Weber School District Data Governance Plan

1. Governing Principles

Weber School District (hereafter referred to as the LEA) takes its responsibility to safeguard student data very seriously. This governance plan incorporates the following Generally Accepted Information Principles (GAIP):

• Risk: There is risk associated with data and content. The risk must be formally recognized, either as a liability or through incurring costs to manage and reduce the inherent risk.
• Due Diligence: If a risk is known, it must be reported. If a risk is possible, it must be confirmed.
• Audit: The accuracy of data and content is subject to periodic audit by an independent body.
• Accountability: An organization must identify parties which are ultimately responsible for data and content assets.
• Liability: The risks in information means there is a financial liability inherent in all data or content that is based on regulatory and ethical misuse or mismanagement.

2. Data Maintenance and Protection Policy

The LEA acknowledges the risks and liabilities associated with maintaining student data and other education-related data, and will implement reasonable data industry best practices to mitigate these risks.

2.1 Process

In accordance with R277-487, the LEA shall do the following:

• Designate an individual as an Information Security Officer
• Adopt the CIS Controls or comparable
• Report to the USBE by October 1 each year regarding the status of the adoption of the CIS controls or comparable and future plans for improvement.

3. Roles and Responsibilities Policy

The LEA acknowledges the need to identify parties who are ultimately responsible and accountable for data and content assets. These individuals and their responsibilities are as follows:

3.1 Data Manager roles and responsibilities

• manage the sharing of personally identifiable student data (PISD) outside of the education entity, as described in this section, and obtain authorization for such sharing.
• provide necessary technical assistance, training, and support.
• serve as the primary local point of contact for the state student data officer.
• ensure that the following notices are available to parents:
  • annual FERPA notice (see 34 CFR 99.7),
  • directory information policy (see 34 CFR 99.37),
  • survey policy and notice (see 20 USC 1232h and 53E-9-203),
  • data collection notice (see 53E-9-305)

3.2 Information Security Officer

• Oversee adoption of the CIS controls
• Provide for necessary technical assistance, training, and support as it relates to IT security

4. Training and Support Policy

The LEA acknowledges that training and supporting educators and staff on federal and state data privacy laws is essential for legal compliance.

4.1 Procedure

1. The data manager will ensure that all educators with access to student records receive annual training on student data confidentiality, based on the Data Sharing Policy.
2. The data manager will report the completion status of the annual confidentiality training to USBE by October 1 each year, and provide a copy of the training materials used.
3. The data manager will maintain a list of all employees who are authorized to access student education records, after they have completed training that meets the requirements of 53E-9-204.
4. Effective August 1st of each year, all staff with access to student records must complete the Student Data Privacy course and quiz located in TalentEd with a perfect score. A list of those who complete the course and quiz successfully will be submitted to the Weber School District Board of Education.

5. Audit Policy

In accordance with the risk management priorities of the LEA, the LEA will conduct an audit of:

• The effectiveness of the controls used to follow this data governance plan; and
• Third-party contractors, as permitted by the contract described in 53E-9-309(2).

6. Data Sharing Policy

There is a risk of redisclosure whenever student data are shared. The LEA shall follow appropriate controls to mitigate the risk of redisclosure and to ensure compliance with federal and state law.

6.1 Procedure for App/Website Approval

1. To request approval for a new app, staff must submit a request through LearnPlatform.
2. A Review Committee, composed of Directors and DT&L personnel, will assess the app to determine whether it aligns with Weber School District's learning methods and objectives.
3. If the Review Committee approves the app or website, they will submit it to the Student Data Privacy Manager.
4. The data manager is responsible for approving all data sharing or designating other trained individuals to do so.
5. For external research, the data manager must ensure that the study complies with the FERPA study exception described in 34 CFR 99.31(a)(6).
6. After sharing student data, the data manager must record the exchange in the LEA Metadata Dictionary on LearnPlatform.
7. Any Data Privacy Agreements must be uploaded to the SDPC Resource Registry.
8. After sharing from student records, the data manager shall make a note in the student record of the exchange in accordance with 34 CFR 99.32.

7. Expungement Request Policy

The LEA acknowledges the risk of using student data to mistreat students, as this data can follow them year after year. To mitigate this risk, the LEA will review all requests for records expungement from parents and make a determination based on the following procedure.

7.1 Procedure

The following records may not be expunged: grades, transcripts, a record of the student’s enrollment, and assessment information.

The procedure for expungement shall match the record amendment procedure found in 34 CFR 99, Subpart C of FERPA.

1. If a parent believes that a record is misleading, inaccurate, or in violation of the student’s privacy, they may request that the record be expunged.
2. The LEA shall decide whether to expunge the data within a reasonable time after the request.
3. If the LEA decides not to expunge the record, they will inform the parent of their decision as well as the right to an appeal hearing.
4. The LEA shall hold the hearing within a reasonable time after receiving the request for a hearing.
5. The LEA shall provide the parent notice of the date, time, and place in advance of the hearing.
6. The hearing shall be conducted by any individual that does not have a direct interest in the outcome of the hearing.
7. The LEA shall give the parent a full and fair opportunity to present relevant evidence. At the parents’ expense and choice, they may be represented by an individual of their choice, including an attorney.
8. The LEA shall make its decision in writing within a reasonable time following the hearing.
9. The decision must be based exclusively on evidence presented at the hearing and include a summary of the evidence and reasons for the decision.
10. If the decision is to expunge the record, the LEA will seal it or make it otherwise unavailable to other staff and educators.

8. Data Breach Response Policy

The LEA will implement and maintain CIS v8 and NIST SP 800-122-compliant data security controls to protect personally identifiable information (PII). In the event of a data breach or inadvertent disclosure of PII, the LEA staff will follow the LEA's incident response plan.

