MSD Policies

Safety

134 Standards for the Protection of Personal Information of Staff and Students

The Superintendent and/or his/her designee shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of entity of the Manchester School District; (b) the amount of resources available to the Manchester School District; (c) the amount of stored data; and (d) the need for security and confidentiality of both student and employee information.

Scope:

The provisions of this policy apply to all persons that own, license or have access to personal information about an employee or student of the Manchester School District.

Definitions:

These Standards apply to “Student Personally-Identifiable Data” and “Teacher Personally-Identifiable Data” (RSA 189:65), as well as “Covered Information” (RSA 189:68)

“Student personally-identifiable data” means:

  1. The student's name.

  2. The name of the student's parents or other family members.

  3. The address of the student or student's family.

  4. Indirect identifiers, including the student's date of birth, place of birth, social security number, email, social media address, or other electronic address, telephone number, credit card account number, insurance account number, and financial services account number.

  5. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

“Teacher personally-identifiable data” or “teacher data,” which shall apply to teachers, paraprofessionals, principals, school employees, contractors, and other administrators, means:

  1. Social security number.

  2. Date of birth.

  3. Personal street address.

  4. Personal email address.

  5. Personal telephone number.

  6. Performance evaluations.

  7. Other information that, alone or in combination, is linked or linkable to a specific teacher, paraprofessional, principal, or administrator that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify any with reasonable certainty.

  8. Information requested by a person who the department reasonably believes or knows the identity of the teacher, paraprofessional, principal, or administrator to whom the education record relates.

“Covered information” means personally identifiable information or materials, in any media or format that meets any of the following:

  1. Is created or provided by a student, or the student's parent or legal guardian, to an operator in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for K-12 school purposes.

  2. Is created or provided by an employee or agent of the K-12 school, school district, local education agency, or county office of education, to an operator.

  3. Is gathered by an operator through the operation of a site, service, or application described in subparagraph (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student's educational record or email, first and last name, home address, date of birth, telephone number, unique pupil identifier, social security number, financial or insurance account numbers, email address, other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, other student identifiers, search activity, photos, voice recordings, or geo-location information.

  1. The comprehensive information security program will establish standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this comprehensive security program are to insure the security and confidentiality of personal information in a manner that is fully consistent with all state and federal requirements; protects against anticipated threats or hazards to the security or integrity of such information; and protects against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any employee or student.

  2. Without limiting the generality of the foregoing, the comprehensive information security program shall include, but shall not be limited to:

    1. Designating one or more employees to maintain the comprehensive information security program;

    2. Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of such safeguards for limiting such risks, including but are not limited to:

      • ongoing employee (including temporary and contract employee) training;

      • employee compliance with policies and procedures; and

      • means for detecting and preventing security system failures.

    3. Developing security regulations for employees relating to the storage, limiting access and transportation of records containing personal information inside and outside of school premises.

    4. Imposing disciplinary measures, up to and including termination, for violations of the comprehensive information security program rules and regulations.

    5. Preventing employees that are terminated, on leave, or under investigation from accessing records containing personal information.

    6. Oversee service providers, by:

      • Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with this policy and any applicable federal policies; and

      • Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information.

    7. Imposing reasonable restrictions upon physical access to records containing personal information, and storing of such records and data in locked facilities, storage areas or containers.

    8. Regularly monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.

    9. Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

    10. The Superintendent and/or their designee shall document and report responsive actions taken in connection with any incident involving a breach of security, and completing mandatory post-incident review of events and actions taken, if any, to make changes in practices relating to protection of personal information. These actions will be in accordance with RSA 189:67 (VI) and all relevant laws and district policies. RSA 189:67 (VI) requires the district to report quarterly on its website the number of times it disclosed student personally-identifiable data to any person, organization entity or government or a component thereof, other than the student, his or her parents, foster parents or legal guardian and the school district, early childhood program or post-secondary institution in which the student was enrolled at the time of disclosure; the name of the recipient or entity of the disclosure; and the legal basis for the disclosure.

