MODEL STUDENT DATA PRIVACY AND SECURITY POLICY
Drafted by the Data Management Council and adopted by the Idaho State Board of Education
Effective August 14, 2014
The efficient collection, analysis, and storage of student information is essential to improve the education of our students. As the use of student data has increased and technology has advanced, the need to exercise care in the handling of confidential student information has intensified. The privacy of students and the use of confidential student information is protected by federal and state laws, including the Family Educational Rights and Privacy Act (FERPA) and the Idaho Student Data Accessibility, Transparency and Accountability Act of 2014 (Idaho Data Accountability Act).
Student information is compiled and used to evaluate and improve Idaho’s educational system and improve transitions from high school to postsecondary education or the workforce. The Data Management Council (DMC) was established by the Idaho State Board of Education to make recommendations on the proper collection, protection, storage and use of confidential student information stored within the Statewide Longitudinal Data System (SLDS). The DMC includes representatives from K-12, higher education institutions and the Department of Labor.¹
This model policy is required by the Idaho Data Accountability Act. In order to ensure the proper protection of confidential student information, each school district and public charter school shall adopt, implement and electronically post this policy. It is intended to provide guidance regarding the collection, access, security and use of education data to protect student privacy. This policy is consistent with the DMC’s policies regarding the access, security and use of data maintained within the SLDS.² Violation of the Idaho Data Accountability Act may result in civil penalties.³
Defined Terms
Administrative Security consists of policies, procedures, and personnel controls including security policies, training, and audits, technical training, supervision, separation of duties, rotation of duties, recruiting and termination procedures, user access control, background checks, performance evaluations, and disaster recovery, contingency, and emergency plans. These measures ensure that authorized users know and understand how to properly use the system in order to maintain security of data.
Aggregate Data is collected or reported at a group, cohort or institutional level and does not contain PII.
Data Breach is the unauthorized acquisition of PII.
Logical Security consists of software safeguards for an organization’s systems, including user identification and password access, authenticating, access rights and authority levels. These measures ensure that only authorized users are able to perform actions or access information in a network or a workstation.
Personally Identifiable Information (PII) includes: a student’s name; the name of a student’s family; the student’s address; the students’ social security number; a student education unique identification number or biometric record; or other indirect identifiers such as a student’s date of birth, place of birth or mother’s maiden name; and other information that alone or in combination is linked or linkable to a specific student that would allow a reasonable person in the school community who does not have personal knowledge of the relevant circumstances, to identify the student.
Physical Security describes security measures designed to deny unauthorized access to facilities or equipment.
Student Data means data collected at the student level and included in a student’s educational records.
Unauthorized Data Disclosure is the intentional or unintentional release of PII to an unauthorized person or untrusted environment.
Collection
- School districts and public charter schools shall follow applicable state and federal laws related to student privacy in the collection of student data.
Access
- Unless prohibited by law or court order, school districts and public charter schools shall provide parents, legal guardians, or eligible students, as applicable, the ability to review their child’s educational records.
- The Superintendent, administrator, or designee, is responsible for granting, removing, and reviewing user access to student data. An annual review of existing access shall be performed.
- Access to PII maintained by the school district or public charter school shall be restricted to: (1) the authorized staff of the school district or public charter school who require access to perform their assigned duties; and (2) authorized employees of the State Board of Education and the State Department of Education who require access to perform their assigned duties; and (3) vendors who require access to perform their assigned duties.
Security
- School districts and public charter schools shall have in place Administrative Security, Physical Security, and Logical Security controls to protect from a Data Breach or Unauthorized Data Disclosure.
- School districts and public charter schools shall immediately notify the Executive Director of the Idaho State Board of Education and the State Superintendent of Public Instruction in the case of a confirmed Data Breach or confirmed Unauthorized Data Disclosure.
- School districts and public charter schools shall notify in a timely manner affected individuals, students, and families if there is a confirmed Data Breach or confirmed Unauthorized Data Disclosure.
Use
- Publicly released reports shall not include PII and shall use Aggregate Data in such a manner that re-identification of individual students is not possible.
- School district or public charter school contracts with outside vendors involving student data, which govern databases, online services, assessments, special education or instructional supports, shall include the following provisions which are intended to safeguard student privacy and the security of the data:
- Requirement that the vendor agree to comply with all applicable state and federal law;
- Requirement that the vendor have in place Administrative Security, Physical Security, and Logical Security controls to protect from a Data Breach or Unauthorized Data Disclosure;
- Requirement that the vendor restrict access to PII to the authorized staff of the vendor who require such access to perform their assigned duties;
- Prohibition against the vendor’s secondary use of PII including sales, marketing or advertising;
- Requirement for data destruction and an associated timeframe; and
- Penalties for non-compliance with the above provisions.
- School districts and public charter schools shall clearly define what data is determined to be directory information.
- If a school district or public charter school chooses to publish directory information which includes PII, parents must be notified annually in writing and given an opportunity to opt out of the directory. If a parent does not opt out, the release of the information as part of the directory is not a Data Breach or Unauthorized Data Disclosure.
Resources
FERPA
Electronic Code of Federal Regulations pertaining to FERPA: 34 CFR Part 99
U.S. Department of Education, Family Policy Compliance Office
Idaho Student Data Accessibility, Transparency and Accountability Act of 2014, Idaho Code Title 33, Section 133
—
¹ Data Management Council
² Data Management Council Policies and Procedures
³ Idaho Code Title 33, Section 133
Xavier Charter School Privacy Policy
Effective as of August 01, 2024
This Privacy Policy (“Policy”) applies to https://www.xaviercharter.org, and Xavier Charter School, Inc. (“Company”) and governs data collection and usage. For the purposes of this Privacy Policy, unless otherwise noted, all references to the Company include https://www.xaviercharter.org. The Company’s website is a informational site. By using the Company website, you consent to the data practices described in this statement.
