Data Security and Privacy Policy

1. Purpose

This policy outlines SchoolParency’s responsibility to adopt appropriate technical and organizational security safeguards and controls to protect and maintain the confidentiality, integrity, and availability of Student, Teacher, and Principal data and any other Personally Identifiable Information we process in line with our service provision.

2. Policy Statement

It is the responsibility of SchoolParency to:

  1. comply with legal and regulatory requirements governing the collection, retention, dissemination, protection, and destruction of information;
  2. maintain comprehensive security measures designed to satisfy its statutory and regulatory obligations, enable and assure core services, and fully support the NYS Education Department’s mission;
  3. protect personally identifiable information and sensitive and confidential information from unauthorized use or disclosure;
  4. address the adherence of its vendors with federal, state, and SchoolParency requirements in its vendor agreements; and
  5. communicate its required data security and privacy responsibilities to its Users and train its Users to share a measure of responsibility for protecting SchoolParency data and systems integrity.

3. Standards

SchoolParency will utilize the National Institute of Standards and Technology’s Cybersecurity Framework v 1.1 (NIST CSF or Framework) as the standard for its Data Privacy and Security Program.

4. Scope

The policy applies to SchoolParency personnel, consultants, and third parties who receive or have access to SchoolParency’s data and/or data systems (“Users”).

This policy encompasses all systems, automated and manual, including systems managed or hosted by third parties on behalf of SchoolParency. It addresses all information, regardless of the form or format, which is created or used in support of the activities of SchoolParency.

This policy shall be published on the SchoolParency website, and a notice of its existence shall be provided to all Users.

5. Compliance

SchoolParency Co-founders Eddie Jimenez and Peter Ostrander are responsible for the compliance of their programs and services with this policy, related policies, and their applicable standards, guidelines, and procedures. Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented, and personnel will be directed to adopt corrective practices, as applicable.

6. Oversight

SchoolParency Co-founders Eddie Jimenez and Peter Ostrander shall be ultimately responsible for overseeing privacy and security activities across the business. A record of reported breaches will be held by the business, including the number and disposition of any and all reported breaches. This will include a summary of any complaints and any and all remedies taken to mitigate the breach submitted pursuant to Education Law §2-d.

7. Data Privacy

  1. Laws such as the Family Educational Rights and Privacy Act (FERPA), NYS Education Law §2-d, COPPA, and other state or federal laws establish baseline parameters for what is permissible when sharing student PII. SchoolParency takes direct instruction from these laws and regulations and embeds them in our business practices.
  2. Data protected by law must only be used in accordance with law, regulation, and SchoolParency Privacy Policies to ensure it is protected from unauthorized use and/or disclosure.
  3. SchoolParency always first determines whether a proposed use of personally identifiable information would benefit students and educational agencies before processing, and ensures that personally identifiable information is not included in public reports or other public documents, or otherwise publicly disclosed.
  4. No student data shall be shared with third parties without a written agreement that complies with state and federal laws and regulations or permissible by law. Third-party contracts must include data protection provisions required by state and federal laws and regulations. No student data will be shared with third parties without a parent or guardian’s explicit consent in any event.
  5. The identity of any or all individuals requesting personally identifiable information, even where they claim to be a parent or eligible student or the data subject, will be authenticated by SchoolParency before any information is released.
  6. SchoolParency policy offers all protections afforded to parents and persons in parental relationships, or eligible students where applicable, required under the Family Educational Rights and Privacy Act (FERPA), the Individuals with Disabilities Education Act, and the federal regulations implementing such statutes.
  7. Contracts with third parties that will receive or have access to personally identifiable information must include a Data Privacy and Security Plan that outlines how the contractor will ensure the confidentiality of data is maintained in accordance with state and federal laws and regulations.

8. Incident Response and Notification

SchoolParency will respond to data privacy and security incidents efficiently and thoughtfully. SchoolParency Co-founders will determine if there is a breach. All identified breaches will be reported to the Chief Privacy Officer. For the avoidance of doubt, a breach means the unauthorized acquisition, access, use, or disclosure of student, teacher, or principal PII as defined by Education Law §2-d, or any SchoolParency sensitive or confidential data or a data system that stores that data, by or to a person not authorized to acquire, access, use, or receive the data.

SchoolParency will comply with legal requirements that pertain to the notification of individuals affected by a breach or unauthorized disclosure of personally identifiable information.

9. Acceptable Use Policy, User Account Password Policy, and other Related Department Policies

  1. Acceptable Use Policy, User Account Password Policy, and other Related Department Policies
  2. Users must take all measures to ensure that they keep their account login credentials confidential and secure. Never disclose your credentials to anyone. Don’t write them down or save them on a shared device.
  3. All remote connections must be made on devices free from viruses or malware that could potentially impact system security integrity.
  4. All Users of SchoolParency must agree to be bound by a duty of confidentiality, preventing the unlawful disclosure of student, teacher, or principal data.