Jefferson County School Board Data Governance Plan

(1)

Page 1 of 56

Jefferson County School Board

Data Governance Plan

(2)

Page 2 of 56

Applicable Laws and Standards

The Jefferson County School District will abide by any law, statutory, regulatory, or contractual obligations affecting its information systems. The District’s data governance policy and

procedures are informed by the following laws, rules, and standards, among others as identified:

FERPA

The Family Educational Rights and Privacy Act (FERPA) afford parents and students over 18 years of age (“eligible students”) certain rights with respect to the student’s education records. These rights are:



The right to inspect and review the student’s educational records within 45 days of the day the school receives a request for access.

Parents or eligible students should submit to the school principal a written request that identifies the record(s) they wish to inspect. The school official will make arrangements for access and notify the parent or eligible student of the time and place where the records may be inspected.



The right to request the amendment of the student’s education records that the parent or eligible student believes is inaccurate.

Parents or eligible students may ask the school to amend a record they believe is inaccurate by notifying the school principal in writing. The request must clearly identify the part of the record to be amended and must specify why it is inaccurate. If the school decides not to amend the record as requested by the parent or eligible student, the school will notify the parent or eligible student of the decision and advise them of their right to a hearing regarding the request for amendment. Information regarding the hearing procedures will be provided to the parent or eligible student at the time of this notification.



The right to consent to disclosures of personally identifiable information contained in the student’s education records, except to the extent that FERPA authorizes disclosure without consent.

Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions:

 School officials with legitimate educational interest;

 Other schools to which a student is transferring;

 Specified officials for audit or evaluation purposes;

 Appropriate parties in connection with financial aid to a student;

 Organizations conducting certain studies for or on behalf of the school;

 Accrediting organizations;

 State and local authorities, within a juvenile justice system, pursuant to specific State law;

(6)

Page 6 of 56

 Appropriate officials in cases of health and safety emergencies.

Jefferson County Board of Education school administrators will transfer upon request all education records, including disciplinary records, with respect to a suspension or expulsion, to any private or public elementary school or secondary school for any student who is enrolled or seeks, intends, or is instructed to enroll on a full or part-time basis.

School Districts, with certain exceptions, must obtain your written consent prior to the disclosure of personally identifiable information from your child’s education records. However, school districts may disclose appropriately designated “directory information” without written consent, unless you have advised the district to the contrary.

The primary purpose of directory information is to allow the school district to include this type of information from your child’s education records in certain school publications. Examples include:

 A playbill, showing your student’s role in a drama production;  The annual yearbook;

 Honor roll or other recognition lists;  Graduation programs; and

 Sports activity sheets.

Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent. Outside organizations include, but are not limited to, companies that manufacture class rings or publish yearbooks.

Additionally, parents have to right to inspect, upon request, any instrument used in the collection of information as described above. This inspection will be scheduled within 45 days of the day the school receives such a request in writing.

The Jefferson County Board of Education has designated the following information as Directory Information:

 Student’s or parent’s name;

 Address;

 Telephone listing;

 Participation in officially recognized activities and sports;

 Weight and height of members of athletic teams;

 Electronic mail address;

 Photograph;

 Diplomas, honors and awards received;

 Date and place of birth;

 Dates of attendance;

 Grade level;

(7)

Page 7 of 56

The use of directory information by Jefferson County Schools is for educational purposes and for the benefit and enhancement of educational programs.

Parents and eligible students have the right to request that directory information not be disclosed by contacting the school principal in writing no later than fifteen (15) days of the beginning of the school year or within (15) days after enrollment in school, whichever is later.

Parents should know that schools may, upon request, provide military recruiters the same access to secondary school students as provided to postsecondary institutions or to prospective employers; and must provide student’s names, addresses, and telephone listings to military recruiters, when requested, unless a parent has “opted” out of providing such information. Parents of Jefferson County School students and eligible students wishing to “opt” out must notify the school principal in writing no later than fifteen (15) days after receipt of this notice each school each year.

 Parents should know that schools and contractors must obtain prior written parental consent before minor students are required to participate in any ED funded survey, analysis, or evaluation that reveals information concerning;

 Political affiliations or beliefs of the student or the student’s parent;  Mental and psychological problems of the student or the student’s family;

 Sex behavior or attitudes;

 Illegal, anti-social, self-incriminating, or demeaning behavior;

 Critical appraisals of other individuals with whom respondents have close family relationships;

 Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;

 Religious practices, affiliations, or beliefs of the student or student’s parent;

 Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).

Additionally, schools and contractors must make instructional materials available for inspection by parents if those materials will be used in connection with an ED-funded survey, analysis, or evaluation in which their children participate.

 Parents have the right to inspect, upon request, a survey created by a third party (non-Department of Education funded), if the survey contains one or more of the eight items of information noted above, before the survey is administered or distributed by a school to students. This inspection will be scheduled within 45 days of the day the school receives such a request.

 Parents have the right to opt out of (deny permission for their child) activities involving the collection and disclosure of personal information from students for marketing purposes or for selling that information, or otherwise providing that information to others for that purpose. However, this right does not apply to the collection, disclosure or use of personal information collected from students for the exclusive purpose of developing, evaluating, or providing educational products or services for, or to, students or educational institutions, such as the following:

 college or other postsecondary education recruitment, or military recruitment;

(8)

Page 8 of 56

 curriculum and instructional materials used by elementary schools and secondary schools;

 tests and assessments used by elementary schools and secondary schools to provide cognitive, evaluative, diagnostic, clinical, aptitude or achievement information about students;

 the sale by students of products or services to raise funds for school-related or education-related activities; and

 student recognition programs.

 Parents have the right to opt out of (deny permission for their child) participation in the administration of any third party (non-Department of Education funded) survey containing one or more of the above described eight items of information. Parents wishing to opt out must notify the school administrator in writing within fifteen (15) days receipt of notice of survey(s) or by the designated due date.

