BUSINESS AND NON-INSTRUCTIONAL OPERATIONS
STUDENT DATA PROTECTION AND PRIVACY/CLOUD-BASED ISSUES
The Board of Education (Board) may, pursuant to this policy, enter into a contract with a third party for either or both of the following purposes:
- To provide services, including Cloud-based services, for the digital storage, management, and retrieval of student records.
- To provide digital educational software that authorizes a third-party provider of digital educational software to access, store, and use student records in accordance with the contractual provision listed below.
The Board, when entering into a contract with a contractor for the purposes listed above, shall ensure the contract includes, but is not limited to, the following:
- A statement that student records, student information and student-generated content continue to be the property of and under the control of the Board. (They are not the property of, or under the control of, a software or electronic service contractor.)
- A description of the means by which the Board, students, their parents or legal guardians may retain possession and control of student-generated content, and, if applicable, the means by which a student, parent or legal guardian of a student may transfer student-generated content to an electronic mail account.
- A statement that the contractor will not use student information, student records, or student-generated content for any purposes except as authorized by their contract with the District.
- A description of the procedures by which a student, parent or legal guardian of a student may review personally identifiable information (PII) contained in the student's record, student information or student-generated content, and have erroneous information corrected.
- A statement that the contractor shall take actions designed to ensure the security and confidentiality of student records, student information, and student-generated content.
- A description of the procedures that a contractor will follow for notifying a student, parent or legal guardian of a student, and the Board, as soon as practical, but not later than forty-eight (48) hours after the contractor becomes aware of or suspects that any student record, student information or student-generated content has been compromised, altered or corrected.
- A statement that a student's records, student information, or student-generated content shall not be retained or available to the contractor upon completion of the contracted services unless a student, parent or legal guardian of a student chooses to establish or maintain an electronic account with the contractor for the purpose of storing student-generated content.
- A statement that the contractor and the District shall ensure compliance with the Federal Family Educational Rights and Privacy Act (FERPA), 20 USC 1232g.
- A statement that Connecticut laws shall govern the rights and duties of the contractor and the Board.
- A statement that if any provision of the contract or the application of the contract is held invalid by a court of competent jurisdiction, the invalidity does not affect other provisions of the contract if those provisions can still be given effect.
- A prohibition against the contractor using personally identifiable information contained in student records to engage in advertising or for any other purposes other than those authorized pursuant to the contract.
Any provision of a contract entered into between a contractor and the Board that conflicts with the provision listed above shall be void.
Any contract that does not include the provisions listed above shall be void, provided the Board has given reasonable notice to the contractor and the contractor has failed within a reasonable time to amend the contract to include the required provisions.
Not later than five business days after executing a contract pursuant to this policy, the Board shall provide electronic notice to any student and the parent or legal guardian of a student affected by the contract. The notice shall (1) state that the contract has been executed and the date that such contract was executed, (2) provide a brief description of the contract and the purpose of the contract, and (3) state what student information, student records or student-generated content may be collected as a result of the contract. The Board shall post such notice and the contract on the Board's website.
The Board expects that an operator shall implement and maintain reasonable security procedures and practices, in accordance with current industry standards, to protect student information from unauthorized access, destruction, use, modification and disclosure, and to delete any student information if a student, their parent/legal guardian, or the Board requests the deletion of such student information.
Notice of Breach of Security/Data Breach
Upon notice of a breach of security by a contractor, the Board shall, within forty-eight (48) hours, notify the students and the parents/legal guardians of the students whose student information, student records, or student-generated content was involved in such breach. The Board shall also, as required, post notice of the breach on its website.
Upon the discovery of a breach of security that results in the unauthorized release of student information, excluding directory information, the contract shall contain the provision that the contractor must notify the Board of such breach without unreasonable delay, and in no case later than thirty (30) days from the discovery of the breach.
Upon the discovery of a breach of security that results in the unauthorized release of directory information, student records, or student-generated content, the contract shall contain the provision that the contractor must notify the Board without reasonable delay and in no case later than sixty (6) days from the discovery of the breach.
1. "Contractor" means an operator or consultant that is in possession of or has access to student information, student records or student-generated content as a result of a contract with a local or regional Board of Education.
2. "Operator" means the operator of a website, online service, online application, or mobile application with actual knowledge that such website, service, or mobile application is used primarily for school purposes and was designed and marketed for school purposes and who collects, maintains or uses student information.
3. "Student" means an individual who was enrolled in Litchfield Public Schools at any time between the ages of 3 and 21.
4. "Deidentified information" means any information that has been altered to prevent the identification of an individual student.
5. "Student-generated content" means materials created by a student, including, but not limited to, essays, research reports, portfolios, creative writing, music or other audio files, or photographs. "Student-generated content" does not include student responses to a standardized assessment.
6. "Student records" means any information directly related to a student that is maintained by the school district, the State Board of Education or the Department of Education or any information acquired from a student through the use of educational software assigned to the student by a teacher or other district employee.
"Student records" does not mean de-identified information, allowed under the contract to be used by the contractor to improve educational products for adaptive learning purposes and for customizing student learning.
