JRAA

STUDENT DATA PRIVACY AND SECURITY POLICY

Introduction

The Smithfield Public Schools (“The District”) understands the importance of keeping student data private and secure, and takes its responsibility to protect student information seriously. The District adheres to all local policies and state and federal laws regarding student and staff data privacy. The District also understands that the rapid development and progress of new technology tools and applications, especially online and “cloud-based” services, introduce new challenges and concerns about the safety and security of student information. Managing student data privacy and security is an ongoing and dynamic process that will require regular review and revision. The goal of this policy is to ensure that student data is kept private and handled securely in accordance with the law, while at the same time allowing for the efficiency and value that technology tools can provide.

District Privacy Official

The Superintendent shall designate a district administrator as the person responsible for ensuring accountability for privacy laws and policies. This “District Privacy Official” will need to work closely with the District’s legal counsel, as well as other administrators that have expertise in very specific areas (e.g. special education, human resources, technology).

District Online Privacy and Safety Committee

The District Privacy Official shall convene and chair a District Online Privacy and Safety Committee that shall serve in an advisory capacity to review requests for new applications and online services for student use, as well as provide oversight as to the District’s compliance with the Children’s Internet Protection Act (CIPA), the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA) and the Children’s Online Privacy Protection Act (COPPA).

It is the intent of the District that any new applications and online services that teachers wish to use with students be reviewed to ensure that the application or service meets student privacy and security standards and is in compliance with all applicable local, state and federal policies and laws. In addition, it is the intent of the District to review applications and online services used by students to guarantee that they are rigorous and of high quality. As such, the District Online Privacy and Safety Committee shall be granted the authority to recommend the approval of the use of educational applications, as requested electronically on the appropriate form by a member of the District's certified staff. The purchase and implementation of approved applications and services shall depend upon the availability of funding.

The District must comply with all state and federal student privacy laws.

Recommendations of the District Online Privacy and Safety Committee are subject to the approval of the Superintendent of Schools.

Contracts with Third Party Vendors

All contracts with third party vendors who have access to student information shall adhere to relevant state and federal law.

  1. The District shall obtain parental consent prior to allowing any third party vendors access to personally identifiable information as defined under FERPA, through online educational services or web-based apps, with the exception of information that is excepted from FERPA.
  2. The exception to subsection one (1) shall be when the personally identifiable information that can be accessed by third party vendors falls under one of the following exceptions:
    • Performs an institutional service or function for which the school or district would otherwise use its own employees;
    • Has been determined to meet the criteria set forth in the school’s or district’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records;
    • Is under the direct control of the school or district with regard to the use and maintenance of education records; and
    • Uses education records only for authorized purposes and may not re-disclose PII from education records to other parties (unless the provider has specific authorization from the school or district to do so and it is otherwise permitted by FERPA).
  3. If the District determines that any vendor or third-party operator does not meet FERPA requirements, the District shall notify the vendor and request that they make changes to ensure FERPA compliance within a specified period of time. If the vendor or third-party operator does not make the necessary changes to ensure FERPA compliance, the District shall transition to an alternative service or vendor to ensure compliance.
  4. The District shall ensure that all agreements with third party vendors who have access to personally identifiable information provide requesting parents or eligible students with access to all personally identifiable information and/or student records. The District shall ensure that its agreements with providers include provisions to allow for direct or indirect parental access and specify how they gain that access.
  5. The District shall post a list of online applications and services that it utilizes on the District website. Included as part of this information will be a list of any student data shared with each vendor or third-party operator, as well as links to the vendors’ Terms of Service and/or Privacy Policy.
  6. The District shall ensure that all agreements with third party vendors shall include a provision prohibiting any student data, including directory information, from being utilized for commercial purposes pursuant to Rhode Island General Laws and COPPA.
  7. The District shall ensure that its agreements with third party vendors are in compliance with COPPA and that the operators of websites or online services directed to children obtain verifiable parental consent prior to the collection, use or disclosure of certain personal information from children under the age of thirteen.
  8. Pursuant to COPPA, the District shall act in lieu of parents in providing consent for students under the age of thirteen to use online educational services or websites under the following circumstances:
    • The District shall assess how the operator of the website or online service will collect, use and disclose student information, and they must confirm that the data will solely be used for the benefit of the District and its students and will not be used by the operator for any other commercial purpose.
    • The District shall assess the privacy policies and practices for each website and online service being considered for use in the classroom.
  9. The District shall ensure that all agreements with third party vendors include Security and Stewardship Provisions making clear whether data collected belongs to the District or the Vendor.
  10. The District shall ensure that all agreements with third party vendors shall include Collection Provisions which specify the specific information that the vendor will collect (forms, logs, cookies, tracking, pixels, etc.).
  11. The District shall ensure that all agreements with third party vendors shall include data use, retention, disclosure and destruction provisions.
  12. The District shall ensure that all agreements with third party vendors shall prohibit ad serving and the possibility that a service provider will require ad serving to be turned on in the future.
  13. The District shall ensure that all agreements with third party vendors have modification, duration and termination provisions.