8.1 Procedures

1. The Superintendent will work with the information security officer to designate individuals to be members of the cyber incident response team (CIRT)
2. At the beginning of an investigation, the information security officer will begin tracking the incident and log all information and evidence related to the investigation.
3. The information security officer will call the CIRT into action once there is reasonable evidence that an incident or breach has occurred.
4. The information security officer will coordinate with other IT staff to determine the root cause of the breach and close the breach.
5. The CIRT will coordinate with legal counsel to determine if the incident is meets the legal definition of a significant breach as defined in R277-487 and determine which entities and individuals need to be notified.
6. If law enforcement is notified and begins an investigation, the CIRT will consult with them before notifying parents or the public so as to not interfere with the law enforcement investigation.

9. Publication Policy

The LEA recognizes the importance of transparency and will post this policy on the LEA website.

updated 10/17/2024

PURPOSE

• Weber School District is dedicated to protecting the privacy and rights of individuals in accordance with federal, state, and local laws. Certain student data are required, and that data must be strictly maintained to provide the most secure methods of storage. The purpose of the Student Data Protection Policy is to explicitly outline how all student data are collected, managed, maintained, and then expulsed.  It will demonstrate to students and their parent or guardian that all data collected by Weber School District is done so in accordance with all federal, state, and local laws.  Students and their parents or guardians should expect that their personally identifiable data is safe, properly cared for, and used only for appropriate purposes
• This policy applies to all staff and students of Weber School District. Any breach of the Student Data Protection Act, the WSD Student Data Protection Policy, or the Data Governance Plan is considered to be an offence and in that event, Weber School District disciplinary procedures will apply. As a matter of good practice, other agencies and individuals working with the district, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that departments who deal with external agencies will take responsibility for working with the Student Data Compliance Officer to ensure that such agencies sign a contract agree to abide by this policy

SCOPE

• The scope of this Student Data Protection Policy encompasses laws within the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §§ 6501–6506), Utah House Bill 358 (2017), and Utah Senate Bill 102 (2017)
• The Student Data Protection Policy applies to electronic and paper records within Weber School District. It also applies to personal data held visually in photographs, video clips, and sound data.  Weber School District collects a large amount of student’s personal data every year, including but not limited to staff records, names and addresses, examination marks, fees, and research data
• The Student Data Protection Policy should be used by all Weber School District employees, both full and part time. It also applies to any agency, subsidiary, join venture, suppliers, and vendors who receive personal data from Weber School District, have access to student data, or who provide information to Weber School District

POLICY STATEMENT

Weber School District is committed to a policy of protecting the rights and privacy of individuals (includes students, staff and others) in accordance with the Student Data Protection Act (HB 358 Utah 2017; SB 102 Utah 2017). The district needs to process certain information about its staff, students, and other individuals it has dealings with for administrative purposes. To comply with the law, information about individuals must be collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.

DATA PROTECTION PRINCIPLES

Weber School District has adopted the following principles to govern its use, collection, storage, transmittal, and deletion of all student data, except as specifically provided by this policy or as required by applicable laws.

• A student’s personally identifiable student data is owned by the student (HB 358 53A-1-1405:472)
  • The student may download, export, transfer, save, or maintain the data, including a document
• Student data, both personally identifiable and otherwise, shall be processed fairly and lawfully
• Appropriate physical, technical, and procedural measures shall be taken to: (i) prevent and/or to identify unauthorized or unlawful collection, processing, transmittal of student data; and (ii) prevent accidental loss or destruction of, or damaged to, student data
• Student data will be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes
• Student data will be adequate, relevant, and not excessive in relation to the purposes for which they are collected and/or processed
• Personal data shall not be kept in a form which permits identification of the student for longer than necessary for the permitted purposes
• The following student data may not be collected by either the district or its schools (HB 358 53A-1-1406:484)

• Social Security Number
• Criminal Record
  • Unless the minor is taken into custody or detention for a violent felony. In that case, law enforcement officers will notify the Superintendent for the purpose of the minor’s supervision and student safety
  • A metadata dictionary will be maintained in compliance with state requirements (HB 358 53A-1-1408:564)
  • Student data will not be collected and/or processed unless:
• The parent or legal guardian has provided a valid, informed consent authorizing the data’s collection and use
• Processing is necessary for compliance with a Weber School District legal obligation
• Processing is necessary in order to protect the vital interest of the student
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authorized vest in the student data or in a third party to whom the data is disclosed
• Processing is necessary for legitimate interest of Weber School District or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the student

Consent

• Consent for the collection, management, dissemination, and deletion of student data must be informed, express, and freely given
• To be valid, consent must be in writing
• Consent with regard to Personally Identifiable Information must refer expressly to that data

• Consent must be revocable
• Consent system shall include provisions for determining what disclosures should or must be made in order to obtain a valid consent, documentation of the date, method and content of the disclosures made, as well as the validity, scope, and volition of the consents given

