Skip Navigation
Student Data Protection

Student Data Protection (7)

Protection of Pupil Rights Amendment (PPRA) and UT FERPA Policy

Policy Statement

Weber School District shall ensure that parental involvement occurs in cases where information collected from a student would generally raise privacy concerns in accordance with 20 USC 1232h and UCA 53E-9-203.

Procedures

  1. Third party surveys. 
    1. Before the administration or distribution of any survey created by a third party, Weber School District shall provide notice to parents and the opportunity to inspect the survey within a reasonable time of receiving the request. 
  2. Collection of sensitive information. 
    1. Restrictions on collecting sensitive information. Written parental consent shall be required before students are administered a psychological or psychiatric examination, test, or treatment, or any survey, analysis, or evaluation in which the evident intended effect is to cause the student to reveal information concerning one or more of the following sensitive areas about the student or any family member: 
  • Political affiliations or beliefs or, except as provided under UCA 53G-10-202 or rules of the state board, political philosophies; 
  • Mental or psychological problems; 
  • Sex behavior, orientation, or attitudes; 
  • Illegal, anti-social, self-incriminating, or demeaning behavior; 
  • Critical appraisals of others with whom the student or family member has close family relationships;
  • Legally recognized privileged relationships, such as with lawyers, medical personnel, or ministers; 
  • Religious practices, affiliations, or beliefs of the student or student’s parent; or 
  • Income, other than as required by law to determine program eligibility.
  1. Scope of written consent requirement. Prior written consent shall be required:
  • in all grades, kindergarten through grade 12;
  • within the curriculum and other school activities; and
  • whether the information collected is personally identifiable or not.
  1. Validity of written consent. The following procedures dictate the validity of written consent:
  • Written consent shall be considered valid only if notice was given in accordance with the notification requirements of this policy; 
  • The authorization shall only be valid for the activity for which it was granted;
  • A written withdrawal of authorization submitted to the school principal by the authorizing parent terminates the authorization;
  • A general consent used to approve admission to school or involvement in special education, remedial education, or a school activity does not constitute written consent under this section.
  1. Exceptions. Prior written consent shall not be required:
  • as part of a suicide prevention program as described in UCA 53G-9-702 where the parent has received notification and the ability to opt out of the process in accordance with the notification section of this policy; or 
  • if there is a reasonable belief that there is an emergency, child abuse, neglect, or a serious threat to the wellbeing of the student in accordance with the Emergency Situations section of this policy.
  1. Data disclosure Sensitive information collected under this policy may be shared in accordance with the Family Educational Rights and Privacy Act (FERPA), 20 USC 1232g, and UCA 53E-9-308.
  2. Data storage restriction. Sensitive information collected from a survey may not be stored in a student’s Student Achievement Backpack as defined in UCA 53E-3-511.
  3. Expressions of belief. This policy does not limit the ability of a student to, under UCA 53G-10-203, spontaneously express sentiments or opinions otherwise protected against disclosure under this policy.
  4. Inspection of instructional materials. 

Weber School District shall provide notice and an opportunity to a parent to inspect any instructional content that is provided to a student, regardless of its format, including printed or representational materials, audio-visual materials, and materials in electronic or digital formats (such as materials accessible through the Internet) used as part of the educational curriculum for the student. 

  1. Exclusion for academic tests or academic assessments. The opportunity to inspect instructional materials shall not extend to academic tests or academic assessments.
  1. Nonemergency, invasive physical examinations. 

Weber School District shall provide notification to parents and the opportunity to opt out of nonemergency, invasive physical examination that is:

  • Required as a condition of attendance;
  • Administered by the school and scheduled in advance; and
  • Not necessary to protect the immediate health and safety of the student, or of other students. 
  1. Definition. The term “invasive physical examination” means any medical examination that involves the exposure of private body parts, or any act during such examination that includes incision, insertion, or injection into the body, but does not include a hearing, vision, or scoliosis screening.
  2. Exception. This policy does not apply to any physical examination or screening that is permitted or required by an applicable Utah law, including physical examinations or screenings that are permitted without parental notification.
  1. Marketing surveys. 

Weber School District shall provide notice of and an opportunity to opt out of activities involving collection, disclosure, or use of personal information collected from students for marketing or to sell or otherwise distribute the information to others. 

  1. Exceptions. The requirement to provide notice and the opportunity to opt out does not apply to the collection, disclosure, or use of personal information collected from students for the exclusive purpose of developing, evaluating, or providing educational products or services for, or to, students or educational institutions, such as the following:
  • College or other postsecondary education recruitment, or military recruitment.
  • Book clubs, magazines, and programs providing access to low-cost literary products.
  • Curriculum and instructional materials used by elementary schools and secondary schools.
  • Tests and assessments used by elementary schools and secondary schools to provide cognitive, evaluative, diagnostic, clinical, aptitude, or achievement information about students (or to generate other statistically useful data for the purpose of securing such tests and assessments) and the subsequent analysis and public release of the aggregate data from such tests and assessments.
  • The sale by students of products or services to raise funds for school-related or education-related activities.
  • Student recognition programs.

Weber School District shall provide notification to parents of this policy as follows:

  1. Required notifications. Weber School District shall provide the following notifications:
  1. notification at the beginning of each school year regarding this policy and within a reasonable period of time after any substantive changes to this policy;
  2. notification at the beginning of each school year of any planned third-party surveys;
  3. direct notification annually at the beginning of the school year by postal mail, hand, or email, including the specific or approximate dates, of any 
  • marketing survey; or 
  • nonemergency, invasive physical examination;
  1. direct notification by postal mail, hand, or email, including the specific or approximate dates, annually at the beginning of the school year and at least two weeks prior to the administration of any collection of sensitive information. This notice shall also include:
  • an internet address where the parent can view the exact survey to be administered to the parent’s student, and a notice that a copy of the survey questions will also be made available at the school. 
  • notice that a parent has a reasonable opportunity to obtain in writing the following information concerning the survey:
  • records or information, including information about relationships, that may be examined or requested;
  • the means by which the records or information shall be examined or reviewed;
  • the means by which the information is to be obtained;
  • the purposes for which the records or information are needed;
  • the entities or persons, regardless of affiliation, who will have access to the personally identifiable information; and
  • a method by which a parent of a student can grant permission to access or examine the personally identifiable information
  1. Waiver of two-week’s notice requirement. The two-week’s notice requirement for a collection of sensitive information may be waived in the following circumstances:
  • In response to a situation which a school employee reasonably believes to be an emergency, or as authorized under UCA 62A-4a-4, Child Abuse or Neglect Reporting Requirements;
  • By order of a court; or
  • After receiving notice of a collection of sensitive information protected by this policy, a parent may waive the two-week’s notice requirement.  

Weber School District shall provide training for teachers and administrators on the implementation of this policy.

  1. Emergency situations. 

If a school employee, agent, or school resource officer believes a student is at-risk of attempting suicide, physical self-harm, or harming others, the school employee, agent, or school resource officer may intervene and ask a student questions regarding the student's suicidal thoughts, physically self-harming behavior, or thoughts of harming others for the purposes of:

  • Referring the student to the appropriate prevention services; and
  • Informing the student’s parent without delay.
  1. Exception to notifying parents of an emergency situation. If the matter has been reported to the Division of Child and Family Services within the Department of Human Services, it is the responsibility of the division to notify the student's parent of any possible investigation, prior to the student's return home from school.
  2. Minimum degree of intervention. School employees, agents, or school resource officers shall use the minimum degree of intervention to accomplish the goals of this policy.
  1. Students who have turned 18 and emancipated minors. 

The rights to notification and opt out shall transfer to the student when the student turns 18 years old or is an emancipated minor. 

  1. Exception. The notification shall be given to and written consent required from the parent in all grades, kindergarten through 12, regardless of the student’s age, before a collection of sensitive information shall be administered.

 

 

update 9/13/2021

Wednesday, 11 September 2019 10:09

Student Data Collection Notice

Written by

STUDENT DATA COLLECTION NOTICE

Necessary Student Data

Necessary student data means data required by state statute or federal law to conduct the regular activities of the school.

