About this framework: These principles describe responsible data governance practices for organizations — particularly schools, districts and networks — that collect and manage sensitive information on behalf of individuals.

Organizations that collect data about individuals — students, staff, community members — hold a responsibility that extends beyond legal compliance. The way data is collected, used, shared and protected shapes real outcomes for real people. These eight principles describe what responsible data stewardship looks like in practice.

Principle 1 — We Know What Data We Hold

Responsible organizations maintain a current, accurate inventory of what data they collect, where it is stored, who has access, and for what purpose. Data governance begins with visibility. Organizations that do not know what data they hold cannot protect it, cannot purge it when appropriate, and cannot respond effectively when something goes wrong.

In practice: maintain a data dictionary. Conduct a data audit annually. Know the difference between operational data, reporting data and research data, and govern each appropriately.

Principle 2 — We Collect Only What We Need

Data collection should be proportional to purpose. The discipline of data minimization — collecting only the information genuinely necessary for a defined purpose — reduces risk, simplifies governance and respects the privacy of individuals whose information is held.

Before collecting any new data element, ask: what decision or service does this enable? Could we accomplish the same goal with less sensitive information? What are the risks of holding this information?

Principle 3 — We Are Transparent About Data Use

Individuals whose data is collected — students, families, staff — have a right to know what information is collected, how it is used, who has access, and how long it is retained. Transparency is not just a legal obligation; it is a trust-building practice that reduces harm and supports organizational legitimacy.

Principle 4 — We Require Responsibility from Our Vendors

Organizations bear responsibility for what happens to data they share with technology vendors. This responsibility cannot be fully delegated. Contracts must include specific data use limitations, security requirements, deletion terms and privacy provisions. Organizations should review and enforce these contract terms — not sign them and forget them. See the Responsible Vendor Principles for the corresponding framework for technology providers.

Principle 5 — We Govern Access Carefully

Access to sensitive data should be limited to those with a genuine need for it. Role-based access controls, regular access reviews and documentation of who has access to what are the operational mechanisms of this principle. The question "who can access this data and why?" should always have a clear, documented answer.

Principle 6 — We Protect Data Against Unauthorized Access

Organizations are responsible for implementing appropriate technical and administrative security measures to protect data against unauthorized access, loss or disclosure. This includes encryption at rest and in transit, strong authentication requirements, employee training on data handling, and a documented incident response plan.

Principle 7 — We Have Clear Data Retention and Deletion Policies

Data that is no longer needed should not be retained. Clear retention schedules — defining how long different categories of data are kept and when they are deleted — reduce risk and simplify governance. When a student leaves a district, when a staff member separates, when a program ends: there should be a clear process for handling the data associated with those transitions.

Principle 8 — We Learn from Incidents and Improve

Data governance is not a static compliance exercise. When incidents occur — breaches, unauthorized access, data quality failures — responsible organizations investigate the root cause, communicate transparently with affected parties, implement corrective measures and document what was learned. This cycle of learning is how data governance actually improves over time.

Organizational Self-Assessment

  • We have a current data inventory that documents what data we hold and where
  • We have a designated data governance lead with decision-making authority
  • We conduct vendor contract reviews that include data privacy terms
  • We have role-based access controls for sensitive data systems
  • We conduct regular access reviews to remove unnecessary permissions
  • We have a documented incident response plan for data breaches
  • We have data retention schedules for all major data categories
  • We provide data privacy training to staff with access to sensitive data
  • We have a process for responding to individual data access requests
  • We publish a data governance or data privacy policy accessible to stakeholders
  • We conduct annual audits of our data practices against our stated policies
  • We have data use agreements with all third parties who access our data
