EHAB – Data Governance and Security

To accomplish the ConVal School District’s mission and comply with the law, the District must collect, create and store information. Accurately maintaining and protecting this data is important for efficient District operations, compliance with laws mandating confidentiality, and maintaining the trust of the District’s stakeholders. All persons who have access to District data are required to follow state and federal law, District policies and procedures, and other rules created to protect the information.

A. Definitions

Confidential Data/Information – Information that the District is prohibited by law, policy or contract from disclosing or that the District may disclose only in limited circumstances. Confidential data includes, but is not limited to, personally identifiable information regarding students and employees.

Critical Data/Information – Information that is determined to be essential to District operations and that must be accurately and securely maintained to avoid disruption to District operations. Critical data is not necessarily confidential.

B. Data and Privacy Governance Plan – Administrative Procedures

  1. Data Governance Plan. The Superintendent, in consultation with the District Information Security Officer (“ISO”) (see paragraph C, below) shall create a Data and Privacy Governance Plan (“Data Governance Plan”), to be presented to the Board no later than June 30, 2019. Thereafter, the Superintendent, in consultation with the ISO, shall update the Data Governance Plan for presentation to the Board no later than June 30 each year.

The Data Governance Plan shall include:

(a)  An inventory of all software applications, digital tools, and extensions.  The inventory shall include users of the applications, the provider, purpose, publisher, privacy statement, and terms of use;

(b)  A review of all software applications, digital tools, and extensions and an assurance that they meet or exceed minimum standards set by the New Hampshire Department of Education;

(c)  Policies and procedures for access to data and protection of privacy for students and staff including acceptable use policy for applications, digital tools, and extensions used on District hardware, server(s) or through the District network(s);

(d)  A response plan for any breach of information; and

(e)  A requirement for a service provider to meet or exceed standards for data protection and privacy.

  1. Policies and Administrative Procedures. The Superintendent, in consultation with the ISO, is directed to review, modify and recommend (policies) create (administrative procedures), where necessary, relative to collecting, securing, and correctly disposing of District data (including, but not limited to Confidential and Critical Data/Information, and as otherwise necessary to implement this policy and the Data Governance Plan. Such policies and/or procedures will may or may not be included in the annual Data Governance Plan.

C. Information Security Officer

The Superintendent or her/his designee is hereby designated as the District’s Information Security Officer (ISO). The ISO is responsible for implementing and enforcing the District’s security policies and administrative procedures applicable to digital and other electronic data, and suggesting changes to these policies, the Data Governance Plan, and procedures to better protect the confidentiality and security of District data. The ISO will work with the both District and building level administrators and Data managers (paragraph E, below) to advocate for resources, including training, to best secure the District’s data.

The Superintendent will also designate an alternate ISO, who will assume the responsibilities of the ISO when the ISO is not available.

D. Responsibility and Data Stewardship

All District employees, volunteers, contractors, and agents are responsible for accurately collecting, maintaining and securing District data including, but not limited to, Confidential and/or Critical Data/Information.

E. Data Managers

All District administrators are data managers for all data collected, maintained, used, and disseminated under their supervision, as well as data they have been assigned to manage in the District’s data inventory. Data managers will monitor employee access to the information to ensure that confidential information is accessed only by employees who need the information to provide services to the District and that confidential and critical information is modified only by authorized employees. Data managers will assist the ISO in enforcing District policies and procedures regarding data management.

F. Confidential and Critical Information

The District will collect, create, or store confidential information only when the Superintendent or designee determines it is necessary, and in accordance with applicable law. The District will provide access to confidential information to appropriately trained District employees and volunteers only when the District determines that such access is necessary for the performance of their duties. The District will disclose confidential information only to authorized District contractors or agents who need access to the information to provide services to the District and who agree not to disclose the information to any other party except as allowed by law and authorized by the District.