  • Student Name, Date of birth, and Sex
  • Parent and student contact information and Custodial parent information
  • A student identification number (including the student’s school ID number and the state-assigned student identifier, or SSID)
  • Local, state, and national assessment results or an exception from taking a local, state, or national assessment (click here for more information on assessments)
  • Courses taken and completed, credits earned, and other transcript information
  • Course grades and grade point average
  • Grade level and expected graduation date or graduation cohort
  • Degree, diploma, credential attainment, and other school information
  • Attendance and mobility
  • Drop-out data
  • Immunization record or an exception from an immunization record
  • Race, Ethnicity, or Tribal affiliation
  • Remediation efforts
  • An exception from a vision screening required under Section 53G-9-404 or information collected from a vision screening described in Utah Code Section 53G-9-404
  • Information related to the Utah Registry of Autism and Development Disabilities (URADD), described in Utah Code Section 26-7-4
  • Student injury information
  • A disciplinary record created and maintained as described in Utah Code Section 53E-9-306
  • Juvenile delinquency records
  • English language learner status
  • Child find and special education evaluation data related to initiation of an IEP

Optional Student Data

We may only collect optional student data with written consent from the student’s parent or from a student who has turned 18.

  • Information related to an IEP or needed to provide special needs services
  • Biometric information used to identify the student
  • Information required for a student to participate in an optional federal or state program (e.g., information related to applying for free or reduced lunch)

Certain sensitive information on students collected via a psychological or psychiatric examination, test, or treatment, or any survey, analysis, or evaluation will only be collected with parental consent. You will receive a separate consent form in these cases. See our Protection of Pupil Rights Act (PPRA) notice for more information.

Prohibited Collections

Except as provided above, the following topics are prohibited topics from a school official to a student.

  • Psychological or psychiatric examination
  • Test, treatment, survey, analysis, or evaluation of psychological or psychiatric examinations
  • Political affiliations
  • Mental or psychological problems
  • Sexual behavior, orientation, or attitudes
  • Gender identity (added by HB 182, 2024)
  • Illegal, anti-social, self-incriminating, or demeaning behavior
  • Religious affiliations or beliefs
  • Income, except as required by law
  • Legally recognized relationships, such as with lawyers, medical personnel, or ministers.
  • Critical appraisals of individuals with whom the student or family member has close family relationships

We will not collect a student’s social security number or criminal record, except as required by Utah Code Section 80-6-103.

 

Data Sharing

We will only share student data in accordance with the Family Educational Rights and Privacy Act (FERPA), which generally requires written parental consent before sharing student data. FERPA includes several exceptions to this rule, where we may share student data without parental consent. For more information on third parties receiving student information from us, see our Metadata Dictionary.

Student data will be shared with the Utah State Board of Education via the Utah Transcript and Records Exchange (UTREx). For more information about UTREx and how it is used, please visit the Utah State Board of Education’s Information Technology website.

Benefits, Risks, and Parent Choices

The collection, use, and sharing of student data has both benefits and risks. Parents and students should learn about these benefits and risks and make choices regarding student data accordingly. Parents are given the following choices regarding student data:

  • Choice to request to review education records of their children and request an explanation or interpretation of the records (see our annual FERPA notice for more information)
  • Choice to contest the accuracy of certain records (see our annual FERPA notice for more information), potentially leading to the correction, expungement, or deletion of the record
  • Choice to opt into certain data collections (see the section above on optional data collections)
  • Choice to opt out of certain data exchanges
    • Information that has been classified as directory information (see our directory information notice for more information)
    • Parents of students with an IEP may have their information shared with the Utah Registry of Autism and Developmental Disabilities (URADD). If included in this data exchange, parents will receive a separate notice within 30 days of the exchange, informing them of their right to opt out, per Utah Code Section 53E-9-308(6)(b)
  • Choice to file a complaint if you believe the school or its agents are violating your rights under FERPA or Utah’s Student Data Protection Act. If you have a complaint or concern, we recommend starting locally and then escalating to the state and US Department of Education

Your local school district or charter school

Tanya Miller

The Utah State Board of Education

Report your concern with the USBE hotline

The US Department of Education

Report your concern here

Storage and Security

In accordance with Board Rule R277-487-3(14), we have adopted a cybersecurity framework called the CIS Controls.  

 

 

updated 4/24/2024

Directory information

 

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. Weber School District, with certain exceptions, must obtain your written consent before disclosing any personally identifiable information from your child's education records, except for certain designated "directory information." Directory information may be disclosed without your consent unless you have notified Weber School District otherwise.

 

Purpose of directory information

 

The primary purpose of directory information is to allow Weber School District to include information from your child’s education records in certain school publications. Examples include:


• A playbill showing your student’s role in a drama production;
• The annual yearbook;
• Honor roll or other recognition lists;
• Graduation programs, and
• Sports activity sheets, such as for wrestling, showing the weight and height of team members.


Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent.
Outside organizations include, but are not limited to, companies that manufacture class rings or publish yearbooks.



Military recruiters and institutions of higher education

 

In accordance with two federal laws, the Elementary and Secondary Education Act of 1965 (ESEA) and Section 10 U.S.C. § 503(c), Weber School District, as a recipient of ESEA assistance, is required to provide military recruiters and institutions of higher education with student names, addresses, and telephone listings upon request. Parents may opt out of this disclosure by notifying Weber School District in writing.

Opting out

 

To opt out of having Weber School District disclose directory information from your child's education records, please submit a written notification to the district by the last day of September.



What information is designated directory information?

 

Weber School District has designated the following information as directory information:

  • Student's name
  • Address
  • Telephone listing
  • Electronic mail address
  • Photograph
  • Date and place of birth
  • Major field of study
  • Dates of attendance
  • Grade level
  • Participation in officially recognized activities and sports
  • Weight and height of members of athletic teams
  • Degrees, honors, and awards received
  • The most recent educational agency or institution attended
    Student ID number, user ID, or other unique personal identifier used to communicate in electronic systems but only if the identifier cannot be used to gain access to education
    records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a PIN, password, or other factor known or possessed only by the
    authorized user
  • A student ID number or other unique personal identifier that is displayed on a student ID badge, but only if the identifier cannot be used to gain access to education records except
    when used in conjunction with one or more factors that authenticate the user's identity, such
    as a PIN, password, or other factor known or possessed only by the authorized user.

 

(updated 11/07/2023)

Wednesday, 11 September 2019 08:58

Notification of Rights under FERPA for Schools

Written by

Model Notification of Rights under FERPA for Schools

The Family Educational Rights and Privacy Act (FERPA) affords parents and students who are 18 years of age or older ("eligible students") certain rights with respect to the student's education records.  These rights are:

  1. The right to inspect and review the student's education records within 45 days after the day the [Name of school (“School”)] receives a request for access.

Parents or eligible students who wish to inspect their child’s or their education records should submit to the school principal [or appropriate school official] a written request that identifies the records they wish to inspect.  The school official will make arrangements for access and notify the parent or eligible student of the time and place where the records may be inspected.

  1. The right to request the amendment of the student’s education records that the parent or eligible student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.

Parents or eligible students who wish to ask the [School] to amend their child’s or their education record should write the school principal [or appropriate school official], clearly identify the part of the record they want changed, and specify why it should be changed.  If the school decides not to amend the record as requested by the parent or eligible student, the school will notify the parent or eligible student of the decision and of their right to a hearing regarding the request for amendment.  Additional information regarding the hearing procedures will be provided to the parent or eligible student when notified of the right to a hearing.

  1. The right to provide written consent before the school discloses personally identifiable information (PII) from the student's education records, except to the extent that FERPA authorizes disclosure without consent.

