How Privacy Shield works

Learn how Privacy Shield protects your district's data.

In this article

How Privacy Shield works

How sensitive data is shared

How sensitive data is masked

What are the Privacy Shield levels

Privacy Shield is a feature designed to help districts protect sensitive information when sharing it with a vendor's application. Privacy Shield helps ensure that sensitive data, such as Personally Identifiable Information (PII), is masked or excluded during data syncing.

To use Privacy Shield, mark the attributes you want to protect as sensitive. These attributes will either be masked or excluded from data sharing, depending on your settings and the vendor's. For more details, see how sensitive data is shared. If sensitive data needs to be masked, it is replaced with a placeholder value before being shared with the vendor. For more details, see how sensitive data is masked.

To apply Privacy Shield settings, enable it in the data-sharing request configuration. Once the vendor approves the request, import data from your data source/SIS to apply masking. As a result, only your district sees the original data, while vendors see only masked information. Learn more about how to use Privacy Shield.

Note: If the vendor marks data as required, it must be synced and can't be excluded. You can check which data is required in the application requirements or contact GG4L Customer Services for help.

This feature acts as an additional layer of protection, to ensure sensitive information is either hidden or securely managed.

How Privacy Shield works

  1. District Admin sets sensitive data in School Passport.
  2. District Admin initiates a data sharing request with a Vendor application with an enabled Privacy Shield feature.
  3. Privacy Shield checks sensitive data and dynamically masks or excludes it from the sync.
  4. The application vendor validates the request and confirms that they have access to the required data.
  5. District Admin runs a data import from the data source/SIS. This masks the imported sensitive data according to the masking rules.
  6. School Passport shares masked imported data with the application.
  7. School Passport continues to enforce these rules each time district data is accessed by the vendor application.

How sensitive data is shared

Ideally, sensitive data should never be shared without proper protection. In addition to your sensitive data settings, vendors can also enable masking for PII on their end at different levels and manage it within the data-sharing request. For more details, see Privacy Shield level in an application. This ensures that both the district and the vendor handle sensitive data securely.

When you turn on Privacy Shield for a vendor’s app, your sensitive data is compared with the vendor’s data requirements. If the vendor marks certain data as required, it can’t be excluded from syncing. For details on required data, refer to the Application requirements.

The table below shows how sensitive data is handled based on the district's and vendor's settings (when the Privacy Shield toggle is on).

District action         | Vendor action            | Result             | Example
------------------------|--------------------------|--------------------|--------------------------------------------------------------
Marked as sensitive     | Masking enabled          | Shared but masked  | "Smith" becomes "D-ggl'abcdefg" when shared with the vendor.
Marked as sensitive     | Masking disabled         | Excluded from sync | "Smith" is not shared with the vendor at all.
Marked as sensitive     | Marked as required       | Shared as is       | "John Doe" is shared with the vendor unchanged.
Not marked as sensitive | Any action by the vendor | Shared as is       | "123 Main St" is shared with the vendor unchanged.

Let's explore how sensitive data is shared using the following example. In this case, the district administrator activates a vendor application for the first time. Privacy Shield is enabled by default (toggle on). The Attributes section shows how Privacy Shield settings will be applied to data sharing.

[Screenshot: Attributes section of the data-sharing request, with the attributes numbered (1) to (7) as referenced below]

In this case, the data will be protected and shared as follows:

  • Last Name (1) is sensitive and masked on the vendor’s side. It is shared but masked.
  • First Name (2) is sensitive, required by the vendor, and masked on their side. It is shared but masked.
  • Birth Date (3) is NOT sensitive and masked on the vendor’s side. It is shared as is.
  • Middle Name (4) is sensitive and NOT required by the vendor. It is NOT shared.
  • Username (5) and Email Address (6) are sensitive but required by the vendor. They are shared as is.
  • Primary School (7) is NOT sensitive and NOT required by the vendor. It is shared as is.
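The decision rules from the table and the worked example above, as an added illustration (not GG4L code): a district-side check that reproduces the outcome for each attribute and lists the sensitive attributes that would still leave unmasked, which is what an administrator should review before the vendor approves the request. The seven-attribute request is constructed to match the example.

```python
from enum import Enum


class Outcome(Enum):
    SHARED_MASKED = "shared but masked"
    EXCLUDED = "excluded from sync"
    SHARED_AS_IS = "shared as is"


def share_outcome(sensitive: bool, vendor_masks: bool, vendor_requires: bool) -> Outcome:
    """Rules from the sharing table: the district's 'sensitive' flag is checked first,
    then the vendor's masking setting, then whether the vendor marked the data required."""
    if not sensitive:
        return Outcome.SHARED_AS_IS   # never flagged by the district: vendor settings do not matter
    if vendor_masks:
        return Outcome.SHARED_MASKED  # masked by the vendor, even when it is also required
    if vendor_requires:
        return Outcome.SHARED_AS_IS   # required data cannot be excluded, so it is shared unmasked
    return Outcome.EXCLUDED           # sensitive, not masked, not required: left out of the sync


# Constructed request mirroring the seven attributes of the worked example above:
# (attribute, district marked it sensitive, vendor masks it, vendor marked it required)
EXAMPLE_REQUEST = [
    ("Last Name", True, True, False),
    ("First Name", True, True, True),
    ("Birth Date", False, True, False),
    ("Middle Name", True, False, False),
    ("Username", True, False, True),
    ("Email Address", True, False, True),
    ("Primary School", False, False, False),
]


def evaluate_request(request=EXAMPLE_REQUEST) -> dict:
    """Outcome per attribute for a data-sharing request."""
    return {name: share_outcome(s, m, r) for name, s, m, r in request}


def unmasked_pii_report(request=EXAMPLE_REQUEST) -> list:
    """Attributes the district flagged sensitive that will still be shared as is."""
    return [name for name, s, m, r in request if s and share_outcome(s, m, r) is Outcome.SHARED_AS_IS]


if __name__ == "__main__":
    for name, outcome in evaluate_request().items():
        print(f"{name:15} -> {outcome.value}")
    print("Review before approval:", unmasked_pii_report())
```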

How sensitive data is masked

Privacy Shield masks the following attributes for students, teachers, and contacts to protect PII data:

Attribute | Description | Original | Masked
----------|-------------|----------|-------
Last Name | Exposes the first character, replaces the rest of the string with -ggl' and adds a unique set of 7 lowercase letters (a-z). | Davidson | D-ggl'abcdefg
First Name | Exposes the first character, replaces the rest of the string with -ggf' and adds a unique set of 7 lowercase letters (a-z). | John | J-ggf'abcdefg
Middle Name | Exposes the first character, replaces the rest of the string with -ggm' and adds a unique set of 7 lowercase letters (a-z). | Michael | M-ggm'abcdefg
Username | Exposes the first character, replaces the rest of the string with -ggu' and adds a unique set of 7 lowercase letters (a-z). | DavidsonJ | D-ggu'abcdefg
Email Address | Replaces the email username with a string of 16 random letters, adds the district GUID before the domain, and replaces the domain with gg4l.io. Upon activation of the application by a district, returns an empty string before data import. | jane_example@example.com | AvCakjsdOdIc@11000000-0000-0000-0000-000000000000.gg4l.io
Birth Date | Exposes the year of birth and replaces the day and month: with 01/01 if the birthday (day and month) is less than 6 months from the current date, or with 09/01 if it is more than 6 months away. | Birth date: February 15, 1990; current date: May 10, 2024 | 01/01/1990
Phone numbers (Phone, Home Phone, Sms, Phone Number, Work Phone) | Replaces all characters with +10000000000. | (555)123-4567 | +10000000000
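The masking rules from the table above, as an added example (not GG4L's implementation): one function per attribute family plus a check_mask() helper a district can use to verify that values leaving the sync match the documented shape. The district GUID is the one from the table's email example; the six-month rule for birth dates is assumed to count back from today to the most recent birthday, which reproduces the table's February 15 / May 10 case.

```python
import random
import re
from datetime import date

# Suffix tag per name-like attribute, as listed in the masking table above.
NAME_TAGS = {"last_name": "ggl", "first_name": "ggf", "middle_name": "ggm", "username": "ggu"}
LOWER = "abcdefghijklmnopqrstuvwxyz"
DISTRICT_GUID = "11000000-0000-0000-0000-000000000000"  # GUID from the table's email example
_rng = random.SystemRandom()  # placeholder letters must not be predictable from the original


def mask_name(value: str, attribute: str) -> str:
    """Keep the first character; replace the rest with -ggX' and 7 random lowercase letters."""
    if not value:
        return ""
    tail = "".join(_rng.choice(LOWER) for _ in range(7))
    return f"{value[0]}-{NAME_TAGS[attribute]}'{tail}"


def mask_email(value: str, district_guid: str = DISTRICT_GUID) -> str:
    """Replace the local part with 16 random letters and the domain with <district GUID>.gg4l.io."""
    local = "".join(_rng.choice(LOWER + LOWER.upper()) for _ in range(16))
    return f"{local}@{district_guid}.gg4l.io"


def _last_birthday(birth: date, today: date) -> date:
    """Most recent occurrence of the birthday on or before today (29 Feb maps to 28 Feb)."""
    for year in (today.year, today.year - 1):
        try:
            candidate = birth.replace(year=year)
        except ValueError:
            candidate = date(year, 2, 28)
        if candidate <= today:
            return candidate
    return candidate


def mask_birth_date(birth_iso: str, today_iso: str) -> str:
    """Keep the year; day/month become 01/01 if the last birthday was under 6 months ago, else 09/01.
    Assumption: '6 months from the current date' is measured back from today."""
    birth, today = date.fromisoformat(birth_iso), date.fromisoformat(today_iso)
    days_since = (today - _last_birthday(birth, today)).days
    return f"{'01/01' if days_since < 183 else '09/01'}/{birth.year}"


def mask_phone(value: str) -> str:
    """Every phone attribute collapses to the same fixed placeholder."""
    return "+10000000000"


def check_mask(attribute: str, masked: str) -> bool:
    """True when a value matches the documented mask shape for its attribute."""
    patterns = {a: rf".-{tag}'[a-z]{{7}}" for a, tag in NAME_TAGS.items()}
    patterns["email"] = r"[A-Za-z]{16}@[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.gg4l\.io"
    patterns["phone"] = r"\+10000000000"
    patterns["birth_date"] = r"(01/01|09/01)/\d{4}"
    return re.fullmatch(patterns[attribute], masked) is not None
```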

What are the Privacy Shield levels

Applications can support Privacy Shield at different levels, which determine which PII is masked. The application vendor decides which PII can be masked, and if the masked data meets the requirements for a specific level, the application is assigned that level.

Each Privacy Shield level defines a set of user attributes (students, teachers, contacts) that are masked by an application. 

Note: The attributes for the Privacy Shield level may differ if they have been removed from the Attributes Mapping.

The Privacy Shield levels are as follows:

  • Level 1: The application masks only the Last Name of users. Other PII data, like first names or emails, are visible and accessible to the application.
  • Level 2: This level masks the Last Name, First Name, and Email. Other sensitive data, such as phone numbers or birthdates, remain visible and accessible to the application.
  • Level 3 (Full OneRoster and Basic Roster PII): At this level, the application masks a complete set of PII based on the OneRoster standard. This includes the Last Name, First Name, Middle Name, Username, Email, Phone Number, and Birth Date. Other PII data remains accessible by an application.
  • No Privacy Shield: This indicates that the application does not meet the requirements for any Privacy Shield level, or that no PII data is allowed to be masked. In some cases, it may indicate that only the Last Name is not masked.

If you mask some attributes that lower the application's Privacy Shield level, your application will be assigned the lower level. For example, if you activate the application with level 3 but only mask the Last Name, the application will automatically be downgraded to level 1.
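Level assignment and the downgrade rule above, as an added example (not GG4L code): the level is the highest one whose whole attribute set is masked, and a district can see both the resulting downgrade and what would still have to be masked to reach a target level. The attribute sets are taken from the level list above; per the note, they may differ if attributes were removed from the Attributes Mapping.

```python
# Attribute sets each Privacy Shield level requires an application to mask, from the list above.
LEVEL_REQUIREMENTS = {
    1: {"Last Name"},
    2: {"Last Name", "First Name", "Email"},
    3: {"Last Name", "First Name", "Middle Name", "Username", "Email", "Phone Number", "Birth Date"},
}


def assign_level(masked_attributes: set) -> int:
    """Highest level whose entire attribute set is masked; 0 means 'No Privacy Shield'."""
    level = 0
    for candidate, required in sorted(LEVEL_REQUIREMENTS.items()):
        if required <= masked_attributes:
            level = candidate
    return level


def level_after_change(current_level: int, masked_attributes: set) -> tuple:
    """Recompute the level after the masked set changes; the second item flags a downgrade."""
    new_level = assign_level(masked_attributes)
    return new_level, new_level < current_level


def missing_for_level(target_level: int, masked_attributes: set) -> set:
    """Attributes that still have to be masked to reach the target level."""
    return LEVEL_REQUIREMENTS[target_level] - masked_attributes


if __name__ == "__main__":
    # The page's example: activated at level 3, then only Last Name masked.
    print(level_after_change(3, {"Last Name"}))            # (1, True)
    print(missing_for_level(3, {"Last Name"}))             # what level 3 would still need
```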