6010-Data Governance Policy

   Policy Number: 6010

Date: May 16th, 2023

 

Data Governance Policy



Purpose

American Leadership Academy takes its moral and legal responsibility to protect student privacy and ensure data security seriously.  This policy is adopted to comply with requirements found in Utah Code Title 53E, Chapter 9, Student Privacy and Data Protection.  This policy is an organizational approach to data and information management and applies to all employees.  This policy aims to accomplish the following requirements:

1. Incorporate reasonable data-industry best practices to maintain and protect student data and other education-related data;

2. Provide for necessary technical assistance, training, support, and auditing;

3. Describe the process for sharing student data between an education entity and another person; and

4. Describe the process for an adult student or parent to request that data be expunged.


Definitions

“Access” means to directly or indirectly use, attempt to use, instruct, communicate with, cause input to, cause output from, or otherwise make use of any resources of a computer, computer system, or computer network, or any means of communication with any of them.

“Audit” means a periodic, independent review of the accuracy of data and content; data covered by this policy is subject to such review.

“Authorization” means the express or implied consent or permission of the owner, or of the person authorized by the owner to give consent or permission to access a computer, computer system, or computer network in a manner not exceeding the consent or permission.

“Computer system” means a set of related, connected or unconnected, devices, software, or other related computer equipment.

“Computer network” means the interconnection, whether by communication or telecommunication lines or by wireless technology, between computers, or between computers and remote terminals.

“Computer property” means electronic impulses, electronically produced data, information, financial instruments, software, or programs, in either machine or human readable form, or any other tangible or intangible item relating to a computer, computer system, computer network, and copies of any of them.

“Confidential,” when applied to data, text, or computer property, means protected by a security system that clearly evidences that the owner or custodian intends that it not be available to others without the owner's or custodian's permission.

“Data breach” means an unauthorized release of or unauthorized access to personally identifiable student data that is maintained by the school.

“Encrypted” means altered or converted into a cipher or code to conceal data in a way that requires a secret key or password to be decrypted, or converted back to an original readable format.

“Personally identifiable information (PII)” means data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.

“Security system” means a computer, computer system, network, or computer property that has some form of access control technology implemented, such as encryption, password protection, other forced authentication, or access control designed to keep out unauthorized persons.


Information Technology Systems Security Plan

Data loss can be caused by human error, hardware malfunction, natural disaster, security breach, or other means and is not always preventable. The school strives to maintain network security, including security for all personally identifiable information, whether stored on paper or digitally on school maintained computers and networks. This IT Security Plan provides procedures to mitigate threats that may cause harm to the school, its students, or its employees.

IT Security Officer

The Coordinator of Technical Services is hereby appointed the school IT Security Officer (ISO). The ISO oversees the school's IT security, contributes to the development of data protection policies, and monitors adherence to the standards and procedures set forth in this IT Security Plan.

Computer Security

1. Employees must not leave computers unattended and unlocked, especially when logged into systems or programs that may display student or employee PII. Employees should use automatic log-off, screen locks, and password-protected screen savers to ensure compliance with this requirement.

2. Employees shall ensure that all equipment that contains sensitive information is secured to deter theft.

Server/Network Room Security

1. The ISO shall ensure that server and telecommunications rooms are protected by appropriate access controls that segregate and restrict access from general school office areas. Access control shall be enforced using either keys, electronic card readers, or similar methods. Only those employees who need it to perform their job functions may be granted access.

2. Telecommunications rooms may only remain unlocked or unsecured if the building design makes it impossible to do otherwise or environmental factors require the door to be opened.

Contractor Access

Before any contractor is allowed access to any computer system, server room, or telecommunications room, the contractor must present a company-issued identification card, and his/her access must be confirmed directly by the authorized employee who issued the service request or by the ISO or his/her designee.

Wireless Networks

1. No wireless access point shall be installed on the school’s computer network that does not conform to current network standards as defined by the ISO.

2. All wireless networks shall conform to current best practices and shall use, at minimum, WPA2 encryption (WPA3 where the equipment supports it); the original WPA/TKIP protocol is deprecated and shall not be used. Open networks are not permitted, except on a temporary basis for events when deemed necessary, and such networks shall be isolated from the internal network.

Remote Access

The IT Department shall ensure that any remote access with connectivity to the school's internal network is achieved using the school's centralized VPN service, which shall be protected by multi-factor authentication. Any exception to this practice must be due to a service provider's technical requirements and must be approved by the ISO.

Authentication

The IT Department shall provide strong password management for employees, students, and contractors.

Password Protection

1. Employees should not share their passwords with anyone. Where IT staff need to act on an employee's account to resolve an access or other IT concern, they should prefer an administrative password reset over asking for the password; if a password is disclosed to IT staff, the employee shall change it as soon as the issue is resolved. All passwords are to be treated as sensitive, confidential information.

2. Passwords may not be disclosed on questionnaires or security forms.

3. Except when IT staff are providing temporary or initial passwords, employees should not disclose hints that may reveal a password (for example, "my family name").

4. Any user suspecting that his/her password may have been compromised shall change the password immediately and notify the ISO. If data appears to have been lost or stolen, the user shall notify the ISO.

Authorization

1. The IT Department shall ensure that user access is limited to those specific access requirements necessary to perform the user's job. Where possible, the school shall segregate duties so that no single user can both authorize and carry out a sensitive action.

2. The IT Department shall ensure that a user’s access is granted or terminated promptly upon receipt, and ISO approval, of a documented access request/termination.

Accounting

The IT Department shall ensure that audit logs are retained for at least ninety days, and protected from modification, for all critical security-related events, such as invalid logon attempts, changes to the security configuration, and failed attempts to access objects by unauthorized users.
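As an added illustration of the accounting requirement above (example code written for this page, not part of the policy or any school system), the script below reads a log export, classifies lines into the three critical event classes the policy names, and checks that the retained window spans at least ninety days. The log format, the regular expressions, the host names and the sample lines are all constructed assumptions; a real deployment would adapt the patterns to its authentication and database audit sources.

```python
"""Check a log export against the accounting requirement: critical security
events are captured and the retained window spans at least ninety days.
Added example; the syslog-like format and every sample line are constructed."""
from datetime import datetime, timedelta
import re

RETENTION_DAYS = 90

# Constructed sample export (hypothetical hosts, users and addresses).
SAMPLE_LOG = """\
2023-01-10T08:01:12 host1 auth: Failed password for jsmith from 10.0.4.21
2023-01-10T08:01:20 host1 auth: Accepted password for jsmith from 10.0.4.21
2023-02-14T13:22:05 sis-db audit: DENIED user=tteacher object=student_ssn_view reason=not_authorized
2023-03-02T17:45:09 host1 sudo: admin changed security setting PasswordPolicy.MinLength 8 -> 14
2023-04-12T09:00:00 host1 auth: Failed password for invalid user root from 203.0.113.9
2023-04-12T09:00:03 host1 auth: Failed password for invalid user root from 203.0.113.9
"""

# Message formats are assumed for this example; map them to the real sources.
PATTERNS = {
    "invalid_logon": re.compile(r"Failed password for (?:invalid user )?(\S+)"),
    "security_config_change": re.compile(r"changed security setting (\S+)"),
    "unauthorized_object_access": re.compile(r"DENIED user=(\S+) object=(\S+)"),
}


def parse_line(line):
    """Return a classified event dict, or None for lines that are not critical."""
    ts_str, rest = line.split(" ", 1)
    ts = datetime.fromisoformat(ts_str)
    for kind, pat in PATTERNS.items():
        m = pat.search(rest)
        if m:
            return {"ts": ts, "kind": kind, "subject": m.group(1), "raw": line}
    return None


def critical_events(log_text):
    """All critical events in the export, in file order."""
    return [e for e in (parse_line(l) for l in log_text.splitlines() if l.strip()) if e]


def summarize(log_text):
    """Count of critical events per class; a zero count for a class the
    system should be producing is itself a finding (the source is not wired in)."""
    counts = {}
    for e in critical_events(log_text):
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    return counts


def retention_covers(log_text, now, days=RETENTION_DAYS):
    """True if the oldest retained critical event is at least `days` before `now`.
    A system younger than `days` will report False and must be judged by its
    configured retention setting instead of by this snapshot check."""
    events = critical_events(log_text)
    if not events:
        return False
    oldest = min(e["ts"] for e in events)
    return now - oldest >= timedelta(days=days)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("90-day window covered:", retention_covers(SAMPLE_LOG, datetime(2023, 5, 16)))
```

The check is deliberately snapshot-based: it proves only that events at least ninety days old are still present, not that nothing was deleted in between, so it complements, rather than replaces, review of the logging system's retention and integrity settings.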

Access Controls

The school shall limit IT privileges (operating system, database, and applications) to the minimum number of staff required to perform these sensitive duties.

Data Breach

Monitoring and responding to a data breach will be designed to provide early notification of events and rapid response and recovery from internal or external network or system attacks.

Malicious Software

The IT department shall install and maintain anti-malware (anti-virus and anti-spyware) software on all school-owned equipment and shall keep its detection definitions current.

Internet Content Filtering

1. In accordance with federal and state law, the IT department shall filter internet traffic for content defined in law that is deemed harmful to minors.

2. The school acknowledges that technology-based filters are not always effective at eliminating harmful content. The school will use a combination of technological and supervisory means to protect students from harmful online content.

3. If students take devices home, the IT department will provide technology-based filtering for those devices. However, the school will rely on parents to provide the supervision necessary to fully protect students from accessing harmful online content.


Student Data Disclosure

Consistent with Utah law the Executive Director will designate an individual to act as the student data manager.  The Data Manager Roles and Responsibilities include:

1. Authorize and manage the sharing, outside of the student data manager’s education entity, of personally identifiable student data for the education entity as described in this policy;

2. Provide necessary technical assistance, training, and support;

3. Act as the primary local point of contact for the state student data officer;

4. Ensure that the following notices are available to parents:

a. Annual FERPA notice (see 34 CFR 99.7),

b. Directory information (see 34 CFR 99.37),

c. Data collection notice (see Utah Code Section 53E-9-305).

There is a risk of re-disclosure whenever student data are shared.  ALA shall follow appropriate controls to mitigate the risk of re-disclosure and to ensure compliance with federal and state law. 

1. The data manager shall approve all data sharing or designate other individuals who have been trained on compliance requirements with FERPA.

2. For external research, the data manager shall ensure that the study follows the requirements of FERPA’s study exception described in 34 CFR 99.31(a)(6).

3. After sharing from student records, the data manager shall ensure that an entry is made in the LEA Metadata Dictionary to record that the exchange happened.

4. After sharing from student records, the data manager shall make a note in the student record of the exchange in accordance with 34 CFR 99.32.

This policy describes the process for sharing student data between the school and another person.

Access by Parents

1. Parents generally have a right to inspect and review the education records of their children. Access to the education records of a student who is or has been in attendance at ALA shall be granted to the parent of the student who is a minor or who is a dependent for tax purposes.

2. The school shall presume that each parent, regardless of custody designation, has authority to inspect and review their student's records unless the school has been provided a copy of a court order, state statute, or other legally binding document that specifically revokes these rights.

3. A parent’s right to inspect and review his or her student’s education record includes the right to access attendance records, test scores, grades, psychological records, applications for admission to other schools/colleges, and health or immunization information.

4. If material in the education record of a student includes information on another student, only the portion of the material relating to the student whose records were requested may be inspected and reviewed.

Access by Students

1. Notwithstanding the rights afforded to parents, students at ALA may also inspect and review their own education record in accordance with procedures set forth by the school that maintains the records.

2. When a student reaches eighteen years of age or is attending an institution of post-secondary education, the rights accorded to, and consent required of, parents transfer from the parents to the student.

Access by School Officials

1. School officials who have a legitimate educational interest in a student’s education record may access the record without parental consent.

2. School officials have a legitimate educational interest in a student’s records when they are working with the student, considering disciplinary or academic actions, reviewing an individualized education program (IEP) for a student with disabilities, compiling statistical data, or investigating or evaluating programs that may involve the student.

Access by Other Persons

Personally identifiable information in education records shall not be released, except to the following:

1. Individuals for whom the parent has given written consent.

2. School officials, including teachers, who have legitimate educational interests.

3. Officials of other schools, or institutions of postsecondary education in which the student seeks to enroll, or where the student is already enrolled so long as the disclosure is for purposes related to the student’s enrollment or transfer.

4. Personnel involved with the student’s application for, or receipt of, financial aid.

5. Individuals authorized by a judicial order or lawfully issued subpoena.

6. Appropriate persons who, in an emergency, must have such information in order to protect the health or safety of the student or other person.

7. Persons or organizations authorized by the school’s administration to obtain directory information.

8. An agency caseworker or other representative of a state or local child welfare agency who provides documentation showing the right of that caseworker or representative to access the particular student’s case plan.

The parent shall provide a signed and dated written consent before the school discloses personally identifiable information from a student’s education records to any individual, agency, or organization other than the parent, the student, or those listed above.  Such consent shall specify records to be released, the reason for such release, and to whom the records are to be released. 

Employees may not share student PII during presentations, webinars, or trainings.  If an employee needs to demonstrate child/staff level data, demo records should be used rather than actual student PII.

Employees must redact all student PII from any document that is shared with a general audience.

Employees must take steps to avoid disclosure of student PII in reports.


Training & Technical Assistance

ALA recognizes that training and supporting educators and staff regarding federal and state data privacy laws is a necessary control to ensure legal compliance.

Procedure: 

1. The data manager will ensure that all employees with access to student records receive annual training on the confidentiality of student data. The content of this training will be based on the Data Sharing Policy.

2. By October 1 each year, the data manager will report to USBE the completion status of the annual confidentiality training and provide a copy of the training materials used.

3. The data manager shall keep a list of all employees who are authorized to access student education records after having completed a training that meets the requirements of Utah Code Section 53E-9-204.

4. All employees and independent contractors must sign the Confidentiality and Non-disclosure Agreement, which describes the permissible uses of school technology and information.


Expungement Request

ALA recognizes the risk associated with data following a student year after year that could be used to mistreat the student. ALA shall review all requests for records expungement from parents and make a determination based on the following procedure.

Procedure: The following records may not be expunged: grades, transcripts, a record of the student’s enrollment, assessment information.

The procedure for expungement shall match the record amendment procedure found in 34 CFR 99, Subpart C of FERPA.

1. If a parent believes that a record is misleading, inaccurate, or in violation of the student’s privacy, they may request that the record be expunged.

2. ALA shall decide whether to expunge the data within a reasonable time after the request.

3. If ALA decides not to expunge the record, it will inform the parent of its decision as well as the right to an appeal hearing.

4. ALA shall hold the hearing within a reasonable time after receiving the request for a hearing.

5. ALA shall provide the parent notice of the date, time, and place in advance of the hearing.

6. The hearing shall be conducted by any individual that does not have a direct interest in the outcome of the hearing.

7. ALA shall give the parent a full and fair opportunity to present relevant evidence. At the parents’ expense and choice, they may be represented by an individual of their choice, including an attorney.

8. ALA shall make its decision in writing within a reasonable time following the hearing.

9. The decision must be based exclusively on evidence presented at the hearing and include a summary of the evidence and reasons for the decision.

10. If the decision is to expunge the record, ALA will seal it or make it otherwise unavailable to other staff and educators.


Data Breach Response

The LEA shall follow industry best practices to protect information and data. In the event of a data breach or inadvertent disclosure of personally identifiable information, the LEA staff shall follow industry best practices for responding to the breach.

Procedure:

1. The Executive Director will work with the information security officer to designate individuals to be members of the cyber incident response team (CIRT).

2. At the beginning of an investigation, the information security officer will begin tracking the incident and log all information and evidence related to the investigation, preserving relevant logs and system state before any remediation that could destroy them.

3. The information security officer will call the CIRT into action once there is reasonable evidence that an incident or breach has occurred.

4. The information security officer will coordinate with other IT staff to contain the breach, determine its root cause, and close the weakness that allowed it.

5. The CIRT will coordinate with legal counsel to determine if the incident meets the legal definition of a significant breach as defined in Utah Admin Code R277-487 and determine which entities and individuals need to be notified.

6. If law enforcement is notified and begins an investigation, the CIRT will consult with them before notifying parents or the public so as to not interfere with the law enforcement investigation.


References

Utah Admin Code R277-487

Utah Code Section 53E-9-203

Utah Code Section 53E-9-204

Utah Code Section 53E-9-305

Utah Code Section 53E-9-309(2)