  3. The District will not disclose personal data or information of any employee or student to any person outside of the District, except as may be required by law and in accordance with RSA 189:67 Limits on Disclosure of Information. Such data or information may be shared to District employees as necessary.

    1. The personal data and information that the school may be in possession of is defined in Students 151. Procedures and circumstances for accessing student records can also be found in Students 151.

    2. The procedures for access and retention of school records can be found in Safety 124 for the district policies regarding public use of school records.

  4. The District’s records retention system shall comply with RSA 189:29-a as well as Department of Education regulations, state laws and federal laws. Safety 126 outlines the records retention schedule for all district records, irrespective of the specific medium of the record, i.e., paper, electronic, digital, cloud, etc..

Computer System Security Requirements

The Superintendent and/or his/her designee shall include in its comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

  1. Secure user authentication protocols including:

    1. control of user IDs and other identifiers;

    2. a reasonably secure method of assigning and selecting passwords, (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

    3. restricting access to active users and active user accounts only; and (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

  2. Secure access control measures that:

    1. restrict access to records and files containing personal information to those who need such information to perform their job duties; and

    2. assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

  3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

  4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;

  5. Encryption of all personal information stored on laptops or other portable devices;

  6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

  7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with

    up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

  8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

References:

This Data Privacy Policy has been written with the assistance of the following:

RSA 189:67 Limits on Disclosure of Information. (attachment)

Family Educational Rights and Privacy Act (FERPA)

CoSN Protecting Privacy in Connected Learning Toolkit http://www.cosn.org/focus-areas/leadership-vision/protecting-privacy

201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH OF MASSACHUSETTS

Privacy Pitfalls as Education Apps Spread Haphazardly

http://www.nytimes.com/2015/03/12/technology/learning-apps-outstrip-school-ove rsight-and-student-privacy-is-among-the-risks.html?_r=1

RSA 189:66 Data Inventory and Policies Publication.

Cross References

Students 151 Students Records and Access

Safety 123 Required School Records

Safety 124 Data Management

Safety 126 Data/Records Retention

New Hampshire School Board Association Code EBH

First Reading Policy Committee: June 15, 2022

Second Reading and Adoption BOSC: June 27, 2022 

Revision History: 1/25/15; 6/8/22

Student and Teacher Information Protection and Privacy

Section 189:67

189:67 Limits on Disclosure of Information. –

I. A school shall, on request, disclose student personally-identifiable data about a student to the parent, foster parent, or legal guardian of the student under the age of 18 or to the eligible student.

II. A school or the department may disclose to a testing entity the student's name or unique pupil identifier, but not both, and birth date for the sole purpose of identifying the test taker. This data shall be destroyed by the testing entity as soon as the testing entity has completed the verification of test takers, shall not be disclosed by the testing entity to any other person, organization, entity or government or any component thereof, other than the district, school or school district, and shall not be used by the testing entity for any other purpose whatsoever, including but not limited to test-data analysis.

III. Neither a school nor the department shall disclose or permit the disclosure of student or teacher personally-identifiable data, the unique pupil identifier, or any other data listed in RSA 189:68, I to any testing entity performing test-data analysis. The testing entity may perform the test analysis but shall not connect such data to other student data.

IV. Except as provided in RSA 193-E:5, or pursuant to a court order signed by a judge, the department shall not disclose student personally-identifiable data in the SLDS or teacher personally-identifiable data in other department data systems to any individual, person, organization, entity, government or component thereof, but may disclose such data to the school district in which the student resides or the teacher is employed.

V. Student personally-identifiable data shall be considered confidential and privileged and shall not be disclosed, directly or indirectly, as a result of administrative or judicial proceedings.

VI. The department shall report quarterly on its website the number of times it disclosed student personally-identifiable data to any person, organization entity or government or a component thereof, other than the student, his or her parents, foster parents or legal guardian and the school district, early childhood program or post-secondary institution in which the student was enrolled at the time of disclosure; the name of the recipient or entity of the disclosure; and the legal basis for the disclosure. Source. 2014, 68:1, eff. July 1, 2014. 2015, 71:3, eff. Aug. 1, 2015.