District Data Storage Responsibilities

  1. The District shall ensure that its storage of any personally identifiable information shall be in compliance with FERPA, as detailed in the aforementioned “Contracts with Third Party Vendors” subsection.
  2. The District shall distribute an annual FERPA notice to parents using the “Model Notification” templates provided by the U.S. Department of Education. These notices shall include notification about student directory information, as well as notification of parents’ and eligible students’ rights under FERPA. In addition, the District shall post these notices on the District website.
  3. The District shall not utilize any student information or data for commercial purposes pursuant to Rhode Island General Laws.
  4. As best practice, the District shall decide whether a particular site’s or service’s information practices are appropriate, rather than delegating that decision to individual teachers. The District shall use the process set forth by the District Privacy Official and District Online Privacy and Safety Committee to assess COPPA compliance of online educational services and websites.
  5. The District shall ensure that it’s in compliance with COPPA and that the operators of websites or online services directed to children obtain verifiable parental consent prior to the collection, use or disclosure of certain personal information from children under the age of thirteen.
  6. In accordance with CIPA, the District shall be responsible for monitoring the online activities of minors by utilizing technology tools and services for students connected to the District’s network and for students using District owned or assigned devices while away from the District’s networks.
  7. The District reserves the right, without notice or consent, to monitor students’ internet use or access student internet usage logs when there is reason to believe that the student has engaged in school-related misconduct or if there are technical difficulties with the device.
  8. As required by CIPA, the District shall educate students about appropriate online behavior, including interacting with other individuals on social networking and in chat rooms and cyberbullying awareness and response.
  9. The District shall regularly review and revise its internet and online safety procedures as part of the Acceptable Use Policy for Staff and Students.
  10. As best practice, the District shall use the process set forth by the District Privacy Official and District Online Privacy and Safety Committee to assess CIPA compliance of educational websites. This process shall consider requests to both block and unblock sites from any member of the school community, including students and parents, so long as the request is submitted electronically on the appropriate form.
  11. The District shall comply with the Protection of Pupil Rights Amendment (PPRA), which governs the administration to students of a survey, analysis, or evaluation that concerns one or more of the following eight protected areas: political affiliations or beliefs of the student or the student’s parent; mental or psychological problems of the student or the student’s family; sex behavior or attitudes; illegal, anti-social, self-incriminating, or demeaning behavior; critical appraisals of other individuals with whom respondents have close family relationships; legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers; religious practices, affiliations, or beliefs of the student or student’s parent; or, income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).
  12. The District shall distribute annual PPRA notices to parents using the notification templates provided by the federal Family Policy Compliance Office.
  13. The District shall be committed to communicating with parents about the technology tools and services being used in the classroom and their rights around student data privacy and access to their student’s educational records.
  14. The District shall utilize a variety of methods and tools to comply with the notification requirements of all applicable state and federal laws. The District shall also clearly list all student data privacy and security notifications and information on the District website. These notifications and all posted information shall be reviewed and updated regularly (as necessary).
  15. The task of protecting the privacy of student data and ensuring its security shall be the responsibility of each and every staff member.
  16. The District shall provide annual training to all staff members around the importance of student data privacy and a review of student data privacy and security policies and procedures.

