From something as simple as a sign-in sheet to transcripts and test scores stored in a learning management system (LMS), every training organization gathers and stores personally identifiable information (PII) for its learners. Organizations are expected to manage this private data appropriately and take every precaution to protect it from loss, unauthorized access or theft. Misusing, losing or otherwise compromising this data can carry a steep financial cost and damage an organization's reputation.
One of the requirements of the ANSI/IACET 2018-1 Standards for Continuing Education and Training is ensuring the privacy and information security of learners' records. The first step to securing learner data is to identify the PII the organization uses and where the organization stores the data. As basic as it sounds, an organization cannot secure data it does not know about, and many do not realize the full breadth of what data they collect, where the data is stored and how it is used.
Data flows through an organization like a river. It has an origin, a place where it is first collected. It then winds its way through various departments and divisions, such as the training department, which uses the data to deliver learning; the finance department, which may need to track billing and payment; the marketing department, which needs to make decisions about promotional spending; and the executive division, which uses the data to make business decisions. Data streams over different processes and procedures, being touched by a variety of software packages and systems along the way. Each one of those individuals and systems is a potential place for data to be misused, lost, stolen or otherwise compromised.
To identify PII, make a list of the data that is collected and identify where each item is collected. This list will include basic contact information like names, phone numbers, addresses and email addresses. Generally, these are collected from registration forms or provided by an employer contracting the training. Other pieces of data, such as transcripts, quiz and test scores, and attendance records, may be stored in the LMS.
Next, make a list of all the places the data is consumed or used. Walk through your process, from registration to credentialing. List who uses the data at each step, write down why they use the data and note which specific data elements are used. Keep in mind that it is important to verify that each data consumer has access only to the data they need to complete the task.
Once you have completed this survey, you will have a “lay of the land” and be ready to take the next step in this series.
To learn more about IACET and the accreditation process, visit us at iacet.org.
Randy Bowman is the Vice President of Technology at IACET. Randy has over twenty years of professional experience in project management, software design and development as well as IT operations and IT security for government agencies and non-profit associations.