Under Miss. Admin. Code 7-3: 55.1, State Board Policy,
Chapter 55, Rule 55.1, the
Mississippi Department of Education (MDE) Office of Technology and Strategic
Services (OTSS) established - and supports - the agency-wide Data Governance
program, implemented through the Data Governance Committee (DGC). The DGC
develops and promulgates processes, as well as rules and regulations governing
the data that apply to all program offices within the MDE.
To protect the privacy of students and school/district
personnel, and ensure that all data is properly stored, maintained, and
disseminated, the following Data Classification Policy shall be implemented
through all data systems, processes, and procedures under the supervision of
the DGC, under the authority reflected in the Data Governance Charter.
1. Roles and Responsibilities
A. The Data Governance Committee shall review
the Data Governance Charter and the Data Governance Procedure Manual to ensure
that the responsibilities of key roles - including the Data Governance Manager,
Data Owners, and Data Technicians - appropriately address the established data
classification policy.
B. The Data
Governance Committee shall advise OTSS how the implementation of the data
classification policy impact end users to ensure their level of access and
acknowledgement of their data privacy obligations and aligned to the data they
access and use.
C. The Data User is
the person, organization or entity that interacts with, accesses, uses, or
updates data for the purpose of performing an authorized task. Data Users must
use data in a manner consistent with the purpose intended and comply with this
policy and all policies applicable to data use.
2. Levels of Classification
The DGC establishes three (3) categories for data
classification according to their sensitivity and importance to the functional
compliance with state and federal laws, and policies, under which all data will
be classified:
A. Public Data: Public
(or Low Risk) Data is defined as information with no existing local or national
legal restrictions on access or usage. Public data includes information that
may be or currently is released to the public. It does not require protection
from unauthorized disclosure. This information is available to the public, and
illustrative (but non exhaustive) examples to show the nature of this data
include:
i. posted programs and
services;
ii. information regarding
institution and facility characteristics;
iii. announcements, advertisements, district
and school contact information, and other freely available data.
B. Protected Data: Protected (or
Moderate Risk) Data may not be specifically protected from disclosure by law
but cannot be released in combination with any identifying information such as
student identifiers or demographic data. Protected information is generally not
released to the public unless requested and must be de-identified in compliance
with state and federal laws. The FERPA standard for de-identification assesses
whether a "reasonable person in the school community who does not have personal
knowledge of the relevant circumstances" could identify individual students
based on reasonably available information, including other public information
released by an agency, such as a report presenting detailed data in tables with
small size cells (34 CFR
§
99.3 and §
99.31(b)(1)).
Illustrative examples of de-identified data to show the nature of protected
data include:
i. de-identified individual
assessment results;
ii.
de-identified individual attendance records;
iii. de-identified individual course
selection and enrollment data for students.
C. Sensitive Data: Sensitive (or High-Risk)
Data is considered confidential, privileged, or personal information protected
by statutes, regulations, state and federal policies or contractual language
(FERPA, PPRA, IDEA, etc.). Sensitive information includes Personally
Identifiable Information (PII). Exposure or breach could result in liability
issues, fines/penalties, identify theft and/or financial fraud. Sensitive
information is specifically protected from disclosure by law. It may include,
but is not limited to:
i. Personal
information about individuals, regardless of how that information is
obtained;
ii. Unique identifiers,
including Social Security Numbers;
iii. Information concerning employee
personnel records;
iv. Information
regarding IT infrastructure and security of computer and telecommunications
systems;
v. Individual Student
National School Lunch Status.
D. Data compiled from multiple sources is to
be classified with the most secure classification level designation of any
individually classified data or source.
