MODEL STUDENT DATA PRIVACY AND SECURITY POLICY
Drafted by the Data Management Council and adopted by the Idaho State Board of Education
Effective August 14, 2014
The efficient collection, analysis, and storage of student information is essential to improve the education of our students. As the use of student data has increased and technology has advanced, the need to exercise care in the handling of confidential student information has intensified. The privacy of students and the use of confidential student information is protected by federal and state laws, including the Family Educational Rights and Privacy Act (FERPA) and the Idaho Student Data Accessibility, Transparency and Accountability Act of 2014 (Idaho Data Accountability Act).
Student information is compiled and used to evaluate and improve Idaho's educational system and improve transitions from high school to postsecondary education or the workforce. The Data Management Council (DMC) was established by the Idaho State Board of Education to make recommendations on the proper collection, protection, storage and use of confidential student information stored within the Statewide Longitudinal Data System (SLDS). The DMC includes representatives from K-12, higher education institutions and the Department of Labor.1
This model policy is required by the Idaho Data Accountability Act. In order to ensure the proper protection of confidential student information, each school district and public charter school shall adopt, implement and electronically post this policy. It is intended to provide guidance regarding the collection, access, security and use of education data to protect student privacy. This policy is consistent with the DMC's policies regarding the access, security and use of data maintained within the SLDS.2 Violation of the Idaho Data Accountability Act may result in civil penalties.3
Administrative Security consists of policies, procedures, and personnel controls including security policies, training, and audits, technical training, supervision, separation of duties, rotation of duties, recruiting and termination procedures, user access control, background checks, performance evaluations, and disaster recovery, contingency, and emergency plans. These measures ensure that authorized users know and understand how to properly use the system in order to maintain security of data.
Aggregate Data is collected or reported at a group, cohort or institutional level and does not contain Pll.
Data Breach is the unauthorized acquisition of Pll.
1 Data Mana gement Council
2 Data Mana gement Council Policies and Procedure s
3 Idaho Code Title 33. Section 1 33
Logical Security consists of software safeguards for an organization's systems, including user identification and password access, authenticating, access rights and authority levels. These measures ensure that only authorized users are able to perform actions or access information in a network or a workstation.
Personally Identifiable Information (Pll) includes: a student's name; the name of a student's family; the student's address; the students' social security number; a student education unique identification number or biometric record; or other indirect identifiers such as a student's date of birth, place of birth or mother's maiden name; and other information that alone or in combination is linked or linkable to a specific student that would allow a reasonable person in the school community who does not have personal knowledge of the relevant circumstances, to identify the student.
Physical Security describes security measures designed to deny unauthorized access to facilities or equipment.
Student Data means data collected at the student level and included in a student's educational records.
Unauthorized Data Disclosure is the intentional or unintentional release of Pll to an unauthorized person or untrusted environment.
Idaho Student Data Accessibility, Transparency and Accountability Act of 2014, Idaho Code Title 33, Section 133