One exception, which permits disclosure without consent, is disclosure to school officials with legitimate educational interests.  The criteria for determining who constitutes a school official and what constitutes a legitimate educational interest must be set forth in the school’s or school district’s annual notification for FERPA rights.  A school official typically includes a person employed by the school or school district as an administrator, supervisor, instructor, or support staff member (including health or medical staff and law enforcement unit personnel) or a person serving on the school board.  A school official also may include a volunteer,  contractor, or consultant who, while not employed by the school, performs an institutional service or function for which the school would otherwise use its own employees and who is under the direct control of the school with respect to the use and maintenance of PII from education records, such as an attorney, auditor, medical consultant, or therapist; a parent or student volunteering to serve on an official committee, such as a disciplinary or grievance committee; or a parent, student, or other volunteer assisting another school official in performing his or her tasks.  A school official typically has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.

[Optional] Upon request, the school discloses education records without consent to officials of another school or school district in which a student seeks or intends to enroll, or is already enrolled if the disclosure is for purposes of the student’s enrollment or transfer.  [NOTE:  FERPA requires a school or school district to make a reasonable attempt to notify the parent or student of the records request unless it states in its annual notification that it intends to forward records on request or the disclosure is initiated by the parent or eligible student.]

  1. The right to file a complaint with the U.S. Department of Education concerning alleged failures by the [School] to comply with the requirements of FERPA. The name and address of the Office that administers FERPA are:

Student Privacy Policy Office

U.S. Department of Education

400 Maryland Avenue, SW

Washington, DC  20202

[NOTE:  In addition, a school may want to include its directory information public notice, as required by § 99.37 of the regulations, with its annual notification of rights under FERPA.]

[Optional]  See the list below of the disclosures that elementary and secondary schools may make without consent.

FERPA permits the disclosure of PII from students’ education records, without consent of the parent or eligible student, if the disclosure meets certain conditions found in § 99.31 of the FERPA regulations.  Except for disclosures to school officials, disclosures related to some judicial orders or lawfully issued subpoenas, disclosures of directory information, and disclosures to the parent or eligible student, § 99.32 of the FERPA regulations requires the school to record the disclosure.  Parents and eligible students have a right to inspect and review the record of disclosures.  A school may disclose PII from the education records of a student without obtaining prior written consent of the parents or the eligible student –

  • To other school officials, including teachers, within the educational agency or institution whom the school has determined to have legitimate educational interests. This includes contractors, consultants, volunteers, or other parties to whom the school has outsourced institutional services or functions, provided that the conditions listed in § 99.31(a)(1)(i)(B)(1) - (a)(1)(i)(B)(3) are met. (§ 99.31(a)(1))
  • To officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled if the disclosure is for purposes related to the student’s enrollment or transfer, subject to the requirements of § 99.34. (§ 99.31(a)(2))
  • To authorized representatives of the U. S. Comptroller General, the U. S. Attorney General, the U.S. Secretary of Education, or State and local educational authorities, such as the State educational agency (SEA) in the parent or eligible student’s State. Disclosures under this provision may be made, subject to the requirements of § 99.35, in connection with an audit or evaluation of Federal- or State-supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs. These entities may make further disclosures of PII to outside entities that are designated by them as their authorized representatives to conduct any audit, evaluation, or enforcement or compliance activity on their behalf, if applicable requirements are met.  (§§ 99.31(a)(3) and 99.35)
  • In connection with financial aid for which the student has applied or which the student has received, if the information is necessary for such purposes as to determine eligibility for the aid, determine the amount of the aid, determine the conditions of the aid, or enforce the terms and conditions of the aid. (§ 99.31(a)(4))
  • To State and local officials or authorities to whom information is specifically allowed to be reported or disclosed by a State statute that concerns the juvenile justice system and the system’s ability to effectively serve, prior to adjudication, the student whose records were released, subject to § 99.38. (§ 99.31(a)(5))
  • To organizations conducting studies for, or on behalf of, the school, in order to: (a) develop, validate, or administer predictive tests; (b)  administer student aid programs; or (c)  improve instruction, if applicable requirements are met.  (§ 99.31(a)(6))
  • To accrediting organizations to carry out their accrediting functions. (§ 99.31(a)(7))
  • To parents of an eligible student if the student is a dependent for IRS tax purposes. (§ 99.31(a)(8))
  • To comply with a judicial order or lawfully issued subpoena if applicable requirements are met. (§ 99.31(a)(9))
  • To appropriate officials in connection with a health or safety emergency, subject to § 99.36. (§ 99.31(a)(10))
  • Information the school has designated as “directory information” if applicable requirements under § 99.37 are met. (§ 99.31(a)(11))
  • To an agency caseworker or other representative of a State or local child welfare agency or tribal organization who is authorized to access a student’s case plan when such agency or organization is legally responsible, in accordance with State or tribal law, for the care and protection of the student in foster care placement. (20 U.S.C. § 1232g(b)(1)(L))
  • To the Secretary of Agriculture or authorized representatives of the Food and Nutrition Service for purposes of conducting program monitoring, evaluations, and performance measurements of programs authorized under the Richard B. Russell National School Lunch Act or the Child Nutrition Act of 1966, under certain conditions. (20 U.S.C. § 1232g(b)(1)(K))
  • School Resource Officers (SRO) will be considered a school official. (189334 C.F.R. Part 99)
Monday, 13 November 2017 10:26

Data Governance Plan

Written by

Weber School District Data Governance Plan

1. Governing Principles

Weber School District (hereafter referred to as the LEA) takes its responsibility to safeguard student data very seriously. This governance plan incorporates the following Generally Accepted Information Principles (GAIP):

  • Risk: There is risk associated with data and content. The risk must be formally recognized, either as a liability or through incurring costs to manage and reduce the inherent risk.
  • Due Diligence: If a risk is known, it must be reported. If a risk is possible, it must be confirmed.
  • Audit: The accuracy of data and content is subject to periodic audit by an independent body.
  • Accountability: An organization must identify parties which are ultimately responsible for data and content assets.
  • Liability: The risks in information means there is a financial liability inherent in all data or content that is based on regulatory and ethical misuse or mismanagement.

2. Data Maintenance and Protection Policy

The LEA acknowledges the risks and liabilities associated with maintaining student data and other education-related data, and will implement reasonable data industry best practices to mitigate these risks.

2.1 Process

In accordance with R277-487, the LEA shall do the following:

  • Designate an individual as an Information Security Officer
  • Adopt the CIS Controls or comparable
  • Report to the USBE by October 1 each year regarding the status of the adoption of the CIS controls or comparable and future plans for improvement.

 

3. Roles and Responsibilities Policy

The LEA acknowledges the need to identify parties who are ultimately responsible and accountable for data and content assets. These individuals and their responsibilities are as follows:

3.1 Data Manager roles and responsibilities

  • manage the sharing of personally identifiable student data (PISD) outside of the education entity, as described in this section, and obtain authorization for such sharing.
  • provide necessary technical assistance, training, and support.
  • serve as the primary local point of contact for the state student data officer.
  • ensure that the following notices are available to parents:

3.2 Information Security Officer

  • Oversee adoption of the CIS controls
  • Provide for necessary technical assistance, training, and support as it relates to IT security

4. Training and Support Policy

The LEA acknowledges that training and supporting educators and staff on federal and state data privacy laws is essential for legal compliance.

4.1 Procedure

  1. The data manager will ensure that all educators with access to student records receive annual training on student data confidentiality, based on the Data Sharing Policy.
  2. The data manager will report the completion status of the annual confidentiality training to USBE by October 1 each year, and provide a copy of the training materials used.
  3. The data manager will maintain a list of all employees who are authorized to access student education records, after they have completed training that meets the requirements of 53E-9-204.
  4. Effective August 1st of each year, all staff with access to student records must complete the Student Data Privacy course and quiz located in TalentEd with a perfect score. A list of those who complete the course and quiz successfully will be submitted to the Weber School District Board of Education.

5. Audit Policy

In accordance with the risk management priorities of the LEA, the LEA will conduct an audit of:

  • The effectiveness of the controls used to follow this data governance plan; and
  • Third-party contractors, as permitted by the contract described in 53E-9-309(2).

6. Data Sharing Policy

There is a risk of redisclosure whenever student data are shared. The LEA shall follow appropriate controls to mitigate the risk of redisclosure and to ensure compliance with federal and state law.

