At first glance it may not seem that schools – especially public elementary schools – would necessarily be in grave danger of having sensitive data compromised. After all, the majority of individuals in and out of the building on a daily basis are under the age of 12, don’t have bank accounts, and probably aren’t using computers to access any sensitive information.


However, consider what is kept on file: the full name, date of birth, social security number, and address of every student (and their parents!) enrolled in a school district, in addition to school and town banking information, as well as the personal information of teachers, administrators, custodians, librarians, volunteers, and pretty much anyone else who has regular contact with the school. It becomes overwhelmingly apparent that schools – from public elementary schools all the way up through universities and colleges – must take the exact same precautions as other organizations in protecting and destroying their sensitive data.

Staying Compliant With FERPA

In fact, not only does it become apparent – it’s also the law. The Family Educational Rights and Privacy Act (FERPA) dictates that schools must protect the personally identifiable information (PII) of students from being disclosed, which means that it is the responsibility of each school to properly dispose of the information once it is no longer necessary.

While there are a variety of requirements and restrictions as to how long schools must maintain certain data, the U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) advises that some data “may become unnecessary or irrelevant the moment a student graduates or otherwise leaves the school, and can be destroyed immediately.” They also point out that, per the Fair Information Practice Principles, “minimizing the amount of data you retain, by destroying them when no longer needed” is considered a best practice in terms of data security.

To ensure that your school district is complying with all local and national laws regarding data retention and storage, it’s important to also understand the intricacies of data destruction. Simply deleting files from a hard drive or server doesn’t permanently remove them. In fact, in most cases files can be retrieved quite easily by someone diligent (or desperate) enough to go looking for the information. The best – and proper – way to ensure that data is no longer accessible is to destroy it, either by completely blanking the hard drives containing the information (that is, overwriting the existing data so that what remains is an unreadable scramble of characters) or by physically cross-shredding the hard drive so that there is literally no way it can be put back together again. Ideally, your organization will do both.
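The difference between deleting and blanking can be checked directly on a drive image. The following Python is an added example, not code from Data Recycling New England or PTAC; the image layout, the student record (with an invalid, constructed SSN) and all function names are assumptions made for illustration.

```python
import os
import re
import tempfile

SSN_RE = re.compile(rb"\d{3}-\d{2}-\d{4}")  # SSN-shaped byte strings

def build_image(path):
    """Constructed 64 KiB 'drive': directory entry at byte 0, record at byte 4096."""
    img = bytearray(64 * 1024)
    img[0:11] = b"STUDENT TXT"
    record = b"Jane Doe,2014-03-01,000-12-3456"  # constructed record, invalid SSN
    img[4096:4096 + len(record)] = record
    with open(path, "wb") as f:
        f.write(img)

def delete_file(path):
    """Mimic a delete: flag the directory entry (0xE5, as FAT does); data stays."""
    with open(path, "r+b") as f:
        f.write(b"\xe5")

def blank(path, chunk=1 << 16):
    """Overwrite every byte with random data and force it to stable storage."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, chunk):
            f.write(os.urandom(min(chunk, size - off)))
        f.flush()
        os.fsync(f.fileno())

def find_ssn_offsets(path, chunk=1 << 16):
    """Scan the raw bytes, ignoring any filesystem, for SSN-shaped residue."""
    hits, tail, pos = set(), b"", 0
    with open(path, "rb") as f:
        while buf := f.read(chunk):
            data = tail + buf
            base = pos - len(tail)
            hits.update(base + m.start() for m in SSN_RE.finditer(data))
            # A match is 11 bytes long, so carry 10 bytes across the chunk boundary.
            tail, pos = data[-10:], pos + len(buf)
    return sorted(hits)

def demo(chunk=1 << 16):
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "drive.img")
        build_image(path)
        delete_file(path)
        after_delete = find_ssn_offsets(path, chunk)
        blank(path)
        after_blank = find_ssn_offsets(path, chunk)
    return after_delete, after_blank
```

`demo()` returns the offsets found after the delete and after the blanking pass: the record is still readable at byte 4116 once the file is "deleted", and the scan comes back empty only after the overwrite.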

At Data Recycling New England, we not only perform hard drive blanking and shredding, but we provide these services for free, will pick up the materials at your location, and will provide your organization with a certificate of data destruction. For more information call us at (508) 822-2054 or email us at pickup@datarecyclingne.com.