Within Australia, there appears to be no clear standards in any State relating to when and why we should secure school records.
As a result, the level of security varies from school to school, and sometimes within an institution itself. The size of the school and the attitudes of the head administrators can affect to some extent whether it limits access to all student records or opens them to a broader group.
Individual teachers can also further restrict their files on each student, often because this is where they place their notes, which may be of a sensitive nature.
So, we all have to ask ourselves:
- When do we secure records so that only select persons can view them
- When do we secure files so that all can see that they exist but cannot gain access and
- What data is considered sensitive?
The answers to these questions will vary, but as a general rule we should consider that all information should be open and only secured by exception.
If we are securing a large volume of information, we will need time and resources to ensure that records remain secure and accessible to whatever select group has authority. If we only secure information that is considered sensitive or needs to be protected, it makes administration much easier.
Examples of sensitive information include human resource records, student grading records or records of student counselling sessions. Protected files are those which could cause harm or damage if released, for example, security codes for buildings, credit card details or commercially sensitive tender documentation.
Undertaking a risk assessment of all known record types held in your office against some defined criteria is the first step to determine which records need to be secured. If the files are not considered sensitive or protected, then they should remain accessible to all staff. Staff will be more efficient in their roles if they have access to all required information.
If you are still unsure, and would rather err on the side of caution, most electronic records can usually have controls applied, where all staff can see that it exists but are unable to read or modify it. In this case, the staff member can contact the record owner and request access.
Take action today
There are some easy steps that you can take today that will start you on the journey of securing your data correctly.
Firstly, as an administrative team, you should determine security levels or access criteria for your information. Once you have decided on the access levels, you can prepare a risk matrix of all known record types within your school data infrastructure.
The key to success is to communicate the criteria and procedure to all staff. This may include any contractors or third-party suppliers that might need to access or work with your information.
By: Anne Cornish, CEO and Owner of Records Solutions
Anne has over 35 years’ experience in data and records’ management specialising in the government and education sector. Like most other industries, information management has undergone a significant change in recent years. There are new and unique challenges associated with digitisation and moving to the Cloud. Anne has been instrumental in leading schools through this transition and navigating current trends.
She has worked on projects that include:
- statewide implementation of an eDRMS, electronic document and records management system for all offices and schools in Queensland
- school archiving and disposal projects in both NSW and Victoria
- capture and digitisation of records in large independent schools in Queensland.
Anne represented Australia in developing International Information Standards (ISO 15489) and continuously lobbies to promote the importance of records’ management in all schools