Transfers to Third-Parties

• Student data shall not be transferred to another entity, country, or territory, unless reasonable and appropriate steps have been taken to maintain the required level of data protection
• Student data may be communicated to the third persons only for reasons consistent with the purposes for which the data were originally collected or other purposes authorized by law
• All student personally identifiable information transferred outside of Weber School District or across public communications networks shall be de-identified or shall be protected against unauthorized access by use of encryption
• All transfers of student data to third persons for further processing shall be subject to written agreements
• A third-party contractor shall use PII student data under contract strictly for the purpose of providing the contracted product or services within the negotiated contract terms (HB 358 53A-1-1410:639) (Modified by SB 163 53A-1-1410:289)
• When contracting with a third-party contractor, Weber School District will be required to list the following provisions
  • Requirements and Restrictions related to the collection, use, storage, or sharing of student data by the third-party contractor
  • A description of a person or affiliated third-party contractor with whom the third-party contractor may share student data
  • A provision outlining the deletion of the student data received by the third-party contractor
  • Provisions that prohibit the secondary use of PII student data
  • An agreement by the third-party contractor that Weber School District may audit the third-party contractor to verify compliance of the contract
  • A stipulation that the third-party contractor will share student data as requested by law enforcement
  • A third-party contractor may:
    • Use student data for adaptive learning or customized learning
    • Market an educational application or product to the parent or legal guardian of a student if the third-party contractor did not use student data
    • Use a recommendation engine to recommend to a student:
      • Content that relates to learning or employment if the recommendation is not motivated by payment or other considerations
      • Services that relate to learning or employment if the recommendation is not motivated by payment or other considerations (HB 358 53A-1-1410:668)
    • The third-party contractor may respond to a student’s request for information or feedback, if the content of the response is not motivated by payment or other considerations
    • The third-party contractor may use student data to allow or improve operability and functionality of their internal application (HB 358 53A-1-1410:674) or identify for a student non-profit institutions of higher education or scholarship providers that are seeking students who meet specific criteria (SB 163 53A-1-1410:324)
      • Regardless of whether the identified non-profit institutions of higher education or scholarship providers provide payment or other consideration to the third-party contractor and
      • Only if the third-party contractor obtains written consent by a legal guardian (SB 163 53A-1-1410:327)
    • A third-party contractor is not required to obtain written consent if the third-party contractor:
      • Is a national assessment provider and
      • Secures the express written consent of the student or legal guardian and
      • Express written consent is given in response to clear and conspicuous notice that the national assessment provider requests consent solely to provide access to information on employment, educational scholarships, financial aid, or postsecondary educational opportunities
    • At the completion of a contract with Weber School District, if the contract has not been renewed, the third-party contractor shall:
      • Return all PII student data or
      • Delete all PII student data under the control of the education entity unless a student or the legal guardian consents to the maintenance of the PII student data
    • The third-party contractor may not:
      • Sell student data
      • Collect, use, or share student data if the data is inconsistent with the contract for Weber School District
      • Use student data for targeted advertising
    • A person may obtain student data through the purchase of, merger with, or otherwise acquiring third-party contractor if the third-party contractor remains in compliance with this section.

Third-Party Contractor Penalties (exact fines/repercussions are TBD) (HB 358 53A-1-1411:699)

• If a third-party contractor knowingly or recklessly permits unauthorized collecting, sharing, or use of student data:
  • Weber School District may not enter into a future contract with them
    • Unless the school board determines that the third-party contractor has corrected the error
    • Unless the third-party contractor demonstrates they are currently compliant with these policies
    • Unless the third-party contractor is able to comply with the requirements listed here
  • May be required to pay a civil penalty up to $XX,XXX
    • The board may bring an action in the Weber County district court, if necessary, to enforce payment of the civil penalty
    • An individual who knowingly or intentionally permits unauthorized collecting, sharing, or use of student data may be found guilty of a class X misdemeanour
  • May be required to pay costs of notifying parents and students of the unauthorized use of student data
  • May be required to pay all expenses incurred by Weber School District and its schools as a result of the unauthorized sharing of student data
• A parent or student may bring an action in a court of competent jurisdiction for damages caused by a knowing or reckless violation of the student data policy by a third-party contractor

Disclosures at the Time of Data Collection (HB 358 53A-1-1406:487)

• Appropriate disclosures will be made at the time a legal guardian is asked to give consent to the collection or processing of student data, and whenever student data are collected.
• The disclosure must be a stand-alone document that is published annually and available on the Weber School District’s website
• Specific information must be disclosed to the legal guardian and/or any other person from whom student data are obtained at the time of collection, unless the legal guardian already has the information. Weber School District must establish technical or administrative means for documenting the fact that the legal guardian already has the information and how.
• These disclosures should be given as soon as possible, and preferably at the first point of contact with the Legal Guardian. The disclosure will include both necessary and optional data that will be collected and include how the district stores and protects student data.
• The disclosures should be made in a manner calculated to draw attention to them. The disclosures may not be given orally. Disclosures may be given electronically via the school district’s intranet or in writing. The receipt or form should be retained along with a contemporaneous record establishing the fact, date, content, and method of disclosure for a period of XXXXXX
• If inadequate disclosures are made initially, additional disclosures may have to be made at a later time, and the fact, date, content, and method of these additional disclosures shall be recorded.
• The Student Data Disclosure must contain the following statement: “The collection, use, and sharing of student data has both benefits and risks. Parents and students should learn about these benefits and risks and make choices regarding student data accordingly.”

Sources of Student Data

• Student data shall be collected only from the legal guardian unless the nature of the business purpose necessitates collection of the data from other persons or bodies, collection from the legal guardian would necessitate disproportionate effort, or collection must be accomplished under emergency circumstances in order to protect an interest of the student or to prevent serious loss.
• Weber School District will create a form or system to document and automate this process as fully as possible.
• If student data are collected from someone other than the Legal Guardian, the student’s guardian must be informed of the following items unless the legal guardian has received the required information by other means, notification would require disproportionate effort, or the law expressly provides for collection, processing or transfer of the student data.

• The fact of the collection, processing or transfer of the data by Weber School District;
• The nature and purposes of the processing;
• The recipients or categories of recipients of the data;
• The origin of the data; and

Student Rights

• Weber School District shall establish a system to enable and facilitate exercise of student data rights of access, blockage, erasure, opposition, rectification, and, where appropriate or required by applicable law, a system for giving notice of inappropriate exposure of the student data.
• shall be entitled to obtain the following information about student data upon a request made in compliance with reasonable policies and procedures established, and set forth in writing.