7. "Online service" includes Cloud computing services, which must comply with this policy if they otherwise meet the definition of an operator.
8. "Student information" means personally identifiable information regarding a student that, in any media or format, meets any of the following:
- Is created or provided by a student, or the student's parent or legal guardian, to the operator in the course of the student's, parent's, or legal guardian's use of the operator's website, online service, or mobile application for school purposes.
- Is created or provided by an employee or agent of the school, school district, or local education agency, to an operator for school purposes.
- Is gathered by an operator through the operation of the operator's website, online service, or mobile application and identifies a student including but not limited to information in the student's educational record or email account, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluation, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.
9. "School purposes" means purposes that customarily take place at the direction of a teacher or school district, or aid in the administration of school activities, including, but not limited to, instruction in the classroom, administrative activities, and collaboration among students, school personnel, or parents/legal guardians.
The Board, through this policy, places restrictions on an "operator" as defined in this policy. An operator shall not knowingly engage in any of the following activities with respect to their website, online service or mobile application:
1. Engage in targeted advertising on the operator's site, service, or application, or on any other website, online service or mobile application;
2. Use student information to create a profile of a student for purposes other than the furtherance of school purposes;
3. Sell student information, unless the sale is part of the purchase, merger, or acquisition of an operator by a successor operator and the operator and the successor operator continue to be subject to the provisions of this policy regarding student information; or
4. Disclose student information, unless the disclosure is made (a) in furtherance of school purposes of the website, online service or mobile application, provided the recipient of the student information uses such student information to improve the operability and functionality of the website, online service or mobile application and complies with this policy; (b) to ensure compliance with federal or state law; (c) in response to a judicial order; (d) to protect the safety of users or others, or the security of the website, online service or mobile application; or (e) to an entity hired by the operator to provide services for the operator's website, online service or mobile application, provided the operator contractually (i) prohibits the entity from using student information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the entity from disclosing student information provided by the operator to subsequent third parties, and (iii) requires the entity to comply with this policy.
The Board recognizes that an operator may:
- Use student information (1) to maintain, support, evaluate or diagnose the operator's website, online service or mobile application, or (2) for adaptive learning purposes or customized student learning.
- Use de-identified student information (1) to develop or improve the operator's website, online service or mobile application, or other websites, online services or mobile applications owned by the operator, or (2) to demonstrate or market the effectiveness of the operator's website, online service or mobile application.
- Share aggregated de-identified student information for the improvement and development of websites, online services or mobile applications designed for school purposes.
Nothing in this policy shall be construed to:
- Limit the ability of a law enforcement agency to obtain student information from an operator as authorized by law or pursuant to a court order;
- Limit the ability of a student or the parent or legal guardian of a student to download, transfer or otherwise save or maintain student information;
- Impose a duty upon a provider of an interactive computer service, as defined in 47 USC 230, to ensure compliance with this section by third-party information content providers, as defined in 47 USC 230;
- Impose a duty upon a seller or provider of online services or mobile applications to ensure compliance with this policy with regard to such online services or mobile applications;
- Limit an Internet service provider from providing a student, parent or legal guardian of a student or local or regional Board of Education with the ability to connect to the Internet;
- Apply to websites, online services or mobile applications that are designed and marketed for use by individuals generally, even if the account credentials created for an operator's website, online service or mobile application may be used to access websites, online services or mobile applications that are designed and marketed for use by individuals generally.
The Board, upon determination that a request for directory information is related to school purposes, may disclose directory information to any person requesting such directory information. If the Board determines that a request for directory information is not related to school purposes, the Board shall not disclose such directory information.
(cf. 5125 – Student Records; Confidentiality)
(cf. 5145.15 – Directory Information)
Legal Reference: Conn. Gen. Stat. § 1-19(b) (11) Access to public records. Exempt records.
Conn. Gen. Stat. § 7-109 Destruction of documents.
Conn. Gen. Stat. § 10-15b Access of parent or guardians to student's records.
Conn. Gen. Stat. § 10-209 Records not to be public.
Conn. Gen. Stat. § 11-8a Retention, destruction and transfer of documents
Conn. Gen. Stat. § 11-8b Transfer or disposal of public records. State Library Board to adopt regulations.
Conn. Gen. Stat. § 46b-56(e) Access to Records of Minors.
Connecticut Public Records Administration Schedule V – Disposition of Education Records (Revised 1983)
P.A. 16-189 An Act concerning Student Privacy
Federal Family Educational Rights and Privacy Act of 1974 (section 438 of the General Education Provisions Act, as amended, added by section 513 of P.L. 93-568, codified at 10 U.S.C. 1232g).
Dept. of Educ., 34 C.F.R. Part 99 (May 9, 1980, 45 FR 30802) regs. implementing FERPA enacted as part of 438 of General Educ. Provisions Act (20 U.S.C. 1232g) parent and student privacy and other rights with respect to educational records, as amended 11/21/96.
Protection of Pupil Rights Amendment (PPRA) 20 U.S.C. § 1232g (2014)
Children's Online Privacy Protection Act (COPPA) 15 U.S.C. §§6501 et seq. (2014)
Litchfield Board of Education
Policy Adopted: 8/16/2017