712 TECHNOLOGY AND DATA SECURITY

The Morning Sun Community School District recognizes the increasingly vital role technology plays in society.  It is the intent of the district to support secure data systems in the district, including security for all personally identifiable information (PII) that is stored digitally on district-maintained devices, computers and networks.  The purpose of this policy is to ensure the secure use and handling of all district data, computer systems, devices and technology equipment by district students, employees, and data users. 

The district may use third-party vendors to perform necessary education functions for the district.  Utilizing third party vendors to outsource functions the district would traditionally perform provides a cost-effective means to deliver high quality educational opportunities to all students.  However, it is paramount that third party vendors with access to sensitive data and PII of district students, employees and data users be held to the highest standards of data privacy and security.

The selection of third-party vendors shall be in accordance with appropriate law and policy.  Third-party vendors with access to PII shall meet all qualifications to be designated as a School Official under the Family Educational Rights and Privacy Act (FERPA). The Superintendent or designee shall recommend to the Board that any approved contract with a third-party vendor will require that the vendor comply with all applicable state and federal laws, rules, or regulations, regarding the privacy of PII. 

It is the responsibility of the Superintendent or designee to develop procedures for the district to enhance the security of data and the learning environment.  The procedures shall address, but not be limited to, the following topics: 

Access Control –Access control governs who may access what information within the district and the way users may access the information. It is the responsibility of the Superintendent or designee to determine which individuals will have access to district networks, devices and data; and to what extent such access will be granted.  System and network access will be granted based upon a need-to-have requirement, with the least amount of access to data and programs by the user as possible. 

Security Management –Security management addresses protections and security measures used to protect digital data.  These include measures related to audits and remediation, as well as security plans for responding to, reporting and remediating security incidents.  It is the responsibility of the superintendent or designee to develop procedures to govern the secure creation, storage and transmission of any sensitive data and personally identifiable information (PII).  The Superintendent or designee shall implement appropriate controls to regulate data moving between trusted internal resources to external entities.

Technology and Data Use Training –Technology and data use training addresses acceptable use best practices to safeguard data for students, employees and staff.  It is the responsibility of the Superintendent or designee to help ensure appropriate training on proper data and technology use.        

 

Legal References: 

20 U.S.C. §1232g; 34 C.F.R. Part 99

47 U.S.C. §254

20 U.S.C. §6777

Iowa Code §§ 279.70; 715C

 

Cross References:   401.13  Staff Technology Use/Social Networking

                                 506.1  Student Records  Access

                                 605.4  Technology and Instructional Materials

Approved                    Reviewed                     Revised                   

 

712.R1 SECURITY REQUIREMENTS OF THIRD-PARTY VENDORS

Regulation 712R1 SECURITY REQUIREMENTS OF THIRD-PARTY VENDORS REGULATION

The District must ensure proper safeguards and procedures exist to use third-party vendors as a resource to further educational functions.  The following procedures shall be used to investigate and contract only with qualifying third-party vendors for the performance of necessary educational functions of the district; and to ensure that third-party vendors meet the required standards to be designated under the Family Educational Rights and Privacy Act (FERPA) as a School Official to handle personally identifiable information (PII) within the district. 

Third-party vendors may be designated by the district as a School Official when the vendor: 

  1. Performs an institutional service or function for which the school or district would otherwise use its own employees;
  2. Has met the criteria set forth in the district’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records;
  3. Is under the direct control of the district regarding the use and maintenance of education records; and 
  4. Uses education records only for authorized purposes and may not re-disclose PII from education records to other parties (unless the provider has specific authorization from the district to do so and is otherwise permitted by FERPA). 

Third party vendor data use requirements shall include, but not be limited to the following:

  1. The vendor implement and maintain security procedures and practices consistent with current industry standards; and
  2. The vendor be prohibited from collecting and using PII for:
    1. Targeted advertising;
    2. Amassing a profile about a student or students except in furtherance of educational purposes;
    3. Selling or renting PII for any purpose other than those expressly permitted by law; and
    4. Disclosing PII for any purposes other than those expressly permitted by law.