districts and Information Technology Centers. Page 3 Student Data Security in Online Assessment December 2014

Additionally, the department recommends the following: 1. A collaborative effort with the state Office of Information Security and Privacy for the following to provide districts with access to resources, such as, but not limited to, professional development, education and awareness training and best practices models, that will support the adoption of information security best practices and compliance with state and federal privacy laws. Resources shall be included on an education-specific Web page for districts and Ohio s Information Technology Centers. 2. A collaboration with the State Office of Information Technology to explore shared services options that would allow districts to procure the same services and products the state uses to support information security programs. Page 4 Student Data Security in Online Assessment December 2014

Student Data Usage Student Data Protections Security Differences Paper-Pencil Online Paper-Pencil Online Paper-Pencil Online Step 1: Districts register students to take the statewide assessment. The district uploads student name, SSID, date of birth, school district, grade and other demographics to be transmitted to the testing vendor to build a student profile. All transmissions of student data are required to use a secure file transfer method. The process is identical for both testing methods Appendix A Test Process Step 2: Test resources are generated for the students. Identification labels are generated and sent to the district to be put on the paper assessment. A testing login account is generated for each test taker. The login name and password is provided to the school for each student and the student must reset the password on the first login. When the student logs in, the student should verify the account belongs to him or her. Student identification labels with a limited amount of personally identifiable information and testing materials are shipped to the school district. The district is required to secure the materials and ensure anyone with access to the materials is trained to securely handle them. PII is not required to be shared to manage the login credentials for test takers. Students use their individual logins to take the test. Labels with a limited amount of student data must be stored and handled. Many people are involved in the handling of the data which increases the risk for human error The list of test login IDs and passwords is handled electronically and the dissemination of information can be secured, controlled, and audited. Step 3: Tests are administered to the students. Test materials and identification labels are distributed to students. Students take the tests. Each day, materials are collected and then re-distributed the next day. When the test is complete, the materials are collected and shipped to the testing vendor. Students login with their individual IDs to take the tests on PCs or tablets. Once completed with each test portion, the student logs out of the test application and responses are recorded and can be instantly scored. The student identification labels have a limited amount of personally identifiable information on them. The district is required to secure the materials and ensure anyone with access to the materials is trained to securely handle them. The testing vendor has minimum system requirements that include a securely configured PC or tablet for test delivery. These requirements include malware protections, access restrictions for students and secure Web browsers. Students are prohibited from sharing login credentials and their usage is monitored during the test. No personally identifiable information is used or shared during the test. Labels with a limited amount of student data must be stored and handled daily during the testing. Many people are involved in the handling of the data which increases the risk for human error No student PII is required to be used or shared during the testing process. Additional quality control steps can be carried out on data during the testing to monitor for testing anomalies Step 4: Compilation and scoring. The district ships the testing materials back to the school and the test score sheets are scanned, processed and matched against the student data that was uploaded during the registration step. Score results are recorded. Student responses are recorded upon finishing the test. The results are automatically matched to the student information based on the test login ID and scores are generated. Test data is instantly available for near real-time quality assurance. Student score sheets with student personally identifiable information are shipped to a secure testing center and stored until processed. There are several manual handling steps which may result in human error. The test is delivered and taken through a secure web application. Responses are returned to the vendors secure data center and scored automatically upon submission Labels with a limited amount of student personally identifiable information are stored at the district until ready to be packaged and shipped to the testing vendor. The sheets are shipped to the test vendor and then stored till they can be processed. There are many manual handling steps in the process. All data is transmitted via secure communication methods. There are no manual handling steps and scoring happens automatically. Step 5: Student assessment result data. The test results are generated and returned to the district student information system for review and distribution to the families of the students. The results are returned to the district using a secure file transfer method. All transmissions of student data are required to use a secure file transfer method. The process is identical for both testing methods. Step 5: Districts provide assessment results to the department via EMIS. Districts upload the testing results from their student information system to the Ohio Department of Education via EMIS reporting. All student data is anonymized and the department only receives the SSID score results. No other personally identifiable information is provided. All transmissions of student data are required to use a secure file transfer method. The process is identical for both testing methods. Page 1 of 1

Appendix B Contractual Safeguards The Ohio Department of Education requires that vendors agree to specific terms and conditions in contracts for services. A contract requires that the vendor comply with federal privacy regulations, and State of Ohio security standards specify how to protect student data. A typical agreement requires that the vendor agree to: Comply with federal privacy regulations including FERPA and requires their employees and contractors to comply as well. Comply with the State of Ohio security standard, the National Institute of Standards and Technology (NIST) 800-53 Rev. 3 publication and operate at the Moderate Baseline. The moderate baseline specifies how entities implement security controls including items such as: o Access Control How communication access to data and systems is controlled. o Awareness and Training How employees are trained for security policies and procedures. o Audit and Accountability How systems, events and data usage are monitored. o Security Assessment How system security is continually monitored. o Incident Response How the vendor must respond to security events. o Maintenance procedures How systems are maintained to reduce vulnerabilities. o Media Protection How data and the systems that store it are protected. o Physical Security How physical access to data and systems is controlled. o Business Continuity and Disaster Recovery How systems and data are returned to service in the event of an interruption of availability (disaster or outage). o Personnel Security How personnel are screened, hired, and terminated and the security controls pertaining to these events. o Risk assessments How entities manage security vulnerabilities. o System and Communications Protection How systems interact and securely communicate. o System and Information Integrity How systems and data are protected from malware. Specific terms for how the vendor may use, store and share data. Specific terms for the destruction of data once the contract ends or the data are no longer required to carry out the services in the contract. Not disclose or share any data received as a result of the agreement without consent from the department of education. Maintain logs of all data requested and transmitted and make the logs available to the department upon request. Appendix B Student Data Security in Online Assessment December 2014

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information