Student Data Privacy and Security

Data Protection Officer: Mr. Christopher Forget (631) 583-5626

• FERPA Annual Notification
• FERPA Opt-Out Form
• Directory Information Policy
• Parent's Bill of Rights For Data Privacy and Security
• Data Privacy and Security Plan

To report a possible data breach, please call (631) 583-5626 or complete and submit the form at the following link: Click Here

FERPA ANNUAL NOTIFICATION

(Sent home in September’s “Woodhull Flyer”)

The Family Educational Rights and Privacy Act or FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records and applies to all schools that receive funds under an applicable program of the U.S. Department of Education. The law gives parents certain rights which transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students." Among these rights are that: 

• Parents or eligible students have the right to inspect and review the student's education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.
  
• Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.
  
• Generally, schools must have written permission from the parent or eligible student in order to release any personally identifying information (PII)  from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
  • School officials with legitimate educational interest;
    
  • Other schools to which a student is transferring;
    
  • Specified officials for audit or evaluation purposes;
    
  • Appropriate parties in connection with financial aid to a student;
    
  • Organizations conducting certain studies for or on behalf of the school;
    
  • Accrediting organizations;
    
  • To comply with a judicial order or lawfully issued subpoena;
    
  • Appropriate officials in cases of health and safety emergencies; and
    
  • State and local authorities, within a juvenile justice system, pursuant to specific State law.

FERPA OPT-OUT FORM

 

DIRECTORY INFORMATION POLICY

Schools may disclose, without prior consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance, unless objection is submitted in writing by parents or legal guardians, or by those students themselves who are 18 years of age and older, to the Superintendent of Schools, Travis Davey, by September 15th of the current school year. Failure to make such a request shall be deemed consent to release, provide, or publish the directory information during the school year. 

Fire Island School District herewith gives notice of intention to provide, release or publish in the Fire Island School District newsletter, website, social media accounts, school or student newspapers, magazines, yearbooks or other publications, daily or weekly newspapers, athletic programs, musical or theatrical programs and news releases, video any and/or all of the following information pertaining to students as may be appropriate under the circumstances: 

• name of student
  
• names of parents
  
• address
  
• age
  
• height
  
• weight
  
• grade
  
• photograph
  
• major field of study
  
• participation in recognized school activities
  
• extracurricular activities and sports programs
  
• academic honors
  
• achievements
  
• awards
  
• scholarships
  
• and similar information

PARENTS' BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY

The Fire Island Union Free School District is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, the District informs the school community of the following: 

1. A student's personally identifiable information cannot be sold or released for any commercial purposes. 
   
2. Parents have the right to inspect and review the complete contents of their child's education record. 
   
3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred. 
   
4. A complete list of all student data elements collected by New York State is available for public review at the following website http://www.nysed.gov/student-data-privacy/student-data- inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 89 Washington Avenue, Albany, New York 12234. 
   
5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints may be addressed in writing to the Superintendent of Schools. should be directed in writing to Privacy Complaint, Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, New York 12234. Complaints may also be submitted using the form available at the following website http://www.nysed.gov/student-data-privacy/form/report-improper-disclosure. 

APPENDIX

Supplemental Information Regarding Third-Party Contractors

In the course of complying with its obligations under the law and providing educational services to District residents, the Fire Island Union Free School District has entered into agreements with certain third-party contractors. Pursuant to these agreements, third-party contractors may have access to "student data" and/or "teacher or principal data," as those terms are defined by law and regulation. 

For each contract or other written agreement that the District enters into with a third-party contractor where the third-party contractor receives student data or teacher or principal data from the District, the following supplemental information will be included with this Bill of Rights: 

1. The exclusive purposes for which the student data or teacher or principal data will be used by the third-party contractor, as defined in the contract; 
   
2. How the third-party contractor will ensure that the subcontractors, or other authorized persons or entities to whom the third-party contractor will disclose the student data or teacher or principal data, if any, will abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable laws and regulations (e.g., FERPA; Education Law Section 2-d); 
   
3. The duration of the contract, including the contract’s expiration date, and a description of what will happen to the student data or teacher or principal data upon expiration of the contract or other written agreement (e.g., whether, when, and in what format it will be returned to the District, and/or whether, when, and how the data will be destroyed); 
   
4. If and how a parent, student, eligible student, teacher, or principal may challenge the accuracy of the student data or teacher or principal data that is collected; 
   
5. Where the student data or teacher or principal data will be stored, described in a manner as to protect data security, and the security protections taken to ensure the data will be protected and data privacy and security risks mitigated; and 
   
6. Address how the data will be protected using encryption while in motion and at rest. 
   

Below are the 3rd parties which currently handle any Fire Island student or staff PII, along with the Ed Law 2d Riders supplementing their current privacy policies:

• Aimsweb
  
• BrainPOP
  
• Buncee
  
• eSchoolData
  
• Finance Manager
  
• Frontline IEP – Direct
  
• Learning A-Z
  
• Nearpod
  
• Newsela
  
• Remind
  
• SmartMusic
  
• Starfall
  
• Studies Weekly
  
• Syntax

FIRE ISLAND UFSD DATA PRIVACY AND SECURITY PLAN

I. Purpose

This policy addresses Fire Island Union Free School District’s (FISD) responsibility to adopt appropriate administrative, technical and physical safeguards and controls to protect and maintain the confidentiality, integrity and availability of its data, data systems and information technology resources. 

