STUDENT DATA PRIVACY AND SECURITY
The Smithfield School Committee and school district understand the importance of keeping student data private and secure, take their responsibility to protect student information seriously and adhere to all local policies and state and federal laws regarding student and staff data privacy. The rapid development and progress of new technology tools and applications, especially online and “cloud-based” services, introduce new challenges and concerns about the safety and security of student information. Managing student data privacy and security is an ongoing and dynamic process that will require regular review and revision. The goal of this policy is to ensure that student data is kept private and handled securely in accordance with the law, while at the same time allowing for the efficiency and value that technology tools can provide.
District Privacy Official
The Director of Technology shall serve as the person responsible for ensuring accountability for privacy laws and policies.
District Online Privacy and Safety Committee
The Director of Technology shall convene and chair a District Online Privacy and Safety Committee that shall serve in an advisory capacity to review requests for new applications and online services for student use, as well as provide oversight as to the District’s compliance with the Children’s Internet Protection Act (CIPA), the Family Educational Rights and Privacy Act (FERPA), Protection of Pupils’ Rights Amendment (PPRA) and the Children’s Online Privacy Protection Act (COPPA).
It is the intent of the District that any new applications and online services that teachers wish to use with students are reviewed to ensure that the application or service meets student privacy and security standards and complies with all applicable local, state and federal policies and laws. In addition, it is the intent of the District to review applications and online services used by students to guarantee that they are rigorous and of high quality. As such, the District Online Privacy and Safety Committee shall be granted the authority to recommend the approval of the use of educational applications, as requested electronically on the appropriate form by a member of the District's certified staff. The purchase and implementation of approved applications and services shall depend upon the availability of funding. Recommendations of the District Online Privacy and Safety Committee are subject to the approval of the Superintendent of Schools.
Contracts with Third Party Vendors
All contracts with third party vendors who have access to student information shall adhere to relevant state and federal law.
- The District shall obtain parental consent prior to allowing any third party vendors access to personally identifiable information as defined under the FERPA, through online educational services or web-based apps, with the exception of information that is excepted from the FERPA and/or when the personally identifiable information that can be accessed by third party vendors falls under one of the following exceptions:
  - Performs an institutional service or function for which the school or district would otherwise use its own employees;
  - Has been determined to meet the criteria set forth in the school’s or district’s annual notification of the FERPA rights for being a school official with a legitimate educational interest in the education records;
  - Is under the direct control of the school or district with regard to the use and maintenance of education records; and
  - Uses education records only for authorized purposes and may not re-disclose Personally Identifiable Information (PII) from education records to other parties (unless the provider has specific authorization from the school or district to do so and it is otherwise permitted by the FERPA).
- If the District determines that any vendor or third-party operator does not meet the FERPA requirements, the District shall notify the vendor and request that they make changes to ensure the FERPA compliance within a specified period of time. If the vendor or third-party operator does not make the necessary changes to ensure the FERPA compliance, the District shall transition to an alternative service or vendor to ensure compliance.
- The District shall ensure that all agreements with third party vendors who have access to personally identifiable information provide requesting parents or eligible students with access to all personally identifiable information and/or student records. The District shall ensure that its agreements with providers include provisions to allow for direct or indirect parental access and specify how they gain that access.
- The District shall ensure that all agreements with third party vendors shall include a provision prohibiting any student data, including directory information, from being utilized for commercial purposes pursuant to Rhode Island General Laws and the COPPA.
- The District shall ensure that its agreements with third party vendors are in compliance with the COPPA and that the operators of websites or online services directed to children obtain verifiable parental consent prior to the collection, use or disclosure of certain personal information from children under the age of thirteen.
- Pursuant to COPPA, the District shall act in lieu of parents in providing consent for students under the age of thirteen to use online educational services or websites under the following conditions and circumstances:
  - The District shall assess how the operator of the website or online service will collect, use and disclose student information, and they must confirm that the data will solely be used for the benefit of the District and its students and will not be used by the operator for any other commercial purpose.
  - The District shall assess the privacy policies and practices for each website and online service being considered for use in the classroom.
- The District shall ensure that all agreements with third party vendors include security and stewardship provisions making clear whether data collected belongs to the District or the Vendor.
- The District shall ensure that all agreements with third party vendors shall include collection provisions which specify the information that the vendor will collect (forms, logs, cookies, tracking, pixels, etc.).
- The District shall ensure that all agreements with third party vendors shall include data use, retention, disclosure and destruction provisions.
- The District shall ensure that all agreements with third party vendors shall prohibit ad serving and the possibility that a service provider will require ad serving to be turned on in the future.
- The District shall ensure that all agreements with third party vendors have modification, duration and termination provisions.
District Data Storage Responsibilities
- The District shall ensure that its storage of any personally identifiable information shall be in compliance with the FERPA, as detailed in the aforementioned “Contracts with Third Party Vendors” subsection.
- The District shall distribute an annual FERPA notice to parents using the “Model Notification” templates provided by the U.S. Department of Education. These notices shall include notification about student directory information, as well as notification of parents’ and eligible students’ rights under the FERPA. In addition, the District shall post these notices on the District website.
- The District shall not utilize any student information or data for commercial purposes pursuant to Rhode Island General Laws.
- As best practice, the District shall decide whether a particular site’s or service’s information practices are appropriate, rather than delegating that decision to individual teachers. The District shall use the process set forth by the District Privacy Official and District Online Privacy and Safety Committee to assess the COPPA compliance of online educational services and websites.
