Loving data is good. Respecting and safeguarding data is equally important!
Because PV employees are public servants, any information PV has or produces may be subject to discovery, in compliance with law. Employees have an authentic responsibility to safeguard student data, as further defined herein.
(A) PV Schools System Data shall be classified into three major classifications as defined in this section. Requests for changes to the established data sensitivity classification or individual permissions shall come from the above identified Authorized Requestors to the Information Technology Department.
Class I - Public Use: This information is targeted for general public use. Examples include Internet website content for general viewing and press releases.
Class II - Internal Use: Non-sensitive (see Class III) information not targeted for general public use.
Class III - Sensitive: This information is considered private and must be guarded from unauthorized disclosure; unauthorized exposure of this information could contribute to identity theft, financial fraud, breach of contract and/or legal specification, and/or violate State and/or Federal laws.
(B) FERPA Directory Information disclosed as 'directory information' may fall into either Class I or Class II, depending on the purpose of the disclosure. The following is the District's list of which student information is to be considered 'directory information'.
Walk in the shoes of our clients; parents, students and community.
Bytes of Life - Helpful Tips for Parents, Students and Employees.
Digital Citizen is a site maintained by PV's IT, which has much to use at home, at work and at school.
Parents want to know how their child’s data is being collected, used, and protected, but may not have more than 10 minutes to search out answers. There are many resources that can help districts and schools communicate better with parents.
Be Able to Answer Parent Questions
Parents may come to you or their child’s teacher with questions. While some questions may require more investigation, you can prepare in advance for some of the most common parent questions, such as:
What kind of data is collected about students?
How is student data used?
Who has access to data about my child?
Who is in charge of privacy in our district?
What apps are our district using?
How does our district hold ed tech companies and other service providers accountable for maintaining the confidentiality of the student data they receive?
Can parents access their child’s education records?
Create an FAQ handout (you can always adapt the one on pages 16-18 of this Student Data Privacy Communications Guide) and provide it to parents at least once annually. You could also print out or link to our Parents’ Guide to Student Data Privacy.
Information regarding FERPA and Directory Information can be found in PVSchool's Student/Parent Handbook on pages 11-12. Specifically, and importantly, under FERPA, PV can determine and provide the following student record data, called Directory Information, unless requested in writing by the parent/guardian not to do so. This information can be requested by third parties, under a "public request".
If you do not want Paradise Valley Unified School District to disclose any or all of the types of information designated below as directory information from your child’s education records without your prior written consent, you must notify your school’s principal in writing by September 10th of each school year. The Paradise Valley Unified School District has designated the following information as Directory Information:
Student's name
Address
Telephone listing
Electronic mail address
Date and place of birth
Major field of study
Dates of attendance
Participation in officially recognized activities and sports
Weight and height of members of athletic teams
Awards received
FERPA regulations define directory information as information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. Directory information includes, but is not limited to, the student's name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors and awards received; and the most recent educational agency or institution attended. Directory information does not include a student's:
(1) Social security number; or
(2) Student identification (ID) number, except when a student ID number, user ID, or other unique personal identifier is used by the student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the authorized user.
For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf.
(A) Data Users are expected to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to Class III (Sensitive) data; and to abide by applicable laws, policies, procedures and guidelines with respect to access, use, or disclosure of information. The unauthorized use, storage, disclosure, or distribution of System Data in any medium is expressly forbidden; as is the access or use of any System Data for one's own personal gain or profit, for the personal gain or profit of others, or to satisfy one's personal curiosity or that of others.
(B) Each employee of the System will be responsible for being familiar with the System's Data Security Policy and these Security Measures as job duties. It is the express responsibility of Authorized Users and their respective supervisors to safeguard the data they are entrusted with, ensuring compliance with all aspects of this policy and related procedures.
(C) Employees, whether or not they are Authorized Users, are expressly prohibited from installing any program or granting any access within any program to Class III data without notifying the Information Technology Department.