II. Policy Statement

It is the responsibility of FISD: 

1. to comply with legal and regulatory requirements governing the collection, retention, dissemination, protection, and destruction of information; 
   
2. to maintain a comprehensive Data Privacy and Security Program designed to satisfy its statutory and regulatory obligations, enable and assure core services, and fully support the Department’s mission; 
   
3. to protect personally identifiable information, and sensitive and confidential information from unauthorized use or disclosure; 
   
4. to address the adherence of its vendors with federal, state and SED requirements in its vendor agreements; and 
   
5. to communicate its required data security and privacy responsibilities to its users, and train its users to share a measure of responsibility for protecting FISD’s data and data systems. 

III. Standard

FISD will utilize the National Institute of Standards and Technology’s Cybersecurity Framework v1.1 (NIST CSF or Framework) as the standard for its Data Privacy and Security Program. 

IV. Scope

The policy applies to FISD employees, interns, volunteers, and consultants, and third-parties who receive or have access to FISD’s data and/or data systems (“Users”). 
 
This policy encompasses all systems, automated and manual, including systems managed or hosted by third parties on behalf of FISD and it addresses all information, regardless of the form or format, which is created or used in support of the activities of FISD. 
 
This policy shall be published on the FISD website and notice of its existence shall be provided to all Users. 

V. Compliance

The district superintendent is responsible for the compliance of the programs and offices with this policy, related policies, and their applicable standards, guidelines and procedures. Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented, and program offices will be directed to adopt corrective practices, as applicable. 

VI. Oversight

FISD’s Data Privacy Officer (DPO) shall regularly report to the Superintendent on data privacy and security activities, the number and disposition of reported breaches, if any, and a summary of any complaints submitted pursuant to Education Law §2-d. 

VII. Data Privacy

1. Laws such as the Family Educational Rights Privacy Act (FERPA), NYS Education Law §2-d and other state or federal laws establish baseline parameters for what is permissible when sharing student PII. 
   
2. Data protected by law must only be used in accordance with law and regulation and FISD policies to ensure it is protected from unauthorized use and/or disclosure. 
   
3. FISD has appointed a Data Protection Officer (DPO) to manage its use of data protected by law. The DPO will determine whether a proposed use of personally identifiable information would benefit students and educational agencies, and to ensure that personally identifiable information is not included in public reports or other public documents, or otherwise publicly disclosed; 
   
4. No student data shall be shared with third parties without a written agreement that complies with state and federal laws and regulations. No student data will be provided to third parties unless it is permitted by state and federal laws and regulations. Third-party contracts must include provisions required by state and federal laws and regulation. 
   
5. The identity of all individuals requesting personally identifiable information, even where they claim to be a parent or eligible student or the data subject, must be authenticated in accordance with FISD procedures. 
   
6. It is FISD’s policy to provide all protections afforded to parents and persons in parental relationships, or students where applicable, required under the Family Educational Rights and Privacy Act, the Individuals with Disabilities Education Act, and the federal regulations implementing such statutes. Therefore, FISD shall ensure that its contracts require that the confidentiality of student data or teacher or principal APPR data be maintained in accordance with federal and state law and this policy. 
   
7. Contracts with third parties that will receive or have access to personally identifiable information must include a Data Privacy and Security Plan that outlines how the contractor will ensure the confidentiality of data is maintained in accordance with state and federal laws and regulations and this policy. 

VIII. Incident Response and Notification

The District will respond to data privacy and security incidents in accordance with its Incident Response Guidelines. The incident response process will determine if there is a breach. All breaches must be reported to the DPO. For purposes of this policy, a breach means the unauthorized acquisition, access, use, or disclosure of student, teacher or principal PII as defined by Education law §2-d, or any SED sensitive or confidential data or a data system that stores that data, by or to a person not authorized to acquire, access, use, or receive the data. 
 
FISD will comply with legal requirements that pertain to the notification of individuals affected by a breach or unauthorized disclosure of personally identifiable information.

IX. Acceptable Use Policy, User Account Password Policy

1. Users must comply with FISD’s Information Security Guidelines, which outlines the responsibilities of all users of FISD information systems to maintain the security of the systems and to safeguard the confidentiality of FISD information. 
   
2. Users must comply with the FISD Acceptable Use Agreement in using District resources. Access privileges will be granted in accordance with the user’s job/role responsibilities and will be limited only to those necessary to accomplish assigned tasks in accordance with FISD’s mission and business functions. 
   
3. Users must comply with the User Account Password Guidelines. 
   
4. All remote connections must be made through managed points-of-entry in accordance with the Data Privacy and Security Guidelines for Remote Work. 

X. Training

FISD Users must annually complete FISD’s information privacy and security training.