The efficient collection, analysis, and storage of student information is essential to improve the education of our students. As the use of student data has increased and technology has advanced, the need to exercise care in the handling of confidential student information has intensified. The privacy of students and the use of confidential student information is protected by federal and state laws, including the Family Educational Rights and Privacy Act (FERPA) and the Idaho Student Data Accessibility, Transparency and Accountability Act of 2014 (Idaho Data Accountability Act, Idaho Code §33-133).
Student information is compiled and used to evaluate and improve Idaho’s educational system and improve transitions from high school to postsecondary education or the workforce. The Data Management Council (DMC) was established by the Idaho State Board of Education to make recommendations on the proper collection, protection, storage and use of confidential student information stored within the Statewide Longitudinal Data System (SLDS). The DMC includes representatives from K-12, higher education institutions and the Department of Labor.
This policy is required by the Idaho Data Accountability Act. In order to ensure the proper protection of confidential student information, this district is required to adopt, implement and electronically post this policy. It is intended to provide guidance regarding the collection, access, security and use of education data to protect student privacy. This policy is consistent with the DMC’s policies regarding the access, security and use of data maintained within the SLDS. Violation of the Idaho Data Accountability Act may result in civil penalties as set forth in Idaho Code §33-133
Administrative Security consists of policies, procedures, and personnel controls including security policies, training, and audits, technical training, supervision, separation of duties, rotation of duties, recruiting and termination procedures, user access control, background checks, performance evaluations, and disaster recovery, contingency, and emergency plans. These measures ensure that authorized users know and understand how to properly use the system in order to maintain security of data.
Aggregate Data is collected or reported at a group, cohort or institutional level and does not contain PII.
Children are individuals under the age of 13.
Data Breach is the unauthorized acquisition of personally identifiable information (PII) as defined herein.
Directory Information includes but is not limited to: the student’s name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors and awards received; and the most recent educational agency or institution attended. IDLA may disclose directory information if parents do not opt out via writing within 2 weeks of class enrollment. Opting out can be done by emailing email@example.com
Logical Security consists of software safeguards for an organization’s systems, including user identification and password access, authenticating, access rights and authority levels. These measures ensure that only authorized users are able to perform actions or access information in a network or a workstation.
Personally Identifiable Information (PII) includes a student’s name; the name of a student’s family; the student’s address; the students’ social security number; a student education unique identification number or biometric record; or other indirect identifiers such as a student’s date of birth, place of birth or mother’s maiden name; and other information that alone or in combination is linked or linkable to a specific student that would allow a reasonable person in the school community who does not have personal knowledge of the relevant circumstances, to identify the student.
Physical Security describes security measures designed to deny unauthorized access to facilities or equipment.
School Officials can include a teacher, school principal, president, chancellor, board member, trustee, registrar, counselor, admissions officer, attorney, accountant, human resources professional, information systems specialist, support or clerical personnel, contractors, consultants, volunteers, or other third party providers that have a legitimate educational interest in a student.
Student Data means data collected at the student level and included in a student’s educational records.
Student Educational Record means all information directly related to a student and recorded and kept in the data system, as that term is defined in this policy, and may include information considered to be personally identifiable. A student educational record shall not include: (1) juvenile delinquency records and criminal records unless required by law; (2) student social security number; (3) student biometric information; (4) gun ownership records; (5) sexual orientation or ; (6) religious affiliation.
Student education unique identification number means the unique student identifier assigned by the state to each student that shall not be or include the social security number of a student in whole or in part.
Unauthorized Data Disclosure is the intentional or unintentional release of PII to an unauthorized person or untrusted environment.
IDLA shall follow applicable state and federal laws related to student privacy in the collection of student data.
Unless prohibited by law or court order, IDLA shall provide parents, legal guardians, or eligible students, as applicable, the ability to review their student’s educational records.
The cybersecurity designee is responsible for granting, removing, and reviewing user access to student data. An annual review of existing access should be performed
Access to PII maintained by IDLA shall be restricted to: (1) the authorized staff of the school district who require access to perform their assigned duties; (2) authorized employees of the State Board of Education (SBE) and the State Department of Education (SDE) who require access to perform their assigned duties; (3) vendors of the SBE, SDE or IDLA who require access to perform their assigned duties; (4) students and/or their parents or legal guardians; (5) the authorized staff of other state agencies in Idaho as required by law and/or defined by interagency data-sharing agreements.
IDLA shall have in place Administrative Security, Physical Security, and Logical Security controls to protect from a Data Breach or Unauthorized Data Disclosure.
IDLA shall immediately notify the Executive Director of the Idaho State Board of Education and the State Superintendent of Public Instruction in the case of a confirmed Data Breach or confirmed Unauthorized Data Disclosure.
IDLA shall notify in a timely manner affected individuals, students, and families if there is a confirmed Data Breach or confirmed Unauthorized Data Disclosure.
Publicly released reports shall not include PII and shall use Aggregate Data in such a manner that re-identification of individual students is not possible.
IDLA contracts with outside school officials involving student data, which govern databases, online services, assessments, special education or instructional supports. IDLA may disclose PII, including that of children, to school officials without parent approval. IDLA should perform due diligence by including the following provisions which are intended to safeguard student privacy and the security of the data:
· Requirement that the school official agrees to comply with all applicable state and federal law;
·Requirement that the school official have in place Administrative Security, Physical Security, and Logical Security controls to protect from a Data Breach or Unauthorized Data Disclosure;
· Requirement that the school official restrict access to PII to the authorized staff of the school official who require such access to perform their assigned duties;
· Prohibition against the school official’s secondary use of PII including sales, marketing or advertising;
· Requirement for data destruction and an associated timeframe; and
· Penalties for non-compliance with the above provisions.
If IDLA chooses to publish directory information which includes PII, parents will be notified annually and given an opportunity to opt out of the directory. If a parent does not opt out, the release of the information as part of the directory is not a Data Breach or Unauthorized Data Disclosure.
A current copy of this policy and any related policies will be posted to IDLA’s website as well as distributed to each IDLA student, teacher, parent, and employee.
♦ ♦ ♦ ♦ ♦ ♦ ♦
Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. §1232g)
Electronic Code of Federal Regulations pertaining to FERPA: 34 CFR Part 99
Idaho Student Data Accessibility, Transparency and Accountability Act of 2014 (Idaho Code §33-133)
Children’s Online Privacy Protection Act of 1998, 15 U.S.C. 6501–6505
Idaho Digital Learning Alliance welcomes your comments regarding this Statement of Privacy. If you believe that Idaho Digital Learning Alliance has not adhered to this Statement, please contact Idaho Digital Learning Alliance at firstname.lastname@example.org. We will use commercially reasonable efforts to promptly determine and remedy the problem.