The Jefferson County Board of Education will make arrangements to protect student privacy in the event of the administration of a survey to students.

 Parents have the right to inspect, upon written request to the school principal, any instructional material used as part of the educational curriculum for students. This inspection will be scheduled within 45 days of the day the school receives such a written request.

 Parents have the opportunity to “opt out” of the administration of physical examinations or screenings that are non-emergency or invasive and are 1) required as a condition of attendance; 2) administered by the school and scheduled by the school in advance; AND 3) NOT necessary to protect the immediate health and safety of the student, or of other students. (Invasive physical examination is defined as any medical examination that involves the exposure of private body parts, or any act during such an examination that includes incision, insertion, or injection into the body, but does not include a hearing, vision, or scoliosis screening.) Jefferson County Schools do not conduct invasive physical examinations or screenings. Vision, hearing and scoliosis screenings are scheduled throughout the school year in Jefferson County Schools. Please contact your school regarding these screenings. Parents wishing to “opt out” of health screenings must notify the school principal in writing within fifteen (15) days of receipt of this notice or upon written notification of a scheduled screening. “Opt Out” forms are available at all schools and on the Jefferson County Schools web site.

 Parents have the right to file a complaint with the U.S. Department of Education concerning alleged failures by the Jefferson County School District to comply with the requirements of FERPA. The name and address of the office that administers FERPA is as follows:

The Family Educational Rights and Privacy Act, applies to all institutions that are recipients of federal aid administered by the Secretary of Education. This regulation protects student information and accords students specific rights with respect to their data.

http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html ALABAMA RECORDS DISPOSITION AUTHORITY

Alabama Law Section 41-13-23 authorized the Alabama Department of Archives and History to publish rules for Local Government Records Destruction. For more information:

(9)

Page 9 of 56

ALABAMA OPEN RECORDS LAW

COPPA

The Children’s Online Privacy Protection Act, regulates organizations that collect or store information about children under age 13. Parental permission is required to gather certain information; see www.coppa.org for details.

HIPAA

The Health Insurance Portability and Accountability Act, applies to organizations that transmit or store Protected Health Information (PII). It is a broad standard that was originally intended to combat waste, fraud, and abuse in health care delivery and health insurance, but is now used to measure and improve the security of health information as well.

(10)

Page 10 of 56

JefCoEd Acceptable Use Policy

The Jefferson County Board of Education and its employees may notify parents, guardians and students of information through written communications. Although the Board may elect to use various methods of providing those communications to parents and guardians, it is the ultimate responsibility of each student to notify his or her parent or guardian of all written communications provided to him or her by the Board or a school. A failure to do so may result in disciplinary action against the student.

The Jefferson County Board of Education may utilize the internet and other computer resources to enhance the educational experience for students and for more efficient operation of its schools. Access to computers and other technology resources may be offered and used for permissible purposes only and such access and use will be restricted. The internet and the Board’s technology should promote educational growth, and each student must agree to use the Board’s technology appropriately by reviewing, agreeing to and abiding by the Board’s Acceptable Use Agreement for Students as a condition to that access.

The Jefferson County Board of Education (the “Board”) is pleased to provide network and Internet access to students. In exchange, student cooperation in exercising and promoting responsible use of this access is required.

The Technology Acceptable Use Agreement (AUA) applies to all technology resources owned, leased, operated, or maintained by the Board, regardless of the physical location of the resource or the user. It also applies to student use of all personally owned devices and technology resources (regardless of ownership) brought onto school grounds or to school activities during school hours or at school functions. Violations of the AUA and/or Board policy may result in suspension or termination of network or computer privileges, disciplinary action, and/or appropriate legal action. Each student and his or her parent or guardian will be solely responsible for unauthorized use of the Board’s technology resources, and will bear any cost resulting from or associated with such unauthorized use or misuse including, but not limited to, any and all damages, restitution, liabilities and costs of defense incurred by the Board.

In exchange for access to and use of the Jefferson County Board of Education technology resources, I agree to abide by the Technology Acceptable Use Agreement and all Board policies, rules, and regulations regarding the use of technology. My signature on the Notice of Receipt page

INTERNET AND THE USE OF TECHNOLOGY

JEFFERSON COUNTY BOARD OF EDUCATION TECHNOLOGY ACCEPTABLE USE AGREEMENT

(11)

Page 11 of 56

in the Code of Student Conduct indicates that I have received, understand and agree to all of the following terms, conditions and requirements:

Access

The Jefferson County Board of Education’s technology resources are made available to students for bona fide educational and school-related purposes. All technology resources are the property of the Jefferson County Board of Education, and any use is by permission only.

A.The use of all Board technology resources is a privilege, not a right, and inappropriate use will

result in cancellation of those privileges. The district Director of Technology and/or school administrators will determine when inappropriate use has occurred and may deny, revoke or suspend specific user privileges and accounts accordingly.

B. Each student may use only accounts, files, software, and technology resources that are

assigned to him/her and may not attempt to log in to the network as another person or use a computer that is logged on as another person.

C.Studentsmust not reduce the efficiency of use for others or attempt to modify or hack

technology resources, utilities, and configurations, change the restrictions associated with his/her accounts, or attempt to breach any technology resource security system, either with or without malicious intent.

D.A user may not copy software, programs, source code, data or any other computer resource for

unauthorized or unlicensed use. A user may not modify or delete computer data or information of another student, faculty or the school.

E.Modification or alteration of the Board’s resources without authorization of the school

principal or his or her designee is strictly prohibited. No student may modify system settings or install software without specific authorization from the principal or his or her designee.

F.Studentsare not permitted to connect or install any computer hardware, components, or

software, which is not school system property, without prior approval from the district technology department.

