The student information system for the Missouri department of education this month received a “good” rating in a state audit that also found the system may not be prepared to respond quickly to a data breach.
Missouri’s Department of Elementary and Secondary Education “has not established a comprehensive data breach response policy, as recommended by the U.S. Department of Education,” the audit report said. “Without a comprehensive data breach response policy, management may not be sufficiently equipped to respond quickly and effectively in the event of a breach, increasing the risk of potential harm to affected individuals.”
The Missouri Student Information System is used by DESE to collect information from school districts in order to administer state and federal programs for students. It also allows the department to provide the public with feedback on district and charter school performance.
The audit, whose findings were released on Tuesday, reviewed the system’s data governance, security and privacy controls and found “no significant noncompliance with legal provisions.”
However, the state auditor’s office did recommend that the education department stop collecting social security numbers as part of the system’s data collection and securely remove all data that is no longer needed. DESE agreed to remove “optional social security numbers” in the system’s data collection component by June 30, 2016.
DESE said it also will conduct periodic reviews to ensure that any personally identifiable information collected is necessary, and will be making additional changes to secure student information, including implementing the data breach policy.