Friday, April 6, 2012

Data Management Plan

Sometimes the most basic concepts can really trip you up. That happened last week when a new school was asked to come up with a Data Management Plan for a grant application.

They reached out to us for insight, and here is our take on the subject. If you are struggling to describe a way to corral those wild 1's and zealous 0's, perhaps this will help. Please share your insights and suggestions.

Definitions

Data: digital information in any format utilized by a school for the management of people, processes, and things (resources) associated in any capacity with the school.

Management: awareness, oversight, and control of the aforementioned data.

 
Overview

Data management planning addresses three core components:
  1. Ownership and oversight: Managing both the data and the resources that control information systems;
  2. Data security and compliance: Protecting privacy, controlling access, and securing resources from within and without;
  3. Data retention, archiving, backup and disaster recovery planning: Assuring data access in any circumstance for the timeframes specified by law and by policy.

These three core components are intentionally broad to address the wide variety of choices associated with implementing information systems which house, transport, and protect data. However, there are basic standards driven by industry, law, and state education agency guidelines that should be considered standard practice as individual school boards implement policy.

The purpose of this document is to set forth broad concepts associated with Data Management Planning for Charter Schools and to provide a basic checklist to identify weaknesses.

Ownership and Oversight

Schools should have direct ownership or contractually delegated control of all resources which are used to store, route, and distribute data. Common examples of these resources are domain names, web hosting accounts, email systems, and hosted applications that store data in the cloud.

The seemingly small matter of legal ownership can cause enormous challenges if mismanaged. It is very common for well-intended parents, volunteers, or even board members to have control of these resources. However, it can be very difficult to regain control of these resources if problems arise or relationships sour.

Imagine the damage a disgruntled former staff member or parent could inflict if they own your domain name, website hosting account, email system, or other hosted application. Don’t laugh, we have seen it happen.

Checklist:
  • Do a simple “who is” query on the internet and determine who is the registrant of your school's domain name. Is that individual or company still associated with your school? And do you have long-term confidence in that relationship? Are the address and contact information current?
  • Determine who hosts your school website. Who owns the hosting account, who has access to control the web server (usually a control panel)? This is not the same as access to the website itself.
  • Evaluate the email accounts used to communicate with students, parents, and the community. If your teaching staff is using Hotmail, Yahoo, Gmail, or another consumer-based email system, you have no control over the contents of those systems. In any kind of Open Records query or legal discovery, you will be unable to search messages without the express permission of the owner of that email account. This could be both embarrassing and costly.
  • Review any hosted (Cloud) applications such as backups, management systems (eRM or IEP), or desktop management systems. Do you have ownership of those accounts and termination processes when managed by a service provider?
  • Determine who owns your social media accounts. If it is not you or someone in your organization, take steps now to gain control of those accounts.


Data Security and Compliance

Fundamental to managing data is controlling access to that data in order to comply with privacy laws, ensure integrity in the education process, protect students and staff from data breaches, restrict sensitive or confidential information to authorized users, and provide safeguards for financial transactions. Infrastructure choices will impact these objectives and should be considered well in advance of any solution implemented.

Many of these challenges can be avoided by using the built-in security and access controls provided in a Microsoft Active Directory based network. But primary schools may find this security model too complicated. Other solutions may need to be considered.

Email systems should have central administrative capacity as well as the ability to do Open Records requests or legal discovery searches. These systems also need to be capable of addressing the wide range of employee changes without difficulty. Confidential email messages need to be archived and retained for the appropriate periods of time, and email destined for former staff needs to be redirected to an administrative user or replacement email account.

Computers and users need to have several layers of security protection starting at the perimeter and ending on the device in order to protect the data sets being accessed. This starts with a CIPA compliant firewall and is enhanced with added layers of protection through security updates or patches and anti-malware services (virus, spyware, malware protection).

Checklist:

  • Review the age and feature set of your firewall. New generation firewalls (termed Unified Threat Management devices) provide a wide range of security services that directly impact data management. One of the foundation services is Children's Internet Protection Act (CIPA) compliance, which is a basic component of eRate funding eligibility.
  • Review your device-based security services (Virus and Malware protection) and consider enforcing security compliance as a condition of internet access. This is a simple process with new generation UTM devices (firewalls).
  • Consider implementing Active Directory services into your network environment if you are not doing so already. Couple this with group policies and automatic security patch updates.
  • Avoid using personal email for school business. This not only dilutes your brand, but could be very embarrassing in the event of an Open Records Act inquiry or legal proceeding.

Data Archiving, Retention, and Disaster Recovery Planning

The most frequent data management deficiency is the lack of planning for the retention of data and the lack of testing backup systems for the recovery of data and associated information systems in the event of a disaster. Typically, retention planning never happens and eventually, hardware failures always occur. Both deficiencies are an important subject for consideration in a data management plan.

Data retention requirements vary by subject matter and user class. Each data set should be identified and described in terms of the following four criteria:

  1. File format – the format type used to store the data (Word, Excel, pdf, database, image, etc.);
  2. Archive length – the time required to retain data;
  3. Storage location – the physical location of the stored data;
  4. Access control – the security and user permissions associated with the data.

In a well-managed environment, data is centrally managed, automatically backed up, and secured with a reasonable level of password protection and/or encryption. Far too often, we see data scattered across a wide variety of staff resources, poorly structured, improperly secured, and inadequately backed up.

The tasks of data archiving, retention, backup, and disaster recovery planning are really connected components of a well-structured data management plan. The simplest and most effective way to address these tasks is to view them as a continuum, or a data life cycle – data is created, stored, then deleted at appropriate times, with appropriate security measures during each phase.

Checklist:

  • Take inventory of data associated with your school and describe each data set by the above criteria.
  • Seriously question any tape backup systems that are not managed by a highly competent and trained network engineer – 80% of all tape backup systems fail during recovery.
  • Take advantage of the data retention features found in information systems you use. For example, there is no better email archiving, backup, and security solution than Microsoft Exchange Server – the program used to create the email system. Even better is when the Exchange environment is hosted offsite in Tier 3 data centers hosted by Microsoft.
  • Consider a single system to manage this process to the extent possible. It will simplify your planning and execution.
  • Test, test, test – always do a full disaster recovery test to validate your plans and document your processes.

Summary

Data management planning need not be an overwhelming project. Rather, it should be the logical conclusion to well-designed information systems. When implementing any technology solution, always consider it in light of your data management requirements. Be sure the system complements your plan, but does not complicate it.

Keep legal and logical control of your data resources, ensure data is secure from all types of threats, and establish clear policies for data lifecycles – including the destruction of data when appropriate.

Contact us if you need assistance drafting a data management plan specific to your school, which may be required for your initial charter application or a grant.
