Notification of Rights Under the Protection of Pupil Rights Amendment (PPRA)/Utah FERPA (UFERPA)
PPRA/Utah FERPA affords parents of elementary and secondary students certain rights regarding the conduct of surveys, collection and use of information for marketing purposes, and certain physical exams. These include, but are not limited to, the right to:
• Consent before students are required to submit to a psychological or psychiatric examination, test, or treatment, or any survey, analysis, or evaluation in which the evident intended effect is to cause the student to reveal information concerning one or more of the following protected areas about the student or any family member (“protected information survey”) except as part of a suicide prevention program as described in 53G-9-702, if the protected information survey is administered by the state of Utah, or if there is a reasonable belief that there is an emergency, child abuse, neglect, or a serious threat to the wellbeing of the student
•Receive notice and an opportunity to opt a student out of –
•Inspect, upon request and before administration or use –
These rights transfer from the parents to a student who is 18 years old or an emancipated minor under State law. 2 [School District will/has develop[ed] and adopt[ed]] policies, in consultation with parents, regarding these rights, as well as arrangements to protect student privacy in the administration of protected information surveys and the collection, disclosure, or use of personal information for marketing, sales, or other distribution purposes. [School District] will directly notify parents of these policies at least annually at the start of each school year and after any substantive changes. [School District] will also directly notify, such as through U.S. Mail or email, parents of students who are scheduled to participate in the specific activities or surveys noted below and will provide an opportunity for the parent to opt his or her child out of participation of the specific activity or survey. [School District] will make this notification to parents at the beginning of the school year if the District has identified the specific or approximate dates of the activities or surveys at that time. For surveys and activities scheduled after the school year starts, parents will be provided at least two weeks notification of the planned activities and surveys listed below and be provided an opportunity to opt their child out of such activities and surveys. Parents will also be provided an opportunity to review any pertinent surveys. Following is a list of the specific activities and surveys covered under this direct notification requirement:
Parents who believe their rights have been violated may file a complaint with:
Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, D.C. 20202
Necessary student data means data required by state statute or federal law to conduct the regular activities of the school.
We may only collect optional student data with written consent from the student’s parent or from a student who has turned 18.
Certain sensitive information on students collected via a psychological or psychiatric examination, test, or treatment, or any survey, analysis, or evaluation will only be collected with parental consent. You will receive a separate consent form in these cases. See our Protection of Pupil Rights Act (PPRA) notice for more information.
We will not collect a student’s social security number or criminal record, except as required by Utah Code Section 78A-6-112(3).
We will only share student data in accordance with the Family Educational Rights and Privacy Act (FERPA), which generally requires written parental consent before sharing student data. FERPA includes several exceptions to this rule, where we may share student data without parental consent. For more information on third parties receiving student information from us, see our Metadata Dictionary.
Student data will be shared with the Utah State Board of Education via the Utah Transcript and Records Exchange (UTREx). For more information about UTREx and how it is used, please visit the Utah State Board of Education’s Information Technology website.
The collection, use, and sharing of student data has both benefits and risks. Parents and students should learn about these benefits and risks and make choices regarding student data accordingly. Parents are given the following choices regarding student data:
Your local school district or charter school
The Utah State Board of Education
Report your concern with the USBE hotline
The US Department of Education
Report your concern here
In accordance with Board Rule R277-487-3(14), we have adopted a cybersecurity framework called the CIS Controls.
[Note: Per 34 C.F.R. § 99.37(d), a school or school district may adopt a limited directory information policy. If a school or school district does so, the directory information notice to parents and eligible students must specify the parties who may receive directory information and/or the purposes for which directory information may be disclosed.]
The Family Educational Rights and Privacy Act (FERPA), a Federal law, requires that Weber School District, with certain exceptions, obtain your written consent prior to the disclosure of personally identifiable information from your child’s education records. However, Weber School District may disclose appropriately designated “directory information” without written consent, unless you have advised the Weber School District to the contrary in accordance with Weber School District procedures. The primary purpose of directory information is to allow the Weber School District to include information from your child’s education records in certain school publications. Examples include:
Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent. Outside organizations include, but are not limited to, companies that manufacture class rings or publish yearbooks. In addition, two federal laws require local educational agencies (LEAs) receiving assistance under the Elementary and Secondary Education Act of 1965, as amended (ESEA) to provide military recruiters, upon request, with the following information – names, addresses and telephone listings – unless parents have advised the LEA that they do not want their student’s information disclosed without their prior written consent. [Note: These laws are Section 9528 of the ESEA (20 U.S.C. § 7908) and 10 U.S.C. § 503(c).]
