Student Data Privacy
Under Colorado’s Student Data Transparency and Security Act, Liberty Common School is required to post and maintain the following information on its website:
- A link to the Colorado Department of Education’s Data Dictionary;
- A link to the Colorado Department of Education’s inventory of data containing personally-identifiable information on individual students;
- Student personally-identifiable information collected and maintained by Liberty Common School in its electronic-data system that is not reported to the Colorado Department of Education;
- A list of school-service-contract providers with which Liberty Common School contracts that includes a copy of each school service contract; and;
- To the extent practicable, a list of the school service on-demand providers that Liberty Common School and/or its employees use for school services.
Student-Data Privacy Policy
Adopted June 2019
- Policy Statement
- Scope of Policy
- Definitions
- Transparency
- Maintenance of Student Records and Data Retention and Destruction
- Access to Student Records and Personally Identifiable Information
- Data Destruction
- Vendor or Provider Misuse and/or Unauthorized Disclosure of PII
- Staff Training
- Data Security Audits
- Enforcement
Policy Statement
Student privacy is a critical component of Liberty Common School’s (LCS) operations, and the protection and management of the various types of student records and Personally Identifiable Information (PII) is critical to LCS’s operations. Concurrently, using data effectively and responsibly is foundational to making the best decisions in today’s schools and improving student performance. LCS maintains student files, as well as computer systems and related devices that collect and record data as required for educational delivery, management, and reporting purposes. Student PII or other sensitive data requested, collected, captured, generated, stored, or otherwise entrusted to and maintained by LCS shall be analyzed on a case by case basis and shared only for legitimate educational purposes with those who are authorized, or as required by law. Reasonable care must be taken to ensure that student PII or other sensitive data is never misused or disclosed to unauthorized individuals or agencies.
The purpose of this policy (Policy) is to establish general privacy practices for student records and PII academic and discipline records, and information captured or generated by LCS’s operations, systems, network devices, or communications. The policy further delimits conditions where PII may be disclosed.
The privacy and protection of confidential student and faculty education records and the PII contained therein shall be governed by the federal Family Education Rights and Privacy Act (FERPA), the Colorado Student Data Transparency and Security Act (SDTSA), and this Policy.
This Policy attempts to be as comprehensive as possible, but it is not intended to cover every situation which may be considered student data privacy-related. LCS is committed to providing a place for learning, teaching, and gathering free from concerns that one’s PII will be poorly protected and/or misused. LCS administrators and IT specialists will prioritize student-data privacy when evaluating whether to engage with third-party service providers. The adoption of this Policy are in keeping with this commitment.
Scope of Policy
Definitions
- Data. Any student or family information collected, captured, stored, generated, or otherwise entrusted to and maintained by LCS, its employees, contractors, agents, systems, storage devices, or other means. This includes systems and devices involved in the transmission and storage of video and voice data.
- Personally-Identifiable Information. As used in this policy, “personally identifiable information” (PII) is information that, alone or in combination, is linked or linkable to a specific individual so as to allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the individual with reasonable certainty. All student PII is confidential and private. LCS data privacy procedures adhere to the guidelines set forth in FERPA and SDTSA.
- PII includes but is not limited to:
- (1) the student’s name;
- (2) the name of the student’s parent or other family members;
- (3) the address or phone number of the student or student’s family;
- (4) personal identifiers such as the student’s social security number, student number or biometric record;
- (5) indirect identifiers such as the student’s date of birth, place of birth or mother’s maiden name; or
- (6) photographic and voice records.
- PII includes but is not limited to:
- School Service Contract Provider. An entity, other than a public education entity or an institution of higher education, that enters into a formal, negotiated contract with LCS to provide a school service.
- School Service On-Demand Provider. An entity, other than a public education entity, that provides a school service to LCS, subject to agreement by LCS, or an employee of LCS, to standard, non-negotiable terms and conditions of service established by the providing entity.
- Student Academic and Discipline Records. "Records" are any information or data, including but not limited to academic and discipline records, recorded in any medium including, but not limited to, handwriting, print, tapes, film, and any electronic storage or retrieval media. "Student records" are those records directly related to a student and maintained by LCS.
- Third Party. A third party, for the purpose of this Policy, is an entity other than LCS or a person who is not employed by LCS.
Transparency
LCS will maintain a Student Privacy page on its website. This page will contain all elements required by the SDTSA, including
- A list of all School Service On-Demand Providers used by LCS. This list will be maintained by the IT Department, and updated a minimum of twice per year.
- A list of any School Service On-Demand Providers which LCS has either refused to use or discontinued to use due to student-privacy concerns. This list will be maintained by the IT Department.
- A list of School Service Contract Providers engaged in a contractual relationship with LCS, along with links to the executed contracts. This list will be maintained jointly by the LCS Administration and the LCS IT Department.
- A link to access a list of the Colorado Department of Education’s inventory of data containing PII on individual students.
- A description of PII in language understandable to a layperson.
- A link to this Policy.
Maintenance of Student Records and Data Retention and Destruction
All student-education records, including but not limited to confidential PII and student academic and discipline records, shall be retained for the periods required by governing law and relevant LCS policy. Thereafter, such records are subject to destruction in accordance with governing law, recognized best practices, and Section VII of this Policy.
