1. Governing Principles
Weber School District (hereafter referred to as the LEA) takes its responsibility to safeguard student data very seriously. This governance plan incorporates the following Generally Accepted Information Principles (GAIP):
Risk: There is risk associated with data and content. The risk must be formally recognized, either as a liability or through incurring costs to manage and reduce the inherent risk.
Due Diligence: If a risk is known, it must be reported. If a risk is possible, it must be confirmed.
Audit: The accuracy of data and content is subject to periodic audit by an independent body.
Accountability: An organization must identify parties which are ultimately responsible for data and content assets.
Liability: The risks in information means there is a financial liability inherent in all data or content that is based on regulatory and ethical misuse or mismanagement.
2. Data Maintenance and Protection Policy
The LEA acknowledges the risks and liabilities associated with maintaining student data and other education-related data, and will implement reasonable data industry best practices to mitigate these risks.
2.1 Process
In accordance with R277-487, the LEA shall do the following:
Designate an individual as an Information Security Officer
Adopt the CIS Controls or comparable
Report to the USBE by October 1 each year regarding the status of the adoption of the CIS controls or comparable and future plans for improvement.
3. Roles and Responsibilities Policy
The LEA acknowledges the need to identify parties who are ultimately responsible and accountable for data and content assets. These individuals and their responsibilities are as follows:
3.1 Data Manager roles and responsibilities
manage the sharing of personally identifiable student data (PISD) outside of the education entity, as described in this section, and obtain authorization for such sharing.
provide necessary technical assistance, training, and support.
serve as the primary local point of contact for the state student data officer.
ensure that the following notices are available to parents:
3.2 Information Security Officer
Oversee adoption of the CIS controls
Provide for necessary technical assistance, training, and support as it relates to IT security
4. Training and Support Policy
The LEA acknowledges that training and supporting educators and staff on federal and state data privacy laws is essential for legal compliance.
4.1 Procedure
The data manager will ensure that all educators with access to student records receive annual training on student data confidentiality, based on the Data Sharing Policy.
The data manager will report the completion status of the annual confidentiality training to USBE by October 1 each year, and provide a copy of the training materials used.
The data manager will maintain a list of all employees who are authorized to access student education records, after they have completed training that meets the requirements of 53E-9-204.
Effective August 1st of each year, all staff with access to student records must complete the Student Data Privacy course and quiz located in TalentEd with a perfect score. A list of those who complete the course and quiz successfully will be submitted to the Weber School District Board of Education.
5. Audit Policy
In accordance with the risk management priorities of the LEA, the LEA will conduct an audit of:
The effectiveness of the controls used to follow this data governance plan; and
Third-party contractors, as permitted by the contract described in 53E-9-309(2).
6. Data Sharing Policy
There is a risk of redisclosure whenever student data are shared. The LEA shall follow appropriate controls to mitigate the risk of redisclosure and to ensure compliance with federal and state law.
6.1 Procedure for App/Website Approval
To request approval for a new app, staff must submit a request through LearnPlatform.
A Review Committee, composed of Directors and DT&L personnel, will assess the app to determine whether it aligns with Weber School District's learning methods and objectives.
If the Review Committee approves the app or website, they will submit it to the Student Data Privacy Manager.
The data manager is responsible for approving all data sharing or designating other trained individuals to do so.
For external research, the data manager must ensure that the study complies with the FERPA study exception described in 34 CFR 99.31(a)(6).
After sharing student data, the data manager must record the exchange in the LEA Metadata Dictionary on LearnPlatform.
Any Data Privacy Agreements must be uploaded to the SDPC Resource Registry.
After sharing from student records, the data manager shall make a note in the student record of the exchange in accordance with 34 CFR 99.32.
7. Expungement Request Policy
The LEA acknowledges the risk of using student data to mistreat students, as this data can follow them year after year. To mitigate this risk, the LEA will review all requests for records expungement from parents and make a determination based on the following procedure.
7.1 Procedure
The following records may not be expunged: grades, transcripts, a record of the student’s enrollment, and assessment information.
The procedure for expungement shall match the record amendment procedure found in 34 CFR 99, Subpart C of FERPA.
If a parent believes that a record is misleading, inaccurate, or in violation of the student’s privacy, they may request that the record be expunged.
The LEA shall decide whether to expunge the data within a reasonable time after the request.
If the LEA decides not to expunge the record, they will inform the parent of their decision as well as the right to an appeal hearing.
The LEA shall hold the hearing within a reasonable time after receiving the request for a hearing.
The LEA shall provide the parent notice of the date, time, and place in advance of the hearing.
The hearing shall be conducted by any individual that does not have a direct interest in the outcome of the hearing.
The LEA shall give the parent a full and fair opportunity to present relevant evidence. At the parents’ expense and choice, they may be represented by an individual of their choice, including an attorney.
The LEA shall make its decision in writing within a reasonable time following the hearing.
The decision must be based exclusively on evidence presented at the hearing and include a summary of the evidence and reasons for the decision.
If the decision is to expunge the record, the LEA will seal it or make it otherwise unavailable to other staff and educators.
8. Data Breach Response Policy
The LEA will implement and maintain CIS v8 and NIST SP 800-122-compliant data security controls to protect personally identifiable information (PII). In the event of a data breach or inadvertent disclosure of PII, the LEA staff will follow the LEA's incident response plan.
8.1 Procedures
The Superintendent will work with the information security officer to designate individuals to be members of the cyber incident response team (CIRT)
At the beginning of an investigation, the information security officer will begin tracking the incident and log all information and evidence related to the investigation.
The information security officer will call the CIRT into action once there is reasonable evidence that an incident or breach has occurred.
The information security officer will coordinate with other IT staff to determine the root cause of the breach and close the breach.
The CIRT will coordinate with legal counsel to determine if the incident is meets the legal definition of a significant breach as defined in R277-487 and determine which entities and individuals need to be notified.
If law enforcement is notified and begins an investigation, the CIRT will consult with them before notifying parents or the public so as to not interfere with the law enforcement investigation.
9. Publication Policy
The LEA recognizes the importance of transparency and will post this policy on the LEA website.
updated 10/17/2024