• Whether Weber School District has stored student data concerning the Legal Guardian.
• Whether any of the data is personally identifiable.
• The source(s) of the data, if known.
• The recipients or categories of recipients to whom the data have been or may be transmitted.
• The purposes of the collection, processing, use and storage of the data.
• A hard copy of the data in an intelligible form.
  • Weber School District shall provide its response to a request for student data within 40 days of the date the school district receives a written request from the legal guardian and appropriate verification that the requestor is the an authorized legal representative.
  • A Legal Guardian shall have the right to require Weber School District to correct or supplement erroneous, misleading, outdated, or incomplete student data.
  • Requests for access to or rectification of student data shall be directed, at the Legal Guardian’s option, to the principal of the school responsible for the student data.
  • Weber School District shall establish a system for logging each request under this Section as it is received and noting the response date.
  • If Weber School District cannot respond fully to the request within the time indicated, then they shall nevertheless provide the following information within the specified time:
• An acknowledgement of receipt of the request.
• Disclosure of responsive information located to date.
• Identification of any requested information or modifications which Weber School District will not provide, the reason(s) for the refusal, and the procedures for appealing the decision within the district, if any.
• An estimate of a date by which the remaining responses will be made.
• A statement or estimate of any costs to be paid by the requestor.
• The name and contact information of the individual who the requestor should contact for follow up.
  • Where providing the information about the requesting student would disclose personally identifiable information about another individual, the school handling the request must review the data and redact or withhold the information as may be necessary or appropriate to protect that person’s rights.
  • Weber School District may establish procedures to screen and deny abusively burdensome or repetitive requests by or on behalf of a Legal Guardian.
  • The rights provided to parents in this policy transfer to the student when the student turns 18 years old or becomes an emancipated minor

Sensitive Data

• Sensitive Data should not be processed unless:
  • Such processing is specifically authorized or required by law
  • The legal guardian expressly consents
  • The processing is required for preventive medicine, medical diagnosis, or health care treatment; provided the data are processed by a health professional subject to national law or rules with an obligation of professional secrecy or by another person with an equivalent obligation of secrecy. If Weber School District is relying upon this medical exemption, all contracts with employees and independent contractors who will have access to the Sensitive Data must contain confidentiality requirements equivalent to those imposed on health professionals.
  • Where the legal guardian is physically or legally incapable of giving consent, but the processing is necessary to protect a vital interest of the student. This exemption may apply, for example, where emergency medical care is needed.
  • Data relating to criminal offenses may be processed only by or under the control of an official authority.
• If Weber School District is relying upon one of the exemptions to authorize processing of Sensitive Data, the exemption relied upon, and the basis for the exemptions should be recorded with the data.

Data Quality Assurance

• Each individual school shall take steps to assure that student data it collects or processes is complete and accurate in the first instance. Data must be accurate and updated in such a way as to give a true picture of the current situation of the student.
• Weber School District shall correct data which it knows to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the legal guardian does not request rectification. Inaccurate data must be erased and replaced by corrected or supplemented data.
• Student data must be kept only for the period necessary for permitted uses. When defining a permitted use for data, the individual school shall establish a remove or review date for the stated purpose.
• Student data should be erased if their storage violates any of the data protection rules or if knowledge of the data are no longer required by Weber School District or for the benefit of the Legal Guardian. See the Student Record Retention section in the Data Governance Plan.
• Student data should be blocked, rather than erased, insofar as the law prohibits erasure, erasure would impair legitimate interests of the Legal Guardian, erasure is not possible without disproportionate effort due to the specific type of storage; or if the legal guardian disputes that the data are correct and it cannot be ascertained whether they are correct or incorrect.

Notice of Non-Compliance

• Weber School District shall notify the Superintendent, directors, and principals that: i) failure to comply with relevant data protection legislation may trigger criminal and civil liability, including fines, imprisonment, and damage awards; and ii) they can be personally liable where an offense is committed by Weber School District with their consent or involvement, or is attributable to any neglect on their part.

Data Security

• Physical, Technical, and Organizational Security Measures
  • Weber School District shall adopt physical, technical, and organizational measures to ensure the security of student data, including the prevention of their alteration, loss, damage, unauthorized processing or access, having regard to the state of the art, the nature of the data, and the risks to which they are exposed by virtue of human action or the physical or natural environment.
  • Adequate security measures should include all of the following:
• Entry Control: Prevention of unauthorized persons from gaining access to data processing systems in which student data are processed or stored.
• Access Control: Prevention of data processing systems from being used by unauthorized persons.
• Disclosure Control: Preventing persons entitled to use a data processing system from accessing data beyond their needs and authorizations. This includes preventing unauthorized reading, copying, modifying or removal during processing and use, or after storage.
• Input Control: Ensuring that it can be subsequently checked and established whether and by whom student data has been entered into, modified on, or removed from data processing systems.
• Job Control: Ensuring that in the case of commissioned processing of student data, the data can be processed only in accordance with the instructions of the school district.
• Availability Control: Ensuring that student data are protected against undesired destruction or loss.
• Use Control: Ensuring that data collected for different purposes can and will be processed differently
• Longevity Control: Ensuring that data is not kept longer than necessary, including by requiring that data transferred to third persons be returned or destroyed.

5. DISPUTE RESOLUTION

• Employees
  • Employees with inquiries or complaints about the processing of student data should first discuss the matter with their Principal or Supervisor. If the employee does not wish to raise an inquiry or complaint with an immediate supervisor, or if the supervisor and the employee are unable to reach a satisfactory resolution of the issues raised, the employee should bring the issue to the attention of their Director.
• Parents, Legal Guardians, and Adult Students
  • Parents, legal guardians, and adult students with inquiries or complaints about the processing of student data should bring the matter to the attention of the Student Data Compliance Officer in writing. Any disputes concerning the processing of the personal data of non-employees will be resolved through arbitration.