- The District shall ensure that it is in compliance with the COPPA and that the operators of websites or online services directed to children obtain verifiable parental consent prior to the collection, use or disclosure of certain personal information from children under the age of thirteen.
- The District reserves the right, without notice or consent, to monitor students’ internet use or access student internet usage logs when there is reason to believe that the student has engaged in school-related misconduct or if there are technical difficulties with the device.
- As required by the CIPA, the District shall educate students about appropriate online behavior, including interacting with other individuals on social networking and in chat rooms and cyberbullying awareness and response.
- The District shall regularly review and revise its internet and online safety procedures as part of the Acceptable Use Policy for Staff and Students.
- As best practice, the District shall use the process set forth by the District Privacy Official and District Online Privacy and Safety Committee to assess the CIPA compliance of educational websites. This process shall consider requests to both block and unblock sites from any member of the school community, including students and parents, so long as the request is submitted electronically on the appropriate form.
- The District shall comply with the PPRA, which governs the administration to students of a survey, analysis, or evaluation that concerns one or more of the following eight protected areas: political affiliations or beliefs of the student or the student’s parent; mental or psychological problems of the student or the student’s family; sex behavior or attitudes; illegal, anti-social, self-incriminating, or demeaning behavior; critical appraisals of other individuals with whom respondents have close family relationships; legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers; religious practices, affiliations, or beliefs of the student or student’s parent; or, income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).
- The District shall distribute annual PPRA notices to parents using the notification templates provided by the Federal Family Policy Compliance Office each September of the school year.
- The District shall be committed to communicating with parents about the technology tools and services being used in the classroom and their rights around student data privacy and access to their student’s educational records.
- The District shall utilize a variety of methods and tools to comply with the notification requirements of all applicable state and federal laws. The District shall also clearly list all student data privacy and security notifications and information on the District website. These notifications and all posted information shall be reviewed and updated regularly (as necessary).
- The task of protecting the privacy of student data and ensuring its security shall be the responsibility of each and every staff member.
- The District shall provide annual training to all staff members around the importance of student data privacy and a review of student data privacy and security policies and procedures.
Breach of Student Data
- A “breach” of student data shall be defined as “the unauthorized extraction of data or the manipulation of data.”
- The District shall outline and follow the steps for a formal investigation into the breach and a timeline for said investigation.
- The District shall immediately conduct auditing of its network in order to determine the scope of the breach.
- All external stakeholders, specifically parents and students, shall be notified in the event of a breach as suggested by the Department of Education.
- Training will be held for all School Department employees, and passwords and security measures shall be re-examined by the District Privacy Official and the District Online Privacy and Safety Committee.
District Issued Student Devices
- The District’s policy with respect to district issued student devices shall apply whether the student uses the device on or off school grounds and at any time.
- The District shall utilize technology protection measures to block or filter access to visual depictions that are obscene, pornographic and harmful to minors over the district’s network, applicable on or off school grounds, in accordance with the CIPA.
- Student users shall be responsible for their actions and activities on any District issued device or when utilizing the District network.
- Student users shall be responsible for keeping their passwords secure for any District issued devices, the District network and/or District email.
- Damage to or theft of any District issued device must be reported to the school administrator within twenty-four hours of said damage or theft.
- District issued devices shall not be utilized for the following:
  - Inappropriate material
  - Illegal activities
  - Violation of copyrights
  - Misuse of passwords/unauthorized access
  - Malicious use/vandalism
- The District shall assume no responsibility for financial charges associated with the device that are not specifically granted in advance, such as the purchase of new peripherals, software or applications or subscriptions to services, online or offline by the user.
- Prior to the issuance of any District issued device, this policy shall be given to parents, who will be required to sign off on said policy prior to device issuance.
Student Owned Devices
- Student owned devices may be used at school/class for educational purposes at the discretion of the teacher.
- The District shall utilize technology protection measures to block or filter access to visual depictions that are obscene, pornographic and harmful to minors over the district’s network in accordance with the CIPA.
- Student users shall be responsible for their actions and activities on their own devices when utilizing the District network.
- Students shall not utilize their own devices on the District network for the following:
  - Inappropriate material
  - Illegal activities
  - Violation of copyrights
  - Misuse of passwords/unauthorized access
  - Malicious use/vandalism
Device Management by the District
- As noted previously, the District will set policies and procedures to conform with all present laws including the COPPA, the FERPA and the CIPA regarding the use and management of student devices on the District networks. This may include Internet filtering, as required by law, of various materials based on age, grade level and appropriate context to student academic progress and materials.
- The District reserves the right, without notice or consent, to monitor the usage/activities of students utilizing the District network on their own devices when there is reason to believe that the student has engaged in school-related misconduct or if there are technical difficulties with the device.
Legal References & Glossary of Terms
FERPA: Family Educational Rights and Privacy Act
COPPA: The Children's Online Privacy Protection Act
Rhode Island Educational Records Bill of Rights Act (R.I.G.L. 16-71-1, et seq.)
APRA: Access to Public Records Act (R.I.G.L. 38-2-2)
PII: Personally Identifiable Information - information about a student or staff member that can with relative ease allow a third party to determine their identity.
ADOPTED: February 23, 2015
REVISED: May 6, 2019