(D) Violations of these Data Security Measures may result in loss of data access privileges, administrative actions, and/or personal civil and/or criminal liability.
Shared Responsibilities
The Information Technology Department shall implement, maintain, and monitor technical access controls and protections for the data stored on the System's network.
System employees, including Authorized Requestors, shall not select or purchase software programs that will utilize or expose Class III data without first consulting the Information Technology Department to determine whether or not adequate controls are available within the application to protect that data.
The Information Technology Department staff and/or the Authorized Requestor will provide professional development and instructions for Authorized Users on how to properly access data to which they have rights, when necessary. However, ensuring that all employees have these instructions will be the shared responsibility of the supervisor(s) of the Authorized User(s) and the Information Technology Department.
Technical controls and monitoring cannot ensure with 100% certainty that no unauthorized access occurs. For instance, a properly Authorized User leaves their workstation while logged in, and an unauthorized person views the data in their absence. Therefore, it is the shared responsibility of all employees to cooperatively support the effectiveness of the established technical controls through their actions.
(B) Authorized Requestors
Authorized Requestors (Section IV. A) are responsible for being knowledgeable in all policies, laws, rules, and best practices relative to the data for which they are granting access; including, but not limited to FERPA, HIPAA, PCI, CIPA, etc.
Authorized Requestors shall be responsible for informing appropriate Information Technology Department personnel about data classifications in order that the Information Technology Department can determine the best physical and/or logical controls available to protect the data. This shall include:
Which data should be classified as Class III.
Where that data resides (which software program(s) and server(s)).
Who should have access to that data (Authorized Users).
What level of control the Authorized User should have to that data (e.g., read/write, delete, view, print, etc.).
(C) Location of Data and Physical Security
Class III data may be stored on servers/computers (on or off premise) which are subject to network/workstation controls and permissions. It shall not be stored on portable media that cannot be subjected to password, encryption, or other protections.
Serving devices (on premise servers) storing sensitive information shall be operated by professional network system administrators, in compliance with all Information Technology Department security and administration standards and policies, and shall remain under the oversight of Information Technology Department supervisors.
Persons who must take data out of the protected network environment (transport data on a laptop, etc.) must have the permission of their supervisor prior to doing so. Permission to do so will be granted only when absolutely necessary, and the person transporting the data will be responsible for the security of that data, including theft or accidental loss.
All servers containing system data and all network devices transporting Class III data will be located in secured areas with limited access. At the school or other local building level, the principal or other location supervisor will ensure limited, appropriate access to these physically secured areas.
District staff who must permanently maintain all printed reports that contain Class II or III data shall take responsibility for keeping this material in a secure location - vault, locked file cabinet, etc. In addition, all printed material containing Class III documentation shall be shredded when no longer in use, per appropriate department/school protocols, including applicable state and federal laws/regulations.
(D) Disposal of Hardware containing System Data
Prior to disposal of any computer, the user will notify the Information Technology Department. A technician will remove the hard drive from the device and destroy it prior to the device being disposed of or auctioned off.
All schools and departments which purchase or lease copy machines or multifunction printers will be expected to include provisions for the destruction of data on the device's hard drive or the destruction of the hard drive itself prior to disposing of the copier or MFP or its return to the leasing agency.
(E) Application of Network and Computer Access Permissions
1) The Information Technology Department staff shall be responsible for implementing network protection measures that prevent unauthorized intrusions, damage, and access to all storage and transport mediums; including, but not limited to:
a. Maintaining firewall protection access to the network and/or workstations
b. Protecting the network from unauthorized access through wireless devices or tapping of wired media, including establishing 'guest' wireless networks with limited network permissions.
c. Implementing virus and malware security measures throughout the network and on all portable computers.
d. Applying all appropriate security patches.
e. Establishing and maintaining password policies and controls on access to the network, workstations, and other data depositories.
2) Information Technology Department staff will apply protection measures based on the Data Classifications (see sections IV and V), including:
Categorizing and/or re-classifying data elements and views.