6. TRAINING

• Each school and/or building will provide training to teach or re-emphasize privacy and security related procedures. These procedures should be set forth in written guidelines to employees and shall include at least the following.

• Each employee’s duty to use and permit the use of student data only by authorized persons and for authorized purposes;
• The contents of this Policy;
• The relationship between this Policy and other Weber School District policies;
• The need for and proper use of the forms and procedures adopted to implement this Policy;
• The correct use of passwords, security tokens and other access mechanisms;
• The importance of limiting access to student data, such as by using password protected screen savers, logging out when the information is not being used and attended by an authorized person;
• Securely storing manual files, print outs and electronic storage media;
• A general prohibition on the transfer of student data outside of the internal network and physical office premises unless otherwise stated in this Policy;
• Proper disposal of confidential data by shredding, etc.;

7. COMPLIANCE MEASUREMENT

7.1 Current Compliance Assessment

Weber School District shall establish a schedule for and implement a data protection compliance audit for all locations. Weber School District, in cooperation with individual locations, shall devise a plan and schedule for correcting any identified deficiencies within a fixed, reasonable time.

7.2 Annual Data Protection Audit

Each location shall review annually its data collection, processing, and security practices. This annual review shall consist of at least the following:

• The school or building shall determine what student data they are collecting, or intends to collect, the purposes of the data collection and processing, any additional permitted purposes, the actual uses of the data, what disclosures have been made about the purposes of the collection and use of such data, the existence and scope of any legal guardian consents to such activities, any legal obligations regarding the collection and processing of such data, and the scope, sufficiency, and implementation status of security measures.
• The school or building shall determine what student data it has in manual systems that constitute “relevant filing systems.”
• Each school shall identify all transferees of student data in its possession or control. The school shall determine where the transferee is located, the purposes of the transfer, what physical, technical, and procedural systems are in place to maintain at least the existing level of data protection and to prevent or control further transfers.
• The information collected in this annual review shall be delivered to the Data Security Officer for review and appropriate action including, without limitation, the following:
  • Making recommendations for improvement to policies and procedures in order to improve compliance with this policy and applicable law.
  • Satisfying the requirements of all federal, state, and local laws in relation to transferring, storing, and deleting student data.

8. IMPLEMENTATION

• Publication

This Policy shall be available to employees through the Human Resources Department and shall be made available to non-employees through posting to http://wsd.net.

• Effective Date

This Policy is adopted as of July 1, 2017. Weber School District, in cooperation with the schools, will develop a timeline and program for implementing this Policy. This implementation program will include the resolution of any conflicts between this Policy and other existing policies. (HB 358 53A-1-1409:568)

• Revisions

This Policy may be revised at any time. Notice of significant revisions shall be provided to employees through the Human Resources Department and to others through the Weber School District website, located at http://wsd.net.

9. PARENT NOTIFICATION OF THREATS AND INCIDENTS

• For the purpose of this section, ‘parent’ includes a student’s guardian, or if the student is over 18 years old, the student
• If a school or the school district notifies a parent of a threat or incident, the school or school district shall produce and maintain a record that verifies a parent was notified
• At the request of a parent, the school may provide information or make recommendations related to the threat or incident
• A school shall:
  • Provide a student a copy of a record maintained in accordance with this section as it relates to the student
  • Expunge the record maintained in accordance with this section when the student
• Has graduated from High School and
• Requests that the record be expunged
  • Notify a parent if the parent’s student threatens to commit suicide
  • Notify the parent of each student involved in an incident of:
• Bullying
• Cyber-Bullying
• Harassment
• Hazing
• Retaliation

10. SURVEYS, ANALYSIS, AND EVALUATION RESTRICTIONS (PPRA)

• Written consent from a Legal Guardian must be obtained prior to a student being required to take any type of survey, analysis, or evaluation that reveals information concerning the following. Parents must have an opportunity to opt out of any survey concerning one of these areas also:

• Political affiliations;
• Mental and psychological problems potentially embarrassing to the student and his/her family;
• Sex behavior and attitudes;
• Illegal, anti-social, self-incriminating and demeaning behavior;
• Critical appraisals of other individuals with whom respondents have close family relationships;
• Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
• Religious practices, affiliations, or beliefs of the student or student's parent*; or
• Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program.)
  • Weber School District must notify the Legal Guardian, at least annually at the beginning of the school year, of the specific or approximate dates during the school year when activities involving the collection, disclosure, or use of personal information collected from students for marketing purposes or to sell or otherwise provide the information to others for marketing purposes
  • Exception to the requirement of written notification and authorization by the Legal Guardian
    • Requirements concerning activities involving the collection and disclosure of personal information collected from students for marketing purposes does not apply to the collection, disclosure, or use of personal information collected for the exclusive purpose of developing, evaluating, or providing educational products or services such as:
  • College or post-secondary education recruitment
  • Military recruitment
  • Book clubs, magazines, and programs providing access to low-cost literary products
  • Curriculum and instructional materials used by elementary and secondary schools
  • Tests and assessments used by schools to provide cognitive, evaluative, diagnostic, clinical, aptitude, or achievement information about students
  • The sale by students of products or services to raise funds for school-related or education-related activities
  • Student recognition programs
    • The legal guardian has the right to inspect any type of instructional material or instrument used in the collection of personal information used as part of the educational curriculum for the student.
    • Any request for inspection of instructional material or instrument used in the collection of personal information must be granted within a reasonable period of time after the request is received
    • Weber School District must offer an opportunity for parents to opt out of participating in any of the activities outlined in this section

11. DEFINITIONS

• Terms and Definitions (HB 358 53A-1-1402)

Adult Student: Student’s 18 years old or older, emancipated students, or students qualified under the McKinney-Vento Homeless Education Assistance

Aggregate Data: Totalled and reported at the group, school, district, region, or state level with at least 10 individuals at the level

Data Authorization: Written authorization to collect or share student’s data

Data Governance Plan: Comprehensive plan for managing education data

Education Entity: Weber School District and its individual schools

Expunge: Seal or permanently delete data

Instructional Material: Instructional content that is provided to a student, regardless of its format, including printed or representational materials, audio-visual materials, and materials in electronic or digital formats (such as materials accessible through the Internet). The term does not include academic tests or academic assessments.