Collection of your Personal Information
In order to better provide you with products and services offered, the Company may collect personally identifiable information, such as your:
-First and last name
-Mailing address
-Email address
-Phone number
-Student name, student age, student grade level
The Company may also collect anonymous demographic information, which is not unique to you, such as your:
-Age
-Gender
-Race
We do not collect any personal information about you unless you voluntarily provide it to us. However, you may be required to provide certain personal information to us when you elect to use certain products or services. These may include: (a) registering for an account; (b) entering a sweepstakes or contest sponsored by us or one of our partners; (c) signing up for special offers from selected third parties; (d) sending us an email message; (e) submitting your credit card or other payment information when ordering and purchasing products and services. To wit, we will use your information for, but not limited to, communicating with you in relation to services and/or products you have requested from us. We also may gather additional personal or non-personal information in the future.
Use of your Personal Information
The Company collects and uses your personal information in the following ways:
-to operate and deliver the services you have requested
-to provide you with information, products, or services that you request from us
-to provide you with notices about your account
-to carry out the Company’s obligations and enforce our rights arising from any contracts entered between you and us, including for billing and collection
-to notify you about changes to our https://www.xaviercharter.org or any products or services we offer or provide through it
-in any other way we may describe when you provide the information
-for any other purpose with your consent.
The Company may also use your personally identifiable information to inform you of other products or services available from the Company and its affiliates.
Sharing Information with Third Parties
The Company does not sell, rent, or lease its customer lists to third parties.
The Company may share data with trusted partners to help perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services tothe Company, and they are required to maintain the confidentiality of your information.
The Company may disclose your personal information, without notice, if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on the Company or the site; (b) protect and defend the rights or property of the Company; and/or (c) act under exigent circumstances to protect the personal safety of users of the Company, or the public.
Automatically Collected Information
The Company may automatically collect information about your computer hardware and software. This information can include your IP address, browser type, domain names, access times, and referring website addresses. This information is used for the operation of the service, to maintain quality of the service, and to provide general statistics regarding the use of the Company’s website.
Use of Cookies
The Company’s website may use “cookies” to help you personalize your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you.
One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the web server that you have returned to a specific page. For example, if you personalize the Company’s pages, or register with Company’s site or services, a cookie helps the Company to recall your specific information on subsequent visits. This simplifies the process of recording your personal information, such as billing addresses, shipping addresses, and so on. When you return to the same website, the information you previously provided can be retrieved, so you can easily use the Company’s features that you customized.
You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the Company’s services or websites you visit.
Links
This website contains links to other sites. Please be aware that we are not responsible for the content or privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of any other site that collects personally identifiable information.
Security of your Personal Information
The Company secures your personal information from unauthorized access, use, or disclosure. The Company uses the following methods for this purpose:
– SSL Protocol
When personal information (such as a credit card number) is transmitted to other websites, it is protected through the use of encryption, such as the Secure Sockets Layer (SSL) protocol.
We strive to take appropriate security measures to protect against unauthorized access to or alteration of your personal information. Unfortunately, no data transmission over the Internet or any wireless network can be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, you acknowledge that: (a) there are security and privacy limitations inherent to the Internet that are beyond our control; and (b) the security, integrity, and privacy of any and all information and data exchanged between you and us through this site cannot be guaranteed.
Right to Deletion
Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:
-Delete your personal information from our records; and
-Direct any service providers to delete your personal information from their records.
Please note that we may not be able to comply with requests to delete your personal information if it is necessary to:
-Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, and provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us;
-Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
-Debug to identify and repair errors that impair existing intended functionality;
-Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
-Comply with the California Electronic Communications Privacy Act;
-Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent;
-Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
-Comply with an existing legal obligation; or
-Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.
Children Under Thirteen
The Company follows the principles of the Children’s Online Privacy Protection Act (“COPPA”), the GDPR, and any other local laws pertaining to the collection of children’s data. Any accounts or subscriptions created for users known to be children will involve parental notification and/or consent.
The Company collects personally identifiable information from children under the age of 13.
Email Communications & Text Message (SMS) Communications
From time to time, the Company may contact you via email or SMS text message for the purpose of providing announcements, promotional offers, alerts, confirmations, surveys, and/or other general communication. In order to improve our services, we may receive a notification when you open an email from the Company or click on a link therein.
If you would like to stop receiving marketing or promotional communications via email from the Company, you may opt out of such communications by click the unsubscribe link at the bottom of each email, reply STOP to be unsubscribed, or email [email protected] to be removed from communications.
External Data Storage Sites
We may store your data on servers provided by third-party hosting vendors with whom we have contracted.
Changes to This Statement
The Company reserves the right to change this Policy from time to time. For example, when there are changes in our services, changes in our data protection practices, or changes in the law. When changes to this Policy are significant, we will inform you. You may receive a notice by sending an email to the primary email address specified in your account, by placing a prominent notice on our Xavier Charter School, Inc., and/or by updating any privacy information. Your continued use of the website and/or services available after such modifications will constitute your: (a) acknowledgment of the modified Policy; and (b) agreement to abide and be bound by that Policy.
Contact Information
The Company welcomes your questions or comments regarding this Policy. If you believe that the Company has not adhered to this Policy, please contact the Company at:
Xavier Charter School, Inc.
1218 North College Rd. W.
Twin Falls, Idaho 83301
Email Address:
Phone Number:
2087343947