6.1 Procedure for App/Website Approval

  1. To request approval for a new app, staff must submit a request through LearnPlatform.
  2. A Review Committee, composed of Directors and DT&L personnel, will assess the app to determine whether it aligns with Weber School District's learning methods and objectives.
  3. If the Review Committee approves the app or website, they will submit it to the Student Data Privacy Manager.
  4. The data manager is responsible for approving all data sharing or designating other trained individuals to do so.
  5. For external research, the data manager must ensure that the study complies with the FERPA study exception described in 34 CFR 99.31(a)(6).
  6. After sharing student data, the data manager must record the exchange in the LEA Metadata Dictionary on LearnPlatform.
  7. Any Data Privacy Agreements must be uploaded to the SDPC Resource Registry.
  8. After sharing from student records, the data manager shall make a note in the student record of the exchange in accordance with 34 CFR 99.32.

7. Expungement Request Policy

The LEA acknowledges the risk of using student data to mistreat students, as this data can follow them year after year. To mitigate this risk, the LEA will review all requests for records expungement from parents and make a determination based on the following procedure.

7.1 Procedure

The following records may not be expunged: grades, transcripts, a record of the student’s enrollment, and assessment information.

The procedure for expungement shall match the record amendment procedure found in 34 CFR 99, Subpart C of FERPA.

  1. If a parent believes that a record is misleading, inaccurate, or in violation of the student’s privacy, they may request that the record be expunged.
  2. The LEA shall decide whether to expunge the data within a reasonable time after the request.
  3. If the LEA decides not to expunge the record, they will inform the parent of their decision as well as the right to an appeal hearing.
  4. The LEA shall hold the hearing within a reasonable time after receiving the request for a hearing.
  5. The LEA shall provide the parent notice of the date, time, and place in advance of the hearing.
  6. The hearing shall be conducted by any individual that does not have a direct interest in the outcome of the hearing.
  7. The LEA shall give the parent a full and fair opportunity to present relevant evidence. At the parents’ expense and choice, they may be represented by an individual of their choice, including an attorney.
  8. The LEA shall make its decision in writing within a reasonable time following the hearing.
  9. The decision must be based exclusively on evidence presented at the hearing and include a summary of the evidence and reasons for the decision.
  10. If the decision is to expunge the record, the LEA will seal it or make it otherwise unavailable to other staff and educators.

8. Data Breach Response Policy

The LEA will implement and maintain CIS v8 and NIST SP 800-122-compliant data security controls to protect personally identifiable information (PII). In the event of a data breach or inadvertent disclosure of PII, the LEA staff will follow the LEA's incident response plan.

8.1 Procedures

  1. The Superintendent will work with the information security officer to designate individuals to be members of the cyber incident response team (CIRT)
  2. At the beginning of an investigation, the information security officer will begin tracking the incident and log all information and evidence related to the investigation.
  3. The information security officer will call the CIRT into action once there is reasonable evidence that an incident or breach has occurred.
  4. The information security officer will coordinate with other IT staff to determine the root cause of the breach and close the breach.
  5. The CIRT will coordinate with legal counsel to determine if the incident is meets the legal definition of a significant breach as defined in R277-487 and determine which entities and individuals need to be notified.
  6. If law enforcement is notified and begins an investigation, the CIRT will consult with them before notifying parents or the public so as to not interfere with the law enforcement investigation.

9. Publication Policy

The LEA recognizes the importance of transparency and will post this policy on the LEA website.

 

 

(updated 11/7/2023)

Monday, 13 November 2017 10:23

Student Data Privacy Policy

Written by

 

PURPOSE

  • Weber School District is dedicated to protecting the privacy and rights of individuals in accordance with federal, state, and local laws. Certain student data are required, and that data must be strictly maintained to provide the most secure methods of storage. The purpose of the Student Data Protection Policy is to explicitly outline how all student data are collected, managed, maintained, and then expulsed.  It will demonstrate to students and their parent or guardian that all data collected by Weber School District is done so in accordance with all federal, state, and local laws.  Students and their parents or guardians should expect that their personally identifiable data is safe, properly cared for, and used only for appropriate purposes
  • This policy applies to all staff and students of Weber School District. Any breach of the Student Data Protection Act, the WSD Student Data Protection Policy, or the Data Governance Plan is considered to be an offence and in that event, Weber School District disciplinary procedures will apply. As a matter of good practice, other agencies and individuals working with the district, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that departments who deal with external agencies will take responsibility for working with the Student Data Compliance Officer to ensure that such agencies sign a contract agree to abide by this policy

SCOPE

  • The scope of this Student Data Protection Policy encompasses laws within the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §§ 6501–6506), Utah House Bill 358 (2017), and Utah Senate Bill 102 (2017)
  • The Student Data Protection Policy applies to electronic and paper records within Weber School District. It also applies to personal data held visually in photographs, video clips, and sound data.  Weber School District collects a large amount of student’s personal data every year, including but not limited to staff records, names and addresses, examination marks, fees, and research data
  • The Student Data Protection Policy should be used by all Weber School District employees, both full and part time. It also applies to any agency, subsidiary, join venture, suppliers, and vendors who receive personal data from Weber School District, have access to student data, or who provide information to Weber School District

POLICY STATEMENT

Weber School District is committed to a policy of protecting the rights and privacy of individuals (includes students, staff and others) in accordance with the Student Data Protection Act (HB 358 Utah 2017; SB 102 Utah 2017). The district needs to process certain information about its staff, students, and other individuals it has dealings with for administrative purposes. To comply with the law, information about individuals must be collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.

DATA PROTECTION PRINCIPLES

Weber School District has adopted the following principles to govern its use, collection, storage, transmittal, and deletion of all student data, except as specifically provided by this policy or as required by applicable laws.

  • A student’s personally identifiable student data is owned by the student (HB 358 53A-1-1405:472)
    • The student may download, export, transfer, save, or maintain the data, including a document
  • Student data, both personally identifiable and otherwise, shall be processed fairly and lawfully
  • Appropriate physical, technical, and procedural measures shall be taken to: (i) prevent and/or to identify unauthorized or unlawful collection, processing, transmittal of student data; and (ii) prevent accidental loss or destruction of, or damaged to, student data
  • Student data will be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes
  • Student data will be adequate, relevant, and not excessive in relation to the purposes for which they are collected and/or processed
  • Personal data shall not be kept in a form which permits identification of the student for longer than necessary for the permitted purposes
  • The following student data may not be collected by either the district or its schools (HB 358 53A-1-1406:484)
  • Social Security Number
  • Criminal Record
    • Unless the minor is taken into custody or detention for a violent felony. In that case, law enforcement officers will notify the Superintendent for the purpose of the minor’s supervision and student safety
    • A metadata dictionary will be maintained in compliance with state requirements (HB 358 53A-1-1408:564)
    • Student data will not be collected and/or processed unless:
  • The parent or legal guardian has provided a valid, informed consent authorizing the data’s collection and use
  • Processing is necessary for compliance with a Weber School District legal obligation
  • Processing is necessary in order to protect the vital interest of the student
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authorized vest in the student data or in a third party to whom the data is disclosed
  • Processing is necessary for legitimate interest of Weber School District or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the student

Consent

  • Consent for the collection, management, dissemination, and deletion of student data must be informed, express, and freely given
  • To be valid, consent must be in writing
  • Consent with regard to Personally Identifiable Information must refer expressly to that data
  • Consent must be revocable
  • Consent system shall include provisions for determining what disclosures should or must be made in order to obtain a valid consent, documentation of the date, method and content of the disclosures made, as well as the validity, scope, and volition of the consents given

