712 - Technology and Data Security

The Independence Community School District (ICSD) recognizes the increasingly vital role technology plays in society. It is the goal of the district to embrace technology as a resource to further educate our students, and better prepare students for the future. It is the intent of the district to support secure data systems in the district, including security for all personally identifiable information (PII) that is stored digitally on district-maintained devices, computers and networks. Technology also has incredible potential to support increased efficiency, communication and growth through collaboration among administration, students, staff, employees, and volunteers.

However, with this growth opportunity comes increased potential for valuable sensitive data to become public. The district takes seriously its responsibility to protect private data. The purpose of this policy is to ensure the secure use and handling of all district data, computer systems, devices and technology equipment by district students, employees, and data users.

The district supports the use of third-party vendors to perform necessary education functions for the district. Utilizing third party vendors to outsource functions the district would traditionally perform provides a cost-effective means to deliver high quality educational opportunities to all students. However, it is paramount that third party vendors with access to sensitive data and PII of district students, employees and data users be held to the highest standards of data privacy and security.

The selection of third-party vendors shall be in accordance with appropriate law and policy. Third-party vendors with access to PII shall meet all qualifications to be designated as a School Official under the Family Educational Rights and Privacy Act (FERPA). The board shall ensure that any approved contract with a third-party vendor will require that the vendor comply with all applicable state and federal laws, rules, or regulations, regarding the privacy of PII.

It is the responsibility of the superintendent to develop procedures for the district to enhance the security of data and the learning environment. The procedures shall address, but not be limited to, the following topics:

Access Control – Access control governs who may access what information within the district and the way users may access the information. Increased access to secure networks and data will inevitably increase the risk of security compromise to those networks and data. It is the responsibility of the superintendent to develop procedures for determining which individuals will have access to district networks, devices and data; and to what extent such access will be granted. System and network access will be granted based upon a need-to-have requirement, with the least amount of access to data and programs by the user as possible.

Security Management – Security management addresses protections and security measures used to protect digital data. These include measures related to audits and remediation, as well as security plans for responding to, reporting and remediating security incidents. It is the responsibility of the superintendent to develop procedures to govern the secure creation, storage and transmission of any sensitive data and personally identifiable information (PII). The superintendent or designee shall implement network perimeter controls to regulate data moving between trusted internal resources to external entities.

Technology and Data Use Training – Technology and data use training addresses acceptable use best practices to safeguard data for students, employees and staff. It is the responsibility of the superintendent to develop procedures for creating and administering a training program on proper data and technology use. The training shall address the proper use and security of all district owned or controlled technology, devices, media and data. Training should be administered to all district data users during the Fall Staff Professional Development training days or as hired during the academic school year.

In furtherance of this policy, the superintendent or designee shall be responsible for overseeing district-wide data and technology security, to include development of standards and procedures and adherence to the administrative procedures defined in this document.

Legal References: 20 U.S.C. §1232g; 34 C.F.R. Part 99
                                                  47 U.S.C. §254
                                                  20 U.S.C. §6777
                                                  Iowa Code §§ 279.70; 715C

Cross References: 401.13   Staff Technology Use/Social Networking
                                                  506.1     Student Records
                                                  605.4     Technology in the Classroom

Approved 06/17/2019 Reviewed 06/17/2019 Revised __________

dawn.gibson.cm… Fri, 02/19/2021 - 09:49

712R1 - Security Requirements of Third-Party Vendors Regulation

The district must ensure proper safeguards and procedures exist to use third-party vendors as a resource to further educational functions. The following procedures shall be used to investigate and contract only with qualifying third-party vendors for the performance of necessary educational functions of the district; and to ensure that third-party vendors meet the required standards to be designated under the Family Educational Rights and Privacy Act (FERPA) as a School Official to handle personally identifiable information (PII) within the district.

Third-party vendors may be designated by the district as a School Official when the vendor:

Performs an institutional service or function for which the school or district would otherwise use its own employees;
Has met the criteria set forth in the district's annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records;
Is under the direct control of the district regarding the use and maintenance of education records; and
Uses education records only for authorized purposes and may not re-disclose PII from education records to other parties (unless the provider has specific authorization from the district to do so and is otherwise permitted by FERPA).