G. All passwords are required to be kept private and may not be posted online.

Internet

A.All school rules and guidelines for appropriate technology usage shall apply to Internet usage. B.No student may access, view, download, or attempt to access, view or download profane, lewd,

obscene, pornographic, abusive, objectionable, illegal, or otherwise prohibited content on the Board’s computer system or through any of its other technology resources or on personally owned devices.

C.Student access to the Internet will be restricted in compliance with Children’s Internet

(12)

Page 12 of 56

software and other security measures designed to block and prohibit access to inappropriate materials based on CIPA guidelines.

D.The Board may also utilize monitoring software to control and monitor access to its system and

the internet and to further the safety and security of its students. Any attempt to disable, modify or circumvent this software or other limiting device is strictly prohibited.

Privacy and Personal Safety

A.There is no right or expectation of privacy in any Board technology resource, and the Board

will monitor internet use, network use, electronic mail, or any other use of its technology resources without limitation. All computers, devices or other components of the Board’s system may be inspected by the Board or its designees at any time.

B.The Board cannot guarantee the privacy, security, or confidentiality of any information sent or

received via the Internet.

C.Student data will only be collected with district approved data collection resources to protect

minors from unauthorized disclosure, use, and dissemination of personal data in compliance with FERPA (Family Educational Rights and Privacy Act).

D.Students shall not reveal or post any personal or contact information about themselves or other

people on websites and/or social media sites while utilizing the Board’s technology resources. Personal information includes, but is not limited to, names, addresses, telephone numbers, photos or likenesses, video, ages, dates of birth, grade levels, social security numbers, or any other information by which a person might be identified.

E.Any online message, comment, image, or anything else that causes a student to be concerned

for his/her personal safety, should be brought to the attention of an adult. Students should immediately bring any threatening or unwelcome communications to the attention of school personnel.

Copyright and Plagiarism

A.All users are expected to abide by copyright laws and to follow the Fair Use Guidelines for

Educational Multimedia. If you don’t know if your use of online material is legal or ethical, ask your teacher or administrator for guidance.

B.Users should not plagiarize (or use as their own, without citing the original creator) content,

including words or images, from the Internet. Research conducted via the Internet should be appropriately cited, giving credit to the original author.

Cyberbullying

A.Cyberbullying will not be tolerated. Engaging in these behaviors will result in disciplinary

(13)

Page 13 of 56

B.Examples of cyberbullying include but are not limited to harassment, intimidation, threats,

impersonation, insults, displaying offensive pictures, or lewd behavior.

Education of Students

A.The Board provides ongoing education to all students concerning appropriate online behavior,

including appropriate interaction with individuals on social networking websites and in chat rooms and cyberbullying awareness and response.

B.Students are expected to adhere to specific classroom guidance and directives, as well as to the

letter and spirit of this AUA and other Board policies. Use good judgment, and ask if you don’t know.

Online Collaborative Systems

The Board provides valuable online learning resources to employees and students. These resources promote collaboration and provide a controlled environment for course content. Examples of online collaborative systems used by the Board include, but are not limited to, Google Apps for Education, Microsoft 365, Moodle, and Edmodo.

A.Accounts for these services are provided to all students through a controlled environment that

is for Board use only.

● Email and other collaborative accounts are provided to students for educational purposes only. ● Employees and students will collaborate in these environments on documents, presentations,

quizzes, classroom assignments, and more.

B.All school rules and guidelines for appropriate technology usage shall apply to online

collaborative system.

Bring Your Own Device (BYOD)

A.Student devices must only access the Internet via the JefCoEd Public wireless network. 3G,

4G, or LTE access will not be allowed while on school property.

B.Permission for personal devices to be brought to school will be at the discretion of and as

authorized by the local school administration.

C.Personal devices are only to be used for educational purposes as directed by the teacher and/or

school administration.

D.Personal devices may not be used to record, transmit or post photographs, images, or video of a

person or persons on campus during school activities and/or during school hours unless assigned or authorized by the teacher or school administrator.

E.The school district may collect and examine any personal device at any time for the purpose of

enforcing the terms of this agreement, investigating student discipline issues, or for any other school-related purpose. Personal devices are subject to immediate inspection when there is a reasonable suspicion that the contents or recent utilization of the device is in violation of any of the Board’s policies, rules or regulations.

(14)

Page 14 of 56

F.The school or district assumes no responsibility for personal devices.

G.Students are not allowed to loan, trade, or sell devices on district property, including school

buses.

Violations of Acceptable Use Agreement

Violations of this agreement or other Board directives regarding use of technology may have disciplinary repercussions, including, but not limited to, the following:

● Suspension or termination of network, technology, or computer privileges ● Loss of privilege of bringing personally-owned technology devices to school ● Notification of and/or conference with parents

● Disciplinary actions as authorized by the Code of Student Conduct ● Financial accountability for damage or loss

● Legal action and/or prosecution

Limitation of Liability / Disclaimers

The Board makes no warranties of any kind, either expressed or implied, that the functions or the services provided by or through the Board’s technology resources will be error-free or without defect.

Although the Board employs filtering and other safety and security mechanisms, and attempts to ensure their proper function, it makes no guarantees as to their effectiveness.

The Board will not be responsible, financially or otherwise, for unauthorized transactions conducted or financial obligations incurred on the system network.

The Board will not be responsible for damage or harm to persons, files, data, or hardware, or for any damages or losses incurred, including but not limited to: loss of data resulting from delays or interruption of service; loss of data stored on system resources; damage to personal property used to access system resources; the accuracy, nature, or quality of information stored on system resources; or unauthorized financial obligations incurred through system-provided access.

The Jefferson County Board permits students to bring cell phones to school. However, cell phones brought to school must be stored appropriately, either in the student’s backpack, locker, personal vehicle, and/or a designated place assigned by the administrator. Cell phone use is prohibited during the school day (which is usually the time students arrive at school until dismissal) and anytime students are being transported on a school bus unless specific permission is given by a certificated school board employee.