If you do not want Weber School District to disclose any or all of the types of information designated below as directory information from your child’s education records without your prior written consent, you must notify the Weber School District in writing by September 15th. Weber School District has designated the following information as directory information:
The Family Educational Rights and Privacy Act (FERPA) affords parents and students who are 18 years of age or older ("eligible students") certain rights with respect to the student's education records. These rights are:
Parents or eligible students who wish to inspect their child’s or their education records should submit to the school principal [or appropriate school official] a written request that identifies the records they wish to inspect. The school official will make arrangements for access and notify the parent or eligible student of the time and place where the records may be inspected.
Parents or eligible students who wish to ask the “District” to amend their child’s or their education record should write the school principal [or appropriate school official], clearly identify the part of the record they want changed, and specify why it should be changed. If the school decides not to amend the record as requested by the parent or eligible student, the school will notify the parent or eligible student of the decision and of their right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures will be provided to the parent or eligible student when notified of the right to a hearing.
One exception, which permits disclosure without consent, is disclosure to school officials with legitimate educational interests. The criteria for determining who constitutes a school official and what constitutes a legitimate educational interest must be set forth in the school’s or school district’s annual notification for FERPA rights. A school official typically includes a person employed by the school or school district as an administrator, supervisor, instructor, or support staff member (including health or medical staff and law enforcement unit personnel) or a person serving on the school board. A school official also may include a volunteer, contractor, or consultant who, while not employed by the school, performs an institutional service or function for which the school would otherwise use its own employees and who is under the direct control of the school with respect to the use and maintenance of PII from education records, such as an attorney, auditor, medical consultant, or therapist; a parent or student volunteering to serve on an official committee, such as a disciplinary or grievance committee; or a parent, student, or other volunteer assisting another school official in performing his or her tasks. A school official typically has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.
Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202
FERPA permits the disclosure of PII from students’ education records, without consent of the parent or eligible student, if the disclosure meets certain conditions found in § 99.31 of the FERPA regulations. Except for disclosures to school officials, disclosures related to some judicial orders or lawfully issued subpoenas, disclosures of directory information, and disclosures to the parent or eligible student, § 99.32 of the FERPA regulations requires the school to record the disclosure. Parents and eligible students have a right to inspect and review the record of disclosures. A school may disclose PII from the education records of a student without obtaining prior written consent of the parents or the eligible student –
Weber School District (referred to as the LEA throughout) takes its responsibility toward student data seriously. This governance plan incorporates the following Generally Accepted Information Principles (GAIP):
The LEA recognizes that there is risk and liability in maintaining student data and other education-related data and will incorporate reasonable data industry best practices to mitigate this risk.
In accordance with R277-487, the LEA shall do the following:
The LEA acknowledges the need to identify parties who are ultimately responsible and accountable for data and content assets. These individuals and their responsibilities are as follows:
The LEA recognizes that training and supporting educators and staff regarding federal and state data privacy laws is a necessary control to ensure legal compliance.
In accordance with the risk management priorities of the LEA, the LEA will conduct an audit of:
There is a risk of redisclosure whenever student data are shared. The LEA shall follow appropriate controls to mitigate the risk of redisclosure and to ensure compliance with federal and state law.
The LEA recognizes the risk associated with data following a student year after year that could be used to mistreat the student. The LEA shall review all requests for records expungement from parents and make a determination based on the following procedure.
The following records may not be expunged: grades, transcripts, a record of the student’s enrollment, assessment information.
The procedure for expungement shall match the record amendment procedure found in 34 CFR 99, Subpart C of FERPA.
The LEA shall follow industry best practices to protect information and data. In the event of a data breach or inadvertent disclosure of personally identifiable information, the LEA staff shall follow industry best practices for responding to the breach.
The LEA recognizes the importance of transparency and will post this policy on the LEA website.
Weber School District is committed to a policy of protecting the rights and privacy of individuals (includes students, staff and others) in accordance with the Student Data Protection Act (HB 358 Utah 2017; SB 102 Utah 2017). The district needs to process certain information about its staff, students, and other individuals it has dealings with for administrative purposes. To comply with the law, information about individuals must be collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.
