Note: OSSE transitioned to using Box for secure data transfer on Thursday, Feb. 1, 2018.
Purpose of This Document
The purpose of this document is to provide background guidance about protecting student privacy while securely transferring data to or receiving information from the Office of the State Superintendent of Education (OSSE). In addition to general background about the importance of data privacy, this document provides specific guidance about protecting student information in ad-hoc or non-recurring data transfers that occur outside of existing OSSE secure platforms.
Why Does Privacy Matter?
OSSE is committed to providing students and families with an excellent education and sustaining, accelerating, and deepening the progress being made in DC education. OSSE has committed to providing high-quality, actionable data as one of four key priorities in its strategic plan.
As DC’s state education agency, OSSE receives and transmits information about students and children from and to local education agencies (LEAs), schools and community-based organizations (CBOs) as permitted by the Family Educational Rights and Privacy Act (FERPA). Staff at all of these entities have an important responsibility to be careful stewards of that information, including ensuring it remains private and protected.
This guidance is part of OSSE’s robust approach to codifying policies and procedures to protect student information and build capacity around data privacy and security for itself and among all public education stakeholders.
What is Personally Identifiable Information (PII)?
Personally identifiable information (PII) is information that, alone or in combination, can be linked to a specific student, including but not limited to:
- Name of student, parents, or other family members.
- Address of student, parents, or other family members.
- Personal identifier, such as a Social Security Number, unique student identifier (such as OSSE’s USI), or biometric record.
- Indirect identifiers, such as date of birth, place of birth, or mother’s maiden name.
Why Does Secure File Transfer Matter?
All staff who use student information bear responsibility for handling it in a responsible and confidential manner. Secure file transfer is one important strategy to protect student information.
Email is not the preferred means to share PII because it can be compromised on devices, networks, servers, and a recipient’s device, including by forwarding or other wide distribution of messages without the consent of the sender.
Using OSSE’s Box: What Do I Need to Know?
What is Box?
OSSE maintains Box, a secure data transfer system, as one method for protecting PII about DC students as data files move electronically between OSSE and other agencies and organizations serving them. This can include data sharing between OSSE staff and staff at the Office of the Deputy Mayor for Education (DME), LEAs, DC Public Schools (DCPS), the District of Columbia Public Charter School Board (PCSB), schools, CBOs, grantees and contractors.
Box contains folders for DCPS, public charter LEAs, PCSB, DME, and early learning CBOs among other entities. Each entity’s folder can contain a number of subfolders for specific projects or tasks for which PII transfer is required. Invitations to these project-specific folders are granted on an individual basis.
Who manages the site?
DAR is the division responsible for operating and maintaining the site.
Shenee Akinmolayan, OSSE Administrator of Box, manages the site for the division, including issuing project folder invitations to users and establishing, maintaining, and deleting all folders and individual access to Box.
Who Can Receive Access?
Box contains folders for entities with which OSSE regularly shares data protected by the Family Educational Rights and Privacy Act (FERPA). This includes District of Columbia local education agencies (LEAs) (both District of Columbia Public Schools, or DCPS, and public charter LEAs), the District of Columbia Public Charter School Board (PCSB), and community-based organizations. OSSE grants permissions to folders and any subfolders on a project-specific basis.
Other users include all vendors, agencies and individuals that securely transfer data with OSSE. Access to the site will be granted to users on a case-by-case basis.
How do I upload or download files?
Please see information in the Box Quick Reference Guide.
How long can the files stay on the site?
The site is for upload, not storage. Data files should be removed as soon as they are downloaded and no longer needed. All files are set for automatic removal after 60 days on Box.
What do I do if a file is inadvertently uploaded to the wrong folder or in the wrong place?
A file inadvertently uploaded to the wrong folder or in the wrong place should be immediately removed to guard against any further potential inappropriate disclosure. Any OSSE staff becoming aware of such an inappropriate upload should immediately notify Shenee Akinmolayan, who can provide assistance with any needed next steps.
Who do I contact if I have questions?
For questions about access to the secure upload site:
Demetrius Brown, Management Analyst
Email: [email protected]
Phone: (202) 545-7243
For questions about this policy:
Gwen Rubinstein, Data Analysis Manager
Email: [email protected]
Phone: (202) 374-3723