Third party vendor data use requirements shall include, but not be limited to the following:

The vendor implement and maintain security procedures and practices consistent with current industry standards; and
The vendor be prohibited from collecting and using PII for:
1. Targeted advertising;
2. Amassing a profile about a student or students except in furtherance of educational purposes;
3. Selling or renting PII for any purpose other than those expressly permitted by law; and
4. Disclosing PII for any purposes other than those expressly permitted by law.

dawn.gibson.cm… Fri, 02/19/2021 - 09:51

713 - Responsible Technology Use and Social Networking

Computers, electronic devices and other technology are powerful and valuable education and research tools and, as such, are an important part of the instructional program. In addition, the school district depends upon technology as an integral part of administering and managing the schools’ resources, including the compilation of data and recordkeeping for personnel, students, finances, supplies, and materials. This policy outlines the board’s expectations in regard to these different aspects of the school district’s computer technology resources. Students, staff, and volunteers must conduct themselves in a manner that does not disrupt the educational process and failure to do so may result in discipline, up to and including student discipline under all relevant district policies, and termination for employees.

General Provisions

The superintendent is responsible for designating a Technology Director who will oversee the use of school district technology resources. The Technology Director will prepare in-service programs for the training and development of school district staff and relevant volunteers in technology skills, appropriate use of district technology, and for the incorporation of technology use in subject areas.

The superintendent, working with appropriate staff, shall establish regulations governing the use and security of the school district’s technology resources. The school district will make every reasonable effort to maintain the security of the district networks and devices. All users of the school district’s technology resources, including students, staff and volunteers, shall comply with this policy and regulation, as well as others impacting the use of school equipment and facilities. Failure to comply may result in disciplinary action, up to and including termination, or expulsion as well as suspension and/or revocation of technology access privileges.

Usage of the school district’s technology resources is a privilege, not a right, and that use entails responsibility. District-owned technology and district maintained Internet-based collaboration software, social media, and e-mail accounts are the property of the school district. Therefore, users of the school district’s network must not expect, nor does the school district guarantee, privacy for use of the school district’s network including web sites visited. The school district reserves the right to access and view any material stored on school district equipment, within district-owned software, or any material used or accessed in conjunction with the school district’s network.

The superintendent, working with the appropriate staff, shall establish procedures governing management of technology records in order to exercise appropriate control over technology records, including financial, personnel and student information. The procedures will address at a minimum:

passwords,
system administration,
separation of duties,
remote access,
data back-up (including archiving of e-mail),
record retention, and
disaster recovery plans.

Social Networking or Other External Web Sites

For purposes of this policy any website, other than the school district web site or school-school district sanctioned web sites, are considered external web sites. Employees and volunteers shall not post confidential or proprietary information, including photographic images, about the school district, its employees, students, agents, or others on any external web site without prior written consent of the superintendent. Employees and volunteers shall adhere to all applicable privacy and confidentiality policies adopted by the school district when on external web sites. Employees, students and volunteers shall not use the school district logos, images, iconography, etc. on external web sites unless authorized in advance by school administration. Employees, students and volunteers need to realize that the internet is not a closed system and anything posted on an external site may be viewed by others. Employees, students and volunteers who don’t want school administrators to know their personal information, should refrain from sharing it on the internet. Employees and volunteers should not connect with students via external web sites without consent of the building level administrator.

Employees and volunteers who wish to connect with students through an Internet-based software application that is not District-approved must first obtain the prior written consent of the building administrator. At all times, no less than two licensed employees must have access to all accounts and interactions on the software application. Employees and volunteers who would like to start a social media site for school district sanctioned activities, should obtain prior written consent from the superintendent.

It is the responsibility of the superintendent to develop administrative regulations implementing this policy.

Legal Reference: Iowa Code § 279.8.

282 I.A.C. 25, 26.

Cross Reference: 106 Anti-Bullying/Harassment

307 Administrator Code of Ethics

401.01 Employee Orientation

407 Licensed Employee Termination of Employment

413 Classified Employee Termination of Employment

605 Instructional Materials

Approved: 03/18/2024

Reviewed:

Revised:

lschaul@indeek12.org Tue, 03/19/2024 - 11:17