The U.S. Department of Education (USED) sent a letter to Superintendent Jennifer McCormick this month outlining problems with the Indiana Department of Education’s security around student data.

The state receives grant money from USED for implementing security systems, which opened the state up to an audit.

According to the USED letter, the audit’s “objective was to determine whether IDOE has internal controls in place to prevent, detect, report, and respond to unauthorized access and disclosure of personally identifiable information” in the state’s data system.

To be clear, the audit didn’t find a breach, and all student data stored by the state is safe.

The audit found the state wasn’t documenting its security procedures to satisfy the federal requirements and state law in place during the time of the audit, from April 2016 to February 2017. The feds found the state wasn’t reporting its systems and practices the way that old state law required – the law was changed this last session.

The student data stored in these systems include test scores and course completions for students across the state.

John Keller is the chief technology officer for the IDOE, and he says this letter opened his eyes to where the department can improve.

“There has always been the highest retention and regard to the safety of student level data from the Department,” Keller says. ”

These findings are only going to help us get better and be even more vigilant around those things.”

Going forward, Keller says the IDOE’s security system around student data will switch from being a separate system managed within the IDOE, to being managed by the same group that secures all state agency data. Keller is also working to compile all relevant materials around student data to create an internal procedure for dealing with these databases.