Should a cell phone be either seen or heard, the phone will be taken from the student, and placed in an appropriate location until the parent reclaims it. A parent may reclaim any cell phone so taken during the hours specified by the school administrator. The school system, which includes

(15)

Page 15 of 56

the school, administrator, teacher or staff member, shall not assume responsibility for theft, loss, or damage to any personal/wireless communication device, even for cell phones that are taken. If the phone is suspected to contain illegal or inappropriate material, the administrator has the right to inspect the contents of the phone. Any illegal or inappropriate material found on the phone may lead to further disciplinary action.

Violation of the rules regarding cell phone possession will be considered a Class I infraction (possession during the school day), Class II infraction (use during the school day or on a school bus), or Class III infraction (where context or manner of the use falls properly in the Class III infraction category), depending on the nature of the rule violated.

Cell phone use is prohibited during the school day unless used for educational purposes with the support of the local administration

Alabama State Department of Education Policy

Use of Digital Device during the Administration of a Secure Test Student Policy

The possession of digital devices (including, but not limited to, cell phones, MP3 players, cameras, or other telecommunication devices capable of capturing or relaying information) is strictly prohibited during the administration of a secure test. If a student is observed in possession of a digital device during the administration of a secure test, then the device will be confiscated. If a student is observed using a digital device during the administration of a secure test, testing for the student will cease, the device will be confiscated and is subject to search, the student will be dismissed from testing, and the student’s test will be invalidated.

Additional disciplinary action may be taken by the LEA.

Dissemination of Data Governance Policy

Copies of the Data Governance Policy will be sent electronically to all administrators annually during the Annual Administrators’ Leadership Conference. The respective school administrators are then responsible for sharing and familiarizing their staff with its contents. The Data

Governance Policy will also be posted on the Jefferson County website.

Copies of the student Acceptable Use Agreement for Technology are included in the Student Code of Conduct. All students and parents must acknowledge receipt of the handbook and the Technology Acceptable Use Policy.

Copies of the teacher’s Acceptable Use Agreement for Technology is included in all schools’ individual school’s handbook. Teachers and all Jefferson County employees must acknowledge the JefCoEd electronic policy each time they access any network accessible device. A link to the Data Governance Policy will also be included in the teacher’s Acceptable Use Agreement for Technology.

(16)

Page 16 of 56

Data Governance Committee

Name/Position Location/School

Dr. Anna Vacca, Deputy Superintendent Deputy Superintendent

Harold Jackson, Director Data and Instructional

Support

Carl Chesser, Director Information Technology

Michael Hicks, Attendance Specialist Information Technology

Bradley Arnold, Network Administration Information Technology

Judy C. Sullivan, Principal Mount Olive Elem.

Jay Jacks, Principal Pleasant Grove Elem.

Dr. Stephanie Robinson, Principal Fultondale High

Ron Tillman, Principal Clay-Chalkville Middle

Christopher Anders, Principal Hueytown Middle

Dr. Anthony Montalto, Director Student Services

Amanda Dykes, Instructional Technology Coach Data Security and

Instructional Support

Channon Davis, Instructional Technology Coach Data Security and

(17)

Page 17 of 56 Data Security Measures

I. Purpose

(A) To provide a structured and consistent process for employees to obtain necessary data access for conducting Jefferson County Schools operations.

(B) To implement standards and procedures that will effectively ensure efficient access management to System Data, while ensuring the confidentiality, integrity and availability of the information. This policy deals with access to Jefferson County Schools’

computing and network resources, all relevant provisions in the Acceptable Use Policies are applicable.

(C) To provide a structured and consistent process for employees to obtain necessary data access for conducting Jefferson County Schools operations.

(D) To define data classification and related safeguards. Applicable federal and state statutes and regulations that guarantee either protection or accessibility of System records will be used in the classification process.

(E) To provide a list of relevant considerations for System personnel responsible for purchasing or subscribing to software that will utilize and/or expose System Data.

(F) To establish the relevant mechanisms for delegating authority to accommodate this

process at the school level while adhering to separation of duties and other best practices.

II. Guiding Principles

(A)Inquiry-type access to official System Data will be as open as possible to individuals who require access in the performance of System operations without violating local Board, legal, Federal, or State restrictions.

(B)The Superintendent and/or his designees shall determine appropriate access permissions based on local policies, applicable laws, best practices, and the Alabama Open Records Act.

(C)Data Users granted “create” and/or “update” privileges are responsible for their actions while using these privileges. That is, all schools or other facilities are responsible for the System Data they create, update, and/or delete.

(D)Any individual granted access to System Data is responsible for the ethical usage of that data. Access will be used only in accordance with the authority delegated to the

(18)

Page 18 of 56

(E)It is the express responsibility of authorized users to safeguard the data they are entrusted with, ensuring compliance with all aspects of this policy and related procedures.

(F)These Security Measures apply to System data regardless of location. Users who transfer or transport System data “off-campus” for any reason must ensure that they are able to comply with all data security measures prior to transporting or transferring the data. (G)Authorized Requestors are responsible for being knowledgeable in all policies, laws,

rules, and best practices relative to the data for which they are granting access; including, but not limited to FERPA, HIPAA, etc.

III. Compliance

(A)Data Users are expected to respect the confidentiality and privacy of individuals whose records they access and to abide by applicable laws, policies, procedures and guidelines with respect to access, use, or disclosure of information. The unauthorized use, storage, disclosure, or distribution of System Data in any medium is expressly forbidden; as is the access or use of any System Data for one's own personal gain or profit, for the personal gain or profit of others, or to satisfy one's personal curiosity or that of others.

(B)Each employee at the System will be responsible for being familiar with the System’s Data Security Policy and these Security Measures as they relate to his or her position and job duties. It is the express responsibility of Authorized Users and their respective supervisors to safeguard the data they are entrusted with, ensuring compliance with all aspects of this policy and related procedures.

