Chapter I - Health and Safety
Part 4.0 Privacy and School Safety
Section 4.7 Data Governance Policy
Data governance is an organizational approach to data and information management that is formalized as a set of policies and procedures encompassing the full life cycle of data, from acquisition, through use, to disposal. American Preparatory Academy takes seriously its moral and legal responsibility to protect student privacy and ensure data security. Utah's Student Data Protection Act (SDPA), UCA 53A-1-1401, requires that American Preparatory Academy adopt a Data Governance Plan.
2 SCOPE AND APPLICABILITY
This policy is applicable to all employees, temporary employees, and contractors. The policy must be used to assess agreements made to disclose data to third-parties. In accordance with agency policy and procedures, this policy will be reviewed and adjusted on an annual basis or more frequently, as needed. This policy is designed to ensure only authorized disclosure of confidential information. The following subsections provide data governance policies and processes for American Preparatory Academy:
1. Data Advisory Committee
2. Non-Disclosure Assurances
3. Data Security and Privacy Training for Employees
4. Data Disclosure
5. Data Sharing
6. Data Breach
7. Record Retention and Expungement
8. Data Quality
Furthermore, this American Preparatory Academy Data Governance Plan works in conjunction with the Technology Security Policy, which:
— Designates American Preparatory Academy as the steward for all confidential information maintained within American Preparatory Academy.
— Designates Data Steward's access for all confidential information.
— Requires Data Stewards to maintain a record of all confidential information that they are responsible for.
— Requires Data Stewards to manage confidential information according to this policy and all other applicable policies, standards, and plans.
— Complies with all legal, regulatory, and contractual obligations regarding privacy of Agency data. Where such requirements exceed the specific stipulation of this policy, the legal, regulatory, or contractual obligation shall take precedence.
— Provides the authority to design, implement, and maintain privacy procedures meeting American Preparatory Academy standards concerning the privacy of data in motion, at rest and processed by related information systems.
— Ensures that all American Preparatory Academy's board members, employees, contractors, and volunteers comply with the policy and undergo annual privacy training.
— Provides policies and processes for:
- Systems administration
- Network security
- Application security
- Endpoint, server, and device security
- Identity, authentication, and access management
- Data protection and cryptography
- Monitoring, vulnerability, and patch management
- High availability, disaster recovery, and physical protection
- Incident response
- Acquisition and asset management
- Policy, audit, e-discovery, and training
3 DATA SECURITY COMMITTEE
The Data Security Committee develops procedures and guidelines concerning the collection, storage, use, and safekeeping of data by the school and its staff. The committee is also responsible for updating this policy as necessary and for directing the responsive actions in the event of any material violation of this policy or any Security Breach.
The Data Security Committee shall, from time to time, consult with the Data Stewards to review the implementation of, and compliance with, this policy.
The District Technology Director leads the Data Security Committee. The District Technology Director monitors internet use for potentially malicious traffic, reviews the security logs of the network security gateways, and advises the Data Security Committee on these matters.
The Data Security Committee shall periodically review identifiable risks to the security, confidentiality, and integrity of data and shall review this policy at least annually to assess its effectiveness and determine whether any changes are warranted by legislation or regulation. Training resources will also be adjusted to keep up to date with policy changes and best practices in data security.
The Data Security Committee consists of the following:
— Student Data Manager and District IT Director
— District Records Management Officer
— Data Stewards
— A Member of the Governing Board
— Policy Facilitators
3.2 Individual and Group Responsibilities
The following list outlines the responsibilities of the Data Advisory Committee members and other staff members.
Student Data Manager
1. Authorizes and manages the sharing, outside of the student data manager's education entity, of personally identifiable student data for the education entity as described in this section.
2. Provides for necessary technical assistance, training, and support.
3. Acts as the primary local point of contact for the state student data officer.
4. Ensures that the following notices are available to parents:
District IT Director
1. Ensures compliance with systems security laws throughout the public education system, including:
- Overseeing adoption of the CIS controls
- Providing for necessary technical assistance, training, and support as it relates to IT security
- Producing resource materials, model plans, and model forms for LEA systems security
2. Investigates complaints of alleged systems security breaches.
District Records Management Officer (RMO)
1. With assistance from the Enrollment/Assessment Director, the RMO is responsible for collecting, maintaining, and transmitting student enrollment verification data, general assessment data, and other confidential student information.
2. The RMO is required to be state certified in records management.
3. Provides adequate training to school secretaries, administrators, and other staff in appropriate and acceptable records security processes.
Data Stewards (one per campus)
1. Perform formal and informal campus audits and provide results to the Student Data Manager and District IT Director.
2. Work directly with other School Directors, the Student Data Manager, and the District IT Director to communicate this policy and monitor the security of data.
Policy Facilitator
1. Maintains the Data Governance Policy and the Technology Security Policy.
2. Creates and maintains the Data Privacy training module.
3. Provides Student Data Privacy Training to general staff.
4. Attends conferences, training, and webinars provided by the state regarding student data privacy. Information gathered from these meetings is shared with the Data Advisory Committee and implemented in American Preparatory Academy's policies.
4 EMPLOYEE NON-DISCLOSURE ASSURANCES
Employee non-disclosure assurances are intended to minimize the risk of human error and misuse of information.
All American Preparatory Academy board members, employees, contractors, and volunteers must sign and obey the American Preparatory Academy Employee Non-Disclosure Agreement, which describes the permissible uses of state technology and information.
Non-compliance with the agreements may result in consequences up to and including removal of access to American Preparatory Academy's network; if this access is required for employment, employees and contractors may be subject to dismissal.
4.3 Non-Disclosure Assurances
All student data utilized by American Preparatory Academy is protected as defined by the Family Educational Rights and Privacy Act (FERPA) and Utah statute. This policy outlines the way American Preparatory Academy staff are to utilize data and protect personally identifiable and confidential information. A signed agreement form is required from all American Preparatory Academy staff to verify their agreement to abide by these practices, and will be maintained by American Preparatory Academy Human Resources. All American Preparatory Academy employees will:
1. Complete Security and Privacy Training.
2. Consult with American Preparatory Academy's Compliance Team when creating or disseminating reports to external entities containing data.
3. Use password-protected LEA-authorized computers when accessing any student-level or staff-level records.
4. NOT share individual passwords for personal computers or data systems with anyone.
5. Log out of any data system/portal and close the browser after each use.
6. Store sensitive data in an appropriately secured location. Unsecured storage, flash drives, DVDs, CD-ROMs or other removable media, and personally owned computers or devices are not deemed appropriate for the storage of sensitive, confidential or student data.
7. Keep printed reports with personally identifiable information in a locked location while unattended and use the secure document destruction service provided at American Preparatory Academy when disposing of such records.
8. NOT share personally identifying data during public presentations, webinars, etc. If users need to demonstrate student/staff level data, demo records should be used for such presentations.
9. Redact any personally identifiable information when sharing sample reports with general audiences, in accordance with guidance provided by the student data manager, found in Appendix B (Protecting PII in Public Reporting).
10. Delete files containing sensitive data after using them on computers or move them to secured servers or personal folders accessible only by authorized parties.
11. Password protect any e-mail attachments containing student PII or data.
12. NOT transmit student/staff-level data externally unless reviewed and approved by American Preparatory Compliance Team, and then only transmit data via secure methods.
13. Limit use of individual data to the purposes authorized within the scope of job responsibilities.
4.4 Data Security and Privacy Training
American Preparatory Academy recognizes that training and supporting educators and staff regarding federal and state data privacy laws is necessary to ensure legal compliance.
American Preparatory Academy will provide a range of training opportunities for all American Preparatory Academy staff and temporary employees with access to student educational data or confidential educator records in order to minimize the risk of human error and misuse of information.
Within the first week of employment, all American Preparatory Academy employees must sign and follow the American Preparatory Academy's Employee Acceptable Use Policy, which describes the permissible uses of school technology and information.
New employees that do not comply may not be able to use American Preparatory Academy's networks or technology. Within the first week of employment, all American Preparatory Academy employees also must sign and obey the American Preparatory Academy Employee Non-Disclosure Agreement, which describes appropriate uses and the safeguarding of student and educator data.
All current American Preparatory Academy employees are required to complete the Security Data Privacy self-study module and assessment annually. Participation in the training, as well as a signed copy of the Employee Non-Disclosure Agreement, will be monitored annually by supervisors. Supervisors will annually report all American Preparatory Academy employees who have not completed these requirements to the IT Security Manager.
The data manager will ensure that all employees with access to student records receive annual training on the confidentiality of student data. The content of this training will be based on the Data Sharing Policy.
By October 1 each year, the data manager will report to USBE the completion status of the annual confidentiality training and provide a copy of the training materials used.
The data manager shall keep a list of all employees authorized to access student education records after completing training that meets the requirements of 53E-9-204.
5 DATA DISCLOSURE
Providing data to persons and entities outside of the American Preparatory Academy increases transparency, promotes education in American Preparatory Academy, and increases knowledge about Utah public education. This policy establishes the protocols and procedures for sharing data maintained by American Preparatory Academy. It is intended to be consistent with the disclosure provisions of the Federal Family Educational Rights and Privacy Act (FERPA), 20 USC 1232g, 34 CFR Part 99 and Utah's Student Data Protection Act (SDPA), UCA 53A-1-1401.
5.2 Policy for disclosure of Personally Identifiable Information (PII)
5.2.1 Student or Student's Parent/Guardian Access
In accordance with FERPA regulations, 20 USC 1232g(a)(1)(A), (B), (C) and (D), American Preparatory Academy will provide parents with access to their student's education records, or an eligible student with access to his or her own education records, within 45 days of receiving a written request. American Preparatory Academy is not required to provide data that it does not maintain, nor is American Preparatory Academy required to create education records in response to an eligible student's request.
5.2.2 Third-Party Vendor
Third-party vendors may have access to students' personally identifiable information if the vendor is designated as a "school official" as defined in FERPA, 34 CFR 99.31(a)(1) and 99.7(a)(3)(iii). A school official may include parties such as: professors, instructors, administrators, health staff, counselors, attorneys, clerical staff, trustees, members of committees and disciplinary boards, and a contractor, consultant, volunteer, or other party to whom the school has outsourced institutional services or functions.
All third-party vendors contracting with American Preparatory Academy must be compliant with Utah's Student Data Protection Act (SDPA), UCA 53E-9-300. Vendors determined not to be compliant may not be allowed to enter into future contracts with American Preparatory Academy without third-party verification that they are compliant with federal and state law and board rule.
5.2.3 Internal Partner Requests
Internal partners to American Preparatory Academy include LEA and school officials that are determined to have a legitimate educational interest in the information.
5.2.4 Governmental Agency Requests
American Preparatory Academy may not disclose personally identifiable information of students to external persons or organizations to conduct research or evaluation that is not directly related to a state or federal program reporting requirement, audit, or evaluation. In order to satisfy FERPA disclosure exceptions to data without consent, the government agency must provide evidence demonstrating that the request is made in the case of a federal or state:
a) reporting requirement
5.3 Policy for External Disclosure of Non-Personally Identifiable Information (Non-PII)
This section covers external data requests from individuals or organizations that are not conducting external research and are not fulfilling a state or federal reporting requirement, audit, or evaluation.
5.3.2 Student Data Disclosure Risk Levels
American Preparatory Academy has determined three levels of data requests with corresponding policies and procedures for appropriately protecting data based on risk: Low, Medium, and High. The Student Data Manager will make final determinations on classification of student data requests.
5.3.2.1 Low-Risk Data Request
Definition: High-level aggregate data
— Graduation rate by year for low student count
— Percent of third-graders scoring proficient on the SAGE ELA assessment
5.3.2.2 Medium-Risk Data Request
Definition: Aggregate data, but because of potentially low n-sizes, the data must have disclosure avoidance methods applied.
— Graduation rate for small graduating class
— Percent of third-graders scoring proficient on the SAGE ELA assessment by classroom and demographic
— Child Nutrition Program Free or Reduced Lunch percentages by classroom
5.3.2.3 High-Risk Data Request
Definition: Student-level data that are de-identified.
— De-identified student-level graduation data
— De-identified student-level SAGE ELA assessment scores for grades 3-6.
All external data requests (low-risk, medium-risk, and high-risk) are processed through the Student Data Manager under American Preparatory Academy's Compliance Team. The Student Data Manager will determine whether to grant or deny access to the requested data and ensure the proper protocol or procedure for sharing the requested data is followed. Appeals may be made to the Compliance Director.
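A worked illustration of the medium-risk rule above, added here as an example and not part of the APA policy: a request such as "percent of third-graders scoring proficient on the SAGE ELA assessment by classroom and demographic" is published only after small cells are suppressed, and one further cell per classroom is suppressed so the hidden cell cannot be recovered by subtraction from the classroom total. The threshold MIN_N = 10, the all-or-none rule and the sample data are assumptions; the policy names no specific method.

```python
from dataclasses import dataclass

MIN_N = 10  # assumed minimum reportable group size; the policy sets no figure


@dataclass
class Cell:
    classroom: str
    demographic: str
    n: int           # students in this classroom/demographic group
    proficient: int  # of those, students scoring proficient


def is_disclosive(cell: Cell, min_n: int) -> bool:
    """Primary suppression rule: a cell is too revealing to publish when the
    group is smaller than min_n, or when every student (or no student) in the
    group is proficient, since 0% / 100% discloses each student's result."""
    return cell.n < min_n or cell.proficient in (0, cell.n)


def apply_disclosure_avoidance(cells, min_n: int = MIN_N):
    """Return {(classroom, demographic): percent_proficient or None}.

    None means the cell is suppressed.  Within each classroom, if exactly one
    cell was suppressed, the smallest remaining cell is suppressed as well
    (complementary suppression), because the classroom total is published
    alongside the table and would otherwise reveal the hidden cell."""
    rooms: dict[str, list[Cell]] = {}
    for c in cells:
        rooms.setdefault(c.classroom, []).append(c)

    published = {}
    for group in rooms.values():
        hidden = {c.demographic for c in group if is_disclosive(c, min_n)}
        if len(hidden) == 1 and len(group) > 1:
            visible = [c for c in group if c.demographic not in hidden]
            hidden.add(min(visible, key=lambda c: c.n).demographic)
        for c in group:
            key = (c.classroom, c.demographic)
            if c.demographic in hidden:
                published[key] = None
            else:
                published[key] = round(100.0 * c.proficient / c.n, 1)
    return published


def render(published) -> list[str]:
    """Format the table for release; suppressed cells are shown as '*'."""
    rows = []
    for (room, demo), pct in sorted(published.items()):
        rows.append(f"{room:4} {demo:10} {'*' if pct is None else f'{pct}%'}")
    return rows


# Constructed sample data (not real APA figures).
SAMPLE = [
    Cell("3A", "Asian", 4, 3),        # n < MIN_N: primary suppression
    Cell("3A", "Hispanic", 15, 9),    # smallest remaining in 3A: complementary
    Cell("3A", "White", 20, 16),
    Cell("3B", "Hispanic", 18, 18),   # 100% proficient: primary suppression
    Cell("3B", "White", 12, 6),
    Cell("3B", "Asian", 11, 5),       # smallest remaining in 3B: complementary
    Cell("3C", "Hispanic", 12, 7),    # nothing to suppress in 3C
    Cell("3C", "White", 14, 10),
]

if __name__ == "__main__":
    for line in render(apply_disclosure_avoidance(SAMPLE)):
        print(line)
```

If a classroom contains only one demographic cell and it is suppressed, the classroom total must be withheld too, since the total equals the cell; the function leaves that decision to the caller.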
5.5 Data Disclosure to a Requesting External Researcher or Evaluator
Responsibility: The Student Data Manager will ensure the proper data are shared with an external researcher or evaluator to comply with federal, state, and board rules.
American Preparatory Academy may not disclose personally identifiable information of students to external persons or organizations to conduct research or evaluation that is not directly related to a state or federal program audit or evaluation. Data that does not disclose PII may be shared with an external researcher or evaluators for projects unrelated to federal or state requirements if:
1. An American Preparatory Academy Director or board member sponsors an external researcher or evaluator request.
2. Student data are not PII and are de-identified through disclosure avoidance techniques and other pertinent techniques as determined by the Student Data Manager.
3. Researchers and evaluators supply American Preparatory Academy with a copy of any publication or presentation that uses American Preparatory Academy's data 10 business days prior to any publication or presentation.
6 DATA SHARING
There is a risk of re-disclosure whenever student data are shared. American Preparatory Academy shall follow appropriate controls to mitigate the re-disclosure risk and ensure compliance with federal and state law.
1. The data manager shall approve all data sharing or designate other individuals who have been trained on compliance requirements with FERPA.
a. Teachers must contact the Data Manager and IT Security Officer to request to use educational apps or websites before use in the classroom in order to minimize the risk of student data misuse.
b. APA may enter into a Data Privacy Agreement with third-party entities before use to ensure the proper protections for Student Data.
2. For external research, the data manager shall ensure that the study follows the requirements of FERPA's study exception described in 34 CFR 99.31(a)(6).
3. After sharing from student records, the data manager shall ensure that an entry is made in the LEA Metadata Dictionary to record that the exchange happened.
4. After sharing from student records, the data manager shall make a note in the student record of the exchange in accordance with 34 CFR 99.32.
7 DATA BREACH
Establishing a plan for responding to a data breach with clearly defined roles and responsibilities will promote better response coordination and help educational organizations shorten their incident response time. Prompt response is essential for minimizing the risk of any further data loss and, therefore, plays an important role in mitigating any negative consequences of the breach, including potential harm to affected individuals.
School Data Privacy Officers must report any known Security Breach or any incident that is likely to cause a Security Breach. These incidents include thefts of computer devices, viruses, worms, or computer "attacks" that may lead to unauthorized access to confidential information. Breaches also include improper communication of protected information by staff or students.
Systemic breaches should be reported to the IT staff immediately. These staff will investigate the issue and together with the Technology Director resolve the issue. Issues of Data Security will be considered of the highest priority. The breach and solution will be logged and reported to the Data Security Committee for review.
Personnel breaches involve improper handling of confidential or internal data. The School Data Privacy Officer will correct these breaches. The extent of the breach must be determined, and all steps must be taken to reverse or contain the breach. The parents or guardians of a student will be notified if there is an unauthorized public release of a student's personally identifiable data due to a security breach. A report will be submitted to the Data Security Committee for review. The Data Security Committee will watch for trends in policy oversight or lapses and take appropriate action.
Remedies available to the Data Security Committee may include:
1. Additional training
2. Policy and/or procedural changes
3. Technological safeguards
4. Employee discipline
8 RECORD RETENTION AND EXPUNGEMENT
The LEA recognizes the risk that data following a student year after year could be used to mistreat the student. APA shall review all requests for records expungement from parents and make a determination based on the following procedure:
The following records may not be expunged: grades, transcripts, a record of the student's enrollment, and assessment information.
The procedure for expungement shall match the record amendment procedure found in 34 CFR 99, Subpart C of FERPA.
- If a parent believes that a record is misleading, inaccurate, or in violation of the student's privacy, they may request that the record be expunged.
- APA shall decide whether to expunge the data within a reasonable time after the request.
- If APA decides not to expunge the record, they will inform the parent of their decision as well as the right to an appeal hearing.
- APA shall hold the hearing within a reasonable time after receiving the request for a hearing.
- APA shall provide the parent notice of the date, time, and place in advance of the hearing.
- The hearing shall be conducted by any individual who does not have a direct interest in the outcome.
- The APA shall give the parent a full and fair opportunity to present relevant evidence. At the parents' expense and choice, they may be represented by an individual of their choice, including an attorney.
- APA shall make its decision in writing within a reasonable time following the hearing.
- The decision must be based exclusively on evidence presented at the hearing and include a summary of the evidence and reasons for the decision.
- If the decision is to expunge the record, the LEA will seal it or make it otherwise unavailable to other staff and educators.
9 QUALITY ASSURANCES AND TRANSPARENCY REQUIREMENTS
Data quality is achieved when information is valid for the use to which it is applied, is consistent with other reported data and users of the data have confidence in and rely upon it. Good data quality does not solely exist with the data itself, but is also a function of appropriate data interpretation and use and the perceived quality of the data. Thus, true data quality involves not just those auditing, cleaning and reporting the data, but also data consumers. Data quality is addressed in five areas:
9.1.1 Data Governance Structure
American Preparatory Academy's data governance policy is structured to encourage the effective and appropriate use of educational data. American Preparatory Academy's data governance structure centers on the idea that data is the responsibility of all and that data-driven decision making is the goal of all data collection, storage, reporting, and analysis. Data-driven decision-making guides what data is collected, reported, and analyzed.
9.1.2 Data Requirements and Definitions
Clear and consistent data requirements and definitions are necessary for good data quality. On the data collection side, the Student Data Manager communicates data requirements and definitions through the Data Steward List and annual training. The IT Director communicates with LEA IT staff regularly and at annual training.
9.1.3 Data Collection
Data elements should be collected only once. Where possible, data is collected at the lowest level available (i.e., at the student/teacher level). Thus, there are no aggregate data collections if the aggregate data can be derived or calculated from the detailed data.
For all new data collections, American Preparatory Academy provides clear guidelines for data collection and the purpose of the data request. American Preparatory Academy also notifies stakeholders as soon as possible about future data collection.
9.1.4 Data Auditing
American Preparatory Academy will utilize appropriate external security audits and stay in compliance with all state requirements regarding network connectivity and data security. The Data Security Committee will review any breaches or findings by external auditors, which will be resolved in the same fashion as internally discovered breaches. Guidelines and suggestions provided by the external audit will be reviewed and adopted as necessary by the Data Security Committee.
10 Data Transparency
American Preparatory will maintain entries in the Metadata Dictionary as described in Utah's Student Data Protection Act (SDPA), UCA 53E-9-301.