MA Public Records Search
← Back to Search

D’Ambrosio, Patricia v. Andover, Town of - Public Schools (SPR 20261570)

Massachusetts Public Records Appeal · Public records appeal decision · Filed 04-27-2026

ClosedAppeal

SPR 20261570 is a Massachusetts Public Records Law appeal filed by D’Ambrosio, Patricia concerning records held by Andover, Town of - Public Schools, opened 04-27-2026. Type: Appeal. Status: Closed.

Case Details

Case Number
20261570
Case Type
Appeal
Status
Closed
Requester
D’Ambrosio, Patricia
Custodian
Andover, Town of - Public Schools
Date Opened
04-27-2026
Date Closed
04-28-2026

PDF Document

Extracted Text (searchable & copyable)

The Commonwealth of Massachusetts William Francis Galvin, Secretary of the Commonwealth Public Records Division Manza Arthur Supervisor of Records April 28, 2026 SPR26/1570 Nicole L. Kieser Records Access Officer Andover Public Schools 30 Whittier Court Andover, MA 01810 Dear Ms. Kieser: I have received the petition of Patricia D’Ambrosio appealing the nonresponse of the Andover Public Schools (School) to a request for public records. See G. L. c. 66, § 10A; see also 950 C.M.R. 32.08(1). On April 9, 2026, Ms. D’Ambrosio requested the following records from September 1, 2024 to April 9, 2026: [1] Policies and Procedures[;] [a] Written information security program (WISP) required under 201 CMR 17.00[;] [b] Policies governing student education records under FERPA[;] [c] Data governance, access control, and vendor management policies governing the use of student records[;] [2] Third-Party Systems and Compliance[;] [a] List of all third-party platforms/systems used to store or process student records including email[;] [b] Contracts, data sharing agreements, or memoranda of understanding with such vendors[;] [c] Documentation demonstrating vendor compliance with FERPA and 201 CMR 17.00[;] [3] Incident and Risk Documentation[;] [a] Any incident reports, risk assessments, or internal reviews concerning the upload or storage of student records in systems that may not meet FERPA or 201 CMR 17.00 requirements[;] [b] All communications (internal or external, emails, letters, text messages....) discussing such issues[;] [4] Corrective Actions[;] One Ashburton Place, Room 1719, Boston, Massachusetts 02108 • (617) 727-2832• Fax: (617) 727-5914 sec.state.ma.us/pre • pre@sec.state.ma.us

Nicole L. Kieser SPR26/1570 Page 2 April 28, 2026 [a] Records showing steps taken or planned to correct inaccuracies in student records[;] [b] Plans, policies, or communications describing how the district will remediate improper disclosure or storage of student data[;] [c] Timelines and responsible parties for corrective action[;] [5] Training and Oversight[;] [a] Documentation of oversight, audits, or compliance review[;] [b] Audit trails for all our student records[;] [6] [T]he district’s plan to[;] [a] Correct our specific erroneous student records both those in Crest Collaborative and in Aspen[;] [b] Ensure future compliance with FERPA and 201 CMR 17.00. [;] [c] Prevent further unauthorized disclosure or use of student data[;] [7] System Inventory & Data Mapping[;] [a] Inventory of all internal systems/databases containing student[;] education records including email servers where sensitive student info is often shared unencrypted[;] [b] Data flow diagrams or documentation showing how student data is collected, stored, accessed, and transmitted internally[;] [8] Access Controls[;] [a] Policies and technical controls governing role-based access to student records[;] [b] Audit logs or summaries showing access to student records (redacted as necessary)[;] [c] Procedures for provisioning and deprovisioning user access[;] [9] Encryption & Safeguards[;] [a] Documentation of encryption practices for data at rest and in transit[;] [b] Endpoint security controls (e.g., laptops, staff devices accessing student data)[;] [c] Network security measures protecting internal systems[;] [10] Monitoring & Auditing[;] [a] Internal audit reports or compliance reviews of all student information systems[;] [b] Reports or summaries of unauthorized access attempts or policy violations[;] [11] Error Handling & Record Integrity[;] [a] Policies and procedures for identifying, correcting, and documenting errors in student records[;] [b] Records showing how erroneous data entries are tracked, corrected, and communicated[;] [12] Incident Response[;] [a] Incident response plans specific to unauthorized access or disclosure of student records of internal systems[;]

Nicole L. Kieser SPR26/1570 Page 3 April 28, 2026 [b] Documentation of any incidents involving internal systems and resulting remediation[;] [13] Data Retention & Destruction[;] [a] Policies governing retention and secure destruction of student records within internal systems[;] [14] Training & Accountability[;] [a] Staff training materials specific to internal system use and student data protection[;] [b] Documentation of disciplinary or corrective actions for misuse of internal systems (appropriately redacted)[;] [15] Identification of System Involved and Compliance Determination[;] [a] Please identify the specific internal or external system(s) in which the erroneous student record(s) were created, stored, or uploaded. For each such system, provide[;] [i] The system name, owner, and whether it is internally managed or vendor-provided[;] [ii] The date(s) the student record(s) were entered, modified, or transmitted[;] [iii] A determination of whether the system was approved under the district’s Written Information Security Program (WISP) at the time of use[;] [iv] Documentation showing the system’s security classification, risk assessment, and authorization for use with student education records[;] [v] Any data protection impact assessment, privacy review, or security review conducted prior to deployment or use[;] [16] Compliance Gap and Remediation Plan[;] [a] For the system(s) identified above, please provide records sufficient to show[;] [i] Whether the parties have determined that the system failed to meet FERPA and/or 201 CMR 17.00 requirements[;] [ii] The specific nature of any compliance gaps (e.g., access control failures, lack of encryption, improper permissions, unauthorized disclosure)[;] [iii] Immediate corrective actions taken (including correction of the student record and containment of any unauthorized disclosure) reference our 3/26/26 email to crest for these purposes public records: no response to-date[;] [b] A detailed remediation plan, including[;] [i] The plan to bring the system into compliance or discontinue its use[;] [ii] Measures to correct and validate all affected student records[;] [iii] Steps to notify affected parties, if applicable[;]

Nicole L. Kieser SPR26/1570 Page 4 April 28, 2026 [iv] Timelines and responsible officials for each corrective action[;] [17] Accountability and Oversight[;] [a] The name/title of the district employee responsible for data privacy compliance (e.g., Data Protection Officer or equivalent)[;] [b] Records of any internal review, disciplinary action, or escalation related to this issue[;] [c] Any notifications made or planned to oversight bodies, including the Massachusetts Attorney General or the U.S. Department of Education[.] Claiming to not yet have received responsive records, Ms. D’Ambrosio petitioned this office and this appeal, SPR26/1570, was opened as a result. Subsequently, I learned that the School provided Ms. D’Ambrosio with a response on April 24, 2026. Where this appeal was opened as a result of the School’s lack of a written response, I will now consider this administrative appeal closed. Ms. D’Ambrosio may appeal the substantive nature of the School’s response within ninety (90) days. See 950 C.M.R. 32.08(1). Sincerely, Manza Arthur Supervisor of Records cc: Patricia D’Ambrosio