(C)Employees, whether or not they are Authorized Users, are expressly prohibited from installing any program or granting any access within any program without prior consent from the Technology Department.

(D)Violations of these Data Security Measures may result in loss of data access privileges, administrative actions, and/or personal civil and/or criminal liability.

IV. Access Coordination

(A)Central Office Department heads, supervisors, area specialists, and principals

(Authorized Requestors) will assist in classifying data sensitivity levels for their areas of expertise and in identifying which employees require access to which information in order to complete their duties.

(B)The Director of Data and Instructional Support and the Director of Technology will designate individuals within the technology department to implement, monitor, and safeguard access to System Data based on the restrictions and permissions determined by the Authorized Requestors using the technical tools available.

(19)

Page 19 of 56

(C)Central Office Department heads, supervisors, area specialists, and principals will be responsible for educating all employees under their supervision of their responsibilities associated with System Data security.

V. Security Measures

(A) These Security Measures apply to information found in or converted to a digital format. (The same information may exist in paper format for which the same local policies, state laws, statutes, and federal laws would apply, but no electronic control measures are needed.)

(B) Security Measures apply to all employees, contract workers, volunteers, and visitors of the Jefferson County Schools and all data used to conduct operations of the System.

(C) Security Measures do not address public access to data as specified in the Alabama Open Records Act.

(D) Security Measures apply to System Data accessed from any location; internal, external, or remote.

(E) Security Measures apply to the transfer of any System Data outside the System for any purpose.

VI. Implementation of Network/Workstation Controls and Protections and Physical Security

(A) Shared Responsibilities

1) The Technology Department shall implement, maintain, and monitor technical access controls and protections for the data stored on the System’s network.

2) System employees, including Authorized Requestors, shall not select or purchase software programs that will utilize or expose system data without first consulting the Technology Department to determine whether or not adequate controls are available within the application to protect that data. (The exception to this would be any software program purchased or utilized by the Alabama State Department of Education. In this case, the Alabama State Department of Education shall take all security responsibility for data it accesses or receives from Jefferson County Schools.)

3) The Technology Department staff and/or the Authorized Requestor will provide professional development and instructions for Authorized Users on how to properly access data to which they have rights, when necessary. However,

(20)

Page 20 of 56

ensuring that all employees have these instructions will be the shared

responsibility of the supervisor(s) of the Authorized User(s) and the Technology Department.

4) Technical controls and monitoring cannot ensure with 100% certainty that no unauthorized access occurs. For instance, a properly Authorized User leaves their workstation while logged in, and an unauthorized person views the data in their absence. Therefore, it is the shared responsibility of all employees to

cooperatively support the effectiveness of the established technical controls through their actions.

(B)Location of Data and Physical Security

1) All data shall be stored on servers/computers which are subject to

network/workstation controls and permissions. It shall not be stored on portable media that cannot be subjected to password, encryption, or other protections.

2) Serving devices (servers) storing sensitive information shall be operated by professional network system administrators, in compliance with all Technology Department security and administration standards and policies, and shall remain under the oversight of Technology Department supervisors.

3) Persons who must take data out of the protected network environment (transport data on a laptop, etc.) must have the permission of their supervisor prior to doing so. Permission to do so will be granted only when absolutely necessary, and the person transporting the data will be responsible for the security of that data, including theft or accidental loss.

4) All servers containing system data will be located in secured areas with limited access. At the school or other local building level, the principal or other location supervisor will ensure limited, appropriate access to these physically secured areas.

5) District staff who must print reports shall take responsibility for keeping this material in a secure location – vault, locked file cabinet, etc. In addition, all printed material shall be shredded when no longer in use per District and/or ALSDE protocol.

(C)Disposal of Hardware containing System Data

1) Prior to disposal of any computer, the school will notify the Technology

Department. A technician and/or an approved vendor will remove the hard drive from the device and destroy it prior to the device being disposed of or auctioned off.

2) All schools and departments which purchase or lease copy machines or multifunction printers will be expected to include provisions for the destruction of data on the

(21)

Page 21 of 56

device’s hard drive or the destruction of the hard drive itself prior to disposing of the copier or MFP or its return the leasing agency.

(D)Application of Network and Computer Access Permissions

1) The Director of Technology and Network Administrator shall be responsible for implementing network protection measures that prevent unauthorized intrusions, damage, and access to all storage and transport mediums; including, but not limited to:

a. Maintaining firewall protection access to the network and/or workstations. b. Protecting the network from unauthorized access through wireless devices or

tapping of wired media, including establishing ‘guest’ wireless networks with limited network permissions.

c. Implementing virus and malware security measures throughout the network and on all portable computers.

d. Applying all appropriate security patches.

e. Establishing and maintaining password policies and controls on access to the network, workstations, and other data depositories.

2) The Director of Technology and Network Administrator will apply protection measures that include:

a. Categorizing and/or re-classifying data elements and views. b. Granting selective access to System Data.

c. Documenting any deviation from mandatory requirements and implementing adequate compensating control(s).

d. Conducting periodic access control assessments of any sensitive information devices or services.

(E) Sensitive Data as it pertains to Desktops/Laptops/Workstations/Mobile Devices 1) Firewalls and anti-virus software must be installed on all desktops, laptops and

workstations that access or store sensitive information, and a procedure must be implemented to ensure that critical operating system security patches are applied in a timely manner.

(22)

Page 22 of 56

2) Storage of sensitive information on laptops, mobile devices, and devices that are not used or configured to operate as servers is prohibited, unless such information is encrypted in a Technology Department-approved encryption format.

3) The user responsible for the device shall take proper care to isolate and protect files containing sensitive information from inadvertent or unauthorized access.

4) Assistance with securing sensitive information may be obtained from school-level Technology Coordinators with input from the Technology Department, as necessary.