Weber School District has adopted the following principles to govern its use, collection, storage, transmittal, and deletion of all student data, except as specifically provided by this policy or as required by applicable laws.
7.1 Current Compliance Assessment
Weber School District shall establish a schedule for and implement a data protection compliance audit for all locations. Weber School District, in cooperation with individual locations, shall devise a plan and schedule for correcting any identified deficiencies within a fixed, reasonable time.
7.2 Annual Data Protection Audit
Each location shall review annually its data collection, processing, and security practices. This annual review shall consist of at least the following:
This Policy shall be available to employees through the Human Resources Department and shall be made available to non-employees through posting to http://wsd.net.
This Policy is adopted as of July 1, 2017. Weber School District, in cooperation with the schools, will develop a timeline and program for implementing this Policy. This implementation program will include the resolution of any conflicts between this Policy and other existing policies. (HB 358 53A-1-1409:568)
This Policy may be revised at any time. Notice of significant revisions shall be provided to employees through the Human Resources Department and to others through the Weber School District website, located at http://wsd.net.
Adult Student: Student’s 18 years old or older, emancipated students, or students qualified under the McKinney-Vento Homeless Education Assistance
Aggregate Data: Totalled and reported at the group, school, district, region, or state level with at least 10 individuals at the level
Data Authorization: Written authorization to collect or share student’s data
Data Governance Plan: Comprehensive plan for managing education data
Education Entity: Weber School District and its individual schools
Expunge: Seal or permanently delete data
Instructional Material: Instructional content that is provided to a student, regardless of its format, including printed or representational materials, audio-visual materials, and materials in electronic or digital formats (such as materials accessible through the Internet). The term does not include academic tests or academic assessments.
Invasive Physical Examination: Any medical examination that involves the exposure of private body parts, or any act during such examination that includes incision, insertion, or injection into the body, but does not include a hearing, vision, or scoliosis screening.
Legal Guardian: Parent, Legal Guardian, or Adult Student
Necessary Student Data: Data required by the statute or federal law to conduct the regular activities (HB 358 53A-1-1402:314)
Optional Student Data: Data not included in the Necessary category (HB 358 53A-1-1402:346)
Personally Identifiable Information (PII): Information that identifies a student (HB 358 53A-1-1402:359)
Survey: An evaluation
The purpose of this policy is to ensure the secure use and handling of all district data, computer systems and computer equipment by District students, patrons, and employees.
It is the policy of the Weber School District to support secure network systems in the district, including security for all personally identifiable information that is stored on paper or stored digitally on district-maintained computers and networks. This policy supports efforts to mitigate threats that may cause harm to the district, its students, or its employees.
The district will ensure reasonable efforts will be made to maintain network security. Data loss can be caused by human error, hardware malfunction, natural disaster, security breach, etc., and may not be preventable.
All persons who are granted access to the district network and other technology resources are expected to be careful and aware of suspicious communications and unauthorized use of district devices and the network. When an employee or other user becomes aware of suspicious activity, he/she is to immediately contact the district’s Information Security Officer with the relevant information.
This policy and procedure also covers third party vendors/contractors that contain or have access to Weber School District critically sensitive data. All third party entities will be required to sign the Restriction on Use of Confidential Information Agreement before accessing our systems or receiving information.
It is the policy of Weber School District to fully conform with all federal and state privacy and data governance laws. Including the Family Educational Rights and privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 (hereinafter “FERPA”), the Government Records and Management Act U.C.A. §62G-2 (hereinafter “GRAMA”), U.C.A. §53A-1-1401 et seq and Utah Administrative Code R277-487.
Professional development for staff and students regarding the importance of network security and best practices are included in the procedures. The procedures associated with this policy are consistent with guidelines provided by cyber security professionals worldwide and in accordance with Utah Education Network and the Utah State Office of Education. Weber School District supports the development, implementation and ongoing improvements for a robust security system of hardware and software that is designed to protect Weber School District’s data, users, and electronic assets.
3.1.1. Access: Directly or indirectly use, attempt to use, instruct, communicate with, cause input to, cause output from, or otherwise make use of any resources of a computer, computer system, computer network, or any means of communication with any of them.