District employees, volunteers, contractors, and agents will notify the ISO or designee immediately if there is reason to believe confidential information has been disclosed to an unauthorized person or any information has been compromised, whether intentionally or otherwise. The ISO or designee will investigate immediately and take any action necessary to secure the information, issue all required legal notices and prevent future incidents. When necessary, the Superintendent, ISO or designee is authorized to secure resources to assist the District in promptly and appropriately addressing a security breach.

Likewise, the District will take steps to ensure that critical information is secure and is not inappropriately altered, deleted, destroyed, or rendered inaccessible. Access to critical information will only be provided to authorized individuals in a manner that keeps the information secure.

All District staff, volunteers, contractors, and agents who are granted access to critical or confidential information/data are required to keep the information secure and are prohibited from disclosing or assisting in the unauthorized disclosure of such confidential or critical data/information.  All individuals using confidential and critical data/information will strictly observe all administrative procedures, policies and other protections put into place by the District including, but not limited to, maintaining information in locked rooms or drawers, limiting access to electronic files, updating and maintaining the confidentiality of password protections, encrypting and redacting information, and disposing of information no longer needed in a confidential and secure manner.

G. Using Online Services and Applications

District staff members are encouraged to research and utilize online services or applications to engage students and further the District’s education mission. District employees, however, are prohibited from installing or using applications, programs or other software, or online system/website, that either stores, collects or shares confidential or critical data/information, until the ISO approves the vendor and the software or service used.  Before approving the use or purchase of any such software or online service, the ISO or designee shall verify that it meets the requirements of the law, Board policy, and the Data Governance Plan, and that it appropriately protects confidential and critical data/information. This prior approval is also required whether or not the software or online service is obtained or used without charge.

H. Training

The ISO will provide appropriate training to employees who have access to confidential or critical information to prevent unauthorized disclosures or breaches in security. All school employees will receive annual training in the confidentiality of student records, and the requirements of this policy and related procedures and rules.

I. Data Retention and Deletion

The ISO or designee shall establish a retention schedule for the regular archiving and deletion of data stored on District technology resources. The retention schedule should comply with, and be incorporated [by reference] into the data/record retention schedule established under Policy EHB and administrative procedure EHB-R, including but not limited to, provisions relating to Litigation and Right to Know holds as described in Policy [EHB].

J. Consequences

Employees who fail to follow the law or District policies or procedures regarding data governance and security (including failing to report) may be disciplined, up to and including termination. Volunteers may be excluded from providing services to the District. The District will end business relationships with any volunteer, contractor, or agent who fails to follow the law, District policies or procedures, or the confidentiality provisions of any contract. In addition, the District reserves the right to seek all other legal remedies, including criminal and civil action and seeking suspension or revocation of an employee’s teaching certificate.

The District may suspend all access to data or use of District technology resources pending an investigation. Violations may result in temporary, long-term or permanent suspension of user privileges.  The District will cooperate with law enforcement in investigating any unlawful actions. The Superintendent or designee has the authority to sign any criminal complaint on behalf of the District.

Any attempted violation of District policies, procedures, or other rules will result in the same consequences, regardless of the success of the attempt.

Legal References:

15 U.S.C. §§ 6501-6506 * Children’s Online Privacy Protection Act (COPPA)
20 U.S.C. § 1232g * Family Educational Rights and Privacy Act (FERPA)
20 U.S.C. § 1232h * Protection of Pupil Rights Amendment (PPRA)
20 U.S.C. § 1400-1417 * Individuals with Disabilities Education Act (IDEA)
20 U.S.C. § 7926 * Elementary and Secondary Education Act (ESSA)
RSA 189:65 * Definitions
RSA 186:66 * Student Information Protection and Privacy
RSA 189:67 * Limits on Disclosure of Information
RSA 189:68 * Student Privacy
RSA 189:68-a * Student Online Personal Information
RSA 359-C:19-21 * Right to Privacy/Notice of Security Breach

Category:  Priority/Required by Law

First Read:  December  19, 2019
Second Read:  January 7, 2020
Adopted:  January 7, 2020

Reviewed: August 16, 2022