VII. Transfer of Data to External Service Provider

(A) Student directory information may be transferred to an external service provider, such as an online website that teachers wish students to use for educational purposes. Provided that:

1) The teacher follows the protocols for getting approval for the site to be used.

2) The District notifies parents about their right to restrict their child’s data from being shared with such sites annually via Code of Conduct/AUP.

3) The transfer of data is handled in a manner approved by the Technology Department, or is performed by the Technology Department.

(B) No FERPA protected educational records will be transferred to an external service provider without prior approval of the Data Governance committee and/or the Jefferson County School Board. Exception: Alabama State Department of Education.

(C) No school or department should enter into a contract for the use of any program that requires the import of District data without first consulting and receiving approval from the Data Governance committee.

(D) The Data Governance committee will determine which of the following should be

required of the service provider and assist in ensuring these requirements are met prior to any data transfer:

1) Contract

2) Designating the service provider as an “Official” as defined in FERPA 3) Memorandum of Understanding

4) Memorandum of Agreement 5) Non-Disclosure Agreement

(23)

Page 23 of 56 (F) Location of Data and Physical Security

1) All data shall be stored on servers/computers which are subject to

network/workstation controls and permissions. It shall not be stored on portable media that cannot be subjected to password, encryption, or other protections.

2) Serving devices (servers) storing sensitive information shall be operated by professional network system administrators, in compliance with all Technology Department security and administration standards and policies, and shall remain under the oversight of Technology Department supervisors.

3) Persons who must take data out of the protected network environment (transport data on a laptop, etc.) must have the permission of their supervisor prior to doing so. Permission to do so will be granted only when absolutely necessary, and the person transporting the data will be responsible for the security of that data, including theft or accidental loss.

4) All servers containing system data will be located in secured areas with limited access. At the school or other local building level, the principal or other location supervisor will ensure limited, appropriate access to these physically secured areas.

5) District staff who must print reports shall take responsibility for keeping this material in a secure location – vault, locked file cabinet, etc. In addition, all printed material shall be shredded when no longer in use per District and/or ALSDE protocol.

(G)Disposal of Hardware containing System Data

1) Prior to disposal of any computer, the school will notify the Technology

Department. A technician and/or an approved vendor will remove the hard drive from the device and destroy it prior to the device being disposed of or auctioned off.

2) All schools and departments which purchase or lease copy machines or multifunction printers will be expected to include provisions for the destruction of data on the device’s hard drive or the destruction of the hard drive itself prior to disposing of the copier or MFP or its return the leasing agency.

(H)Application of Network and Computer Access Permissions

1) The Director of Technology and Network Administrator shall be responsible for implementing network protection measures that prevent unauthorized intrusions, damage, and access to all storage and transport mediums; including, but not limited to:

(24)

Page 24 of 56

a. Maintaining firewall protection access to the network and/or workstations. b. Protecting the network from unauthorized access through wireless devices or

tapping of wired media, including establishing ‘guest’ wireless networks with limited network permissions.

c. Implementing virus and malware security measures throughout the network and on all portable computers.

d. Applying all appropriate security patches.

e. Establishing and maintaining password policies and controls on access to the network, workstations, and other data depositories.

2) The Director of Technology and Network Administrator will apply protection measures that include:

a. Categorizing and/or re-classifying data elements and views. b. Granting selective access to System Data.

c. Documenting any deviation from mandatory requirements and implementing adequate compensating control(s).

d. Conducting periodic access control assessments of any sensitive information devices or services.

(I) Sensitive Data as it pertains to Desktops/Laptops/Workstations/Mobile Devices 5) Firewalls and anti-virus software must be installed on all desktops, laptops and

workstations that access or store sensitive information, and a procedure must be implemented to ensure that critical operating system security patches are applied in a timely manner.

6) Storage of sensitive information on laptops, mobile devices, and devices that are not used or configured to operate as servers is prohibited, unless such information is encrypted in a Technology Department-approved encryption format.

7) The user responsible for the device shall take proper care to isolate and protect files containing sensitive information from inadvertent or unauthorized access.

(25)

Page 25 of 56

8) Assistance with securing sensitive information may be obtained from school-level Technology Coordinators with input from the Technology Department, as necessary.

VII. Transfer of Data to External Service Provider

(F) Student directory information may be transferred to an external service provider, such as an online website that teachers wish students to use for educational purposes. Provided that:

1) The teacher follows the protocols for getting approval for the site to be used.

2) The District notifies parents about their right to restrict their child’s data from being shared with such sites annually via Code of Conduct/AUP.

3) The transfer of data is handled in a manner approved by the Technology Department, or is performed by the Technology Department.

(G) No FERPA protected educational records will be transferred to an external service provider without prior approval of the Data Governance committee and/or the Jefferson County School Board. Exception: Alabama State Department of Education.

(H) No school or department should enter into a contract for the use of any program that requires the import of District data without first consulting and receiving approval from the Data Governance committee.

(I) The Data Governance committee will determine which of the following should be

required of the service provider and assist in ensuring these requirements are met prior to any data transfer:

1) Contract

2) Designating the service provider as an “Official” as defined in FERPA 3) Memorandum of Understanding

4) Memorandum of Agreement 5) Non-Disclosure Agreement

(J) Non-Disclosure Agreement (NDA) Information

(26)

Page 26 of 56

When to Use a Non-Disclosure Agreement

1. Private Information. Confidential information, as defined by FERPA and other regulations and policies, is to be protected and disclosed only to those employees who have a direct legitimate reason for access to the data in order to provide educational services to the student.