Access to Student Records and Personally Identifiable Information
- Access to PII, and the collection and sharing of PII, is only authorized in accordance with governing law and this Policy. Student PII or other sensitive data may only be collected or reviewed by LCS staff for legitimate educational purposes related to educational decisions, legal compliance, reporting, or other lawful purposes.
- Requests for any student academic and/or discipline records will be denied unless it can be reasonably ascertained by an LCS administrator that there is parental consent for the release of requested records to the individual or entity furnishing the request, and that the request is consistent with governing law. Every new request for a student records will require a new communication of parental consent to an LCS administrator.
- LCS will only provide student PII to the Colorado Department of Education as required by law or as a condition of receiving a benefit, such as grant funding or special designations.
- LCS will only disclose student PII and sensitive data to a School Service Contract Provider which contractually agrees to comply with FERPA and SDTSA laws, and for legitimate educational purposes.
- LCS will only disclose student PII and sensitive data to a School Service On-Demand Provider which contains in its user-agreement language consistent with FERPA and SDTSA laws.
- Access to LCS computers, e-mail and document accounts, and to electronically stored PII shall be password protected. Further, LCS administrators shall ensure the security of electronically stored PII, including but not limited to: (1) controlled building access; and (2) video surveillance monitoring of building’s ingress/egress.
- LCS employees, volunteers and students shall report to the LCS administration all threats and known or suspected occurrences of unauthorized access, loss, disclosure, modification, disruption or destruction of electronically stored student records or confidential PII.
Data Destruction
- LCS will dispose of or destroy data in a manner consistent with governing law and current industry standards. The IT Director will determine the appropriate process for making sensitive, digitally-maintained data from computer desktops, laptops, hard drives, and portable media, inaccessible and unusable. The IT Director will be responsible for compliance with governing law and this Policy.
- Paper and hardcopy records maintained by LCS and containing student PII or other sensitive data shall be shredded.
- A School Service Contract Provider must contractually agree to destroy student PII in a manner consistent with the SDTSA. This means:
- The School Service Contract Provider will contractually agree to destroy records containing student PII at the request of LCS, unless parental consent for record retention is attained. The contract provider shall provide the LCS with a Certificate of Data Destruction, and
- The School Service Contract Provider will contractually agree to, following the termination or conclusion of the contract, destroy all student PII collected, generated, or inferred as a result of the contract. The contract provider shall provide the LCS with a Certificate of Data Destruction.
Vendor or Provider Misuse and/or Unauthorized Disclosure of PII
If LCS identifies that a School Service On-Demand Provider or School-Service Contract provider has experienced a material breach, engaged in misuse of student data, or allowed unauthorized release of student PII, the LCS Board of Directors will ensure the following are accomplished:
- Notifying the individuals impacted by the breach; communicate the steps in place to address and resolve the breach.
- Public discussion of the nature of the material breach, and provide an opportunity for the contract provider to respond.
- A decision whether the contract shall be subject to termination and if the provider will be disqualified from future contracts with LCS.
Staff Training
LCS shall take measures to periodically educate and train staff regarding its obligation under governing law and this Policy to maintain the privacy and protection of student records and PII, including but not limited to maintaining the privacy and protection of PII when using LCS information technology, online services and mobile applications.
LCS staff are and will continue to be trained to refrain from engaging any Service On-Demand Provider without first consulting either an LCS administrator or the LCS IT Director regarding the specific provider being considered. Staff will only engage a Service On-Demand Provider once receiving explicit permission to do so.
Data Security Audits
The IT Director shall implement practices and procedures to maintain the security of electronically stored PII, including but not limited to: (1) access logging and monitoring by device and location; (2) intrusion detection and vulnerability testing; (3) use of automated tools and monitoring procedures to detect, report and remediate system vulnerabilities and breaches; (4) responding to threats and occurrences of unauthorized access, loss, disclosure, modification, disruption or destruction of electronically stored PII to LCS administration; and (5) notifying the LCS administration of affected persons of such threats and occurrences.
The director of the IT Department will determine if an external/independent third party security auditor is necessary to maintain the integrity of LCS server security.
Enforcement
LCS is committed to enforcing this Policy and engaging in practices to protect the privacy of every student and family from who it collects data. LCS staff found to be in violation of this Policy, at the sole discretion of LCS administrators, may be subject to disciplinary action, up to and including termination.
School Service Providers
Contract Providers
On-Demand Providers
School service on-demand providers for Liberty Common School are listed below.
NOTE: Liberty Common School will post the names of on-demand providers and their on-demand school services (together with any written response the on-demand providers may submit) and notify the Colorado Department of Education if Liberty Common School ceases using or refuses to use the on-demand provider and its school services for: (a) not substantially complying with the on-demand provider’s own privacy policies; (b) selling student personally identifiable information; (c) using or sharing student personally identifiable information for purposes of targeted advertising to students; (d) using student personally identifiable information to create a personal profile of a student other than for supporting purposes authorized by Liberty Common School or with the consent of an eligible student or a student’s parent/guardian; or (e) not maintaining a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality and integrity of student personally identifiable information with appropriate administrative, technological and physical safeguards.