Student Information Privacy Notice
The South Central Regional Information Center (SCRIC) is fully committed to protecting the confidentiality of student information under our stewardship. This Privacy Notice explains how we collect, share, use, and protect the student information within the systems and services that we manage on behalf of school districts.
Why do we collect student information?
Student data is collected and used by the SCRIC for the sole purpose of supporting the specific services for which school districts contract with us. These services include the management of student information systems, special education systems, cafeteria systems, New York State Education Department (NYSED) reporting systems, data dashboard services, student email and collaboration systems and other systems that may store or transmit student information. These systems are necessary in order for districts to manage the day-to-day operations of their schools and comply with New York State reporting requirements.
The SCRIC provides services to a consortium of 50 public school districts and their associated BOCES centers in Broome, Tioga, Delaware, Chenango, Madison, Otsego, Schoharie and Greene counties of New York State. Although less common, some school districts outside this region and some non-public school district entities also cross-contract for SCRIC services.
Can the SCRIC provide access to student data?
Although student information often resides on systems that are managed and may be physically located at the SCRIC, all student data housed within these systems belongs to the respective school districts.
The SCRIC will not release or provide access to student data to parents, students or other outside parties, including vendors or other unauthorized agencies, without the express written consent of the school district that is responsible for the data. Requests for student information or access received by the SCRIC from unauthorized parties will be referred to the respective school district for authorization using the Third Party Data Authorization Process.
If, for any reason, the SCRIC intends to use student information in a manner different from that stated at the time of collection, we will notify the school district and school administration will have a choice as to whether or not the SCRIC can use student information in such a way.
If students or parents wish to review, update or correct student information, they should follow the policies and procedures of their local school district.
What student information is collected?
Only student information relevant and necessary to the services that school districts purchase from the SCRIC is collected. No other student information is collected. The specific information that is collected varies from one service to another and includes Personally Identifiable Information (PII). PII is data that identifies a specific student, can be used to distinguish one student from another or be used in combination with other information to identify the student.
PII includes, but is not limited to, a student’s name, address, social security number, email, unique school identification number, grades, locker combination, student photos, individualized education programs (IEPs), biometric records, medical records, date of birth, place of birth, driver license numbers, bank account numbers, mother’s maiden name and any access codes or passwords that permit access to personal records.
How is student information secured?
The SCRIC is committed to protecting the personally identifiable information of students and maintaining its accuracy. The SCRIC implements physical, administrative, and technical safeguards to protect student information from unauthorized access, use and disclosure. Measures for protecting data include, but are not limited to:
Password protection and authentication to establish the identity of all persons accessing systems housing student data and at the appropriate level of authority.
Stringent account provisioning and deprovisioning and authorization procedures.
Encrypted transmission of student data.
Secured file structures limiting student information access to only authorized employees.
Badge-protected access to all facilities that house electronic systems that may contain student data and hardcopy student records.
Privacy requirements incorporated into all contracts with vendors and consultants who come into contact with student data.
Anti-virus, filtering and anti-malware services, and established monthly security patches applied to all servers and systems.
Annual privacy risk assessment and review of security and privacy controls.
The SCRIC also regularly promotes awareness of student data security and privacy issues and trains staff on security and privacy standards. This includes an annual mandatory training session for all RIC staff and managers regarding security and privacy policies, guidelines and practices.
How is student information retained and disposed of?
Student data is retained for no longer than necessary to fulfill the purposes for which it was collected or as required by law. Student data, whether in electronic or hard copy form, will be deleted by SCRIC personnel who have proper authorization from the school district to do so. Once authorized, SCRIC staff will ensure that data is anonymized, disposed of or destroyed in a manner that prevents loss, theft, misuse or unauthorized access.
The SCRIC adheres to New York State’s ED-1 Records Retention and Disposition Schedule which establishes minimum periods of time that records must be retained. Additionally, the SCRIC may not dispose of student data that is reported to the New York State Student Information Repository System (SIRS). While the SIRS reporting process allows for records to be deleted in the regional, Level 1–Data Warehouse that are in error, New York State takes possession of this data after it is reported to the Level 2–Data Warehouse. At that time, reported student information becomes subject to New York State’s privacy policies.
Who else besides the school and the RIC has access to student information?
Sometimes individuals and organizations outside the schools and the SCRIC, such as software support teams and technical consultants, have access to student data by the nature of the work they do. For some SCRIC services, student information is physically hosted off-site of the schools and the SCRIC within the secured systems of service providers.
In these cases, the SCRIC requires stringent contractual obligations for security and privacy of student data in compliance with the New York State Common Core Implementation Reform Act of March, 2014. Contracts with these providers include the following stipulations:
Student information will be used solely for the purpose defined in the contract and related directly to supporting SCRIC services.
Student information will not be shared with any other entity or individual without the express permission of the SCRIC (if authorized by the school district) unless required by statute or a court order.
Upon the expiration of the contract, the third party service provider will delete any electronic student data in its possession, will return any non-electronic documents containing student data that it has in its possession and will notify the SCRIC when the data has been deleted or disposed of.
Student information will be corrected upon request by the SCRIC (if authorized by the school district) and the SCRIC will be notified when the data has been corrected.
All Federal and State laws and regulations governing security and privacy of student information must be abided by.
A description of the physical location of student information in the service provider’s possession must be provided, as well as a description of the administrative, technical and physical safeguards utilized to assure the privacy and security of student information in their possession and when transmitted.
Communication with the SCRIC in no less than 24 hours of any data breach or in the event that student information is requested by legal authorities.
The service provider must comply with the Broome-Tioga BOCES Parents’ Bill of Rights for Data Privacy and Security, as required by New York State Education Law Section 2-d.