Transfers to Third-Parties

  • Student data shall not be transferred to another entity, country, or territory, unless reasonable and appropriate steps have been taken to maintain the required level of data protection
  • Student data may be communicated to the third persons only for reasons consistent with the purposes for which the data were originally collected or other purposes authorized by law
  • All student personally identifiable information transferred outside of Weber School District or across public communications networks shall be de-identified or shall be protected against unauthorized access by use of encryption
  • All transfers of student data to third persons for further processing shall be subject to written agreements
  • A third-party contractor shall use PII student data under contract strictly for the purpose of providing the contracted product or services within the negotiated contract terms (HB 358 53A-1-1410:639) (Modified by SB 163 53A-1-1410:289)
  • When contracting with a third-party contractor, Weber School District will be required to list the following provisions
    • Requirements and Restrictions related to the collection, use, storage, or sharing of student data by the third-party contractor
    • A description of a person or affiliated third-party contractor with whom the third-party contractor may share student data
    • A provision outlining the deletion of the student data received by the third-party contractor
    • Provisions that prohibit the secondary use of PII student data
    • An agreement by the third-party contractor that Weber School District may audit the third-party contractor to verify compliance of the contract
    • A stipulation that the third-party contractor will share student data as requested by law enforcement
    • A third-party contractor may:
      • Use student data for adaptive learning or customized learning
      • Market an educational application or product to the parent or legal guardian of a student if the third-party contractor did not use student data
      • Use a recommendation engine to recommend to a student:
        • Content that relates to learning or employment if the recommendation is not motivated by payment or other considerations
        • Services that relate to learning or employment if the recommendation is not motivated by payment or other considerations (HB 358 53A-1-1410:668)
      • The third-party contractor may respond to a student’s request for information or feedback, if the content of the response is not motivated by payment or other considerations
      • The third-party contractor may use student data to allow or improve operability and functionality of their internal application (HB 358 53A-1-1410:674) or identify for a student non-profit institutions of higher education or scholarship providers that are seeking students who meet specific criteria (SB 163 53A-1-1410:324)
        • Regardless of whether the identified non-profit institutions of higher education or scholarship providers provide payment or other consideration to the third-party contractor and
        • Only if the third-party contractor obtains written consent by a legal guardian (SB 163 53A-1-1410:327)
      • A third-party contractor is not required to obtain written consent if the third-party contractor:
        • Is a national assessment provider and
        • Secures the express written consent of the student or legal guardian and
        • Express written consent is given in response to clear and conspicuous notice that the national assessment provider requests consent solely to provide access to information on employment, educational scholarships, financial aid, or postsecondary educational opportunities
      • At the completion of a contract with Weber School District, if the contract has not been renewed, the third-party contractor shall:
        • Return all PII student data or
        • Delete all PII student data under the control of the education entity unless a student or the legal guardian consents to the maintenance of the PII student data
      • The third-party contractor may not:
        • Sell student data
        • Collect, use, or share student data if the data is inconsistent with the contract for Weber School District
        • Use student data for targeted advertising
      • A person may obtain student data through the purchase of, merger with, or otherwise acquiring third-party contractor if the third-party contractor remains in compliance with this section.

Third-Party Contractor Penalties (exact fines/repercussions are TBD) (HB 358 53A-1-1411:699)

  • If a third-party contractor knowingly or recklessly permits unauthorized collecting, sharing, or use of student data:
    • Weber School District may not enter into a future contract with them
      • Unless the school board determines that the third-party contractor has corrected the error
      • Unless the third-party contractor demonstrates they are currently compliant with these policies
      • Unless the third-party contractor is able to comply with the requirements listed here
    • May be required to pay a civil penalty up to $XX,XXX
      • The board may bring an action in the Weber County district court, if necessary, to enforce payment of the civil penalty
      • An individual who knowingly or intentionally permits unauthorized collecting, sharing, or use of student data may be found guilty of a class X misdemeanour
    • May be required to pay costs of notifying parents and students of the unauthorized use of student data
    • May be required to pay all expenses incurred by Weber School District and its schools as a result of the unauthorized sharing of student data
  • A parent or student may bring an action in a court of competent jurisdiction for damages caused by a knowing or reckless violation of the student data policy by a third-party contractor

Disclosures at the Time of Data Collection (HB 358 53A-1-1406:487)

  • Appropriate disclosures will be made at the time a legal guardian is asked to give consent to the collection or processing of student data, and whenever student data are collected.
  • The disclosure must be a stand-alone document that is published annually and available on the Weber School District’s website
  • Specific information must be disclosed to the legal guardian and/or any other person from whom student data are obtained at the time of collection, unless the legal guardian already has the information. Weber School District must establish technical or administrative means for documenting the fact that the legal guardian already has the information and how.
  • These disclosures should be given as soon as possible, and preferably at the first point of contact with the Legal Guardian. The disclosure will include both necessary and optional data that will be collected and include how the district stores and protects student data.
  • The disclosures should be made in a manner calculated to draw attention to them. The disclosures may not be given orally. Disclosures may be given electronically via the school district’s intranet or in writing. The receipt or form should be retained along with a contemporaneous record establishing the fact, date, content, and method of disclosure for a period of XXXXXX
  • If inadequate disclosures are made initially, additional disclosures may have to be made at a later time, and the fact, date, content, and method of these additional disclosures shall be recorded.
  • The Student Data Disclosure must contain the following statement: “The collection, use, and sharing of student data has both benefits and risks. Parents and students should learn about these benefits and risks and make choices regarding student data accordingly.”

Sources of Student Data

  • Student data shall be collected only from the legal guardian unless the nature of the business purpose necessitates collection of the data from other persons or bodies, collection from the legal guardian would necessitate disproportionate effort, or collection must be accomplished under emergency circumstances in order to protect an interest of the student or to prevent serious loss.
  • Weber School District will create a form or system to document and automate this process as fully as possible.
  • If student data are collected from someone other than the Legal Guardian, the student’s guardian must be informed of the following items unless the legal guardian has received the required information by other means, notification would require disproportionate effort, or the law expressly provides for collection, processing or transfer of the student data.
  • The fact of the collection, processing or transfer of the data by Weber School District;
  • The nature and purposes of the processing;
  • The recipients or categories of recipients of the data;
  • The origin of the data; and

Student Rights

  • Weber School District shall establish a system to enable and facilitate exercise of student data rights of access, blockage, erasure, opposition, rectification, and, where appropriate or required by applicable law, a system for giving notice of inappropriate exposure of the student data.
  • shall be entitled to obtain the following information about student data upon a request made in compliance with reasonable policies and procedures established, and set forth in writing.
  • Whether Weber School District has stored student data concerning the Legal Guardian.
  • Whether any of the data is personally identifiable.
  • The source(s) of the data, if known.
  • The recipients or categories of recipients to whom the data have been or may be transmitted.
  • The purposes of the collection, processing, use and storage of the data.
  • A hard copy of the data in an intelligible form.
    • Weber School District shall provide its response to a request for student data within 40 days of the date the school district receives a written request from the legal guardian and appropriate verification that the requestor is the an authorized legal representative.
    • A Legal Guardian shall have the right to require Weber School District to correct or supplement erroneous, misleading, outdated, or incomplete student data.
    • Requests for access to or rectification of student data shall be directed, at the Legal Guardian’s option, to the principal of the school responsible for the student data.
    • Weber School District shall establish a system for logging each request under this Section as it is received and noting the response date.
    • If Weber School District cannot respond fully to the request within the time indicated, then they shall nevertheless provide the following information within the specified time:
  • An acknowledgement of receipt of the request.
  • Disclosure of responsive information located to date.
  • Identification of any requested information or modifications which Weber School District will not provide, the reason(s) for the refusal, and the procedures for appealing the decision within the district, if any.
  • An estimate of a date by which the remaining responses will be made.
  • A statement or estimate of any costs to be paid by the requestor.
  • The name and contact information of the individual who the requestor should contact for follow up.
    • Where providing the information about the requesting student would disclose personally identifiable information about another individual, the school handling the request must review the data and redact or withhold the information as may be necessary or appropriate to protect that person’s rights.
    • Weber School District may establish procedures to screen and deny abusively burdensome or repetitive requests by or on behalf of a Legal Guardian.
    • The rights provided to parents in this policy transfer to the student when the student turns 18 years old or becomes an emancipated minor

Sensitive Data

  • Sensitive Data should not be processed unless:
    • Such processing is specifically authorized or required by law
    • The legal guardian expressly consents
    • The processing is required for preventive medicine, medical diagnosis, or health care treatment; provided the data are processed by a health professional subject to national law or rules with an obligation of professional secrecy or by another person with an equivalent obligation of secrecy. If Weber School District is relying upon this medical exemption, all contracts with employees and independent contractors who will have access to the Sensitive Data must contain confidentiality requirements equivalent to those imposed on health professionals.
    • Where the legal guardian is physically or legally incapable of giving consent, but the processing is necessary to protect a vital interest of the student. This exemption may apply, for example, where emergency medical care is needed.
    • Data relating to criminal offenses may be processed only by or under the control of an official authority.
  • If Weber School District is relying upon one of the exemptions to authorize processing of Sensitive Data, the exemption relied upon, and the basis for the exemptions should be recorded with the data.

