Data Privacy Checklist

Use this checklist to evaluate your organization's data privacy practices. Items are organized by functional area to support team-based review.

Data Collection and Minimization

• We collect only the data necessary for defined, documented purposes
• New data collection requires review and approval against a defined purpose
• We have reviewed each data field we collect in the last 24 months for continued necessity
• We do not collect sensitive data (race, health, financial) without specific documented need
• We have a documented data dictionary covering all major data categories we hold

Vendor and Third-Party Contracts

• All technology vendors have signed data use agreements or DPAs
• Vendor contracts explicitly prohibit student data from being used for advertising
• We have reviewed vendor privacy policies for consistency with our contract terms
• We maintain a current list of all vendors with access to sensitive data
• We have a process for reviewing vendor data practices annually

Access Controls

• Access to sensitive data systems is role-based and documented
• We conduct quarterly reviews of who has access to sensitive data
• Departing staff access to data systems is revoked within 24 hours of separation
• We require strong authentication (MFA) for access to systems holding sensitive data
• Administrative access to data systems is logged and periodically reviewed

Retention and Deletion

• We have a documented data retention schedule for all major data categories
• We delete data according to our retention schedule (not "when we get around to it")
• We have a process for deleting student data when students leave the organization
• We confirm with vendors that deleted data is actually deleted, not just de-identified
• We verify that backups are included in deletion (not just primary databases)