Granting selective access to System Data
Documenting any deviation from mandatory requirements and implementing adequate compensating control(s).
Conducting periodic access control assessments of any sensitive information devices or services.
(F) Sensitive Data as it pertains to Desktops/Laptops/Workstations/Mobile Devices
Firewalls and anti-virus software must be installed or managed via cloud techniques on all desktops, laptops and workstations that access or store sensitive information, and a procedure must be implemented to ensure that critical operating system security patches are applied in a timely manner.
Storage of sensitive information on laptops, mobile devices, and devices that are not used or configured to operate as servers is prohibited, unless such information is safeguarded in an Information Technology Department-approved manner.
The user responsible for the device shall take proper care to isolate and protect files containing sensitive information from inadvertent or unauthorized access.
Assistance with securing sensitive information may be obtained from the Information Technology Department, as necessary.
(A) Student Class I data, directory information, and, in some cases, Class II data may be transferred to an external service provider, such as an online website that teachers wish students to use for educational purposes, provided that:
1) The teacher follows the protocols for getting approval for the site to be used.
2) The District notifies parents about their right to restrict their child's data from being shared with such sites annually via Code of Conduct/AUP.
3) The transfer of data is handled in a manner approved by the Information Technology Department, or is performed by the Information Technology Department.
(B) No Class III data, or FERPA protected educational records, will be transferred to an external service provider without prior approval of the Data Governance committee.
(C) No school or department should enter into a contract for the use of any program that requires the import of District data without first consulting and receiving approval from the Data Governance committee.
(D) The Data Governance committee will determine which of the following should be required of the service provider and assist in ensuring these requirements are met prior to any data transfer:
Contract
Designating the service provider as an "Official" as defined in FERPA
Memorandum of Understanding
Memorandum of Agreement
Non-Disclosure Agreement
(E) Non-Disclosure Agreement (NDA) Information - contact the Information Technology department. Example Needed
(E) Non-Disclosure Agreement Processing
The Information Technology Department will keep all NDAs on file. This will eliminate the need for each school to solicit an NDA from companies which already have NDAs on file. Technology will also ensure that the NDA is renewed annually where necessary.
What the school should do
Get the following specific information from the "entity" to which you want to transfer the information: company name, web address, phone number, fax number, email address, and name of the individual you are working with.
List the information you wish to transfer to the 'entity'
Send this information to the Information Technology Department for referral to the Data Governance Committee.
3) Upon approval by the Data Governance Committee, the Information Technology Department will determine if there is a current NDA already on file with the entity. If not, one will be prepared and sent to them. Once the agreement has been signed, the Information Technology Department will notify the school and oversee the process of securely uploading the necessary data to the service provider.
4) Note that all confidential data that will be transferred by email, whether in the body of the email or as an attached file, should be encrypted. The Information Technology Department can help you with transporting this data.
(F) Sample Non-Disclosure Agreement - Example Needed
All employees shall be responsible for reporting suspected or actual breaches of data security to the Information Technology Department whether due to inappropriate actions, carelessness, loss/theft of devices, or failures of technical security measures.
I. Job Descriptions
(A) Job descriptions for employees whose responsibilities include entering, maintaining, or deleting data shall contain provisions addressing the need for accuracy, timeliness, confidentiality, and completeness. This includes, but is not limited to: school registrars, counselors, special education staff, system administrators, Title staff and any staff regarding handling of free and reduced lunch data, homeless and gender change data.
(B) Teachers shall have the responsibility to enter grades accurately and in a timely manner.
(C) School administrators shall have the responsibility to enter discipline information accurately and in a timely manner.
II. Supervisory Responsibilities
(A) It is the responsibility of all Supervisors to set expectations for data quality and to evaluate their staff's performance relative to these expectations annually.
(B) Supervisors should immediately report incidents where data quality does not meet standards to their Supervisor and/or Human Resources.