Data Quality Assurance

  • Each individual school shall take steps to assure that student data it collects or processes is complete and accurate in the first instance. Data must be accurate and updated in such a way as to give a true picture of the current situation of the student.
  • Weber School District shall correct data which it knows to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the legal guardian does not request rectification. Inaccurate data must be erased and replaced by corrected or supplemented data.
  • Student data must be kept only for the period necessary for permitted uses. When defining a permitted use for data, the individual school shall establish a remove or review date for the stated purpose.
  • Student data should be erased if their storage violates any of the data protection rules or if knowledge of the data are no longer required by Weber School District or for the benefit of the Legal Guardian. See the Student Record Retention section in the Data Governance Plan.
  • Student data should be blocked, rather than erased, insofar as the law prohibits erasure, erasure would impair legitimate interests of the Legal Guardian, erasure is not possible without disproportionate effort due to the specific type of storage; or if the legal guardian disputes that the data are correct and it cannot be ascertained whether they are correct or incorrect.

Notice of Non-Compliance

  • Weber School District shall notify the Superintendent, directors, and principals that: i) failure to comply with relevant data protection legislation may trigger criminal and civil liability, including fines, imprisonment, and damage awards; and ii) they can be personally liable where an offense is committed by Weber School District with their consent or involvement, or is attributable to any neglect on their part.

Data Security

  • Physical, Technical, and Organizational Security Measures
    • Weber School District shall adopt physical, technical, and organizational measures to ensure the security of student data, including the prevention of their alteration, loss, damage, unauthorized processing or access, having regard to the state of the art, the nature of the data, and the risks to which they are exposed by virtue of human action or the physical or natural environment.
    • Adequate security measures should include all of the following:
  • Entry Control: Prevention of unauthorized persons from gaining access to data processing systems in which student data are processed or stored.
  • Access Control: Prevention of data processing systems from being used by unauthorized persons.
  • Disclosure Control: Preventing persons entitled to use a data processing system from accessing data beyond their needs and authorizations. This includes preventing unauthorized reading, copying, modifying or removal during processing and use, or after storage.
  • Input Control: Ensuring that it can be subsequently checked and established whether and by whom student data has been entered into, modified on, or removed from data processing systems.
  • Job Control: Ensuring that in the case of commissioned processing of student data, the data can be processed only in accordance with the instructions of the school district.
  • Availability Control: Ensuring that student data are protected against undesired destruction or loss.
  • Use Control: Ensuring that data collected for different purposes can and will be processed differently
  • Longevity Control: Ensuring that data is not kept longer than necessary, including by requiring that data transferred to third persons be returned or destroyed.

5. DISPUTE RESOLUTION

  • Employees
    • Employees with inquiries or complaints about the processing of student data should first discuss the matter with their Principal or Supervisor. If the employee does not wish to raise an inquiry or complaint with an immediate supervisor, or if the supervisor and the employee are unable to reach a satisfactory resolution of the issues raised, the employee should bring the issue to the attention of their Director.
  • Parents, Legal Guardians, and Adult Students
    • Parents, legal guardians, and adult students with inquiries or complaints about the processing of student data should bring the matter to the attention of the Student Data Compliance Officer in writing. Any disputes concerning the processing of the personal data of non-employees will be resolved through arbitration.

6. TRAINING

  • Each school and/or building will provide training to teach or re-emphasize privacy and security related procedures. These procedures should be set forth in written guidelines to employees and shall include at least the following.
  • Each employee’s duty to use and permit the use of student data only by authorized persons and for authorized purposes;
  • The contents of this Policy;
  • The relationship between this Policy and other Weber School District policies;
  • The need for and proper use of the forms and procedures adopted to implement this Policy;
  • The correct use of passwords, security tokens and other access mechanisms;
  • The importance of limiting access to student data, such as by using password protected screen savers, logging out when the information is not being used and attended by an authorized person;
  • Securely storing manual files, print outs and electronic storage media;
  • A general prohibition on the transfer of student data outside of the internal network and physical office premises unless otherwise stated in this Policy;
  • Proper disposal of confidential data by shredding, etc.;

7. COMPLIANCE MEASUREMENT

7.1 Current Compliance Assessment

Weber School District shall establish a schedule for and implement a data protection compliance audit for all locations. Weber School District, in cooperation with individual locations, shall devise a plan and schedule for correcting any identified deficiencies within a fixed, reasonable time.

7.2 Annual Data Protection Audit

Each location shall review annually its data collection, processing, and security practices. This annual review shall consist of at least the following:

  • The school or building shall determine what student data they are collecting, or intends to collect, the purposes of the data collection and processing, any additional permitted purposes, the actual uses of the data, what disclosures have been made about the purposes of the collection and use of such data, the existence and scope of any legal guardian consents to such activities, any legal obligations regarding the collection and processing of such data, and the scope, sufficiency, and implementation status of security measures.
  • The school or building shall determine what student data it has in manual systems that constitute “relevant filing systems.”
  • Each school shall identify all transferees of student data in its possession or control. The school shall determine where the transferee is located, the purposes of the transfer, what physical, technical, and procedural systems are in place to maintain at least the existing level of data protection and to prevent or control further transfers.
  • The information collected in this annual review shall be delivered to the Data Security Officer for review and appropriate action including, without limitation, the following:
    • Making recommendations for improvement to policies and procedures in order to improve compliance with this policy and applicable law.
    • Satisfying the requirements of all federal, state, and local laws in relation to transferring, storing, and deleting student data.

8. IMPLEMENTATION

  • Publication

This Policy shall be available to employees through the Human Resources Department and shall be made available to non-employees through posting to http://wsd.net.

  • Effective Date

This Policy is adopted as of July 1, 2017. Weber School District, in cooperation with the schools, will develop a timeline and program for implementing this Policy. This implementation program will include the resolution of any conflicts between this Policy and other existing policies. (HB 358 53A-1-1409:568)

  • Revisions

This Policy may be revised at any time. Notice of significant revisions shall be provided to employees through the Human Resources Department and to others through the Weber School District website, located at http://wsd.net.

9. PARENT NOTIFICATION OF THREATS AND INCIDENTS

  • For the purpose of this section, ‘parent’ includes a student’s guardian, or if the student is over 18 years old, the student
  • If a school or the school district notifies a parent of a threat or incident, the school or school district shall produce and maintain a record that verifies a parent was notified
  • At the request of a parent, the school may provide information or make recommendations related to the threat or incident
  • A school shall:
    • Provide a student a copy of a record maintained in accordance with this section as it relates to the student
    • Expunge the record maintained in accordance with this section when the student
  • Has graduated from High School and
  • Requests that the record be expunged
    • Notify a parent if the parent’s student threatens to commit suicide
    • Notify the parent of each student involved in an incident of:
  • Bullying
  • Cyber-Bullying
  • Harassment
  • Hazing
  • Retaliation

            

