Safeguarding Data

The steps below are best practices for protecting the security of data maintained by your agency.

Develop privacy and security compliance policies, standards, and controls.

Policies are high-level statements about how data should be handled, similar to a vision statement. Standards outline the rules that govern putting policies into action, and controls provide specific instructions about how to implement a standard.

In order to facilitate secure and compliant data sharing:

• Data requesters must understand the privacy and security compliance standards of the data they are requesting
• Data owners must ensure that they clearly define the privacy and security compliance standards that govern the data they own

Establish a privacy policy.

A privacy policy is an externally-facing document for the people from whom you might collect data. It explains how your agency uses personal information that may be collected when the public interacts with the agency. The privacy policy should include the types of information gathered, how the information is used, to whom the information is disclosed, and how the information is safeguarded.

Here are some of the questions to ask when you document a privacy policy:

• Why do we collect personal information?
• What information do we collect? (Review the data dictionary.)
• When and how do we disclose/share information?
• How do we protect personal information, including the administrative, technical, and physical strategies?
• How do we protect the confidentiality, integrity, and availability of confidential information that is created, received, maintained, or transmitted?

Document critical data elements.

Confidential Information (CI) is any non-public information pertaining to the agency’s business. Personally identifiable information (PII) is any data that can be used to identify an individual. Examples of PII include a user’s name, address, phone number, and social security number.

Data owners should also document subsets of PII, such as:

• Payment Card Industry (PCI) data — credit card information
• Protected Health Information (PHI) — information about an individual’s health
• Education records — data maintained by a school about students that includes information like test scores, special education records, courses taken, and attendance

Understand the laws that govern critical data elements.

State agencies need to understand the laws that govern each dataset based on its CI and PII. The standards and laws that govern data are critical in order to know:

• How data should be stored
• How data can be used
• What data can be shared (e.g., individual rows or aggregate totals)
• How data are transferred
• How data are disposed of

For more information about applicable federal and state laws, refer to the Legal Issues in Interagency Data Sharing report and accompanying appendices.

Define acceptable use standards.

Define acceptable use standards based on the laws and regulations that govern the use of your agency’s data. These standards will help define the specific requirements in data sharing agreements for keeping data secure. For example, for sensitive data, the data owner may require that the requesting party dispose of the data after a specific amount of time.

Develop, implement, and maintain a comprehensive data-security program.

Your agency will need legal assistance creating a comprehensive data-security program that adequately protects CI. The program will need to be consistent with and comply with all applicable federal and state laws and written policies related to protecting CI.

The data-security program should cover considerations like:

• A security policy for employees related to the storage, access, and transportation of data containing confidential information
• Reasonable restrictions on access to records containing confidential information, including access to any locked storage where such records are kept
• A process for reviewing policies and security measures at least annually
• The creation of secure access controls to confidential information, including but not limited to passwords
• Encryption of confidential information that is stored on laptops or portable devices or that is being transmitted electronically

Enforce compliance controls.

A control is a safeguard to avoid, detect, or minimize security risks that might compromise the confidentiality, integrity, and accessibility of data. For example, a data owner might require a quarterly review of all users with access to a database or that people working with the data undergo compliance training.