When picking a student transportation and vehicle tracking app, school districts should think about data privacy and data security just as much as the tracking and routing features. These apps handle a large amount of sensitive data, including children’s names, bus stop locations and times when children wait for the school bus. Data security is a critical aspect of the product itself. The SafeStop app, for instance, achieves all five Service Organization Control (or SOC2) principles in a way that keeps parents’ information safe and helps administrators manage accounts securely.
When choosing an app, think about these five security principles covered by SOC2, and then consider the related questions to ensure all bases are covered.
- Availability: Every app and software vendor that a school district works with should offer a Terms & Conditions statement to users. For instance, parents download the app and should have access to the terms. Don’t forget these related systems management questions: What is the app’s user and password management requirements? Where are the access points for parents and school administrators? What are the lockout and password recovery procedures?
- Confidentiality: Student education records should be secure, according to the federal Family Educational Rights and Privacy Act (FERPA), and third-party apps should not release student information. Inquire about these integration practices: How does the app interact with the school district’s student information system, as well as other vendor information systems? Where are the points of vulnerability if systems aren’t fully integrated?
- Privacy: Personal information should be protected as well and used only when needed, including names, credit card information and location data. Importantly, apps should be able to guarantee that information is never sold or distributed to outside parties at any time. Consider these questions: How is data used, and where does it go when it leaves the system? How is it monitored? Is data encrypted when transferred over a public network?
- Processing Integrity: As part of the app functioning, data should be processed in an accurate, timely and authorized manner. This also applies to the physical office where the app employees work, ensuring that they manage accounts and personal information in a secure manner on a daily basis. Question these personnel management practices: Who creates and manages users? How does the company train employees on security and privacy? How are the company’s data practices evaluated? Does the company “stress test” roles, permissions and users, and how often is this done?
- Security: Apps should guarantee protection against unauthorized access and data breaches, both in the digital and physical realms. School district staff and transportation directors should know about the technical backend that keeps data and analytics information secure. Ask these questions: What antivirus protocol is offered? If an incident occurs, what is the response plan? What are the backup and disaster recovery processes? Are there auditable logs of system activities?