·

Data Handling SOP Template

Objective: Standardize how ESP staff and partners collect, store, process, and share student data—ensuring privacy, security, and compliance.

1. Scope

This SOP applies to all data assets ingested or generated by ESP’s Student Success Insight Network platform, including academic records, survey responses, model outputs, and reports.

2. Roles & Responsibilities

• Data Custodian (IT Liaison): Manages database security, backups, and encryption.
• Data Steward (Project Lead): Defines data definitions, oversees quality & lineage.
• Data Users (Teachers/Counselors): Access dashboards; act on insights without exporting PII.
• Privacy Officer ([Counselor]): Ensures FERPA compliance; handles consent records and incident response.

3. Data Classification

ClassificationExamplesHandling Rules
PIIStudent names, IDs, DOBNever stored in analytic tables; only in encrypted raw vault
SensitiveHealth notes, counseling logsAccess by Counselor only; encrypted at rest & in transit
Non-PIIAnonymized keys, aggregated metrics, ZIP3Freely used in dashboards and reporting

4. Data Collection

  1. Academic & Attendance Data
    • Exported nightly from the SIS → secure SFTP → raw vault.
    • Raw CSVs validated for schema consistency; then purged after ingest.
  2. Sentiment Surveys
    • Google Forms → Apps Script → direct insert into encrypted Postgres.
    • Consent checkbox required on form; responses without consent auto-deleted.
  3. Assessment Responses
    • Streamlit app logs responses via HTTPS POST → analytic warehouse.
    • Only StudentKey referenced.

5. Data Storage & Access

  • Raw Vault: Encrypted bucket with access limited to Data Custodian.
  • Analytic Warehouse: Postgres (AES-256 at rest); roles defined in pg_hba.conf.
  • Backups: Nightly encrypted snapshots; stored off-site; retention per MOU.

6. Data Processing & Analysis

  • All ETL jobs run under a service account with least privileges.
  • Temporary tables drop automatically after 24 hrs.
  • Model training occurs on anonymized datasets only.

7. Data Sharing & Reporting

  • Teachers/Counselors access view-only dashboards (Metabase).
  • No raw exports of PII allowed; CSV/Excel export disabled for sensitive fields.
  • Any ad-hoc report requests must be approved by the Privacy Officer.

8. Data Retention & Disposal

  • Raw PII Files: Auto-deleted 6 months post-ingest via scheduled job.
  • Anonymized Data: Archived quarterly; destroyed after 2 years.
  • Deletion Verification: Data Custodian runs quarterly logs confirming disposal.

9. Security Measures

  • Encryption: TLS 1.2+ for all data in transit; AES-256 for data at rest.
  • Access Controls:
    • MFA for all accounts.
    • Password rotation every 90 days.
  • Monitoring:
    • Weekly audit of login attempts & access logs.
    • Alert on unauthorized access or anomalous queries.

10. Training & Awareness

  • All new ESP members complete a 1-hour privacy & security onboarding.
  • Annual refresher training covering FERPA, incident response, and SOP updates.

11. Incident Response

  1. Detection: Unusual access or suspected breach triggers an alert.
  2. Containment: Privacy Officer and Data Custodian isolate affected systems.
  3. Notification: Within 24 hrs, notify District IT and impacted stakeholders.
  4. Remediation: Assess root cause, patch, and update SOP accordingly.
  5. Documentation: Incident report archived for 2 years.

12. Review & Updates

Any change to data sources, laws, or architecture requires SOP revision.Between
Early Signal Project (“ESP”)
and
[School District or School Name] (“District”)

SOP reviewed every 6 months by Privacy Officer and IT Liaison.

More from the blog