Access to student data within the third party service provider is limited to those individuals that need such records or data to perform the services set forth in this contract.
Employees of the third party service provider who have access to student data have received or will receive training on the federal and state laws governing security and privacy of such data prior to receiving access to it.
How is the quality of student information managed?
School districts are solely responsible for the accuracy of the student data that their employees enter into and utilize within systems covered under SCRIC services.
New York State has defined a multi-level process for exporting student data to the New York State Education Department Student Information Repository System (SIRS database). The first step in this process is to import data to Level 0 of the system, resolve any errors that result and validate the accuracy of this data.
For districts that participate in the SCRIC’s Managed Data Service, the SCRIC takes an active role working with school district staff to correct errors during the Level 0 process. Although the SCRIC offers error correction assistance, school district staff is responsible for making all changes to student data. SCRIC staff will only make such changes if written authorization is provided by the school district.
Is student data security and privacy monitored and enforced?
The SCRIC monitors its privacy policies and practices, including this Privacy Notice, to ensure compliance with the most recent state and federal laws and has been audited to ensure compliance with the requirements set forth in the Service Organization Control (SOC) 2 security and privacy principles and criteria. Information describing the SOC 2 principles and criteria is available from the American Institute of CPAs at: http://www.aicpa.org
The SCRIC also self-monitors to ensure that internal security and privacy processes and procedures meet the requirements described in this Notice. This includes formalized processes for the regular assessment of risks and regular review of security and privacy procedures and documents.
What choices do students and parents have regarding the collection and use of student information?
All choices available to students and parents regarding the collection, use and disclosure of student information are governed by the policies and procedures of each student’s respective school district and are outside the jurisdiction of the SCRIC. All requests received by the SCRIC to opt-out or limit data collection, data use and information disclosure for a specific student will be referred to the school district of that student.
What if I have a complaint or dispute?
Inquiries, complaints, disputes or Freedom of Information requests concerning specific student data should be directed to the local school district(s) responsible for the student information.
If you have an inquiry, complaint, or dispute specific to the SCRIC’s privacy policies or practices, please allow thirty (30) days for us to document and respond to your request. All documented inquiries, complaints and disputes will be collected and reviewed by the SCRIC Security and Privacy Committee to determine whether appropriate actions were followed and to assess if changes to procedures and/or policies should be implemented to further improve SCRIC services. All submissions will be documented and cataloged and an appropriate response will be provided.
Please send all inquiries, complaints or dispute information to:
Dan Myers
Acting SCRIC Chief Privacy Officer
What if there is a data security breach?
If there is an accidental or an intrusive data security breach, the SCRIC will adhere to the SCRIC Student Data Breach Protocol. Employees who become aware of a suspected or actual security breach must report the matter immediately as follows:
School district employees: Contact your superintendent’s office immediately.
SCRIC staff: Contact your manager immediately.
How will changes to the SCRIC’s privacy policies and procedures be communicated?
When we need to update this Notice or modify it in a way that does not impact our usage of student information, we will post a notice for 30 days on the SCRIC’s website.
If we are going to use student information in a manner different from that stated at the time of collection, we will directly notify the school district responsible for the information and the district will have a choice as to whether or not the SCRIC can use the information in such a way.
How is student information privacy governed?
The Student Data Security and Privacy Committee is a standing committee providing strategic guidance and oversight for the RIC’s information security and privacy efforts. The role of the Committee is to infuse the SCRIC’s Security and Privacy Principles into the operations of the RIC by setting policy, establishing authorities and implementing accountability as described in the Student Data Security and Privacy Committee Charter.
Membership includes both internal and external stakeholders who, by virtue of their role, have responsibility for student information security and/or privacy. Members include:
A Broome-Tioga BOCES Board member
A BOCES district superintendent
Three school superintendents
One attorney specializing in education law
One RIC management representative
The SCRIC Chief Privacy Officer
SCRIC Security and Privacy Principles
Every RIC staff member is obligated to serve as a steward of data and information held by the RIC and to protect the security and privacy of information and information technology systems. The Security and Privacy Principles below provide the guiding framework for decision making and management of security and privacy at the SCRIC.
Confidentiality – Only authorized individuals will have access to information.
Quality – Information must be reliable and accurate.
Availability – Information must be available when it is needed.
Responsibility – Accountability for the security and privacy of information must be clearly defined within the RIC.
Awareness – RIC staff members and users of RIC services must be made aware of standards, expectations and policies adopted by the RIC for protecting the security and privacy of information.
Ethics – The management of security and privacy and the use of information must always be handled in an ethical manner.
Proportionality – Security and privacy safeguards must be proportionate to the risks.
Integration – Security and privacy standards are integrated into the processes of the SCRIC consistently and within a framework of established safeguards.
Responsiveness – RIC teams must respond in a timely and coordinated manner to prevent and effectively react to security and privacy breaches and threats.
Evaluation – Security and privacy risks, controls and standards must be regularly reviewed and continuously improved.
Fairness – The rights and dignity of individuals will be preserved while carrying out security and privacy goals.
Transparency – Schools and individuals are informed about how their information will be used, disclosed and retained.
Consent – The RIC will obtain consent, or allow for schools and individuals to opt out of the collection, use, disclosure and retention of information.
Relevance – The RIC will only collect information that is relevant and required to support school services or the purposes identified.
Retention – The RIC will keep information only as long as required and will always dispose of all information in a manner that maintains confidentiality.
Disclosure – Disclosure of information to third parties is strictly limited and only as approved by authorized school district staff.
Access – The RIC will always allow school districts and those that they authorize to access their data.
Openness – The RIC is open to suggestions, complaints and disputes regarding privacy and security and maintains procedures for redress of grievances.