Breach of Student Data

  1. A “breach” of student data shall be defined as “the unauthorized extraction of data or the manipulation of data.”
  2. The District shall outline and follow the steps for a formal investigation into the breach and a timeline for said investigation.
  3. The District shall immediately conduct auditing of its network in order to determine the scope of the breach.
  4. All external stakeholders, specifically parents and students, shall be notified in the event of a breach as suggested by the Department of Education.
  5. Training will be held for all School Department employees, and passwords and security measures shall be re-examined by the District Privacy Official and the District Online Privacy and Safety Committee.

District Issued Student Devices

  1. The District’s policy with respect to district issued student devices shall apply whether the student uses the device on or off school grounds and at any time.
  2. The District shall utilize technology protection measures to block or filter access to visual depictions that are obscene, pornographic and harmful to minors over the district’s network, applicable on or off school grounds, in accordance with CIPA.
  3. Student users shall be responsible for their actions and activities on any District issued device or when utilizing the District network.
  4. Student users shall be responsible for keeping their passwords secure for any District issued devices, the District network and/or District email.
  5. Damage to or theft of any District issued device must be reported to the school administrator within twenty-four hours of said damage or theft.
  6. District issued devices shall not be utilized for the following:
    • Inappropriate material
    • Illegal activities
    • Violation of copyrights
    • Misuse of passwords/unauthorized access
    • Malicious use/vandalism
  7. The District shall assume no responsibility for financial charges associated with the device that are not specifically granted in advance.
  8. Prior to the issuance of any District issued device, this policy shall be given to parents, who will be required to sign off on said policy prior to device issuance.
  9. The District reserves the right, without notice or consent, to monitor the usage/activities of students utilizing District issued devices when there is reason to believe that the student has engaged in school-related misconduct or if there are technical difficulties with the device.

Student Owned Devices

  1. Student owned devices may be used at school/class for educational purposes at the discretion of the teacher.
  2. The District shall utilize technology protection measures to block or filter access to visual depictions that are obscene, pornographic and harmful to minors over the district’s network in accordance with CIPA.
  3. Student users shall be responsible for their actions and activities on their own devices when utilizing the District network.
  4. Students shall not utilize their own devices on the District network for the following:
    • Inappropriate material
    • Illegal activities
    • Violation of copyrights
    • Misuse of passwords/unauthorized access
    • Malicious use/vandalism
  5. The District reserves the right, without notice or consent, to monitor the usage/activities of students utilizing the District network on their own devices when there is reason to believe that the student has engaged in school-related misconduct or if there are technical difficulties with the device.

Social Media

  1. Social media may be used by students for educational purposes at the discretion of the district. Student use of social media must comply with all state and federal student privacy laws.
  2. Pursuant to Rhode Island General Laws, the District shall not require, coerce or request a student or prospective student to disclose the password or any other means for accessing a social media account, or require, coerce or request that they access said account in the presence of a District employee or representative.
  3. Pursuant to Rhode Island General Laws, the District shall not require or coerce a student or prospective student to divulge any personal social media account information.
  4. Pursuant to Rhode Island General Laws, the District shall not compel a student or applicant, as a condition of acceptance or participation in curricular or extra-curricular activities, to add anyone, including a coach, teacher, school administrator, or other school employee or school volunteer to his/her list of contacts associated with a personal social media account or require, request or cause a student applicant to alter settings that affect a third party’s ability to view the contents of a social media account.
  5. Pursuant to Rhode Island General Laws, the District shall not discharge, discipline, or otherwise penalize a student for his or her refusal to provide access to add a coach, teacher, administrator or other volunteer to his/her list of contacts associated with a personal social media account or to alter the settings on his or her social media account.


ADOPTED: February 23, 2015