2. You must seek guidance from the Student Services, Special Education, and/or the Technology Department prior to transferring confidential information to any outside company, online service (free websites), or to any outside individual, organization, or agency without the explicit written permission of the parent of a minor student or an adult-aged student. This information includes:

1) Social Security number

2) Grades and test scores (local and standardized) 3) Special education information

4) Health information and 504 information

5) Attendance information (not enrollment, but specific attendance dates) 6) Family/homeless/or other similar status

7) Child Nutrition Program status (free or reduced meals)

This includes providing confidential information to individuals, including System employees, for use in dissertations or other studies for college courses or doctoral studies. Refer all such requests, including those for federal, state, or other studies to the Instruction Department and the Technology Department for their approval before releasing any such individualized information. Approved recipients may be required to complete an NDA so that they fully

understand their responsibilities with regard to safeguarding and later destroying this private information. This restriction does not apply to publicly available aggregated data such as dropout rates, attendance rates, percentage of free and reduced lunch program students.

Exceptions. Other Public K-12 Schools - Private information may be transferred upon request to the State Department of Education or other public school systems with a legitimate need for the data; however, the transfer process should comply with data security protocols (see below). In addition, personnel must research all recipients to ensure that the school is legitimately a public school rather than a private school.

Colleges – Confidential information may be transferred to institutions of higher education, when the adult student or the parent of a minor student requests that transcripts or other private

information be released to specific institutions. Such information should not be transferred to colleges based on a request from the college directly, unless approved by the individual whose records will be transferred.

3. Directory Information. Although Jefferson County Schools has identified the following as “Directory Information,” schools should still carefully consider the transfer or publication of this information. Seek guidance when in doubt. Much of this information, combined with data

(27)

Page 27 of 56

collected elsewhere can be used for identity theft purposes, stalking, and other unlawful or unethical purposes.

1) Home address

2) Home or cell phone numbers of students or their parents 3) Email addresses of students or their parents

4) Date and place of birth

Exception: U.S. Military and institutions of higher learning for recruiting purposes. However, school must first determine which parents have submitted Opt Out forms relative to these requests prior to transferring data.

(E) Non-Disclosure Agreement Processing

1) The Technology Department will keep all NDAs on file. This will eliminate the need for each school to solicit an NDA from companies which already have NDAs on file. Technology will also ensure that the NDA is renewed annually where necessary.

2) What the school should do:

a. Get the following specific information from the “entity” to which you want to transfer the information: company name, web address, phone number, fax number, and email address, name of individual you are working with.

b. List the information you wish to transfer to the ‘entity’

c. Send this information to the Technology Department for referral to the Data Governance Committee.

3) Upon approval by the Data Governance Committee, the Technology Department will determine if there is a current NDA already on file with the entity. If not, one will be prepared and sent to them. Once the agreement has been signed, the Technology Department will notify the school and oversee the process of securing and uploading the necessary data to the service provider.

4) Note that all confidential data that will be transferred by email, whether in the body of the email or as an attached file, should be encrypted. The Technology Department can help you with transporting this data.

(28)

Page 28 of 56 Nondisclosure Agreement

THIS NONDISCLOSURE AGREEMENT (this “Agreement”), by and between JEFFERSON COUNTY SCHOOLS, AL (the “District”), and ________________________________ (the “Service Provider”), relates to the disclosure of valuable confidential information. The “District” refers to all schools, departments, and other entities within Jefferson County Schools. The Service Provider refers to any free or fee-based company, organization, agency, or individual which is providing services to the District or is conducting District-approved academic research. The Disclosing Party and the Receiving Party are sometimes referred to herein, individually as a “Party” and collectively, as the “Parties.”

To further the goals of this Agreement, the Parties may disclose to each other, information that the Disclosing Party considers proprietary or confidential.

The disclosure of District’s Confidential Information by a Receiving Party may result in loss or damage to the District, its students, parents, employees, or other persons or operations. Accordingly, the Parties agree as follows:

Confidential Information disclosed under this Agreement by the District shall only be transmitted in compliance with the District’s approved security protocols. The Receiving Party must accept the data transmitted in these formats.

The Service Provider will request or receive Confidential Information from the District solely for the purpose of entering into or fulfilling its contractual obligations or pre-approved academic research.

The Service Provider agrees not to use, or assist anyone else to use, any portion or aspect of such Confidential Information for any other purpose, without the District’s prior written consent.

The Service Provider will carefully safeguard the District’s Confidential Information and may be required to describe such safety measures to the District upon request.

The Service Provider will not disclose any aspect or portion of such Confidential Information to any third party, without the District’s prior written consent.

Confidential Information disclosed under this Agreement shall not be installed, accessed or used on any computer, network, server or other electronic medium that is not the property of the District or the Service Provider, or to which third-parties have access, unless otherwise provided in a separate contract or agreement between the Parties hereto.

The Service Provider shall inform the District promptly if the Service Provider discovers that an employee, consultant, representative or other party, or any outside party has made, or is making or threatening to make, unauthorized use of Confidential Information.

The Service Provider shall immediately cease all use of any Confidential Information and return all media and documents containing or incorporating any such Confidential Information within five (5) days to the District after receiving written notice to do so, or whenever the contract for services between the District and the Service Provider expires or is terminated. In addition, the Service Provider may be required by the District to destroy any Confidential Information contained on primary or backup media upon written request of the District.

Date Date

District Service Provider

Printed Name Printed Name

Signature Signature

Title Title

(29)

Page 29 of 56

Confidential Information includes:

 any written, electronic or tangible information provided by a Disclosing Party any information disclosed orally by a Disclosing Party that is treated as confidential when disclosed

 all information covered by FERPA or other local, state, or federal regulation applying to educational agencies

 Any other information not covered by FERPA, HIPAA, or other local, state, or federal regulation which the District requires the Service Provider to treat as confidential.

VIII. Reporting Security Breaches

All employees shall be responsible for reporting suspected or actual breaches of data security whether due to inappropriate actions, carelessness, loss/theft of devices, or failures of technical security measures.

