Core Module
Privacy & Security
Protecting the people in your records is the foundation everything else rests on. Build the basics in from the start; they are far cheaper than a breach.
Why security comes first
Before you optimize anything else, protect the people in your records. A data practice that leaks client information can do more harm than the insight it produces is worth. The controls below are the foundation, not the finish line.
The core controls
Encryption
Protect data at rest and in transit. Use full-disk encryption on laptops, encrypted cloud storage, and HTTPS for anything shared online. Encryption is the difference between a lost laptop being an inconvenience and being a breach.
Access Controls
Give each person the least access they need. Use individual accounts, never shared logins, so you can see who did what and revoke access cleanly when someone leaves.
Audit Trails
Keep a record of who viewed, edited, or exported each case. Audit logs deter misuse, help you reconstruct what happened after a mistake, and are often expected by partners who share data with you.
PII Handling
Treat names, dates of birth, addresses, and identifiers as sensitive by default. Collect only what you need, separate identifying details from analytical data where you can, and never paste real client information into a tool you have not vetted.
CJIS Compliance
If you handle criminal justice information, the FBI CJIS Security Policy sets the bar: encryption, access control, auditing, and personnel screening. Full compliance is a journey, but awareness is non-negotiable from day one.
Breach and Retention
Decide in advance how long you keep records and what you do if data is exposed. A short written retention schedule and a simple breach response plan turn a crisis into a procedure.
Governance questions to answer
Security is as much about decisions as about technology. Write down your answers to these, even briefly.
Decide
Ownership
Who owns each dataset, and who is accountable for keeping it secure and accurate?
Retention
How long do we keep each type of record, and who decides when it is deleted?
Sharing agreements
When we share data with partners, what is allowed, what is prohibited, and is it written down?
Staff transitions
When someone joins or leaves, how do we grant and revoke access, and how is institutional knowledge transferred?
For small organizations
You do not need a CISO. Start with strong passwords, two-factor authentication, limited access, and a written one-page policy.