10. SURVEYS, ANALYSIS, AND EVALUATION RESTRICTIONS (PPRA)

  • Written consent from a Legal Guardian must be obtained prior to a student being required to take any type of survey, analysis, or evaluation that reveals information concerning the following. Parents must have an opportunity to opt out of any survey concerning one of these areas also:
  • Political affiliations;
  • Mental and psychological problems potentially embarrassing to the student and his/her family;
  • Sex behavior and attitudes;
  • Illegal, anti-social, self-incriminating and demeaning behavior;
  • Critical appraisals of other individuals with whom respondents have close family relationships;
  • Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
  • Religious practices, affiliations, or beliefs of the student or student's parent*; or
  • Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program.)
    • Weber School District must notify the Legal Guardian, at least annually at the beginning of the school year, of the specific or approximate dates during the school year when activities involving the collection, disclosure, or use of personal information collected from students for marketing purposes or to sell or otherwise provide the information to others for marketing purposes
    • Exception to the requirement of written notification and authorization by the Legal Guardian
      • Requirements concerning activities involving the collection and disclosure of personal information collected from students for marketing purposes does not apply to the collection, disclosure, or use of personal information collected for the exclusive purpose of developing, evaluating, or providing educational products or services such as:
    • College or post-secondary education recruitment
    • Military recruitment
    • Book clubs, magazines, and programs providing access to low-cost literary products
    • Curriculum and instructional materials used by elementary and secondary schools
    • Tests and assessments used by schools to provide cognitive, evaluative, diagnostic, clinical, aptitude, or achievement information about students
    • The sale by students of products or services to raise funds for school-related or education-related activities
    • Student recognition programs
      • The legal guardian has the right to inspect any type of instructional material or instrument used in the collection of personal information used as part of the educational curriculum for the student.
      • Any request for inspection of instructional material or instrument used in the collection of personal information must be granted within a reasonable period of time after the request is received
      • Weber School District must offer an opportunity for parents to opt out of participating in any of the activities outlined in this section

11. DEFINITIONS

  • Terms and Definitions (HB 358 53A-1-1402)

Adult Student: Student’s 18 years old or older, emancipated students, or students qualified under the McKinney-Vento Homeless Education Assistance

Aggregate Data: Totalled and reported at the group, school, district, region, or state level with at least 10 individuals at the level

Data Authorization: Written authorization to collect or share student’s data

Data Governance Plan: Comprehensive plan for managing education data

Education Entity: Weber School District and its individual schools

Expunge: Seal or permanently delete data

Instructional Material: Instructional content that is provided to a student, regardless of its format, including printed or representational materials, audio-visual materials, and materials in electronic or digital formats (such as materials accessible through the Internet). The term does not include academic tests or academic assessments.

Invasive Physical Examination: Any medical examination that involves the exposure of private body parts, or any act during such examination that includes incision, insertion, or injection into the body, but does not include a hearing, vision, or scoliosis screening.

Legal Guardian: Parent, Legal Guardian, or Adult Student

Necessary Student Data: Data required by the statute or federal law to conduct the regular activities (HB 358 53A-1-1402:314)

  • Name
  • Date of birth
  • Sex
  • Parent contact information
  • Custodial parent information
  • Contact information
  • Student ID number
  • Local, state, and national assessment results
  • Courses taken and completed, credits earned, other transcript information
  • Course grades and grade point average
  • Grade level and expected graduation date or cohort
  • Degree, diploma, credential attainment and other exit information
  • Attendance and mobility
  • Drop-out data
  • Immunization record or exception from one
  • Race
  • Ethnicity
  • Tribal affiliation
  • Remediation efforts
  • Except from vision screening
  • Information from vision screening
  • Utah registry of Autism and Developmental Disabilities
  • Student injury information
  • Cumulative disciplinary record created and maintained by district
  • Juvenile delinquency records
  • English language learner status
  • Child find and special education evaluation data related to initiation of IEP

Optional Student Data: Data not included in the Necessary category (HB 358 53A-1-1402:346)

  • Related to IEP or needed to provide special needs
  • Biometric information
  • Information that is not necessary student data and that is required for a student to participate in federal or other program

Personally Identifiable Information (PII): Information that identifies a student (HB 358 53A-1-1402:359)

  • Student’s first and last name
  • First and last name of student’s family member
  • Home or physical address
  • E-mail address or other contact information
  • Student’s phone number
  • Student’s social security number
  • Student’s biometric identifier
  • Health or disability data
  • Education entity student ID number
  • Social media username and password or alias
  • Customer number held in a cookie
  • Combinations
    • Student’s last name with a photograph
    • Student or their family member’s information combined with Personally Identifiable student information
    • Any information that would allow a reasonable person in the community to identify a student with reasonable certainty

Survey: An evaluation

12. RELATED LEGISLATION AND EXISTING POLICIES

  • Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
  • Children’s Online Privacy Protection Act (COPPA) (15 U.S. Code § 6506)
  • Protection of Pupil Rights Amendment (PPRA)
  • Utah House Bill 358 (2017)
  • Senate Bill 102 (2017)

13. FEEDBACK

  • Weber School District staff, students, parents, and legal guardians may provide feedback about this document by emailing
Tuesday, 07 November 2017 12:33

IT Security Plan

Written by

1. Purpose

The purpose of this policy is to ensure the secure use and handling of all district data, computer systems and computer equipment by District students, patrons, and employees.

2. Policy

2.1 Technology Security                                                                                               

It is the policy of the Weber School District to support secure network systems in the district, including security for all personally identifiable information that is stored on paper or stored digitally on district-maintained computers and networks. This policy supports efforts to mitigate threats that may cause harm to the district, its students, or its employees.

The district will ensure reasonable efforts will be made to maintain network security. Data loss can be caused by human error, hardware malfunction, natural disaster, security breach, etc., and may not be preventable.

All persons who are granted access to the district network and other technology resources are expected to be careful and aware of suspicious communications and unauthorized use of district devices and the network. When an employee or other user becomes aware of suspicious activity, he/she is to immediately contact the district’s Information Security Officer with the relevant information.

This policy and procedure also covers third party vendors/contractors that contain or have access to Weber School District critically sensitive data. All third party entities will be required to sign the Restriction on Use of Confidential Information Agreement before accessing our systems or receiving information.

It is the policy of Weber School District to fully conform with all federal and state privacy and data governance laws.  Including the Family Educational Rights and privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 (hereinafter “FERPA”), the Government Records and Management Act U.C.A. §62G-2 (hereinafter “GRAMA”), U.C.A. §53A-1-1401 et seq and Utah Administrative Code R277-487.

Professional development for staff and students regarding the importance of network security and best practices are included in the procedures. The procedures associated with this policy are consistent with guidelines provided by cyber security professionals worldwide and in accordance with Utah Education Network and the Utah State Office of Education. Weber School District supports the development, implementation and ongoing improvements for a robust security system of hardware and software that is designed to protect Weber School District’s data, users, and electronic assets.

3. Procedure

3.1. Definitions:

3.1.1.  Access: Directly or indirectly use, attempt to use, instruct, communicate with, cause input to, cause output from, or otherwise make use of any resources of a computer, computer system, computer network, or any means of communication with any of them.

3.1.2. Authorization: Having the express or implied consent or permission of the owner, or of the person authorized by the owner to give consent or permission to access a computer, computer system, or computer network in a manner not exceeding the consent or permission.

3.1.3. Computer: Any electronic device or communication facility that stores, retrieves, processes, or transmits data.

3.1.4. Computer system: A set of related, connected or unconnected, devices, software, or other related computer equipment.

3.1.5. Computer network: The interconnection of communication or telecommunication lines between: computers; or computers and remote terminals; or the interconnection by wireless technology between: computers; or computers and remote terminals.

3.1.6. Computer property: Includes electronic impulses, electronically produced data, information, financial instruments, software, or programs, in either machine or human readable form, any other tangible or intangible item relating to a computer, computer system, computer network, and copies of any of them.

3.1.7. Confidential: Data, text, or computer property that is protected by a security system that clearly evidences that the owner or custodian intends that it not be available to others without the owner's or custodian's permission.

3.1.8. Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.

3.1.9. Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered protected data

3.1.10. Security system: A computer, computer system, network, or computer property that has some form of access control technology implemented, such as encryption, password protection, other forced authentication, or access control designed to keep out unauthorized persons.

3.1.11. Sensitive data - Data that contains personally identifiable information.

3.1.12. System level – Access to the system that is considered full administrative access.  Includes operating system access and hosted application access.