3.1.2. Authorization: Having the express or implied consent or permission of the owner, or of the person authorized by the owner to give consent or permission to access a computer, computer system, or computer network in a manner not exceeding the consent or permission.
3.1.3. Computer: Any electronic device or communication facility that stores, retrieves, processes, or transmits data.
3.1.4. Computer system: A set of related, connected or unconnected, devices, software, or other related computer equipment.
3.1.5. Computer network: The interconnection of communication or telecommunication lines between: computers; or computers and remote terminals; or the interconnection by wireless technology between: computers; or computers and remote terminals.
3.1.6. Computer property: Includes electronic impulses, electronically produced data, information, financial instruments, software, or programs, in either machine or human readable form, any other tangible or intangible item relating to a computer, computer system, computer network, and copies of any of them.
3.1.7. Confidential: Data, text, or computer property that is protected by a security system that clearly evidences that the owner or custodian intends that it not be available to others without the owner's or custodian's permission.
3.1.8. Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.
3.1.9. Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered protected data
3.1.10. Security system: A computer, computer system, network, or computer property that has some form of access control technology implemented, such as encryption, password protection, other forced authentication, or access control designed to keep out unauthorized persons.
3.1.11. Sensitive data - Data that contains personally identifiable information.
3.1.12. System level – Access to the system that is considered full administrative access. Includes operating system access and hosted application access.
3.2.1. Weber School District shall appoint, in writing, an IT Security Group (ISG) responsible for overseeing District-wide IT security with duties that include development of District policies and adherence to the standards defined in this document.
3.3.1. Weber School District, led by the ISG, shall ensure that all District employees having access to sensitive information undergo annual IT security training which emphasizes their personal responsibility for protecting student and employee information. - Training resources will be provided to all District employees.
3.4.1. Computer Security
126.96.36.199. Weber School District shall ensure that any user’s computer must not be left unattended and unlocked, especially when logged into sensitive systems or data including student or employee information. Automatic log off, locks and password screen savers should be used to enforce this requirement.
188.8.131.52. Weber School District shall ensure that all equipment that contains sensitive information will be secured to deter theft.
3.4.2. Server/Network Room Security
184.108.40.206. Weber School District shall ensure that server rooms and telecommunication rooms/closets are protected by appropriate access control which segregates and restricts access from general school or District office areas. Access control shall be enforced using either keys, electronic card readers, or similar method with only those IT or other staff members having access necessary to perform their job functions are allowed unescorted access.
220.127.116.11. Telecommunication rooms/closets may only remain unlocked or unsecured when because of building design it is impossible to do otherwise or due to environmental problems that require the door to be opened.
3.4.3. Contractor access
18.104.22.168. Before any contractor is allowed access to any computer system, server room, or telecommunication room the contractor will need to present a company issued identification card, and his/her access will need to be confirmed directly by the authorized employee who issued the service request or by Weber School District’s Technology Department.
3.5.1. Network perimeter controls will be implemented to regulate traffic moving between trusted internal (District) resources and external, untrusted (Internet) entities. All network transmission of sensitive data should enforce encryption where technologically feasible.
3.5.2. Network Segmentation
22.214.171.124. Weber School District shall ensure that all untrusted and public access computer networks are separated from main district computer networks and utilize security policies to ensure the integrity of those computer networks.
126.96.36.199. Weber School District will utilize industry standards and current best practices to segment internal computer networks based on the data they contain. This will be done to prevent unauthorized users from accessing services unrelated to their job duties and minimize potential damage from other compromised systems.
3.5.3. Wireless Networks
188.8.131.52. No wireless access point shall be installed on Weber School District’s computer network that does not conform with current network standards as defined by the Network Manager. Any exceptions to this must be approved directly in writing by the Information Security Group.
184.108.40.206. Weber School District shall scan for and remove or disable any rogue wireless devices on a regular basis.
220.127.116.11. All wireless access networks shall conform to current best practices and shall utilize at minimal WPA encryption for any connections. Open access networks are not permitted, except on a temporary basis for events when deemed necessary.
3.5.4. Remote Access
18.104.22.168. Weber School District shall ensure that any remote access with connectivity to the District’s internal network is achieved using the District’s Palo Alto Global VPN service that is protected by multiple factor authentication systems. Any exception to this policy must be due to a service provider’s technical requirements and must be approved by the Information Security Officer.