Data Governance Training

I. School and Central Office Administrators

(A) School and Central Office Administrators will receive refresher training on FERPA and other data security procedures during annually scheduled administrative meetings. (B) Principals and Central Office Administrators shall contact the Technology Coordinator or

the Student Services Department when in doubt about how to handle classified information

(C) Principals and Central Office Administrators will be kept aware of emerging issues pertaining to data security.

II. School Registrar Data Security Training

(A) School registrars will be trained and refreshed on FERPA and other data security procedures twice annually. Training may be conducted on-site by the location

(30)

Page 30 of 56

(B) School registrars’ adherence to the data security procedures will be monitored by the Technology Department through random audits. Audits methods and procedures TBA. III. Teacher and Staff Training

(A) All new teachers will complete training on all District technology policies, including how their use of technology is governed by FERPA and other data security procedures

established by the District. Training will be conducted annually by the principal or his/her designee.

(B) All department heads will be expected to educate their support staff on data governance as it applies to their department’s work.

(C) All users will receive reminders throughout the year via email regarding malware threats and phishing scams and how to report suspected threats.

IV. Parent and Booster Training

(A) School administrators shall educate PTOs, boosters, and other parent groups about FERPA and student confidentiality. For instance, organizations who intend to post information about the school’s students or activities should not compromise the privacy of students in protective custody. Because the school cannot tell these groups which students may be in such situations, the organization should be cautioned about exposing any information or photos that could cause harm to students or their families.

(B) The Technology Department shall have procedures that include educational materials for booster organizations who wish to post their own websites. This shall include both

FERPA and COPPA information.

Data Quality Controls I. Job Descriptions

(A) Job descriptions for employees whose responsibilities include entering, maintaining, or deleting data shall contain provisions addressing the need for accuracy, timelines, confidentiality, and completeness. This includes, but is not limited to: school registrars, counselors, special education staff, and CNP staff handling free and reduced lunch data.

(B) Teachers shall have the responsibility to enter grades accurately and in a timely manner.

(C) School administrators shall have the responsibility to enter discipline information accurately and in a timely manner.

(31)

Page 31 of 56 II. Supervisory Responsibilities

(A) It is the responsibility of all Supervisors to set expectations for data quality and to evaluate their staff’s performance relative to these expectations annually.

(B) Supervisors should immediately report incidents where data quality does not meet standards to their superior and to any other relevant department, including the State Department of Education, if applicable.

Student Information Systems I. Student Information Applications

(A) Any software system owned and/or managed by the District which is used to store, process, or analyze student ‘educational records’ as defined by FERPA shall be subject to strict security measures. These systems are:

1) INOW – General student information system 2) SetsWeb – Special Education information system 3) WinSnap – Child nutrition information system 4) SchoolCast – Emergency Notification System 5) INFocus

6) Atriuum

7) Other as implemented by the District

(B) Administrators with supervisory responsibilities over the District’s Student Information Systems shall determine the appropriate access rights to the data and enforce compliance with these roles and permissions.

II. INOW Access

INOW, unlike its predecessor STI Office, enables authorized users to access the application from anywhere they may have Internet access. In response to this anywhere/anytime access, as well as the fact that INOW provides less-granular permission settings than its predecessor, the Data Governance Committee and its, INOW permissions sub-committee, has implemented the following:

(A) Strong password requirement for INOW logins

(32)

Page 32 of 56

STI Data Security Agreement Memo

Date:

To: Principals

From:

RE: Data Security and Data Security Agreement

As you know, our student and employee data should be carefully protected. Not only is the majority of the information contained therein subject to FERPA and HIPAA, but it is also data which could be used for identity theft. In order to ensure that all staff members who have access to INOW understand the important responsibilities that come with such access, we have prepared the attached INOW Data Security Agreement form.

Please read the document carefully and notice that it warns against removing personal data on students and employees from the workplace. This type of information should not be carried outside of your school on USB drives, disks, or on laptops. If any of these portable devices were to be lost or stolen, it could put the system at great risk.

Please make enough copies of this document for each of your staff who have INOW permissions to sign. Have them sign the form. Make them a copy of the signed form, and then forward the original to the Technology Department. This will include you, your assistant principals, your counselors, the school nurse, and a few others in your school. The registrars have already received and signed a copy at the recent Registrar’s meeting.

If you have questions, please feel free to contact the Director of Technology, Director of Data Security and Instructional Technology Support and/or one of the Deputy Superintendents.

(33)

Page 33 of 56

Jefferson County Schools Data Security Agreement

Electronic data is very portable and can be vulnerable to theft and unintended disclosure. Therefore, having access to personal and private information as part of one’s job duties also carries with it important responsibilities to protect the security and privacy of that data. As an employee who has access to Jefferson County Schools’ student and employee data, I understand that I have the responsibility to handle, maintain, and disseminate information contained in these records in a secure manner.

I understand that my access to and dissemination of student and/or employee data is subject to local polices, as well as state and federal laws and statutes. This includes, but is not limited to the Federal Educational Rights and Privacy Act (FERPA) and HIPAA.

I understand that transferring personal information to a third party outside of the school system in any electronic format may only be done after approval by the Director of Technology and/or the Director of Data Security and Instructional Support.

Except when explicitly instructed to do so by school or district administrators, I understand that copies of student and employee data should never be kept on a temporary storage device such as USB drive or CD; and that student and employee data should not be removed from the school premises on a laptop.

I will keep my computer workstation secure by locking or logging off when the machine is unattended. I will not share network or program passwords with others. I will not allow personal data that has been printed into the view or hands of unintended parties. I will not use my

software rights to grant others permission to data to which they are not entitled. Please sign below to indicate you understand and agree to the above statements.

Print Name/Title: ______________________________________________________________ Signature: __________________________________________ Date: ___________________ Work Location: ________________________________________________________________

Jefferson County School Board Data Governance Plan