Invasive Physical Examination: Any medical examination that involves the exposure of private body parts, or any act during such examination that includes incision, insertion, or injection into the body, but does not include a hearing, vision, or scoliosis screening.

Legal Guardian: Parent, Legal Guardian, or Adult Student

Necessary Student Data: Data required by the statute or federal law to conduct the regular activities (HB 358 53A-1-1402:314)

• Name
• Date of birth
• Sex
• Parent contact information
• Custodial parent information
• Contact information
• Student ID number
• Local, state, and national assessment results
• Courses taken and completed, credits earned, other transcript information
• Course grades and grade point average
• Grade level and expected graduation date or cohort
• Degree, diploma, credential attainment and other exit information
• Attendance and mobility
• Drop-out data
• Immunization record or exception from one
• Race
• Ethnicity
• Tribal affiliation
• Remediation efforts
• Except from vision screening
• Information from vision screening
• Utah registry of Autism and Developmental Disabilities
• Student injury information
• Cumulative disciplinary record created and maintained by district
• Juvenile delinquency records
• English language learner status
• Child find and special education evaluation data related to initiation of IEP

Optional Student Data: Data not included in the Necessary category (HB 358 53A-1-1402:346)

• Related to IEP or needed to provide special needs
• Biometric information
• Information that is not necessary student data and that is required for a student to participate in federal or other program

Personally Identifiable Information (PII): Information that identifies a student (HB 358 53A-1-1402:359)

• Student’s first and last name
• First and last name of student’s family member
• Home or physical address
• E-mail address or other contact information
• Student’s phone number
• Student’s social security number
• Student’s biometric identifier
• Health or disability data
• Education entity student ID number
• Social media username and password or alias
• Customer number held in a cookie
• Combinations
  • Student’s last name with a photograph
  • Student or their family member’s information combined with Personally Identifiable student information
  • Any information that would allow a reasonable person in the community to identify a student with reasonable certainty

Survey: An evaluation

12. RELATED LEGISLATION AND EXISTING POLICIES

• Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
• Children’s Online Privacy Protection Act (COPPA) (15 U.S. Code § 6506)
• Protection of Pupil Rights Amendment (PPRA)
• Utah House Bill 358 (2017)
• Senate Bill 102 (2017)

13. FEEDBACK

• Weber School District staff, students, parents, and legal guardians may provide feedback about this document by emailing
  

1. Purpose

The purpose of this policy is to ensure the secure use and handling of all district data, computer systems and computer equipment by District students, patrons, and employees.

2. Policy

2.1 Technology Security                                                                                               

It is the policy of the Weber School District to support secure network systems in the district, including security for all personally identifiable information that is stored on paper or stored digitally on district-maintained computers and networks. This policy supports efforts to mitigate threats that may cause harm to the district, its students, or its employees.

The district will ensure reasonable efforts will be made to maintain network security. Data loss can be caused by human error, hardware malfunction, natural disaster, security breach, etc., and may not be preventable.

All persons who are granted access to the district network and other technology resources are expected to be careful and aware of suspicious communications and unauthorized use of district devices and the network. When an employee or other user becomes aware of suspicious activity, he/she is to immediately contact the district’s Information Security Officer with the relevant information.

This policy and procedure also covers third party vendors/contractors that contain or have access to Weber School District critically sensitive data. All third party entities will be required to sign the Restriction on Use of Confidential Information Agreement before accessing our systems or receiving information.

It is the policy of Weber School District to fully conform with all federal and state privacy and data governance laws.  Including the Family Educational Rights and privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 (hereinafter “FERPA”), the Government Records and Management Act U.C.A. §62G-2 (hereinafter “GRAMA”), U.C.A. §53A-1-1401 et seq and Utah Administrative Code R277-487.

Professional development for staff and students regarding the importance of network security and best practices are included in the procedures. The procedures associated with this policy are consistent with guidelines provided by cyber security professionals worldwide and in accordance with Utah Education Network and the Utah State Office of Education. Weber School District supports the development, implementation and ongoing improvements for a robust security system of hardware and software that is designed to protect Weber School District’s data, users, and electronic assets.

3. Procedure

3.1. Definitions:

3.1.1.  Access: Directly or indirectly use, attempt to use, instruct, communicate with, cause input to, cause output from, or otherwise make use of any resources of a computer, computer system, computer network, or any means of communication with any of them.

3.1.2. Authorization: Having the express or implied consent or permission of the owner, or of the person authorized by the owner to give consent or permission to access a computer, computer system, or computer network in a manner not exceeding the consent or permission.

3.1.3. Computer: Any electronic device or communication facility that stores, retrieves, processes, or transmits data.

3.1.4. Computer system: A set of related, connected or unconnected, devices, software, or other related computer equipment.

3.1.5. Computer network: The interconnection of communication or telecommunication lines between: computers; or computers and remote terminals; or the interconnection by wireless technology between: computers; or computers and remote terminals.

