School districts can be vulnerable against hackers without the proper safeguards, and Galloway has said information could be at risk that parents might not even consider: authorized bank debits for a lunch plan, for example, or health records provided to a school nurse.
"Missouri schools have access to a lot of information on students and their families, which means they have a responsibility to keep that information protected," Galloway said.
The audit was part of an initiative out of Galloway’s office aimed at preventing unauthorized access to students’ records.
Certain practices can put student information at risk. Last fall, an audit of the state’s education department found the department was unnecessarily storing students’ social security numbers. The department has since ended the practice.
Lawmakers have also recognized that student data can easily fall into the wrong hands. In 2014, the Missouri Legislature passed a bill requiring the state’s education department to put provisions in contracts that would keep student data from being sold or used to target advertisements.
The audit released Thursday provides guidelines for schools throughout the state, but assessed five school districts specifically as part of the initiative: in Booneville R-1, Waynesville R-VI, Park Hill, Cape Girardeau and Orchard Farm R-V, in St. Charles County.
Too often, the audit found, staff can be part of the problem. While employees should be the “first line of defense” for students privacy, there’s little done to ensure they change passwords on a regular basis.
To combat this, the audit recommends schools establish privacy training for their employees and stricter policies for handling student information.
It also suggests schools appoint someone to serve as a security administrator for a district and create a plan outlining a response to any potential data breaches.
The audit also revealed some schools did business with third-party vendors, with nothing in place in a written contract dictating what information was available to them.
©2016 the St. Louis Post-Dispatch. Distributed by Tribune Content Agency, LLC.
