Student Data Protection

Wednesday, 11 September 2019 10:09

Student Data Collection Notice

Necessary Student Data

Necessary student data means data required by state statute or federal law to conduct the regular activities of the school.

  • Student Name, Date of birth, and Sex
  • Parent and student contact information and Custodial parent information
  • A student identification number (including the student’s school ID number and the state-assigned student identifier, or SSID)
  • Local, state, and national assessment results or an exception from taking a local, state, or national assessment
  • Courses taken and completed, credits earned, and other transcript information
  • Course grades and grade point average
  • Grade level and expected graduation date or graduation cohort
  • Degree, diploma, credential attainment, and other school information
  • Attendance and mobility
  • Drop-out data
  • Immunization record or an exception from an immunization record
  • Race, Ethnicity, or Tribal affiliation
  • Remediation efforts
  • An exception from a vision screening required under Section 53G-9-404 or information collected from a vision screening described in Utah Code Section 53G-9-404
  • Information related to the Utah Registry of Autism and Developmental Disabilities (URADD), described in Utah Code Section 26-7-4
  • Student injury information
  • A disciplinary record created and maintained as described in Utah Code Section 53E-9-306
  • Juvenile delinquency records
  • English language learner status
  • Child find and special education evaluation data related to initiation of an IEP

Optional Student Data

We may only collect optional student data with written consent from the student’s parent or from a student who has turned 18.

  • Information related to an IEP or needed to provide special needs services
  • Biometric information used to identify the student
  • Information required for a student to participate in an optional federal or state program (e.g., information related to applying for free or reduced lunch)

Certain sensitive information on students collected via a psychological or psychiatric examination, test, or treatment, or any survey, analysis, or evaluation will only be collected with parental consent. You will receive a separate consent form in these cases. See our Protection of Pupil Rights Act (PPRA) notice for more information.

Prohibited Collections

We will not collect a student’s social security number or criminal record, except as required by Utah Code Section 78A-6-112(3).

Data Sharing

We will only share student data in accordance with the Family Educational Rights and Privacy Act (FERPA), which generally requires written parental consent before sharing student data. FERPA includes several exceptions to this rule, where we may share student data without parental consent. For more information on third parties receiving student information from us, see our Metadata Dictionary.

Student data will be shared with the Utah State Board of Education via the Utah Transcript and Records Exchange (UTREx). For more information about UTREx and how it is used, please visit the Utah State Board of Education’s Information Technology website.

Benefits, Risks, and Parent Choices

The collection, use, and sharing of student data have both benefits and risks. Parents and students should learn about these benefits and risks and make choices regarding student data accordingly. Parents are given the following choices regarding student data:

  • Choice to request to review education records of their children and request an explanation or interpretation of the records (see our annual FERPA notice for more information)
  • Choice to contest the accuracy of certain records (see our annual FERPA notice for more information), potentially leading to the correction, expungement, or deletion of the record
  • Choice to opt into certain data collections (see the section above on optional data collections)
  • Choice to opt out of certain data exchanges
    • Information that has been classified as directory information (see our directory information notice for more information)
    • Parents of students with an IEP may have their information shared with the Utah Registry of Autism and Developmental Disabilities (URADD). If included in this data exchange, parents will receive a separate notice within 30 days of the exchange, informing them of their right to opt out, per Utah Code Section 53E-9-308(6)(b)
  • Choice to file a complaint if you believe the school or its agents are violating your rights under FERPA or Utah’s Student Data Protection Act. If you have a complaint or concern, we recommend starting locally and then escalating to the state and US Department of Education

Your local school district or charter school

(insert contact information of the LEA data manager here)

The Utah State Board of Education

Report your concern with the USBE hotline

The US Department of Education

Report your concern here

Storage and Security

In accordance with Board Rule R277-487-3(14), we have adopted a cybersecurity framework called the CIS Controls.  

[Note:  Per 34 C.F.R. § 99.37(d), a school or school district may adopt a limited directory information policy.  If a school or school district does so, the directory information notice to parents and eligible students must specify the parties who may receive directory information and/or the purposes for which directory information may be disclosed.]

The Family Educational Rights and Privacy Act (FERPA), a Federal law, requires that Weber School District, with certain exceptions, obtain your written consent prior to the disclosure of personally identifiable information from your child’s education records.  However, Weber School District may disclose appropriately designated “directory information” without written consent, unless you have advised the Weber School District to the contrary in accordance with Weber School District procedures.  The primary purpose of directory information is to allow the Weber School District to include information from your child’s education records in certain school publications.  Examples include:

  • A playbill, showing your student’s role in a drama production;
  • The annual yearbook;
  • Honor roll or other recognition lists;
  • Graduation programs; and
  • Sports activity sheets, such as for wrestling, showing weight and height of team members.

Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent.  Outside organizations include, but are not limited to, companies that manufacture class rings or publish yearbooks.  In addition, two federal laws require local educational agencies (LEAs) receiving assistance under the Elementary and Secondary Education Act of 1965, as amended (ESEA) to provide military recruiters, upon request, with the following information – names, addresses and telephone listings – unless parents have advised the LEA that they do not want their student’s information disclosed without their prior written consent.  [Note:  These laws are Section 9528 of the ESEA (20 U.S.C. § 7908) and 10 U.S.C. § 503(c).] 

If you do not want Weber School District to disclose any or all of the types of information designated below as directory information from your child’s education records without your prior written consent, you must notify the Weber School District in writing by September 15th.  Weber School District has designated the following information as directory information: 

  • Student's name
  • Address
  • Telephone listing
  • Electronic mail address
  • Photograph
  • Date and place of birth
  • Major field of study
  • Dates of attendance
  • Grade level
  • Participation in officially recognized activities and sports
  • Weight and height of members of athletic teams
  • Degrees, honors, and awards received
  • The most recent educational agency or institution attended
  • Student ID number, user ID, or other unique personal identifier used to communicate in electronic systems but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a PIN, password, or other factor known or possessed only by the authorized user
  • A student ID number or other unique personal identifier that is displayed on a student ID badge, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a PIN, password, or other factor known or possessed only by the authorized user.

The Family Educational Rights and Privacy Act (FERPA) affords parents and students who are 18 years of age or older ("eligible students") certain rights with respect to the student's education records.  These rights are:

  1. The right to inspect and review the student's education records within 45 days after the day [Weber School District (“District”)] receives a request for access.

Parents or eligible students who wish to inspect their child’s or their education records should submit to the school principal [or appropriate school official] a written request that identifies the records they wish to inspect.  The school official will make arrangements for access and notify the parent or eligible student of the time and place where the records may be inspected.

  2. The right to request the amendment of the student’s education records that the parent or eligible student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.

Parents or eligible students who wish to ask the “District” to amend their child’s or their education record should write the school principal [or appropriate school official], clearly identify the part of the record they want changed, and specify why it should be changed.  If the school decides not to amend the record as requested by the parent or eligible student, the school will notify the parent or eligible student of the decision and of their right to a hearing regarding the request for amendment.  Additional information regarding the hearing procedures will be provided to the parent or eligible student when notified of the right to a hearing.

  3. The right to provide written consent before the school discloses personally identifiable information (PII) from the student's education records, except to the extent that FERPA authorizes disclosure without consent.

One exception, which permits disclosure without consent, is disclosure to school officials with legitimate educational interests.  The criteria for determining who constitutes a school official and what constitutes a legitimate educational interest must be set forth in the school’s or school district’s annual notification for FERPA rights.  A school official typically includes a person employed by the school or school district as an administrator, supervisor, instructor, or support staff member (including health or medical staff and law enforcement unit personnel) or a person serving on the school board.  A school official also may include a volunteer, contractor, or consultant who, while not employed by the school, performs an institutional service or function for which the school would otherwise use its own employees and who is under the direct control of the school with respect to the use and maintenance of PII from education records, such as an attorney, auditor, medical consultant, or therapist; a parent or student volunteering to serve on an official committee, such as a disciplinary or grievance committee; or a parent, student, or other volunteer assisting another school official in performing his or her tasks.  A school official typically has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.

  4. The right to file a complaint with the U.S. Department of Education concerning alleged failures by the “District” to comply with the requirements of FERPA. The name and address of the Office that administers FERPA are:

Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC  20202

FERPA permits the disclosure of PII from students’ education records, without consent of the parent or eligible student, if the disclosure meets certain conditions found in § 99.31 of the FERPA regulations.  Except for disclosures to school officials, disclosures related to some judicial orders or lawfully issued subpoenas, disclosures of directory information, and disclosures to the parent or eligible student, § 99.32 of the FERPA regulations requires the school to record the disclosure.  Parents and eligible students have a right to inspect and review the record of disclosures.  A school may disclose PII from the education records of a student without obtaining prior written consent of the parents or the eligible student –

  • To other school officials, including teachers, within the educational agency or institution whom the school has determined to have legitimate educational interests. This includes contractors, consultants, volunteers, or other parties to whom the school has outsourced institutional services or functions, provided that the conditions listed in § 99.31(a)(1)(i)(B)(1) - (a)(1)(i)(B)(3) are met. (§ 99.31(a)(1))
  • To officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled if the disclosure is for purposes related to the student’s enrollment or transfer, subject to the requirements of § 99.34. (§ 99.31(a)(2)) 
  • To authorized representatives of the U. S. Comptroller General, the U. S. Attorney General, the U.S. Secretary of Education, or State and local educational authorities, such as the State educational agency (SEA) in the parent or eligible student’s State. Disclosures under this provision may be made, subject to the requirements of § 99.35, in connection with an audit or evaluation of Federal- or State-supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs.  These entities may make further disclosures of PII to outside entities that are designated by them as their authorized representatives to conduct any audit, evaluation, or enforcement or compliance activity on their behalf, if applicable requirements are met.  (§§ 99.31(a)(3) and 99.35)
  • In connection with financial aid for which the student has applied or which the student has received, if the information is necessary for such purposes as to determine eligibility for the aid, determine the amount of the aid, determine the conditions of the aid, or enforce the terms and conditions of the aid. (§ 99.31(a)(4))
  • To State and local officials or authorities to whom information is specifically allowed to be reported or disclosed by a State statute that concerns the juvenile justice system and the system’s ability to effectively serve, prior to adjudication, the student whose records were released, subject to § 99.38. (§ 99.31(a)(5))
  • To organizations conducting studies for, or on behalf of, the school, in order to: (a)  develop, validate, or administer predictive tests; (b)  administer student aid programs; or (c)  improve instruction, if applicable requirements are met.  (§ 99.31(a)(6))
  • To accrediting organizations to carry out their accrediting functions. (§ 99.31(a)(7))
  • To parents of an eligible student if the student is a dependent for IRS tax purposes. (§ 99.31(a)(8))
  • To comply with a judicial order or lawfully issued subpoena if applicable requirements are met. (§ 99.31(a)(9))
  • To appropriate officials in connection with a health or safety emergency, subject to § 99.36. (§ 99.31(a)(10))
  • Information the school has designated as “directory information” if applicable requirements under § 99.37 are met. (§ 99.31(a)(11))
  • To an agency caseworker or other representative of a State or local child welfare agency or tribal organization who is authorized to access a student’s case plan when such agency or organization is legally responsible, in accordance with State or tribal law, for the care and protection of the student in foster care placement. (20 U.S.C. § 1232g(b)(1)(L))
  • To the Secretary of Agriculture or authorized representatives of the Food and Nutrition Service for purposes of conducting program monitoring, evaluations, and performance measurements of programs authorized under the Richard B. Russell National School Lunch Act or the Child Nutrition Act of 1966, under certain conditions.  (20 U.S.C. § 1232g(b)(1)(K))
Monday, 13 November 2017 10:26

Data Governance Plan

  • SCOPE 
  • APPENDIX A (Physical and Security Controls Procedures) 
  • APPENDIX B (Password Control Standards) 
  • APPENDIX C (Purchasing and Disposal Procedures) 
  • APPENDIX D (Memorandum of Agreement)

Data Governance Committee

  • Dr. Jeff Stephens, Superintendent
  • Lynn O. Raymond, Director of Technology / Data Security Officer
  • Nick Harris, Technology Supervisor
  • Tanya N. Miller, Student Data Security Manager
  • Heidi Alder, Legal Counsel



Protecting our students’ privacy is an important priority, and Weber School District (“District”) is committed to maintaining strong and meaningful privacy and security protections. It is the policy of the District that data or information in all its forms--written, electronic, or printed--is protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle.  This protection includes an appropriate level of security over the equipment, software, and practices used to process, store, and transmit data or information.


The Data Governance Plan (“Plan”) formally outlines how operational and instructional activity shall be carried out to ensure the District’s student data is accurate, accessible, consistent, and protected. The Plan establishes who is responsible for information under various circumstances and specifies what procedures shall be used to manage and protect it.


The Plan shall be a living document. It is reviewed annually, along with the Weber School District Data Protection Policy. The Plan and all modifications shall be posted on the District’s website.



    1. Incorporate reasonable data industry best practices to maintain and protect student data and other education-related data;
    2. Provide for necessary technical assistance, training, support, and auditing;
    3. Describe the process for sharing student data between an education entity and another person;
    4. Describe the process for an adult student or parent to request that data be expunged;
    5. Define data classification and related safeguards. Applicable federal and state statutes and regulations that guarantee either protection or accessibility of student data, found in student records, will be used in the classification process;
    6. Provide a list of relevant considerations for the District’s personnel responsible for purchasing or subscribing to software that will utilize and/or expose student data;
    7. Provide a structured and consistent process for employees to obtain necessary data access for conducting the District’s operations.


The District is authorized to establish, implement, and maintain data and information security measures.  The Weber District Data Protection Policy and this Plan apply to all students and employees of the district, contractual third parties, visitors, contract workers, and agents of the district, and volunteers who have access to district data systems or data. The Policy and this Plan also apply to all forms of education data owned and maintained by the District, including but not limited to:

  • Data communicated by phone or any current and future technologies
  • Hard copy data printed or written
  • Cumulative records, as defined in the Utah Code 53A-1-1402 (7), that are sent by post/courier, fax, electronic mail, text, and/or chat
  • Data stored and/or processed by PCs, laptops, servers, tablets, mobile devices, etc.
  • Data stored on any type of internal, external, or removable media or cloud based services


The District complies with all applicable regulatory acts, including but not limited to the following:

  • Children’s Internet Protection Act (CIPA)
  • Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §6501 – 6506)
  • Family Educational Rights and Privacy Act (FERPA) (20 U.S.C.§1232g; 34 CFR Part 99)
  • Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. §1320d; )
  • Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. §1232h; 34 CFR Part 98)
  • Student Data Protection Act  (Utah Code 53A-1, Part 14)
  • Utah FERPA and recent amendments (Utah Code 53A-13, Part 3)


    1. A thorough risk analysis of all the District’s data networks, systems, policies, and procedures shall be conducted on an annual basis or as requested by the Superintendent or Technology Director.  The risk assessment shall be used as a basis for a plan to mitigate identified threats and risks to an acceptable level.
    2. The Data Security Officer administers periodic risk assessments to identify, quantify, and prioritize risks.  Based on the periodic assessment, measures will be implemented that mitigate the threats by reducing the amount and scope of the vulnerabilities.

    1. Firewalls and antivirus software must be installed on all desktops, laptops and workstations that access or store sensitive information, and a procedure must be implemented to ensure that critical operating system security patches are applied in a timely manner.
    2. Storage of sensitive information on laptops, mobile devices, and devices that are not used or configured to operate as servers is prohibited, unless such information is encrypted in a Technology Department-approved encryption format.
    3. The user responsible for the device shall take proper care to isolate and protect files containing student data from inadvertent or unauthorized access.
    4. Assistance with securing sensitive information may be obtained from school-level Technicians with input from the Technology Department, as necessary.

Classification is used to promote proper controls for safeguarding the confidentiality of data. Regardless of classification, the integrity and accuracy of all classifications of data are protected. The classification assigned and the related controls applied are dependent on the sensitivity of the data. Data are classified according to the most sensitive detail they include. Data recorded in several formats (e.g., source document, electronic record, report) have the same classification regardless of format.

    1. “Necessary student data” means data required by state statute or federal law to conduct the regular activities of an education entity, including:
      1. name;
      2. date of birth;
      3. sex;
      4. parent contact information;
      5. custodial parent information;
      6. contact information;
      7. a student identification number;
      8. local, state, and national assessment results or an exception from taking a local, state, or national assessment;
      9. courses taken and completed, credits earned, and other transcript information;
      10. course grades and grade point average;
      11. grade level and expected graduation date or graduation cohort;
      12. degree, diploma, credential attainment, and other school exit information;
      13. attendance and mobility;
      14. drop-out data;
      15. immunization record or an exception from an immunization record;
      16. race;
      17. ethnicity;
      18. tribal affiliation;
      19. remediation efforts;
      20. an exception from a vision screening required under Section 53A-11-203 or information collected from a vision screening required under Section 53A-11-203;
      21. information related to the Utah Registry of Autism and Developmental Disabilities, described in Section 26-7-4;
      22. student injury information;
      23. a cumulative disciplinary record created and maintained as described in Section 53A-1-1407;
      24. juvenile delinquency records;
      25. English language learner status; and
      26. child find and special education evaluation data related to initiation of an IEP.
    2. “Optional student data” means student data that is not:
      1. necessary student data; or
      2. student data that an education entity may not collect under Section 53A-1-1406.
      3. “Optional student data” includes:
        1. information that is:
          1. related to an IEP or needed to provide special needs services; and
          2. not necessary student data;
        2. biometric information; and
        3. information that is not necessary student data and that is required for a student to participate in a federal or other program.
    3. “Personally identifiable student data” includes:
        1. a student's first and last name;
        2. the first and last name of a student's family member;
        3. a student's or a student's family's home or physical address;
        4. a student's email address or other online contact information;
        5. a student's telephone number;
        6. a student's social security number;
        7. a student's biometric identifier;
        8. a student's health or disability data;
        9. a student's education entity student identification number;
        10. a student's social media username and password or alias;
        11. if associated with personally identifiable student data, the student's persistent identifier, including:
          1. a customer number held in a cookie; or
          2. a processor serial number;
        12. a combination of a student's last name or photograph with other information that together permits a person to contact the student online;
        13. information about a student or a student's family that a person collects online and combines with other personally identifiable student data to identify the student; and
        14. other information that is linked to a specific student that would allow a reasonable person in the school community, who does not have first-hand knowledge of the student, to identify the student with reasonable certainty.
    4. “Biometric information” means information, regardless of how the information is collected, converted, stored, or shared:
      1. based on an individual's biometric identifier; and
      2. used to identify the individual.

Any computer, laptop, mobile device, printing and/or scanning device, network appliance/equipment, AV equipment, server, internal or external storage, communication device or any other current or future electronic or technological device may be referred to as Weber District “systems”.  All involved systems and student data maintained on these systems are assets of the District and shall be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.


    1. Ownership of Software: All computer software developed by the District’s employees or contract personnel on behalf of the District, and all software licensed or purchased for the District’s use is the property of the District and shall not be copied for use at home or any other location, unless otherwise specified by the license agreement.
    2. Software Installation and Use: All software packages that reside on technological systems within or used by the District shall comply with applicable licensing agreements and restrictions and shall comply with the District’s acquisition of software procedures.
    3. Virus, Malware, Spyware, Phishing and SPAM Protection: Virus checking systems and software approved by the District Technology Department are deployed using a multi-layered approach (computers, servers, gateways, firewalls, filters, etc.) that ensures all electronic files are appropriately scanned for viruses, malware, spyware, phishing and SPAM. Users shall not turn off or disable Weber School District’s protection software.
    4. Access Controls: Access controls apply to physical and electronic access to student data on District systems (Student Information System or SIS) that contain student data as defined in Utah Code 53A-1-1402.  To ensure appropriate levels of access by District employees, contracted workers, volunteers, and other agents of the District, a variety of security measures are instituted as recommended by the Data Security Officer and approved by the District.  In particular, the Data Security Officer shall document roles and rights to the SIS and other like systems.  Mechanisms to control access to Personally Identifiable Student Data and computing resources include, but are not limited to, the following methods:
      1. Authorization: Access shall be granted on a “need to know” basis and shall be authorized by the superintendent, principal, immediate supervisor, or Data Security Manager with the assistance of the Technology Director.  Specifically, on a case-by-case basis, permissions may be added to those already held by individual users in the SIS, again on a need-to-know basis and only in order to fulfil specific job responsibilities, with approval of the Data Security Officer.  The principle of least privilege will be adopted to ensure no employee has access beyond what they need to fulfil their daily duties.
        1. All schools or other District facilities are responsible for the student data they create, update, and/or delete.
        2. Any individual granted access to student data is responsible for the ethical usage of that data. Access will be granted only in accordance with the authority delegated to the individual to conduct the District’s operations.
        3. It is the express responsibility of authorized users to safeguard the data they are entrusted with, ensuring compliance with all aspects of this Plan.
        4. These security measures apply to student data regardless of location.
        5. The Superintendent and/or his designees shall determine appropriate access permissions based on local policies, applicable laws, best practices, and the Utah Student Data Protection Act.
      2. Identification/Authentication: Unique user identification (user ID) and authentication are required for all systems that maintain or access student data. Users shall be held accountable for all actions performed on the system with their User ID.  User accounts and passwords shall NOT be shared.
      3. Data Integrity: The District provides safeguards so student data is not altered or destroyed in an unauthorized manner. Core data is backed up to a private cloud for disaster recovery.  In addition, listed below are methods that are used for data integrity in various circumstances:
  • Transaction audit
  • Core data private cloud backup
  • Disk redundancy (RAID)
  • ECC (Error Correcting Memory)
  • Checksums (file integrity)
  • Data encryption
  • Data wipes
      1. Transmission Security: Technical security mechanisms are in place to guard against unauthorized access to data that are transmitted over a communications network, including wireless networks. The following features are implemented:
  • Integrity controls
  • Encryption, where deemed appropriate

Note: Only WSD district-supported email accounts shall be used for communications to and from school employees, to and from parents or other community members, to and from other educational agencies, to and from vendors or other associations, and to and from students for school business.

      1. Remote Access: Access into the District’s network from outside is allowed using the Palo Alto Global Protect VPN. All other network access options are strictly prohibited without explicit authorization from the Technology Director. Further, student data that is stored or accessed remotely shall maintain the same level of protections as information stored and accessed within the District’s network. Student data shall only be stored in cloud storage if said storage has been approved by the Technology Director.
      2. Physical and Electronic Access and Security: Access to areas in which information processing is carried out shall be restricted to only appropriately authorized individuals.  At a minimum, staff passwords shall be changed annually.
  • All student data shall be stored on servers/computers which are subject to network/workstation controls and permissions. It shall not be stored on portable media that cannot be subjected to password, encryption, or other protections.  No technological systems that may contain information as defined above shall be disposed of or moved without adhering to the appropriate disposal of electronic equipment procedures. 
  • It is the responsibility of the user to not leave these devices logged in, unattended, and open to unauthorized use.
  • Servers storing sensitive information shall be operated by professional network system administrators, in compliance with all Technology Department security and administration standards and policies, and shall remain under the oversight of Technology Department managers and physically located in the Technology Department’s data center.
  • All servers containing system data will be located in the secured data center with limited access.
  • District staff who must print reports containing student data shall take responsibility for keeping this material in a secure location – vault, locked file cabinet, etc. In addition, all printed material containing student data shall be shredded when no longer in use.
  • Network and Computer Access Permissions
        1. The Director of Technology and Network Administrator shall be responsible for implementing network protection measures that prevent unauthorized intrusions, damage, and access to all storage and transport media, including, but not limited to:
          1. Maintaining firewall protection access to the network and/or workstations.
          2. Protecting the network from unauthorized access through wireless devices or tapping of wired media, including establishing ‘guest’ wireless networks with limited network permissions.
          3. Implementing virus and malware security measures throughout the network and on all portable computers.
          4. Applying all appropriate security patches.
          5. Establishing and maintaining password policies and controls on access to the network, workstations, and other data depositories.
        2. The Director of Technology and Network Administrator will apply protection measures that include:
          1. Categorizing and/or re-classifying data elements and views.
          2. Granting selective access to District systems and software and student data contained therein.
          3. Documenting any deviation from mandatory requirements and implementing adequate compensating control(s).
          4. Conducting periodic access control assessments of any sensitive information devices or services.
  • Data Transfer/Exchange/Printing
      1. Electronic Mass Data Transfers: Downloading, uploading or transferring student data between systems shall be strictly controlled. Requests for mass download of, or individual requests for, information for research or any other purposes that include student data shall be in accordance with this policy and be approved by the data security officer. All other mass downloads of information shall be approved by the data security officer and include only the minimum amount of information necessary to fulfil the request. A Memorandum of Agreement (MOA) shall be in place when transferring student data to external entities such as software or application vendors, textbook companies, testing companies, or any other web-based application.
      2. Other Electronic Transfers and Printing: Student data shall be stored in a manner inaccessible to unauthorized individuals. Student data shall not be downloaded, copied or printed indiscriminately or left unattended and open to compromise. Student data that is downloaded for educational purposes where possible shall be de-identified before use.
    1. Oral Communications: District staff shall be aware of their surroundings when discussing student data. This includes but is not limited to the use of cellular telephones in public areas. District staff shall not discuss student data in public areas if the information can be overheard. Caution shall be used when conducting conversations in semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.

Audit Controls: Hardware, software, services and/or procedural mechanisms that record and examine activity in information systems that contain or use student data are reviewed by the Data Security Officer annually.  Further, the Data Security Officer also regularly reviews records of information system activity, such as audit logs, access reports, and security incident tracking reports.  These reviews shall be documented and maintained for six (6) years.  

    1. Evaluation: The District requires that periodic technical and non-technical evaluations of access controls, storage, and other systems be performed in response to environmental or operational changes affecting the security of electronic student data to ensure its continued protection.
    2. IT Disaster Recovery: Controls shall ensure that the District can recover from any damage to critical systems, data, or information within a reasonable period of time. Each school, department, or individual is required to report any instances immediately to the Superintendent and Technology Director for response to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages data or systems. The IT Disaster Plan shall include the following:
  • A prioritized list of critical services, data, and contacts
  • A process enabling the District to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure
  • A process enabling the District to continue to operate in the event of a fire, vandalism, natural disaster, or system failure
  • Procedures for periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary

    1. Roles and Responsibility of Student Data Manager
      1. Will act as main point of contact for the Utah State Board of Education Student Data Officer
      2. Will not share, outside of the District, student data without authorization
      3. May share student data with the student or legal guardian (HB 358 53A-1-1409:584)
      4. May share a student’s data from a cumulative record with:
        1. A school official
        2. An authorized caseworker or other representative of the Department of Human Services, if the Department of Human Services:
          1. is legally responsible for the care and protection of the student, or
          2. is providing services to the student
        3. A person to whom the District has outsourced a service or function
      5. May share aggregate data if:
        1. The Student Data Manager receives a request for the purpose of external research or evaluation and the following steps have been taken
          1. Submit the request to the District research review process
          2. Fulfil the instructions that result from the research review process
        2. May share student data in response to a subpoena issued by a court (HB 358 53A-1-1409:623)
    2. The Department of Human Services, Weber School District officials, and the Utah Juvenile Court may share education information, including student data, to improve education outcomes for youth if the youth:
      1. Is in the custody of, or under the guardianship of, the Department of Human Services
      2. Is receiving services from the Division of Juvenile Justice Services
      3. Is in the custody of the Division of Child and Family Services
      4. Is receiving services from the Division of Services for People with Disabilities
      5. Is under the jurisdiction of the Utah Juvenile Court (HB 358 53A-1-1409:615)

    1. Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:
  • Unauthorized disclosure of student data
  • Unauthorized disclosure of login information (Username and Password)
  • An attempt to obtain login credentials that belong to another person
  • An attempt to use another person’s login credentials
  • Installation or use of unlicensed software on the District technological systems
  • The intentional unauthorized altering, destruction, or disposal of the District’s information, data and/or systems. This includes the unauthorized removal from the District of technological systems such as, but not limited to, laptops, internal or external storage, computers, servers, backups or other media, copiers, etc. that contain student data.
  • An attempt to gain access to log-in codes for purposes other than for support by authorized technology staff, including the completion of fraudulent documentation to gain access.

    1. Prior to using any tools, programs, websites, software, or material (collectively referred to as “contractor tools”) from a third-party contractor, employees will take the following steps:
      1. The employee must contact their principal or administrator.
      2. The administrator will contact the Student Data Manager (Tanya Miller).
      3. The Student Data Manager will work with the contractor to ensure it is in compliance with the Student Data Protection Policy and this Plan.
      4. The Student Data Manager will then inform the Data Security Officer (Lynn Raymond) of the request.
      5. Once a decision has been made regarding the use of contractor tools, the Student Data Manager will inform the principal and/or administrator of the decision.
      6. If the Student Data Manager approves of the use of the contractor tools, the contractor must enter into the district’s Third Party Contractor Memorandum of Agreement.

    1. The Family Educational Rights and Privacy Act (FERPA), a Federal law, requires that the District, with certain exceptions, obtain written consent prior to the disclosure of personally identifiable information from a student’s education records. However, the District may disclose appropriately designated ‘directory information’ without written consent, unless a parent, legal guardian, or adult student has advised the district to the contrary in accordance with District procedures. The primary purpose of directory information is to allow the District to include this type of information from a student’s education records in certain school publications. Publications may be in print or digital format. Examples include, but are not limited to, the following:
  • A playbill, showing a student's role in a drama production;
  • The annual yearbook;
  • Honor roll or other recognition lists;
  • Graduation programs;
  • Sports activity sheets, such as for wrestling, showing weight and height of team members.
    1. Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without prior written consent. Outside organizations include, but are not limited to, companies that manufacture class rings or publish yearbooks, take school pictures, or process data.
    2. In addition, two federal laws require the District, receiving assistance under the Elementary and Secondary Education Act of 1965 (ESEA), to provide military recruiters and institutions of higher learning, upon request, with three directory information categories (names, addresses and telephone listings) unless a parent, legal guardian, or adult student has advised the District that they do not want their student’s information disclosed without their prior written consent.
    3. If a parent, legal guardian, or adult student does not want the District to disclose ‘directory information’ from a student’s education records without prior written consent, the parent, legal guardian, or adult student must notify the school principal in writing within five (5) school days of the student's first day of attendance.
    4. The District may disclose the following information as directory information:
  • Student’s name
  • Address
  • Telephone listing
  • Electronic mail address
  • Photograph
  • Date and place of birth
  • Major field of study
  • Dates of attendance
  • Grade level
  • Participation in officially recognized activities and sports
  • Weight and height of members of athletic teams
  • Degrees, honors, and awards received
  • The most recent educational agency or institution attended
  • A student number assigned by the District
    1. In order to make certain software applications available to students and parents, the District may need to upload specific ‘directory information’ to the software provider in order to create distinct accounts for students and/or parents. In these cases, the District will provide only the minimum amount of ‘directory information’ necessary for the student or parent to successfully use the software service.



APPENDIX A (Physical and Security Controls Procedures)


Physical and Security Controls


The following physical and security controls shall be adhered to:


  1. Network systems shall be installed in an access-controlled area. The area in and around the computer facility shall afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations.
  2. Monitor and maintain data centers’ temperature and humidity levels.
  3. File servers and/or storage containing PII, Confidential and/or Internal Information shall be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
  4. Computers and other systems shall be secured against use by unauthorized individuals. It is the responsibility of the user to not leave these devices logged in, unattended, and open to unauthorized use.
  5. Ensure network systems and network equipment are properly secured to prevent unauthorized physical access and data is properly safeguarded to protect from loss. A record shall be maintained of all personnel who have authorized access.
  6. Maintain a log of all visitors granted entry into secured areas or areas containing sensitive or confidential data (e.g., data storage facilities). Record the visitor’s name, organization, and the name of the person granting access. Retain visitor logs for no less than 6 months. Ensure visitors are escorted by a person with authorized access to the secured area.
  7. Monitor and control the delivery and removal of all asset-tagged and/or data-storing technological equipment or systems. Maintain a record of all such items entering or exiting their assigned location using the district-approved technology inventory program. No technology equipment, regardless of how purchased or funded, shall be moved without the explicit approval of the technology department.
  8. Ensure that technological equipment or systems being removed for transfer to another organization or being designated as surplus property is appropriately sanitized in accordance with applicable policies and procedures.


APPENDIX B (Password Control Standards)


Password Control Standards

The District’s Data Governance and Use Policy requires the use of strictly controlled passwords for network access and for access to secure sites and information. In addition, all users are assigned to Microsoft security groups that are managed through Microsoft Group Policies. The security groups include separate groups at each school for Office Staff, Tech Staff, Instructional Staff, Students, and Users.

Password Standards:

  1. Users are responsible for complying with the following password standards for network access or access to secure information:
  2. Passwords shall never be shared with another person.
  3. Every password shall, where possible, be changed yearly, if not more frequently, for staff and on an age-appropriate schedule for students. Guest passwords are changed every 28 days.
  4. Passwords shall, where possible, have a minimum length of eight (8) characters.
  5. When possible, for secure sites and/or software applications, user-created passwords should adhere to the same criteria as required for network access. These criteria are defined in the District’s WSD Network Group Policy Criteria for Passwords and are listed below:
  • Shall not contain the user's account name or parts of the user's full name
  • Shall contain characters from three of the following four categories:
      • English uppercase characters (A through Z)
      • English lowercase characters (a through z)
      • Base 10 digits (0 through 9)
      • Non-alphabetic characters (for example, !, $, #, %)
  1. Passwords shall never be saved when prompted by any application with the exception of central single sign-on (SSO) systems as approved by the Technology Department.
  2. Passwords shall not be programmed into a PC or recorded anywhere that someone may find and use them.
  3. When creating a password for secure information or sites, it is important not to use passwords that are easily guessed due to their association with the user (e.g., children’s names, pets’ names, birthdays, etc.). A combination of alpha and numeric characters is more difficult to guess.


  1. Where possible, system software should enforce the following password standards:
  2. Passwords routed over a network shall be encrypted.
  3. Passwords shall be entered in a non-display field.
  4. System software shall enforce the changing of passwords and the minimum length.
  5. System software shall disable the user password when more than five consecutive invalid passwords are given. Lockout time shall be set at a minimum of 30 minutes.
  6. System software should maintain a history of previous passwords and prevent their being easily guessed due to their association with the user. A combination of alpha and numeric characters is more difficult to guess.
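
The Appendix B rules above expressed as checks, as an added example that is not part of the District's plan or its Group Policy configuration: a validator for the length, name and three-of-four category criteria, and a counter for the five-attempt, 30-minute lockout rule. All function and class names, the sample accounts, and the reading of "parts of the user's full name" as delimiter-separated tokens of three or more characters are assumptions.

```python
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8              # minimum length of eight characters
REQUIRED_CATEGORIES = 3     # three of the four character categories
MAX_FAILURES = 5            # lock when MORE than five consecutive failures occur
LOCKOUT_SECONDS = 30 * 60   # minimum lockout time of 30 minutes
MIN_NAME_TOKEN = 3          # assumption: name parts shorter than this are ignored


def name_tokens(account_name, full_name):
    """Return the lowercase name fragments a password must not contain."""
    tokens = {account_name.lower()}
    # Assumption: "parts of the full name" = its delimiter-separated tokens.
    tokens.update(t.lower() for t in re.split(r"[\s,.\-_#]+", full_name))
    return {t for t in tokens if len(t) >= MIN_NAME_TOKEN}


def password_violations(password, account_name, full_name):
    """Return the list of criteria the password fails (empty list = pass)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    lowered = password.lower()
    if any(tok in lowered for tok in name_tokens(account_name, full_name)):
        problems.append("contains_name")
    categories = [
        re.search(r"[A-Z]", password),         # English uppercase
        re.search(r"[a-z]", password),         # English lowercase
        re.search(r"[0-9]", password),         # base 10 digits
        re.search(r"[^A-Za-z0-9]", password),  # anything else, e.g. ! $ # %
    ]
    if sum(1 for c in categories if c) < REQUIRED_CATEGORIES:
        problems.append("too_few_categories")
    return problems


@dataclass
class LockoutTracker:
    """Counts consecutive invalid passwords per user and applies the lockout."""
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unlock time (seconds)

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0.0)

    def record_attempt(self, user, success, now):
        """Record one login attempt; return 'ok', 'failed' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"  # refused during lockout, even with a correct password
        if success:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] > MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed sample account and passwords, not taken from any real system.
    for candidate in ("Blue7!harbor", "JaneRocks2019", "abc123"):
        print(candidate, password_violations(candidate, "jdoe", "Jane Doe"))
    tracker = LockoutTracker()
    print([tracker.record_attempt("jdoe", False, now=t) for t in range(6)])
```
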

APPENDIX C (Purchasing and Disposal Procedures)


Purchasing and Disposal Procedures for


This procedure is intended to provide for the proper purchasing and disposal of technological devices only. Any computer, laptop, mobile device, printing and/or scanning device, network appliance/equipment, AV equipment, server, internal or external storage, communication device or any other current or future electronic or technological device may be referred to as ‘systems’ in this document. For further clarification of the term technological systems, contact the District’s (WSD) Technology Director.


All involved systems and information are assets of the District and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.


  1. Purchasing Guidelines

All systems that will be used in conjunction with the District technology resources or purchased, regardless of funding, shall be purchased from an approved list or be approved by the Technology Director. Failure to have the purchase approved may result in lack of technical support, request for removal from premises, or denied access to other technology resources.


  1. Utah Competitive Bid Laws

All electronic equipment is subject to Utah competitive bid laws. There are several purchasing co-ops that have been approved for use by the Utah State Board of Education. In the event that a desired product is not included in one of these agreements, the District bids the item or items using the district’s competitive bidding process. All technological systems, services, etc. over $15,000 purchased with public funds are subject to Utah’s competitive bid laws.


  1. Inventory

All technological devices or systems over $500 are inventoried by the Technology Department in accordance with the District’s Finance Department using the iFAS inventory system. There are some exceptions under $500, as determined by the Technology Director, such as but not limited to companion devices or peripherals that are inventoried. The district technology staff is responsible for ensuring that any network equipment, file servers, or district systems, etc. are inventoried.


  1. Disposal Guidelines

Equipment shall be considered for disposal for the following reasons:

  1. End of useful life
  2. Lack of continued need
  3. Obsolescence
  4. Wear, damage, or deterioration
  5. Excessive cost of maintenance or repair


The local school principal, Technology Director, and the District’s WSD Purchasing Agent shall approve school disposals by discard or donation. Written documentation in the form of a spreadsheet including but not limited to the following shall be provided to the District Technology Office no later than Wednesday at 9:00 a.m.

  1. Fixed asset tag (FAT) number,
  2. Location,
  3. Description,
  4. Serial number, and
  5. Original cost and account code if available.


  1. Methods of Disposal

Once equipment has been designated and approved for disposal, it shall be handled according to one of the following methods. It is the responsibility of the local school Technology Coordinator to modify the iFAS inventory entry to reflect any in-school transfers, in-district transfers, donations, or discards for technological systems. The district technology staff is responsible for modifying the inventory records to reflect any transfers within the central offices, transfers of central office electronic equipment to local schools, central office donations, or central office discards.


  1. Transfer/Redistribution

If the equipment has not reached the end of its estimated life, an effort shall be made to redistribute the equipment to locations where it can be of use, first within an individual school or office, and then within the district. Service requests may be entered to have the equipment moved, reinstalled and, in the case of computers, laptops, or companion devices, have it wiped and reimaged or configured.


  1. Discard

All electronic equipment in the District shall be discarded in a manner consistent with applicable environmental regulations. Electronic equipment may contain hazardous materials such as mercury, lead, and hexavalent chromium. In addition, systems may contain Personally Identifiable Information (PII), Confidential, or Internal Information. Systems shall be wiped clean of this information prior to leaving the school district.


A district-approved vendor shall be contracted for the disposal of all technological systems/equipment. The vendor shall provide written documentation verifying the method used for disposal and a certificate stating that no data of any kind can be retrieved from the hard drive or any other component capable of storing data. Under no circumstances should any technological systems/equipment be placed in the trash. Doing so may make the District and/or the employee who disposed of the equipment liable for violating environmental regulations or laws.


  1. Donation

If the equipment is in good working order, but no longer meets the requirements of the site where it is located, and cannot be put into use in another part of a school or system, it may be donated upon the written request of the receiving public school system’s superintendent or non-profit organization’s director.


It shall be made clear to any school or organization receiving donated equipment that the District is not agreeing to and is not required to support or repair any donated equipment. It is donated AS IS.

District staff should make every effort, before offering donated equipment, to make sure that it is in good condition and can be re-used. Microsoft licenses or any other software licenses are not transferred outside the District.


Donations are prohibited to individuals outside of the school system or to current faculty, staff, or students of the District. The donation of or sale of portable technology-related equipment is permissible to retiring employees if the following criteria have been met:


  • the portable equipment has been used solely by the retiring employee for over two years;
  • the equipment shall not be used by the employee assuming the responsibilities of the retiring employee; and
  • the equipment has reached or exceeded its estimated life.


All donations and/or sales shall be approved by the Finance Director and Technology Director.


  1. Required Documentation and Procedures


  1. For purchases, transfers and redistributions, donations, and disposal of technology-related equipment, it is the responsibility of the appropriate on-site technician to create/update the inventory to include previous location, new school and/or room location, and to note the transfer or disposal information. When discarding equipment, the fixed asset tag is removed from the equipment and turned in with other documentation to the local school bookkeeper. A spreadsheet export from iFAS is sent to the district technology office.


  1. When equipment is donated, a copy of the letter requesting the equipment shall be on-file with the district technology office prior to the donation. Equipment is donated in order of request.


  1. Any equipment donated shall be completely wiped of all data. This step will not only ensure that no confidential information is released, but also shall ensure that no software licensing violations will inadvertently occur. For non-sensitive machines, all hard drives shall be fully wiped using a wiping program approved by the district technology office, followed by a manual scan of the drive to verify that zeros were written.


  1. Any re-usable hardware that is not essential to the function of the equipment that can be used as spare parts shall be removed: special adapter cards, memory, hard drives, zip drives, CD drives, etc.


  1. A district-approved vendor SHALL handle all disposals that are not redistributions, transfers, or donations. Equipment shall be stored in a central location prior to pick-up. Summary forms shall be turned into district technology office and approved by the Finance Director prior to the scheduled “pick up” day. be boxed together and shall not be listed on summary forms.


APPENDIX D (Memorandum of Agreement)


Weber School District’s Technological Services and Systems


Memorandum of Agreement (MOA)

THIS MEMORANDUM OF AGREEMENT, executed and effective as of the ____ day of _________________, 20___, by and between _________________, a corporation organized and existing under the laws of (the “Company”), and WEBER SCHOOL DISTRICT (WSD), a public school system organized and existing under the laws of the state of Utah (the “School Board”), recites and provides as follows.




The Company and the School Board are parties to a certain agreement entitled “_________________________” hereafter referred to as (the “Agreement”). In connection with the execution and delivery of the Agreement, the parties wish to make this Memorandum of Agreement (also referred to as MOA or Addendum) a part of the original Agreement in order to clarify and/or make certain modifications to the terms and conditions set forth in the original Agreement.


The Company and the School Board agree that the purpose of such terms and conditions is to ensure compliance with the Family Educational Rights and Privacy Act (FERPA) and the overall privacy and security of student Personally Identifiable Information (PII) hereafter referred to as student information and/or data, including but not limited to (a) the identification of the Company as an entity acting for the School Board in its performance of functions that a School Board employee otherwise would perform; and (b) the establishment of procedures for the protection of PII, including procedures regarding security and security breaches.


NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is acknowledged hereby, the parties agree as follows.




The following provisions shall be deemed to be included in the Agreement:


Confidentiality Obligations Applicable to Certain WSD Student Records. The Company hereby agrees that it shall maintain, in strict confidence and trust, all WSD student records containing personally identifiable information (PII) hereafter referred to as “Student Information”. Student information shall not be shared with any other resource or entity that is outside the intended purpose of the Agreement.


The Company shall cause each officer, director, employee and other representative who shall have access to WSD Student Records during the term of the Agreement (collectively, the “Authorized Representatives”) to maintain in strict confidence and trust all WSD Student Information. The Company shall take all reasonable steps to ensure that no WSD Student information is disclosed to any person or entity except those who (a) are Authorized Representatives of the Company performing functions for WSD under the Agreement and have agreed to be bound by the terms of this Agreement; (b) are authorized representatives of WSD; or (c) are entitled to such WSD student information from the Company pursuant to federal and/or Utah law. The Company shall use WSD student information, and shall take all reasonable steps necessary to ensure that its Authorized Representatives shall use such information, solely for purposes related to and in fulfilment of the performance by the Company of its obligations pursuant to the Agreement.


The Company shall: (a) designate one of its Authorized Representatives to be responsible for ensuring that the Company and its Authorized Representatives maintain the WSD student information as confidential; (b) train the other Authorized Representatives with regard to their confidentiality responsibilities hereunder and pursuant to federal and Utah law; and (c) maintain at all times a list of Authorized Representatives with access to WSD student information.


Other Security Requirements. The Company shall maintain all technologies, policies, procedures and practices necessary to secure and protect the confidentiality and integrity of WSD student information, including procedures to (a) establish user IDs and passwords as necessary to protect such information; (b) protect all such user passwords from detection and unauthorized use; (c) prevent hostile or unauthorized intrusion that could result in data corruption, or deny service; (d) prevent and detect computer viruses from spreading to disks, attachments to e-mail, downloaded files, and documents generated by word processing and spreadsheet programs; (e) minimize system downtime; (f) notify WSD of planned system changes that may impact the security of WSD data; (g) return or destroy WSD data that exceed specified retention schedules; (h) notify WSD of any data storage outside the US; (i) in the event of system failure, enable immediate recovery of WSD information to the previous business day. The Company should guarantee that WSD data shall not be sold to, accessed by, or moved by third parties.


In the event of a security breach, the Company shall (a) immediately take action to close the breach; (b) notify WSD within 24 hours of Company's first knowledge of the breach, the reasons for or cause of the breach, actions taken to close the breach, and identify the WSD student information compromised by the breach; (c) immediately notify the student, if they are an adult student, or the legal guardian if the student is not an adult; (d) return compromised WSD data for review; (e) provide communications on the breach to be shared with affected parties and cooperate with WSD efforts to communicate to affected parties by providing WSD with prior review of press releases and any communications to be sent to affected parties; (f) take all legally required, reasonable, and customary measures in working with WSD to remediate the breach, which may include toll-free telephone support with informed customer services staff to address questions by affected parties and/or provide monitoring services if necessary given the nature and scope of the disclosure; (g) cooperate with WSD by providing information, records and witnesses needed to respond to any government investigation into the disclosure of such records or litigation concerning the breach; and (h) provide WSD with notice within 24 hours of notice or service on Company, whichever occurs first, of any lawsuits resulting from, or government investigations of, the Company's handling of WSD data of any kind, failure to follow security requirements and/or failure to safeguard WSD data. The Company’s compliance with the standards of this provision is subject to verification by WSD personnel or its agent at any time during the term of the Agreement. Said information should only be used for the purposes intended and shall not be shared, sold, or moved to other companies or organizations, nor should other companies or organizations be allowed access to said information. (HB 358 53A-1-1405:475)

Disposition of WSD Data Upon Termination of Agreement


Upon expiration of the term of the Agreement, or upon the earlier termination of the Agreement for any reason, the Company agrees that it promptly shall deliver to the School Board, and shall take all reasonable steps necessary to cause each of its Authorized Representatives promptly to deliver to the School Board, all required WSD student data and/or staff data or proof that all student/staff data has been expunged. The Company hereby acknowledges and agrees that, solely for purposes of receiving access to WSD data and of fulfilling its obligations pursuant to this provision and for no other purpose (including without limitation, entitlement to compensation and other employee benefits), the Company and its Authorized Representatives shall be deemed to be school officials of the School Board, and shall maintain WSD data in accordance with all federal, state and local laws, rules and regulations regarding the confidentiality of such records. The non-disclosure obligations of the Company and its Authorized Representatives regarding the information contained in WSD data shall survive termination of the Agreement. The Company shall indemnify and hold harmless the Board from and against any loss, claim, cost (including attorneys' fees) or damage of any nature arising from or in connection with the breach by the Company or any of its officers, directors, employees, agents or representatives of the obligations of the Company or its Authorized Representatives under this provision.

Certain Representations and Warranties. The Company hereby represents and warrants as follows: (a) the Company has full power and authority to execute the Agreement and this MOA and to perform its obligations hereunder and thereunder; (b) the Agreement and this MOA constitute the valid and binding obligations of the Company, enforceable in accordance with their respective terms, except as such enforceability may be limited by bankruptcy or similar laws affecting the rights of creditors and general principles of equity; and (c) the Company’s execution and delivery of the Agreement and this Addendum and compliance with their respective terms will not violate or constitute a default under, or require the consent of any third party to, any agreement or court order to which the Company is a party or by which it may be bound.


Governing Law; Venue. Notwithstanding any provision contained in the Agreement to the contrary, (a) the Agreement shall be governed by and construed in accordance with the laws of the State of Utah, without reference to conflict of laws principles; and (b) any dispute hereunder which is not otherwise resolved by the parties hereto shall be decided by a court of competent jurisdiction located in the State of Utah.


IN WITNESS WHEREOF, the parties hereto have caused this Addendum to be executed by their duly authorized officers effective as of the date first written above.

Weber School District


Monday, 13 November 2017 10:23

Student Data Privacy Policy


  • Weber School District is dedicated to protecting the privacy and rights of individuals in accordance with federal, state, and local laws. Certain student data are required, and that data must be strictly maintained to provide the most secure methods of storage. The purpose of the Student Data Protection Policy is to explicitly outline how all student data are collected, managed, maintained, and then expunged. It will demonstrate to students and their parent or guardian that Weber School District collects all data in accordance with all federal, state, and local laws. Students and their parents or guardians should expect that their personally identifiable data is safe, properly cared for, and used only for appropriate purposes.
  • This policy applies to all staff and students of Weber School District. Any breach of the Student Data Protection Act, the WSD Student Data Protection Policy, or the Data Governance Plan is considered to be an offence and in that event, Weber School District disciplinary procedures will apply. As a matter of good practice, other agencies and individuals working with the district, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that departments who deal with external agencies will take responsibility for working with the Student Data Compliance Officer to ensure that such agencies sign a contract agreeing to abide by this policy.


  • The scope of this Student Data Protection Policy encompasses laws within the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §§ 6501–6506), Utah House Bill 358 (2017), and Utah Senate Bill 102 (2017)
  • The Student Data Protection Policy applies to electronic and paper records within Weber School District. It also applies to personal data held visually in photographs, video clips, and sound data. Weber School District collects a large amount of students’ personal data every year, including but not limited to staff records, names and addresses, examination marks, fees, and research data
  • The Student Data Protection Policy should be used by all Weber School District employees, both full and part time. It also applies to any agency, subsidiary, joint venture, suppliers, and vendors who receive personal data from Weber School District, have access to student data, or who provide information to Weber School District


Weber School District is committed to a policy of protecting the rights and privacy of individuals (includes students, staff and others) in accordance with the Student Data Protection Act (HB 358 Utah 2017; SB 102 Utah 2017). The district needs to process certain information about its staff, students, and other individuals it has dealings with for administrative purposes. To comply with the law, information about individuals must be collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.


Weber School District has adopted the following principles to govern its use, collection, storage, transmittal, and deletion of all student data, except as specifically provided by this policy or as required by applicable laws.

  • A student’s personally identifiable student data is owned by the student (HB 358 53A-1-1405:472)
    • The student may download, export, transfer, save, or maintain the data, including a document
  • Student data, both personally identifiable and otherwise, shall be processed fairly and lawfully
  • Appropriate physical, technical, and procedural measures shall be taken to: (i) prevent and/or to identify unauthorized or unlawful collection, processing, or transmittal of student data; and (ii) prevent accidental loss or destruction of, or damage to, student data
  • Student data will be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes
  • Student data will be adequate, relevant, and not excessive in relation to the purposes for which they are collected and/or processed
  • Personal data shall not be kept in a form which permits identification of the student for longer than necessary for the permitted purposes
  • The following student data may not be collected by either the district or its schools (HB 358 53A-1-1406:484)
    • Social Security Number
    • Criminal Record
      • Unless the minor is taken into custody or detention for a violent felony. In that case, law enforcement officers will notify the Superintendent for the purpose of the minor’s supervision and student safety
  • A metadata dictionary will be maintained in compliance with state requirements (HB 358 53A-1-1408:564)
  • Student data will not be collected and/or processed unless:
    • The parent or legal guardian has provided a valid, informed consent authorizing the data’s collection and use
    • Processing is necessary for compliance with a Weber School District legal obligation
    • Processing is necessary in order to protect the vital interest of the student
    • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the student data or in a third party to whom the data is disclosed
    • Processing is necessary for legitimate interest of Weber School District or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the student


  • Consent for the collection, management, dissemination, and deletion of student data must be informed, express, and freely given
  • To be valid, consent must be in writing
  • Consent with regard to Personally Identifiable Information must refer expressly to that data
  • Consent must be revocable
  • The consent system shall include provisions for determining what disclosures should or must be made in order to obtain a valid consent, documentation of the date, method and content of the disclosures made, as well as the validity, scope, and volition of the consents given

Transfers to Third-Parties

  • Student data shall not be transferred to another entity, country, or territory, unless reasonable and appropriate steps have been taken to maintain the required level of data protection
  • Student data may be communicated to third persons only for reasons consistent with the purposes for which the data were originally collected or other purposes authorized by law
  • All student personally identifiable information transferred outside of Weber School District or across public communications networks shall be de-identified or shall be protected against unauthorized access by use of encryption
  • All transfers of student data to third persons for further processing shall be subject to written agreements
  • A third-party contractor shall use PII student data under contract strictly for the purpose of providing the contracted product or services within the negotiated contract terms (HB 358 53A-1-1410:639) (Modified by SB 163 53A-1-1410:289)
  • When contracting with a third-party contractor, Weber School District will be required to list the following provisions
    • Requirements and Restrictions related to the collection, use, storage, or sharing of student data by the third-party contractor
    • A description of a person or affiliated third-party contractor with whom the third-party contractor may share student data
    • A provision outlining the deletion of the student data received by the third-party contractor
    • Provisions that prohibit the secondary use of PII student data
    • An agreement by the third-party contractor that Weber School District may audit the third-party contractor to verify compliance of the contract
    • A stipulation that the third-party contractor will share student data as requested by law enforcement
  • A third-party contractor may:
    • Use student data for adaptive learning or customized learning
    • Market an educational application or product to the parent or legal guardian of a student if the third-party contractor did not use student data
    • Use a recommendation engine to recommend to a student:
      • Content that relates to learning or employment if the recommendation is not motivated by payment or other considerations
      • Services that relate to learning or employment if the recommendation is not motivated by payment or other considerations (HB 358 53A-1-1410:668)
    • The third-party contractor may respond to a student’s request for information or feedback, if the content of the response is not motivated by payment or other considerations
    • The third-party contractor may use student data to allow or improve operability and functionality of their internal application (HB 358 53A-1-1410:674) or identify for a student non-profit institutions of higher education or scholarship providers that are seeking students who meet specific criteria (SB 163 53A-1-1410:324)
      • Regardless of whether the identified non-profit institutions of higher education or scholarship providers provide payment or other consideration to the third-party contractor and
      • Only if the third-party contractor obtains written consent by a legal guardian (SB 163 53A-1-1410:327)
    • A third-party contractor is not required to obtain written consent if the third-party contractor:
      • Is a national assessment provider and
      • Secures the express written consent of the student or legal guardian and
      • Express written consent is given in response to clear and conspicuous notice that the national assessment provider requests consent solely to provide access to information on employment, educational scholarships, financial aid, or postsecondary educational opportunities
  • At the completion of a contract with Weber School District, if the contract has not been renewed, the third-party contractor shall:
    • Return all PII student data or
    • Delete all PII student data under the control of the education entity unless a student or the legal guardian consents to the maintenance of the PII student data
  • The third-party contractor may not:
    • Sell student data
    • Collect, use, or share student data if the data is inconsistent with the contract for Weber School District
    • Use student data for targeted advertising
  • A person may obtain student data through the purchase of, merger with, or otherwise acquiring a third-party contractor if the third-party contractor remains in compliance with this section.

Third-Party Contractor Penalties (exact fines/repercussions are TBD) (HB 358 53A-1-1411:699)

  • If a third-party contractor knowingly or recklessly permits unauthorized collecting, sharing, or use of student data:
    • Weber School District may not enter into a future contract with them
      • Unless the school board determines that the third-party contractor has corrected the error
      • Unless the third-party contractor demonstrates they are currently compliant with these policies
      • Unless the third-party contractor is able to comply with the requirements listed here
    • May be required to pay a civil penalty up to $XX,XXX
      • The board may bring an action in the Weber County district court, if necessary, to enforce payment of the civil penalty
      • An individual who knowingly or intentionally permits unauthorized collecting, sharing, or use of student data may be found guilty of a class X misdemeanour
    • May be required to pay costs of notifying parents and students of the unauthorized use of student data
    • May be required to pay all expenses incurred by Weber School District and its schools as a result of the unauthorized sharing of student data
  • A parent or student may bring an action in a court of competent jurisdiction for damages caused by a knowing or reckless violation of the student data policy by a third-party contractor

Disclosures at the Time of Data Collection (HB 358 53A-1-1406:487)

  • Appropriate disclosures will be made at the time a legal guardian is asked to give consent to the collection or processing of student data, and whenever student data are collected.
  • The disclosure must be a stand-alone document that is published annually and available on the Weber School District’s website
  • Specific information must be disclosed to the legal guardian and/or any other person from whom student data are obtained at the time of collection, unless the legal guardian already has the information. Weber School District must establish technical or administrative means for documenting the fact that the legal guardian already has the information and how.
  • These disclosures should be given as soon as possible, and preferably at the first point of contact with the Legal Guardian. The disclosure will include both necessary and optional data that will be collected and include how the district stores and protects student data.
  • The disclosures should be made in a manner calculated to draw attention to them. The disclosures may not be given orally. Disclosures may be given electronically via the school district’s intranet or in writing. The receipt or form should be retained along with a contemporaneous record establishing the fact, date, content, and method of disclosure for a period of XXXXXX
  • If inadequate disclosures are made initially, additional disclosures may have to be made at a later time, and the fact, date, content, and method of these additional disclosures shall be recorded.
  • The Student Data Disclosure must contain the following statement: “The collection, use, and sharing of student data has both benefits and risks. Parents and students should learn about these benefits and risks and make choices regarding student data accordingly.”

Sources of Student Data

  • Student data shall be collected only from the legal guardian unless the nature of the business purpose necessitates collection of the data from other persons or bodies, collection from the legal guardian would necessitate disproportionate effort, or collection must be accomplished under emergency circumstances in order to protect an interest of the student or to prevent serious loss.
  • Weber School District will create a form or system to document and automate this process as fully as possible.
  • If student data are collected from someone other than the Legal Guardian, the student’s guardian must be informed of the following items unless the legal guardian has received the required information by other means, notification would require disproportionate effort, or the law expressly provides for collection, processing or transfer of the student data.
    • The fact of the collection, processing or transfer of the data by Weber School District;
    • The nature and purposes of the processing;
    • The recipients or categories of recipients of the data;
    • The origin of the data; and

Student Rights

  • Weber School District shall establish a system to enable and facilitate exercise of student data rights of access, blockage, erasure, opposition, rectification, and, where appropriate or required by applicable law, a system for giving notice of inappropriate exposure of the student data.
  • A Legal Guardian shall be entitled to obtain the following information about student data upon a request made in compliance with reasonable policies and procedures established and set forth in writing.
    • Whether Weber School District has stored student data concerning the Legal Guardian.
    • Whether any of the data is personally identifiable.
    • The source(s) of the data, if known.
    • The recipients or categories of recipients to whom the data have been or may be transmitted.
    • The purposes of the collection, processing, use and storage of the data.
    • A hard copy of the data in an intelligible form.
  • Weber School District shall provide its response to a request for student data within 40 days of the date the school district receives a written request from the legal guardian and appropriate verification that the requestor is an authorized legal representative.
  • A Legal Guardian shall have the right to require Weber School District to correct or supplement erroneous, misleading, outdated, or incomplete student data.
  • Requests for access to or rectification of student data shall be directed, at the Legal Guardian’s option, to the principal of the school responsible for the student data.
  • Weber School District shall establish a system for logging each request under this Section as it is received and noting the response date.
  • If Weber School District cannot respond fully to the request within the time indicated, then they shall nevertheless provide the following information within the specified time:
    • An acknowledgement of receipt of the request.
    • Disclosure of responsive information located to date.
    • Identification of any requested information or modifications which Weber School District will not provide, the reason(s) for the refusal, and the procedures for appealing the decision within the district, if any.
    • An estimate of a date by which the remaining responses will be made.
    • A statement or estimate of any costs to be paid by the requestor.
    • The name and contact information of the individual who the requestor should contact for follow up.
  • Where providing the information about the requesting student would disclose personally identifiable information about another individual, the school handling the request must review the data and redact or withhold the information as may be necessary or appropriate to protect that person’s rights.
  • Weber School District may establish procedures to screen and deny abusively burdensome or repetitive requests by or on behalf of a Legal Guardian.
  • The rights provided to parents in this policy transfer to the student when the student turns 18 years old or becomes an emancipated minor

Sensitive Data

  • Sensitive Data should not be processed unless:
    • Such processing is specifically authorized or required by law
    • The legal guardian expressly consents
    • The processing is required for preventive medicine, medical diagnosis, or health care treatment; provided the data are processed by a health professional subject to national law or rules with an obligation of professional secrecy or by another person with an equivalent obligation of secrecy. If Weber School District is relying upon this medical exemption, all contracts with employees and independent contractors who will have access to the Sensitive Data must contain confidentiality requirements equivalent to those imposed on health professionals.
    • Where the legal guardian is physically or legally incapable of giving consent, but the processing is necessary to protect a vital interest of the student. This exemption may apply, for example, where emergency medical care is needed.
    • Data relating to criminal offenses may be processed only by or under the control of an official authority.
  • If Weber School District is relying upon one of the exemptions to authorize processing of Sensitive Data, the exemption relied upon, and the basis for the exemptions should be recorded with the data.

Data Quality Assurance

  • Each individual school shall take steps to assure that student data it collects or processes is complete and accurate in the first instance. Data must be accurate and updated in such a way as to give a true picture of the current situation of the student.
  • Weber School District shall correct data which it knows to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the legal guardian does not request rectification. Inaccurate data must be erased and replaced by corrected or supplemented data.
  • Student data must be kept only for the period necessary for permitted uses. When defining a permitted use for data, the individual school shall establish a remove or review date for the stated purpose.
  • Student data should be erased if their storage violates any of the data protection rules or if knowledge of the data is no longer required by Weber School District or for the benefit of the Legal Guardian. See the Student Record Retention section in the Data Governance Plan.
  • Student data should be blocked, rather than erased, insofar as the law prohibits erasure, erasure would impair legitimate interests of the Legal Guardian, erasure is not possible without disproportionate effort due to the specific type of storage; or if the legal guardian disputes that the data are correct and it cannot be ascertained whether they are correct or incorrect.

Notice of Non-Compliance

  • Weber School District shall notify the Superintendent, directors, and principals that: i) failure to comply with relevant data protection legislation may trigger criminal and civil liability, including fines, imprisonment, and damage awards; and ii) they can be personally liable where an offense is committed by Weber School District with their consent or involvement, or is attributable to any neglect on their part.

Data Security

  • Physical, Technical, and Organizational Security Measures
    • Weber School District shall adopt physical, technical, and organizational measures to ensure the security of student data, including the prevention of their alteration, loss, damage, unauthorized processing or access, having regard to the state of the art, the nature of the data, and the risks to which they are exposed by virtue of human action or the physical or natural environment.
    • Adequate security measures should include all of the following:
      • Entry Control: Prevention of unauthorized persons from gaining access to data processing systems in which student data are processed or stored.
      • Access Control: Prevention of data processing systems from being used by unauthorized persons.
      • Disclosure Control: Preventing persons entitled to use a data processing system from accessing data beyond their needs and authorizations. This includes preventing unauthorized reading, copying, modifying or removal during processing and use, or after storage.
      • Input Control: Ensuring that it can be subsequently checked and established whether and by whom student data has been entered into, modified on, or removed from data processing systems.
      • Job Control: Ensuring that in the case of commissioned processing of student data, the data can be processed only in accordance with the instructions of the school district.
      • Availability Control: Ensuring that student data are protected against undesired destruction or loss.
      • Use Control: Ensuring that data collected for different purposes can and will be processed differently.
      • Longevity Control: Ensuring that data is not kept longer than necessary, including by requiring that data transferred to third persons be returned or destroyed.


  • Employees
    • Employees with inquiries or complaints about the processing of student data should first discuss the matter with their Principal or Supervisor. If the employee does not wish to raise an inquiry or complaint with an immediate supervisor, or if the supervisor and the employee are unable to reach a satisfactory resolution of the issues raised, the employee should bring the issue to the attention of their Director.
  • Parents, Legal Guardians, and Adult Students
    • Parents, legal guardians, and adult students with inquiries or complaints about the processing of student data should bring the matter to the attention of the Student Data Compliance Officer in writing. Any disputes concerning the processing of the personal data of non-employees will be resolved through arbitration.


  • Each school and/or building will provide training to teach or re-emphasize privacy and security related procedures. These procedures should be set forth in written guidelines to employees and shall include at least the following.
    • Each employee’s duty to use and permit the use of student data only by authorized persons and for authorized purposes;
    • The contents of this Policy;
    • The relationship between this Policy and other Weber School District policies;
    • The need for and proper use of the forms and procedures adopted to implement this Policy;
    • The correct use of passwords, security tokens and other access mechanisms;
    • The importance of limiting access to student data, such as by using password protected screen savers, logging out when the information is not being used and attended by an authorized person;
    • Securely storing manual files, print outs and electronic storage media;
    • A general prohibition on the transfer of student data outside of the internal network and physical office premises unless otherwise stated in this Policy;
    • Proper disposal of confidential data by shredding, etc.;


7.1 Current Compliance Assessment

Weber School District shall establish a schedule for and implement a data protection compliance audit for all locations. Weber School District, in cooperation with individual locations, shall devise a plan and schedule for correcting any identified deficiencies within a fixed, reasonable time.

7.2 Annual Data Protection Audit

Each location shall review annually its data collection, processing, and security practices. This annual review shall consist of at least the following:

  • The school or building shall determine what student data it is collecting, or intends to collect, the purposes of the data collection and processing, any additional permitted purposes, the actual uses of the data, what disclosures have been made about the purposes of the collection and use of such data, the existence and scope of any legal guardian consents to such activities, any legal obligations regarding the collection and processing of such data, and the scope, sufficiency, and implementation status of security measures.
  • The school or building shall determine what student data it has in manual systems that constitute “relevant filing systems.”
  • Each school shall identify all transferees of student data in its possession or control. The school shall determine where the transferee is located, the purposes of the transfer, what physical, technical, and procedural systems are in place to maintain at least the existing level of data protection and to prevent or control further transfers.
  • The information collected in this annual review shall be delivered to the Data Security Officer for review and appropriate action including, without limitation, the following:
    • Making recommendations for improvement to policies and procedures in order to improve compliance with this policy and applicable law.
    • Satisfying the requirements of all federal, state, and local laws in relation to transferring, storing, and deleting student data.


  • Publication

This Policy shall be available to employees through the Human Resources Department and shall be made available to non-employees through posting to

  • Effective Date

This Policy is adopted as of July 1, 2017. Weber School District, in cooperation with the schools, will develop a timeline and program for implementing this Policy. This implementation program will include the resolution of any conflicts between this Policy and other existing policies. (HB 358 53A-1-1409:568)

  • Revisions

This Policy may be revised at any time. Notice of significant revisions shall be provided to employees through the Human Resources Department and to others through the Weber School District website, located at


  • For the purpose of this section, ‘parent’ includes a student’s guardian, or if the student is over 18 years old, the student
  • If a school or the school district notifies a parent of a threat or incident, the school or school district shall produce and maintain a record that verifies a parent was notified
  • At the request of a parent, the school may provide information or make recommendations related to the threat or incident
  • A school shall:
    • Provide a student a copy of a record maintained in accordance with this section as it relates to the student
    • Expunge the record maintained in accordance with this section when the student
      • Has graduated from High School and
      • Requests that the record be expunged
    • Notify a parent if the parent’s student threatens to commit suicide
    • Notify the parent of each student involved in an incident of:
      • Bullying
      • Cyber-Bullying
      • Harassment
      • Hazing
      • Retaliation



  • Written consent from a Legal Guardian must be obtained prior to a student being required to take any type of survey, analysis, or evaluation that reveals information concerning the following. Parents must have an opportunity to opt out of any survey concerning one of these areas also:
  • Political affiliations;
  • Mental and psychological problems potentially embarrassing to the student and his/her family;
  • Sex behavior and attitudes;
  • Illegal, anti-social, self-incriminating and demeaning behavior;
  • Critical appraisals of other individuals with whom respondents have close family relationships;
  • Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
  • Religious practices, affiliations, or beliefs of the student or student's parent*; or
  • Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program.)
    • Weber School District must notify the Legal Guardian, at least annually at the beginning of the school year, of the specific or approximate dates during the school year when activities involving the collection, disclosure, or use of personal information collected from students for marketing purposes or to sell or otherwise provide the information to others for marketing purposes
    • Exception to the requirement of written notification and authorization by the Legal Guardian
      • Requirements concerning activities involving the collection and disclosure of personal information collected from students for marketing purposes do not apply to the collection, disclosure, or use of personal information collected for the exclusive purpose of developing, evaluating, or providing educational products or services such as:
        • College or post-secondary education recruitment
        • Military recruitment
        • Book clubs, magazines, and programs providing access to low-cost literary products
        • Curriculum and instructional materials used by elementary and secondary schools
        • Tests and assessments used by schools to provide cognitive, evaluative, diagnostic, clinical, aptitude, or achievement information about students
        • The sale by students of products or services to raise funds for school-related or education-related activities
        • Student recognition programs
      • The legal guardian has the right to inspect any type of instructional material or instrument used in the collection of personal information used as part of the educational curriculum for the student.
      • Any request for inspection of instructional material or instrument used in the collection of personal information must be granted within a reasonable period of time after the request is received
      • Weber School District must offer an opportunity for parents to opt out of participating in any of the activities outlined in this section


  • Terms and Definitions (HB 358 53A-1-1402)

Adult Student: Students 18 years old or older, emancipated students, or students qualified under the McKinney-Vento Homeless Education Assistance

Aggregate Data: Totalled and reported at the group, school, district, region, or state level with at least 10 individuals at the level

Data Authorization: Written authorization to collect or share a student’s data

Data Governance Plan: Comprehensive plan for managing education data

Education Entity: Weber School District and its individual schools

Expunge: Seal or permanently delete data

Instructional Material: Instructional content that is provided to a student, regardless of its format, including printed or representational materials, audio-visual materials, and materials in electronic or digital formats (such as materials accessible through the Internet). The term does not include academic tests or academic assessments.

Invasive Physical Examination: Any medical examination that involves the exposure of private body parts, or any act during such examination that includes incision, insertion, or injection into the body, but does not include a hearing, vision, or scoliosis screening.

Legal Guardian: Parent, Legal Guardian, or Adult Student

Necessary Student Data: Data required by the statute or federal law to conduct the regular activities (HB 358 53A-1-1402:314)

  • Name
  • Date of birth
  • Sex
  • Parent contact information
  • Custodial parent information
  • Contact information
  • Student ID number
  • Local, state, and national assessment results
  • Courses taken and completed, credits earned, other transcript information
  • Course grades and grade point average
  • Grade level and expected graduation date or cohort
  • Degree, diploma, credential attainment and other exit information
  • Attendance and mobility
  • Drop-out data
  • Immunization record or exception from one
  • Race
  • Ethnicity
  • Tribal affiliation
  • Remediation efforts
  • Exception from vision screening
  • Information from vision screening
  • Utah registry of Autism and Developmental Disabilities
  • Student injury information
  • Cumulative disciplinary record created and maintained by district
  • Juvenile delinquency records
  • English language learner status
  • Child find and special education evaluation data related to initiation of IEP

Optional Student Data: Data not included in the Necessary category (HB 358 53A-1-1402:346)

  • Related to IEP or needed to provide special needs
  • Biometric information
  • Information that is not necessary student data and that is required for a student to participate in federal or other program

Personally Identifiable Information (PII): Information that identifies a student (HB 358 53A-1-1402:359)

  • Student’s first and last name
  • First and last name of student’s family member
  • Home or physical address
  • E-mail address or other contact information
  • Student’s phone number
  • Student’s social security number
  • Student’s biometric identifier
  • Health or disability data
  • Education entity student ID number
  • Social media username and password or alias
  • Customer number held in a cookie
  • Combinations
    • Student’s last name with a photograph
    • Student or their family member’s information combined with Personally Identifiable student information
    • Any information that would allow a reasonable person in the community to identify a student with reasonable certainty

Survey: An evaluation


  • Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
  • Children’s Online Privacy Protection Act (COPPA) (15 U.S. Code § 6506)
  • Protection of Pupil Rights Amendment (PPRA)
  • Utah House Bill 358 (2017)
  • Senate Bill 102 (2017)


Tuesday, 07 November 2017 12:33

IT Security Plan

1. Purpose

The purpose of this policy is to ensure the secure use and handling of all district data, computer systems and computer equipment by District students, patrons, and employees.

2. Policy

2.1 Technology Security

It is the policy of the Weber School District to support secure network systems in the district, including security for all personally identifiable information that is stored on paper or stored digitally on district-maintained computers and networks. This policy supports efforts to mitigate threats that may cause harm to the district, its students, or its employees.

The district will ensure reasonable efforts will be made to maintain network security. Data loss can be caused by human error, hardware malfunction, natural disaster, security breach, etc., and may not be preventable.

All persons who are granted access to the district network and other technology resources are expected to be careful and aware of suspicious communications and unauthorized use of district devices and the network. When an employee or other user becomes aware of suspicious activity, he/she is to immediately contact the district’s Information Security Officer with the relevant information.

This policy and procedure also covers third party vendors/contractors that contain or have access to Weber School District critically sensitive data. All third party entities will be required to sign the Restriction on Use of Confidential Information Agreement before accessing our systems or receiving information.

It is the policy of Weber School District to fully conform with all federal and state privacy and data governance laws, including the Family Educational Rights and Privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 (hereinafter “FERPA”), the Government Records and Management Act U.C.A. §62G-2 (hereinafter “GRAMA”), U.C.A. §53A-1-1401 et seq and Utah Administrative Code R277-487.

Professional development for staff and students regarding the importance of network security and best practices is included in the procedures. The procedures associated with this policy are consistent with guidelines provided by cyber security professionals worldwide and in accordance with Utah Education Network and the Utah State Office of Education. Weber School District supports the development, implementation and ongoing improvements for a robust security system of hardware and software that is designed to protect Weber School District’s data, users, and electronic assets.

3. Procedure

3.1. Definitions:

3.1.1.  Access: Directly or indirectly use, attempt to use, instruct, communicate with, cause input to, cause output from, or otherwise make use of any resources of a computer, computer system, computer network, or any means of communication with any of them.

3.1.2. Authorization: Having the express or implied consent or permission of the owner, or of the person authorized by the owner to give consent or permission to access a computer, computer system, or computer network in a manner not exceeding the consent or permission.

3.1.3. Computer: Any electronic device or communication facility that stores, retrieves, processes, or transmits data.

3.1.4. Computer system: A set of related, connected or unconnected, devices, software, or other related computer equipment.

3.1.5. Computer network: The interconnection of communication or telecommunication lines between: computers; or computers and remote terminals; or the interconnection by wireless technology between: computers; or computers and remote terminals.

3.1.6. Computer property: Includes electronic impulses, electronically produced data, information, financial instruments, software, or programs, in either machine or human readable form, any other tangible or intangible item relating to a computer, computer system, computer network, and copies of any of them.

3.1.7. Confidential: Data, text, or computer property that is protected by a security system that clearly evidences that the owner or custodian intends that it not be available to others without the owner's or custodian's permission.

3.1.8. Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.

3.1.9. Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered protected data.

3.1.10. Security system: A computer, computer system, network, or computer property that has some form of access control technology implemented, such as encryption, password protection, other forced authentication, or access control designed to keep out unauthorized persons.

3.1.11. Sensitive data - Data that contains personally identifiable information.

3.1.12. System level – Access to the system that is considered full administrative access.  Includes operating system access and hosted application access.

3.2. Security Responsibility

3.2.1. Weber School District shall appoint, in writing, an IT Security Group (ISG) responsible for overseeing District-wide IT security with duties that include development of District policies and adherence to the standards defined in this document.

3.3. Training

3.3.1. Weber School District, led by the ISG, shall ensure that all District employees having access to sensitive information undergo annual IT security training which emphasizes their personal responsibility for protecting student and employee information. Training resources will be provided to all District employees.

3.4. Physical Security

3.4.1. Computer Security: Weber School District shall ensure that no user’s computer is left unattended and unlocked, especially when logged into sensitive systems or data including student or employee information. Automatic log off, locks and password screen savers should be used to enforce this requirement. Weber School District shall ensure that all equipment that contains sensitive information will be secured to deter theft.

3.4.2. Server/Network Room Security: Weber School District shall ensure that server rooms and telecommunication rooms/closets are protected by appropriate access control which segregates and restricts access from general school or District office areas. Access control shall be enforced using keys, electronic card readers, or a similar method, so that only those IT or other staff members who need access to perform their job functions are allowed unescorted access. Telecommunication rooms/closets may only remain unlocked or unsecured when, because of building design, it is impossible to do otherwise or due to environmental problems that require the door to be opened.

3.4.3. Contractor Access: Before any contractor is allowed access to any computer system, server room, or telecommunication room, the contractor will need to present a company issued identification card, and his/her access will need to be confirmed directly by the authorized employee who issued the service request or by Weber School District’s Technology Department.

3.5. Network Security

3.5.1. Network perimeter controls will be implemented to regulate traffic moving between trusted internal (District) resources and external, untrusted (Internet) entities. All network transmission of sensitive data should enforce encryption where technologically feasible.

3.5.2. Network Segmentation: Weber School District shall ensure that all untrusted and public access computer networks are separated from main district computer networks and utilize security policies to ensure the integrity of those computer networks. Weber School District will utilize industry standards and current best practices to segment internal computer networks based on the data they contain. This will be done to prevent unauthorized users from accessing services unrelated to their job duties and minimize potential damage from other compromised systems.

3.5.3. Wireless Networks: No wireless access point shall be installed on Weber School District’s computer network that does not conform with current network standards as defined by the Network Manager. Any exceptions to this must be approved directly in writing by the Information Security Group. Weber School District shall scan for and remove or disable any rogue wireless devices on a regular basis. All wireless access networks shall conform to current best practices and shall utilize at minimum WPA encryption for any connections. Open access networks are not permitted, except on a temporary basis for events when deemed necessary.

3.5.4. Remote Access: Weber School District shall ensure that any remote access with connectivity to the District’s internal network is achieved using the District’s Palo Alto Global VPN service that is protected by multiple factor authentication systems. Any exception to this policy must be due to a service provider’s technical requirements and must be approved by the Information Security Officer.

3.6. Access Control

3.6.1. System and application access will be granted based upon the least amount of access to data and programs required by the user in accordance with a business need-to-have requirement.

3.6.2. Authentication: Weber School District shall enforce strong password management for employees, students, and contractors.

Password Creation: All server system-level passwords must conform to the Password Construction Guidelines posted on the Weber School District Technology Website.

Password Protection: Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential information. Passwords must not be inserted into email messages or other forms of electronic communication. Passwords must not be revealed over the phone to anyone. Do not reveal a password on questionnaires or security forms. Do not hint at the format of a password (for example, "my family name"). Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.

3.6.2. Authorization: Weber School District shall ensure that user access shall be limited to only those specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access. Weber School District shall ensure that user access should be granted and/or terminated upon timely receipt, and management’s approval, of a documented access request/termination.

3.6.3. Accounting: Weber School District shall ensure that audit and log files are maintained for at least ninety days for all critical security-relevant events such as: invalid logon attempts, changes to the security policy/configuration, and failed attempts to access objects by unauthorized users, etc.

3.6.4. Administrative Access Controls: Weber School District shall limit IT administrator privileges (operating system, database, and applications) to the minimum number of staff required to perform these sensitive duties.

3.7. Incident Management

3.7.1. Monitoring and responding to IT related incidents will be designed to provide early notification of events and rapid response and recovery from internal or external network or system attacks.

3.8. Business Continuity

3.8.1. To ensure continuous critical IT services, IT will develop a business continuity/disaster recovery plan appropriate for the size and complexity of District IT operations.

3.8.2. Weber School District shall develop and deploy a district-wide business continuity plan which should include as a minimum:

  • Backup Data: Procedures for performing routine daily/weekly/monthly backups and storing backup media at a secured location other than the server room or adjacent facilities. As a minimum, backup media must be stored off-site a reasonably safe distance from the primary server room.
  • Secondary Locations: Identify a backup processing location, such as another School or District building.
  • Emergency Procedures: Document a calling tree with emergency actions to include: recovery of backup data, restoration of processing at the secondary location, and generation of student and employee listings for ensuring a full head count of all.

3.9. Malicious Software

3.9.1. Server and workstation protection software will be deployed to identify and eradicate malicious software attacks such as viruses, spyware, and malware.

3.9.2. Weber School District shall install, distribute, and maintain spyware and virus protection software on all district-owned equipment, i.e. servers, workstations, and laptops. 

3.9.3. Weber School District shall ensure that malicious software protection will include frequent update downloads (minimum weekly), frequent scanning (minimum weekly), and that malicious software protection is in active state (real time) on all operating servers/workstations.

3.9.4. Weber School District shall ensure that all security-relevant software patches (workstations and servers) are applied within thirty days and critical patches shall be applied as soon as possible.

3.9.5. All computers must use the District approved anti-virus solution.

3.9.6. Any exceptions to section 3.9 must be approved by the Information Security Officer.

3.10. Internet Content Filtering

3.10.1. In accordance with Federal and State Law, Weber School District shall filter internet traffic for content defined in law that is deemed harmful to minors.

3.10.2. Weber School District acknowledges that technology based filters are not always effective at eliminating harmful content and due to this, Weber School District uses a combination of technological means and supervisory means to protect students from harmful online content.

3.10.3. In the event that students take devices home, Weber School District will provide a technology based filtering solution for those devices.  However, the District will rely on parents to provide the supervision necessary to fully protect students from accessing harmful online content.

3.10.4. Students shall be supervised when accessing the internet and using district owned devices on school property.

3.11. Data Privacy

3.11.1. Weber School District considers the protection of the data it collects on students, employees and their families to be of the utmost importance.

3.11.2. Weber School District protects student data in compliance with the Family Educational Rights and Privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 (“FERPA”), the Government Records and Management Act U.C.A. §62G-2 (“GRAMA”), U.C.A. §53A-1-1401 et seq, 15 U.S. Code §§ 6501–6506 (“COPPA”) and Utah Administrative Code R277-487 (“Student Data Protection Act”).

3.11.3. Weber School District shall ensure that employee records access shall be limited to only those individuals who have specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.

3.12. Security Audit and Remediation

3.12.1. Weber School District shall perform routine security and privacy audits in congruence with the District’s Information Security Audit Plan.

3.12.2. District personnel shall develop remediation plans to address identified lapses that conform with the District’s Information Security Remediation Plan Template.

3.13. Disciplinary Actions

3.13.1. Employee Disciplinary Actions shall be in accordance with applicable laws, regulations and District policies. Any employee found to be in violation may be subject to disciplinary action up to and including termination of employment with the Weber School District.