
December 19, 2024
The ability to combine information from various sectors offers incredible potential for understanding complex social issues and developing effective interventions. For example, integrated data systems can help users better understand ripple effects, such as how foster care placement decisions affect student performance. However, this potential comes with significant responsibility for protecting highly sensitive, personally identifiable information.
According to the U.S. Government Accountability Office, thousands of K–12 students had their personal data compromised in breaches between 2016 and 2020. The data included sensitive information such as reports of bullying incidents and Social Security numbers. These breaches can impact a student’s life, opening them up to emotional, physical, and financial harm. WestEd’s Data Integration Support Center (DISC) specializes in guiding public agencies to securely integrate and utilize cross-sector data—ensuring privacy, building trust, and maximizing impact.
In the fifth blog in our series about DISC’s work, experts Baron Rodriguez, Sean Cottrell, and Omar Alibulla discuss the pivotal role security plays in protecting information and strengthening integrated data systems.
The challenge for public agencies lies in maximizing the insights gained in combining information from sectors such as social services, education, and labor while minimizing the risk to individual privacy. This requires a multifaceted approach that goes beyond simple data anonymization. Failing to adequately protect integrated data can ruin an agency’s reputation among other serious repercussions.
Ensuring privacy in this context demands a robust framework with multiple layers of protection. Strong security measures are paramount, including access controls, encryption, and secure storage. Equally important is a comprehensive legal framework that clearly defines data usage, sets limits on access, and establishes strong penalties for misuse. Staff training is crucial to ensure everyone handling the data understands their responsibilities and follows best practices.
Modern technology also plays a vital role. Privacy-enhancing technologies (PETs) offer innovative solutions to mitigate risk. Secure enclaves, for example, allow analysis of sensitive data in a protected environment, while statistical disclosure control techniques help prevent reidentification of individuals within aggregated data sets.
Public agencies hold a position of trust. Individuals expect their information to be handled responsibly. A breach—whether a data leak, unauthorized access, or perceived misuse—can lead to decreased public confidence, reduced cooperation, and legal challenges. Prioritizing privacy and security isn’t just a legal or ethical obligation; it’s essential for maintaining public trust and ensuring the ongoing effectiveness of public services.
Familiar threats to data systems include cyberattacks, malware, and phishing. While those threats must be addressed, the complexity of integrated data systems introduces specific risks that are frequently overlooked. Since these systems merge data from across sectors and organizations, governance is essential for navigating the layers of laws, regulations, and policies when implementing a robust security program. At DISC, we emphasize the importance of transparency, legal frameworks, and training to address risks that are often overlooked.
- Transparency: Transparent data protection programs clearly document compliance with regulations; provenance and accuracy of data; and the method, management, and detection of potential security threats. Transparency also involves clear communication about the measures in place to protect data across systems. This openness is vital for trust and accountability, especially when data traverse organizational boundaries.
- Legal frameworks: Integrated data systems require navigating a plethora of privacy laws and regulations. When data breaches occur, public agencies likely will face legal consequences. Robust legal requirements for security and privacy measures act as a “shield” for deterring attempts to intercept or manipulate data.
- Training: It’s not just about having security protocols in place; it’s also about ensuring that everyone involved with the data system understands their role in protecting sensitive information. From the IT professionals who safeguard the infrastructure to the end users who access and manipulate the data, everyone needs comprehensive training on data protection best practices, the importance of compliance, and the potential consequences of negligence or malpractice.
This is a great question because at DISC we often see these supports overlap. Often, our legal assistance is in the form of clarifying legal frameworks that include the laws, regulations, policies, and written agreements that provide a structure for data systems to implement security and privacy measures. The legal framework should identify the purpose for the data integration and the enablers and safeguards that support it. A strong legal framework will identify the physical, technical, and administrative safeguards that protect the data system from unauthorized access (security) and prevent identification of the individuals represented by the information in the data system (privacy).
In the case of the Nebraska Statewide Workforce & Educational Reporting System (NSWERS), for example, DISC was able to clarify legal requirements for data sharing so community college leaders could benefit from information on their students’ outcomes in the workforce.
The NSWERS contacted DISC after receiving feedback from a postsecondary partner on potential revisions to an existing data sharing agreement. As an objective third-party partner, DISC discovered that, while the legal requirements were an issue, the postsecondary partner was wary of participating in the NSWERS because of concerns over the quality of their data. As a result of the DISC engagement, the NSWERS was able to identify the established data governance policies and procedures that ensure data are accurate, relevant, and properly interpreted to further alleviate their partner’s concerns.
Ensuring the security of an integrated data system is not a quick or easy process, but it doesn’t have to be a barrier to implementation or modernization. A thoughtful, informed plan and tools that address specific risk factors can help public institutions confidently leverage the benefits of an integrated data system. DISC provides public agencies with resources and expertise, interwoven with a host of other offerings, to bolster the security of your system.