Data Privacy and Security

NCLDS’s approach to privacy and security is guided by an overarching philosophy of accessing the minimum amount of data necessary to address questions of greatest importance to the state.

Privacy

NCLDS governance reflects all applicable state and federal laws that safeguard the privacy of an individual’s personal information. These laws include:

  • The federal Privacy Act
  • The federal Family Educational Rights and Privacy Act (FERPA)
  • The federal Individuals with Disabilities Education Act (IDEA)
  • The federal Health Insurance Portability and Accountability Act (HIPAA)
  • The federal Criminal Justice Information System (CJIS)
  • The federal Internal Revenue Code (IRC)
  • Various other applicable state privacy policies and laws

NCLDS guidelines and policies prohibit personally identifiable data from being made public, in compliance with the state and federal laws cited above. For more details about how NCLDS currently approaches data privacy, see the Data Privacy/Security section of the NCLDS FAQs.

 

Security

NCLDS’s data management protocols and processes provide guardrails for three connected facets of data security: Data Transfer, Storage, and Destruction.

Transfer – Data transfer (the movement of data from its original location to a new location) is currently handled via Secure File Transfer Protocol.

See the Statewide Information Security Policies System and Communications Protection Policy (SC-8 – Transmission Confidentiality and Integrity; SC-40 – Wireless Link Protection) and Media Protection Policy (MP-5 – Media Transport).

 

Storage – The NCLDS Request Approval Process includes completion of privacy and security checks of a Data Requester’s data storage space. All Data Use Agreements also include procedures for addressing data security issues after data have been shared with a Data Requester.

See the Statewide Information Security Manual (Sections 3 and 5) and the Statewide Information Security Policies Access Control Policy (AC-1 – Policy and Procedures), System and Information Integrity Policy (SI-1 – Policy and Procedures), and Media Protection Policy (MP-4 – Media Storage).

 

Destruction – The legal agreement a Data Requester signs before receiving access to data includes a commitment on the part of the Data Requester to thoroughly and completely eliminate from its storage facility all data received from NCLDS upon completion of the project for which the data were requested. The Data Requester also must verify formally that the destruction has taken place.

See the Statewide Information Security Policies Media Protection Policy (MP-6 – Media Sanitization [sub-section: Media Disposal]).

 

For more details about how NCLDS currently approaches data privacy and security, see the Data Privacy/Security section of the NCLDS FAQs. You also can read the complete set of NCLDS Data Privacy and Security policies.