3.1.6. Computer property: Includes electronic impulses, electronically produced data, information, financial instruments, software, or programs, in either machine or human readable form, any other tangible or intangible item relating to a computer, computer system, computer network, and copies of any of them.

3.1.7. Confidential: Data, text, or computer property that is protected by a security system that clearly evidences that the owner or custodian intends that it not be available to others without the owner's or custodian's permission.

3.1.8. Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.

3.1.9. Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered protected data

3.1.10. Security system: A computer, computer system, network, or computer property that has some form of access control technology implemented, such as encryption, password protection, other forced authentication, or access control designed to keep out unauthorized persons.

3.1.11. Sensitive data - Data that contains personally identifiable information.

3.1.12. System level – Access to the system that is considered full administrative access.  Includes operating system access and hosted application access.

3.2. Security Responsibility

3.2.1. Weber School District shall appoint, in writing, an IT Security Group (ISG) responsible for overseeing District-wide IT security with duties that include development of District policies and adherence to the standards defined in this document.

3.3. Training

3.3.1. Weber School District, led by the ISG, shall ensure that all District employees having access to sensitive information undergo annual IT security training which emphasizes their personal responsibility for protecting student and employee information. - Training resources will be provided to all District employees.

3.4. Physical Security

3.4.1. Computer Security

3.4.1.1. Weber School District shall ensure that any user’s computer must not be left unattended and unlocked, especially when logged into sensitive systems or data including student or employee information. Automatic log off, locks and password screen savers should be used to enforce this requirement.

3.4.1.2. Weber School District shall ensure that all equipment that contains sensitive information will be secured to deter theft.

3.4.2. Server/Network Room Security

3.4.2.1. Weber School District shall ensure that server rooms and telecommunication rooms/closets are protected by appropriate access control which segregates and restricts access from general school or District office areas. Access control shall be enforced using either keys, electronic card readers, or similar method with only those IT or other staff members having access necessary to perform their job functions are allowed unescorted access.

3.4.2.2. Telecommunication rooms/closets may only remain unlocked or unsecured when because of building design it is impossible to do otherwise or due to environmental problems that require the door to be opened.

3.4.3. Contractor access

3.4.3.1. Before any contractor is allowed access to any computer system, server room, or telecommunication room the contractor will need to present a company issued identification card, and his/her access will need to be confirmed directly by the authorized employee who issued the service request or by Weber School District’s Technology Department. 

3.5. Network Security

3.5.1. Network perimeter controls will be implemented to regulate traffic moving between trusted internal (District) resources and external, untrusted (Internet) entities. All network transmission of sensitive data should enforce encryption where technologically feasible.

3.5.2. Network Segmentation

3.5.2.1. Weber School District shall ensure that all untrusted and public access computer networks are separated from main district computer networks and utilize security policies to ensure the integrity of those computer networks.

3.5.2.2. Weber School District will utilize industry standards and current best practices to segment internal computer networks based on the data they contain. This will be done to prevent unauthorized users from accessing services unrelated to their job duties and minimize potential damage from other compromised systems.

3.5.3. Wireless Networks

3.5.3.1. No wireless access point shall be installed on Weber School District’s computer network that does not conform with current network standards as defined by the Network Manager.  Any exceptions to this must be approved directly in writing by the Information Security Group.

3.5.3.2. Weber School District shall scan for and remove or disable any rogue wireless devices on a regular basis.

3.5.3.3. All wireless access networks shall conform to current best practices and shall utilize at minimal WPA encryption for any connections.  Open access networks are not permitted, except on a temporary basis for events when deemed necessary.

3.5.4. Remote Access

3.5.4.1. Weber School District shall ensure that any remote access with connectivity to the District’s internal network is achieved using the District’s Palo Alto Global VPN service that is protected by multiple factor authentication systems.  Any exception to this policy must be due to a service provider’s technical requirements and must be approved by the Information Security Officer.

3.6. Access Control

3.6.1. System and application access will be granted based upon the least amount of access to data and programs required by the user in accordance with a business need-to-have requirement.

3.6.2. Authentication

3.6.2.1. Weber School District shall enforce strong password management for employees, students, and contractors. 

3.6.2.2. Password Creation

3.6.2.2.1. All server system-level passwords must conform to the Password Construction Guidelines posted on the Weber School District Technology Website.

3.6.2.3. Password Protection

3.6.2.3.1. Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential information.

3.6.2.3.2. Passwords must not be inserted into email messages or other forms of electronic communication.

3.6.2.3.3. Passwords must not be revealed over the phone to anyone.

3.6.2.3.4. Do not reveal a password on questionnaires or security forms.

3.6.2.3.5. Do not hint at the format of a password (for example, "my family name"). 

3.6.2.3.6. Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.

3.6.2. Authorization

3.6.2.1. Weber School District shall ensure that user access shall be limited to only those specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.

3.6.2.2. Weber School District shall ensure that user access should be granted and/or terminated upon timely receipt, and management’s approval, of a documented access request/termination.

3.6.3. Accounting

3.6.3.1. Weber School District shall ensure that audit and log files are maintained for at least ninety days for all critical security-relevant events such as: invalid logon attempts, changes to the security policy/ configuration, and failed attempts to access objects by unauthorized users, etc.

3.6.4. Administrative Access Controls

3.6.4.1. Weber School District shall limit IT administrator privileges (operating system, database, and applications) to the minimum number of staff required to perform these sensitive duties.

3.7. Incident Management

3.7.1. Monitoring and responding to IT related incidents will be designed to provide early notification of events and rapid response and recovery from internal or external network or system attacks.

3.8. Business Continuity

3.8.1. To ensure continuous critical IT services, IT will develop a business continuity/disaster recovery plan appropriate for the size and complexity of District IT operations.

