Protection of Personally Identifiable Information in the Commonwealth of Virginia’s Longitudinal Data System

We identified internal control weaknesses in the system that increase the risk that Virginia will be unable to prevent or detect unauthorized access and disclosure of personally identifiable information. Specifically, we found that although Virginia classified the Single Sign-on Web System as a sensitive system, it did not ensure that it met the minimum State requirements for a system classified as sensitive. This meant that Virginia also was not in compliance with the Statewide Longitudinal Data Systems grant requirements. We determined that Virginia has policies and procedures that address reporting and responding to unauthorized access and disclosure of data, but we could not determine whether Virginia effectively implemented the procedures because Virginia has not reported any system breaches in the Virginia Longitudinal Data System or the Single Sign-on Web System.