Dear DC Community,
I am writing to update you on OSSE’s response to an incident in February in which we inadvertently made personally identifiable student information available via our responses to our DC Council 2015 performance oversight hearing.
As you may have read in my initial open letter about the incident, we took a number of steps to both ensure awareness of the incident and rectify the issue. Since then, we have taken a robust approach to codifying our policies and procedures to ensure the protection of our student information and to build the agency’s capacity around data privacy, security, and confidentiality. Laid out below is a summary of those actions.
OSSE POLICIES AND PROCEDURES
Resources and Ongoing Efforts
- Recruited and hired a deputy assistant superintendent of the division of data, assessment, and research to specifically support data privacy and governance, including codifying and implementing OSSE data policies and procedures.
- Dedicated additional resources to support data privacy and security by amending existing contracts with vendors to provide additional third-party support in documenting and developing data policies and procedures.
- Created a cross-functional internal data privacy working group to maintain an ongoing focus on this issue and ensure continued progress on internal process design.
- Updated the data request process and instituted an additional layer of review to provide further security prior to release.
- Initiated investigation into development of new policies for contracting, specific to data security and privacy. This includes review of standard contract templates, identifying new requirements for training and assurances, and drafting of additional, more specific language around data security and documenting actions OSSE might take in response to contractor data breach.
- Contacted data privacy experts internal and external to DC government for advice and consultation, including: DC Privacy Officer within the Office of the Attorney General, Office of the Chief Technology Officer, US Department of Education Privacy Technical Assistance Center, and the Data Quality Campaign.
Staff and Training
- Required all data and policy staff to complete data security and privacy training by March 31, 2016.
- Instituted new policy regarding data privacy training, including requiring all current staff at the agency to participate in data privacy training by the end of the fiscal year, all new staff to complete training upon hire, and all staff to be re-trained in data privacy annually.
- Require re-certification of non-disclosure agreement for all staff by May 15, 2016.
- Initiated development of new human resource policies specific to data security and privacy.
COMMUNICATIONS AND OUTREACH
- Issued a public statement on OSSE’s website. Established a hotline and email address dedicated to addressing family and community questions and concerns on this issue: (202) 481-3400 and [email protected]. This phone line and email address remain active.
- Sent automated calls to families with students who receive services through the Department of Student Transportation, and to all parent phone numbers on file in SEDS, OSSE’s data system for special education students.
- Sent parent letters in English and Spanish home with students who receive student transportation services.
- Established credit monitoring contract to provide identity security support to parents and students, as requested.
- Prepared a letter for LEAs to send to the parents/families of students who were affected.
- Directed LEA leaders to give notice of the incident and provide information on next steps, including the parent communication described below.
- Communicated to special education LEA points of contact, nonpublic school leaders and community advocates to promote awareness of the incident and resources available.
- Posted translations of the parent letter in Amharic, Chinese (Mandarin), French, Korean, Spanish and Vietnamese to OSSE’s website and emailed them directly to LEA leaders.
- Provided language to the State Board of Education members, the DC Ombudsman, and Chief Student Advocate to provide updates and resources available to families and the community.
- Sent notice of the incident and a description of the agency’s planned next steps to the U.S. Department of Education, and received acknowledgement of receipt.
As I promised in February, OSSE has redoubled our efforts to secure data and prevent this kind of incident in the future. We remain committed to ensuring student privacy is protected. If you have any questions about OSSE’s data security strategy or ideas to share with us, please contact me, Darrell Ashton, or Gwen Rubinstein in the division of Data, Accountability, and Research.