3.8.2. Weber School District shall develop and deploy a district-wide business continuity plan which should include as a minimum:

• Backup Data: Procedures for performing routine daily/weekly/monthly backups and storing backup media at a secured location other than the server room or adjacent facilities. As a minimum, backup media must be stored off-site a reasonably safe distance from the primary server room.
• Secondary Locations: Identify a backup processing location, such as another School or District building.
• Emergency Procedures: Document a calling tree with emergency actions to include: recovery of backup data, restoration of processing at the secondary location, and generation of student and employee listings for ensuing a full head count of all.

3.9. Malicious Software

3.9.1. Server and workstation protection software will be deployed to identify and eradicate malicious software attacks such as viruses, spyware, and malware.

3.9.2. Weber School District shall install, distribute, and maintain spyware and virus protection software on all district-owned equipment, i.e. servers, workstations, and laptops. 

3.9.3. Weber School District shall ensure that malicious software protection will include frequent update downloads (minimum weekly), frequent scanning (minimum weekly), and that malicious software protection is in active state (real time) on all operating servers/workstations.

3.9.4. Weber School District shall ensure that all security-relevant software patches (workstations and servers) are applied within thirty days and critical patches shall be applied as soon as possible.

3.9.5. All computers must use the District approved anti-virus solution.

3.9.6. Any exceptions to section 3.9 must be approved by the Information Security Officer.

3.10. Internet Content Filtering

3.10.1. In accordance with Federal and State Law, Weber School District shall filter internet traffic for content defined in law that is deemed harmful to minors.

3.10.2. Weber School District acknowledges that technology based filters are not always effective at eliminating harmful content and due to this, Weber School District uses a combination of technological means and supervisory means to protect students from harmful online content.

3.10.3. In the event that students take devices home, Weber School District will provide a technology based filtering solution for those devices.  However, the District will rely on parents to provide the supervision necessary to fully protect students from accessing harmful online content.

3.10.4. Students shall be supervised when accessing the internet and using district owned devices on school property.

3.11. Data Privacy

3.11.1. Weber School District considers the protection of the data it collects on students, employees and their families to be of the utmost importance.

3.11.2. Weber School District protects student data in compliance with the Family Educational Rights and privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 ( “FERPA”), the Government Records and Management Act  U.C.A. §62G-2 ( “GRAMA”), U.C.A. §53A-1-1401 et seq, 15 U.S. Code §§ 6501–6506 (“COPPA”) and Utah Administrative Code R277-487 (“Student Data Protection Act”).

3.11.3. Weber School District shall ensure that employee records access shall be limited to only those individuals who have specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.

3.12. Security Audit and Remediation

3.12.1. Weber School District shall perform routine security and privacy audits in congruence with the District’s Information Security Audit Plan.

3.12.2. District personnel shall develop remediation plans to address identified lapses that conforms with the District’s Information Security Remediation Plan Template.

3.13. Disciplinary Actions

3.13.1 Employee Disciplinary Actions shall be in accordance with applicable laws, regulations and District policies.  Any employee found to be in violation may be subject to disciplinary action up to and including termination of employment with the Weber School District.

I’ve typically used this column to celebrate positive achievements throughout our school district. And, there is so much to celebrate and so many to recognize! Thank you to remarkable teachers, administrators and support professionals who strive every day to make a difference in the lives of children.

Recently, we have been experiencing an escalation of intolerant behavior in our schools. Instances of fighting, taunting, cyberbullying and harassment are on the rise. One could easily conclude that the current national discourse in areas such as politics, religious tolerance, race relations, free speech, etc. is filtering into our schools and having a substantial impact. 

I’m calling upon every Weber School District employee to be proactive in establishing a climate in each of our schools and in every classroom where tolerance is promoted and bias speech or conduct is eliminated. You can do this on a daily basis by setting a tone in your school and classroom where inclusion is encouraged and tolerance is promoted. Each one of us should find teachable moments to clearly articulate expectations and zero-tolerance policies regarding the denigration of others for any reason—whether that’s clothing, appearance, body size, gender orientation, religious differences, ethnicity or race. Please ensure that potential vulnerable students are protected and feel safe. Creating a safe learning environment is the first key to a whole child education. Inspire students to have the courage to speak up when they see or hear anything that would compromise that safe school climate.

Several years ago, we had the privilege of hosting Elizabeth Eckford, one of the original Little Rock Nine, at one of our schools. Elizabeth recounted the nightmarish experience she had at Central High School in Little Rock, Arkansas, as one of the first students of color to attend a desegregated school in 1957—60 years ago! What she experienced then still haunts her to this day. In fact, she continues to suffer from PTSD (post-traumatic stress syndrome). It was an extraordinary thing to watch our young students interact with Elizabeth, who rarely makes a public appearance. So many students connected with her on a profoundly personal level as they considered their own vulnerabilities and insecurities. It was one of the most memorable days of my professional career. At the conclusion of the day, Elizabeth shared something with me that I’ll never forget. She told me that she was an acquaintance of Dr. Martin Luther King, Jr. On one occasion, Dr. King described for her what he envisioned as a “Beautiful Community.” Then, she paid the highest tribute when she said, “After spending a day in your city and in your district, I believe this is a ‘beautiful community.’” 

I’ve come to realize that keeping our district and our town a “beautiful community” requires constant vigilance. While we may not be able to change the national discourse, we can certainly influence what takes place in our schools. The power of a teacher, principal or support professional should never be underestimated. So, I’m calling on each of you to join with me in saying, “NOT IN OUR DISTRICT!”  Let’s work together to ensure that every student feels safe from bullying and harassment. Let’s re-double our efforts to make sure that every student feels valued. And, let’s fight to ensure that tolerance, inclusion and acceptance become hallmarks of our schools. It truly is “The Weber Way.”