3.2. Security Responsibility

3.2.1. Weber School District shall appoint, in writing, an IT Security Group (ISG) responsible for overseeing District-wide IT security with duties that include development of District policies and adherence to the standards defined in this document.

3.3. Training

3.3.1. Weber School District, led by the ISG, shall ensure that all District employees having access to sensitive information undergo annual IT security training which emphasizes their personal responsibility for protecting student and employee information. - Training resources will be provided to all District employees.

3.4. Physical Security

3.4.1. Computer Security

3.4.1.1. Weber School District shall ensure that any user’s computer must not be left unattended and unlocked, especially when logged into sensitive systems or data including student or employee information. Automatic log off, locks and password screen savers should be used to enforce this requirement.

3.4.1.2. Weber School District shall ensure that all equipment that contains sensitive information will be secured to deter theft.

3.4.2. Server/Network Room Security

3.4.2.1. Weber School District shall ensure that server rooms and telecommunication rooms/closets are protected by appropriate access control which segregates and restricts access from general school or District office areas. Access control shall be enforced using either keys, electronic card readers, or similar method with only those IT or other staff members having access necessary to perform their job functions are allowed unescorted access.

3.4.2.2. Telecommunication rooms/closets may only remain unlocked or unsecured when because of building design it is impossible to do otherwise or due to environmental problems that require the door to be opened.

3.4.3. Contractor access

3.4.3.1. Before any contractor is allowed access to any computer system, server room, or telecommunication room the contractor will need to present a company issued identification card, and his/her access will need to be confirmed directly by the authorized employee who issued the service request or by Weber School District’s Technology Department. 

3.5. Network Security

3.5.1. Network perimeter controls will be implemented to regulate traffic moving between trusted internal (District) resources and external, untrusted (Internet) entities. All network transmission of sensitive data should enforce encryption where technologically feasible.

3.5.2. Network Segmentation

3.5.2.1. Weber School District shall ensure that all untrusted and public access computer networks are separated from main district computer networks and utilize security policies to ensure the integrity of those computer networks.

3.5.2.2. Weber School District will utilize industry standards and current best practices to segment internal computer networks based on the data they contain. This will be done to prevent unauthorized users from accessing services unrelated to their job duties and minimize potential damage from other compromised systems.

3.5.3. Wireless Networks

3.5.3.1. No wireless access point shall be installed on Weber School District’s computer network that does not conform with current network standards as defined by the Network Manager.  Any exceptions to this must be approved directly in writing by the Information Security Group.

3.5.3.2. Weber School District shall scan for and remove or disable any rogue wireless devices on a regular basis.

3.5.3.3. All wireless access networks shall conform to current best practices and shall utilize at minimal WPA encryption for any connections.  Open access networks are not permitted, except on a temporary basis for events when deemed necessary.

3.5.4. Remote Access

3.5.4.1. Weber School District shall ensure that any remote access with connectivity to the District’s internal network is achieved using the District’s Palo Alto Global VPN service that is protected by multiple factor authentication systems.  Any exception to this policy must be due to a service provider’s technical requirements and must be approved by the Information Security Officer.

3.6. Access Control

3.6.1. System and application access will be granted based upon the least amount of access to data and programs required by the user in accordance with a business need-to-have requirement.

3.6.2. Authentication

3.6.2.1. Weber School District shall enforce strong password management for employees, students, and contractors. 

3.6.2.2. Password Creation

3.6.2.2.1. All server system-level passwords must conform to the Password Construction Guidelines posted on the Weber School District Technology Website.

3.6.2.3. Password Protection

3.6.2.3.1. Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential information.

3.6.2.3.2. Passwords must not be inserted into email messages or other forms of electronic communication.

3.6.2.3.3. Passwords must not be revealed over the phone to anyone.

3.6.2.3.4. Do not reveal a password on questionnaires or security forms.

3.6.2.3.5. Do not hint at the format of a password (for example, "my family name"). 

3.6.2.3.6. Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.

3.6.2. Authorization

3.6.2.1. Weber School District shall ensure that user access shall be limited to only those specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.

3.6.2.2. Weber School District shall ensure that user access should be granted and/or terminated upon timely receipt, and management’s approval, of a documented access request/termination.

3.6.3. Accounting

3.6.3.1. Weber School District shall ensure that audit and log files are maintained for at least ninety days for all critical security-relevant events such as: invalid logon attempts, changes to the security policy/ configuration, and failed attempts to access objects by unauthorized users, etc.

3.6.4. Administrative Access Controls

3.6.4.1. Weber School District shall limit IT administrator privileges (operating system, database, and applications) to the minimum number of staff required to perform these sensitive duties.

3.7. Incident Management

3.7.1. Monitoring and responding to IT related incidents will be designed to provide early notification of events and rapid response and recovery from internal or external network or system attacks.

3.8. Business Continuity

3.8.1. To ensure continuous critical IT services, IT will develop a business continuity/disaster recovery plan appropriate for the size and complexity of District IT operations.

3.8.2. Weber School District shall develop and deploy a district-wide business continuity plan which should include as a minimum:

  • Backup Data: Procedures for performing routine daily/weekly/monthly backups and storing backup media at a secured location other than the server room or adjacent facilities. As a minimum, backup media must be stored off-site a reasonably safe distance from the primary server room.
  • Secondary Locations: Identify a backup processing location, such as another School or District building.
  • Emergency Procedures: Document a calling tree with emergency actions to include: recovery of backup data, restoration of processing at the secondary location, and generation of student and employee listings for ensuing a full head count of all.

3.9. Malicious Software

3.9.1. Server and workstation protection software will be deployed to identify and eradicate malicious software attacks such as viruses, spyware, and malware.

3.9.2. Weber School District shall install, distribute, and maintain spyware and virus protection software on all district-owned equipment, i.e. servers, workstations, and laptops. 

3.9.3. Weber School District shall ensure that malicious software protection will include frequent update downloads (minimum weekly), frequent scanning (minimum weekly), and that malicious software protection is in active state (real time) on all operating servers/workstations.

3.9.4. Weber School District shall ensure that all security-relevant software patches (workstations and servers) are applied within thirty days and critical patches shall be applied as soon as possible.

3.9.5. All computers must use the District approved anti-virus solution.

3.9.6. Any exceptions to section 3.9 must be approved by the Information Security Officer.

3.10. Internet Content Filtering

3.10.1. In accordance with Federal and State Law, Weber School District shall filter internet traffic for content defined in law that is deemed harmful to minors.

3.10.2. Weber School District acknowledges that technology based filters are not always effective at eliminating harmful content and due to this, Weber School District uses a combination of technological means and supervisory means to protect students from harmful online content.

3.10.3. In the event that students take devices home, Weber School District will provide a technology based filtering solution for those devices.  However, the District will rely on parents to provide the supervision necessary to fully protect students from accessing harmful online content.

3.10.4. Students shall be supervised when accessing the internet and using district owned devices on school property.

3.11. Data Privacy

3.11.1. Weber School District considers the protection of the data it collects on students, employees and their families to be of the utmost importance.

3.11.2. Weber School District protects student data in compliance with the Family Educational Rights and privacy Act, 20 U.S. Code §1232g and 34 CFR Part 99 ( “FERPA”), the Government Records and Management Act  U.C.A. §62G-2 ( “GRAMA”), U.C.A. §53A-1-1401 et seq, 15 U.S. Code §§ 6501–6506 (“COPPA”) and Utah Administrative Code R277-487 (“Student Data Protection Act”).

3.11.3. Weber School District shall ensure that employee records access shall be limited to only those individuals who have specific access requirements necessary to perform their jobs. Where possible, segregation of duties will be utilized to control authorization access.

3.12. Security Audit and Remediation

3.12.1. Weber School District shall perform routine security and privacy audits in congruence with the District’s Information Security Audit Plan.

3.12.2. District personnel shall develop remediation plans to address identified lapses that conforms with the District’s Information Security Remediation Plan Template.

3.13. Disciplinary Actions

3.13.1 Employee Disciplinary Actions shall be in accordance with applicable laws, regulations and District policies.  Any employee found to be in violation may be subject to disciplinary action up to and including termination of employment with the Weber School District.