Idaho Statesman staff report:
The Idaho State Board of Education has approved a policy aimed at protecting public school students’ personal information and data.
The policy, which covers public and charter schools, governs collecting, using and sharing student information.
Read more on Idaho Statesman.
For purposes of the policy, Personally Identifiable Information (PII) includes:
a student’s name; the name of a student’s family; the student’s address; the students’ social security number; a student education unique identification number or biometric record; or other indirect identifiers such as a student’s date of birth, place of birth or mother’s maiden name; and other information that alone or in combination is linked or linkable to a specific student that would allow a reasonable person in the school community who does not have personal knowledge of the relevant circumstances, to identify the student.
The policy includes notification to the state and affected parties in the event of a breach:
School districts and public charter schools shall notify in a timely manner affected
individuals, students, and families if there is a confirmed Data Breach or confirmed
Unauthorized Data Disclosure.
The guts of the policy with respect to usage specifies:
- Publicly released reports shall not include PII and shall use Aggregate Data in such a manner that re-identification of individual students is not possible.
- School district or public charter school contracts with outside vendors involving student data, which govern databases, online services, assessments, special education or instructional supports, shall include the following provisions which are intended to safeguard student privacy and the security of the data:
- Requirement that the vendor agree to comply with all applicable state and federal law;
- Requirement that the vendor have in place Administrative Security, Physical Security, and Logical Security controls to protect from a Data Breach or Unauthorized Data Disclosure;
- Requirement that the vendor restrict access to PII to the authorized staff of the vendor who require such access to perform their assigned duties;
- Prohibition against the vendor’s secondary use of PII including sales, marketing or advertising;
- Requirement for data destruction and an associated timeframe; and
- Penalties for non-compliance with the above provisions.
- School districts and public charter schools shall clearly define what data is determined to be directory information.
- If a school district or public charter school chooses to publish directory information which includes PII, parents must be notified annually in writing and given an opportunity to opt out of the directory. If a parent does not opt out, the release of the information as part of the directory is not a Data Breach or Unauthorized Data Disclosure.