Privacy and Protection of Confidential Student Information
The Board is committed to protecting the confidentiality of student information obtained, created and/or maintained by the district. Student privacy and the district's use of confidential student information are protected by federal and state law, including the Family Educational Rights and Privacy Act (FERPA) and the Student Data Transparency and Security Act (the Act). The Board directs district staff to manage its student data privacy, protection and security obligations in accordance with this policy and applicable law.
"Student education records" are those records that relate directly to a student. Student education records may contain, but are not necessarily limited to, the following information: identifying data; academic work completed; level of achievement (grades, standardized achievement test scores); attendance data; scores on standardized intelligence, aptitude and psychological tests; interest inventory results; health and medical information; family background information; teacher or counselor ratings and observations; discipline reports and any Individualized Education Program (IEP) or 504 Plan.
"Student personally identifiable information" or "student PII" means information that, alone or in combination, personally identifies an individual student or the student's parent or family, and that is collected, maintained, generated, or inferred by the district, either directly or through a school service, or by a school service contract provider or school service on-demand provider.
"Security breach" means the unauthorized disclosure of student education records or student PII by a third party.
“School Service” means an internet website, online service, online application, or mobile application that:
a) Is designed and marketed primarily for use in a preschool, elementary school, or secondary school;
b) Is used at the direction of teachers or other employees of a local education provider; and
c) Collects, maintains, or uses student personally identifiable information.
A school service does not include an internet website, online service, online application, or mobile application that is designed and marketed for use by individuals or entities generally, even if it is also marketed to a United States preschool, elementary school or secondary school.
“School service contract provider” or “contract provider” means an entity, other than a public education entity or an institution of higher education, which enters into a formal, negotiated contract with a public education entity to provide a school service.
“School service on-demand provider” or “on-demand provider” means an entity, other than a public education entity, that provides a school service on occasion to a public education entity, subject to agreement by the public education entity, or an employee of the public education entity, to standard, non-negotiable terms and conditions of service established by the providing entity.
Access, Collection and Sharing Within the District
District employees shall ensure that confidential information in student education records is disclosed within the district only to officials who have a legitimate educational interest, in accordance with applicable law and Board policy.
Outsourcing and Disclosure to Third Parties
District employees shall ensure that student education records are disclosed to persons and organizations outside the district only as authorized by applicable law and Board policy. The term "organizations outside the district" includes school service on-demand providers and school service contract providers.
Any contract between the district and a school service contract provider shall include the provisions required by the Act, including provisions that require the school service contract provider to safeguard the privacy and security of student PII.
The district shall post the following on its website:
- a list of the school service contract providers that it contracts with and a copy of each contract; and
- to the extent practicable, a list of the school service on-demand providers that the district uses.
Privacy and Security Standards
The security of student education records maintained by the district is a high priority. The district shall maintain an authentication and authorization process to track and periodically audit the security and safeguarding of student education records.
Security Breach or Other Unauthorized Disclosure
Employees who disclose student education records in a manner inconsistent with applicable law and Board policy may be subject to disciplinary action, up to and including termination from employment. Any discipline imposed shall be in accordance with applicable law and Board policy.
Employee concerns about a possible security breach shall be reported immediately to the building supervisor (i.e., principal). If the building supervisor is the person alleged to be responsible for the security breach, the staff member shall report the concern to the district Chief Operating Officer.
When the district determines that a school service contract provider has committed a material breach of its contract with the district, and that such material breach involves the misuse or unauthorized release of student PII, the district shall follow this policy's accompanying regulation in addressing the material breach.
Nothing in this policy or its accompanying regulation shall prohibit or restrict the district from terminating its contract with the school service contract provider, as deemed appropriate by the district and in accordance with the contract and the Act.
Data Retention and Destruction
The district shall retain and destroy student education records in accordance with applicable law and Board policy.
The district shall provide periodic in-service trainings to appropriate district employees to inform them of their obligations under applicable law and Board policy concerning the confidentiality of student education records.
In accordance with this policy's accompanying regulation, a parent/guardian of a district student may file a written complaint with the district if the parent/guardian believes the district has failed to comply with the Act.
Parent/Guardian Requests to Amend Student Education Records
Parent/guardian requests to amend his or her child's education records shall be in accordance with the district's procedures governing access to and amendment of student education records under FERPA, applicable state law and Board policy.
Oversight, Audits and Review
The Chief Operating Officer shall be responsible for ensuring compliance with this policy and its required privacy and security standards.
The district's practices with respect to student data privacy and the implementation of this policy shall be periodically audited by the Chief Operating Officer or designee.
A privacy and security audit shall be performed by the district on an annual basis. Such audit shall include a review of existing user access to and the security of student education records and student PII.
The Chief Operating Officer or designee shall annually review this policy and accompanying regulation to ensure it remains current and adequate to protect the confidentiality of student education records in light of advances in data technology and dissemination. The Chief Operating Officer shall recommend revisions to this policy and/or accompanying regulation as deemed appropriate or necessary.
Compliance with Governing Law and Board Policy
The district shall comply with FERPA and its regulations, the Act, and other state and federal laws governing the confidentiality of student education records. The district shall be entitled to take all actions and exercise all options authorized under the law.
In the event this policy or accompanying regulation does not address a provision in applicable state or federal law, or is inconsistent with or in conflict with applicable state or federal law, the provisions of applicable state or federal law shall control.