3.6.1. System and application access will be granted based upon the least amount of access to data and programs required by the user in accordance with a business need-to-have requirement.
22.214.171.124. Weber School District shall enforce strong password management for employees, students, and contractors.
126.96.36.199. Password Creation
188.8.131.52.1. All server system-level passwords must conform to the Password Construction Guidelines posted on the Weber School District Technology Website.
184.108.40.206. Password Protection
220.127.116.11.1. Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential information.
18.104.22.168.2. Passwords must not be inserted into email messages or other forms of electronic communication.
22.214.171.124.3. Passwords must not be revealed over the phone to anyone.
126.96.36.199.4. Do not reveal a password on questionnaires or security forms.
188.8.131.52.5. Do not hint at the format of a password (for example, "my family name").
184.108.40.206.6. Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.
220.127.116.11. Weber School District shall ensure that user access shall be limited to only those specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.
18.104.22.168. Weber School District shall ensure that user access should be granted and/or terminated upon timely receipt, and management’s approval, of a documented access request/termination.
22.214.171.124. Weber School District shall ensure that audit and log files are maintained for at least ninety days for all critical security-relevant events such as: invalid logon attempts, changes to the security policy/ configuration, and failed attempts to access objects by unauthorized users, etc.
3.6.4. Administrative Access Controls
126.96.36.199. Weber School District shall limit IT administrator privileges (operating system, database, and applications) to the minimum number of staff required to perform these sensitive duties.
3.7.1. Monitoring and responding to IT related incidents will be designed to provide early notification of events and rapid response and recovery from internal or external network or system attacks.
3.8.1. To ensure continuous critical IT services, IT will develop a business continuity/disaster recovery plan appropriate for the size and complexity of District IT operations.
3.8.2. Weber School District shall develop and deploy a district-wide business continuity plan which should include as a minimum:
3.9.1. Server and workstation protection software will be deployed to identify and eradicate malicious software attacks such as viruses, spyware, and malware.
3.9.2. Weber School District shall install, distribute, and maintain spyware and virus protection software on all district-owned equipment, i.e. servers, workstations, and laptops.
3.9.3. Weber School District shall ensure that malicious software protection will include frequent update downloads (minimum weekly), frequent scanning (minimum weekly), and that malicious software protection is in active state (real time) on all operating servers/workstations.
3.9.4. Weber School District shall ensure that all security-relevant software patches (workstations and servers) are applied within thirty days and critical patches shall be applied as soon as possible.
3.9.5. All computers must use the District approved anti-virus solution.
3.9.6. Any exceptions to section 3.9 must be approved by the Information Security Officer.
3.10.1. In accordance with Federal and State Law, Weber School District shall filter internet traffic for content defined in law that is deemed harmful to minors.
3.10.2. Weber School District acknowledges that technology based filters are not always effective at eliminating harmful content and due to this, Weber School District uses a combination of technological means and supervisory means to protect students from harmful online content.
3.10.3. In the event that students take devices home, Weber School District will provide a technology based filtering solution for those devices. However, the District will rely on parents to provide the supervision necessary to fully protect students from accessing harmful online content.
3.10.4. Students shall be supervised when accessing the internet and using district owned devices on school property.
3.11.1. Weber School District considers the protection of the data it collects on students, employees and their families to be of the utmost importance.
3.11.2. Weber School District protects student data in compliance with the Family Educational Rights and privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 ( “FERPA”), the Government Records and Management Act U.C.A. §62G-2 ( “GRAMA”), U.C.A. §53A-1-1401 et seq, 15 U.S. Code §§ 6501–6506 (“COPPA”) and Utah Administrative Code R277-487 (“Student Data Protection Act”).
3.11.3. Weber School District shall ensure that employee records access shall be limited to only those individuals who have specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.
3.12.1. Weber School District shall perform routine security and privacy audits in congruence with the District’s Information Security Audit Plan.
3.12.2. District personnel shall develop remediation plans to address identified lapses that conforms with the District’s Information Security Remediation Plan Template.
3.13.1 Employee Disciplinary Actions shall be in accordance with applicable laws, regulations and District policies. Any employee found to be in violation may be subject to disciplinary action up to and including termination of employment with the Weber School District.