Online Privacy Statement

Last Reviewed Date: 05/08/2021

Introduction

‘SchoolParency’, ‘we’, ‘us’, and ‘our’ mean SchoolParency of North Massapequa, New York State, US.

SchoolParency is a platform designed for the communications and transparency between Home (Parent and Student) and School (Teachers and Administrators). SchoolParency has been designed for the adoption and use by administrators, teachers, parents, and students who fall within the demographics of pre-K-12 school ages. Those who utilize SchoolParency can share messages about school logistics, school functions, school calendars, classroom learning, directory information, files, and media files.

To provide our services to you, we must process personal data, or Personally Identifiable Information (PII). We are committed to maintaining the highest standards of compliance with regulatory environments.

State and federal laws, such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121; the Family Educational Rights and Privacy Act (“FERPA”) at 12 U.S.C. 1232g (34 CFR Part 99); the Children’s Online Privacy Protection Act (“COPPA”) at 15 U.S.C. 6501-6502 (16 CFR Part 312); the Protection of Pupil Rights Amendment (“PPRA”) at 20 U.S.C. 1232h (34 CFR Part 98); and the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300), protect the confidentiality of a student’s identifiable information.

This Privacy Policy aims to explain to the Users of our Service and Website how we process personal data so that you can make well-informed decisions regarding your legal rights. The Policy also aims to lay out our duties and responsibilities to process Student, Parent, and School Staff Data securely, including but not limited to the transfer and storage of PII from you, the LEA (Local Education Authority).

All transfers of documents and data belonging to students, teachers, or principals are done within the scope of and according to the New York State Education Law 2-d.

 

When does this Privacy Policy apply?

This Policy applies to the personal information that we collect, use or ask you to provide to help us establish and manage your SchoolParency account through your applicable LEA. Where you contact our team by email, we are the Data Controller of the data being processed. This Privacy Policy applies as soon as you access our Services, visit our Website, contact or engage with us.

We may update this Privacy Policy from time to time to keep up with legislative or regulatory changes and ensure that it remains in line with our business needs and obligations. Any update or modification of the current version of this Policy will be considered applicable from its publication time. If we make material changes, such as how we may use your personal information, we will notify you prior to the change becoming effective. Our notification will be via email, a notice on our home page, and by email to your parents/guardians, if you are a minor, in order to obtain consent for new uses of your personal information, if required. We strongly suggest that you read our Terms of Use so you may understand additional terms and conditions that may apply to the use of our Website. Should you have any questions, comments, or suggestions concerning our privacy policy, we ask that you contact us at support@SchoolParency.com.

Without affecting your rights under any current applicable legislation, this Privacy Statement is not contractual by nature and does not form part of your contract with us. By using our services or products, you are presumed to have read and understood this Privacy Statement.

 

 

Types of data that we collect

We strive to be transparent about our practices concerning the collection and usage of personal data, or PII (Personally Identifiable Information).

·        Contact Data: Full name, email address, phone number, address (including district)

·        Student Performance Data – grade level, courses enrolled in, groups the student is a member of, primary language, language proficiency level, attendance records, student assignments, school trips attended or planned, Physical or Behavioural Identifying characteristics, Place of Birth, Date of Birth, School Enrolment details, Year of Graduation, Academic or Extracurricular activities, Standardised Test Scores, Student-Generated Content, teachers’ names

·        Sensitive Student Data: Details of any free or reduced meal programs received by the student, the balance of the student’s meal account, details of how the student commutes to School (by bus, walks, driven by parent or guardian…), Gender, Attendance Record, Ethnicity or Race, Student Disability Information, living situation, medical alerts, low-income status

·        Transaction Data – information about payments and subscriptions to the Services and past transaction history.

·        Information you provide to us during customer service interactions and to receive technical assistance from us.

·        Device Data – Browser type and settings, IP address, Operating System (if applicable), Internet Connection type, Use of Cookies, User Interaction Metadata

·        Parent Data – Full name, relationship with the student, language preferences, email address, and phone number

·        School Staff Data: Full name, job title, courses responsible for (if applicable), name of School, address of School, type of School, contact details

·        Optional Data: career or income data, interests and hobbies, talents or achievements, messages and posts, photos and videos, comments, and engagements.

·        System data – SchoolParency username, login credentials, aggregated data, or other information that does not identify individuals, for example, information regarding our page views, app downloads, email delivery, test delivery, and engagement

Student Data or any other Education Records transmitted to the Provider pursuant to this Agreement is and will continue to be the property of and under the control of the LEA or the party who provided such data (such as the student or parent). All intellectual property rights in and to Student Data or Education Records shall remain the exclusive property of the LEA or the party who provided such data.

 

How we use the data we collect

Depending on your relationship with us, we may use your data to:

·        Provide you with our Service, features including but not limited to:

– Community Wall

– Communication

– Multi-tiered system

– School Shop

– Ribbons

– Points Systems

·        Create and manage your SchoolParency account

·        Verify your identity and entitlement to services when you contact us or access our services (i.e., school eligibility and attendance)

·        Provide quotes for our services or negotiate a contract with you

·        Process your transactions

·        Monitor your School’s level of usage of our Service and identify areas of potential development.

·        Provide you with technical and customer support

·        Provide you with service messages about our products and services

·        We may use cookies to personalize your experience with our site and help you navigate through it.  If you so choose, you may block or remove cookies using the technical settings on your browser, though some devices may not allow this.  If you decide to disable cookies, it may impact your ability to enjoy all the services our site offers.

 

 

NYS Education Law 2-d and your child’s data

We only process child data in line with the provisions set out in the Children’s Online Privacy and Protection Act (“COPPA”) and the New York Education Law Section 2-d and its implementing regulations.

NYS Education Law 2-D sets out specific standards to be met when processing student, teacher, or principal data. For more information on how we comply, please see our Parents’ Bill of Rights and Data Security and Privacy Policy on our website www.schoolparency.com.

 

Should you wish to report a suspected breach or unauthorized disclosure of child data, complaints may be submitted to NYSED at http://www.nysed.gov/data-privacy-security/report-improper-disclosure; by mail to Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234; by email to privacy@nysed.gov; or by telephone at 518-474-0937.

 

If you have any questions or comments relating to the modification or erasure of student data, please feel free to contact your School directly or contact us at support@SchoolParency.com. In the event that we agree to amend or erase data on your behalf, we must share this data with your School to ensure your request is acted upon.

 

How long do we keep your personal data?

 

We process your personal data only for as long as necessary to achieve the purposes for which it was initially collected. After a student graduates or withdraws from attendance at their School, the School will delete their SchoolParency account and the data involved, as appropriate. Please note that account deletions can be reversed if needed within 30 days from closure.

Please note that we may have to retain elements of your personal information on some occasions after our relationship has ended. We are required to keep this data for as long as necessary to comply with our legal and regulatory obligations, including possible claims relating to the services we offer and the use of our Website.

 

Who do we share your data with?

 

We may share your data with the following third parties to fulfill our commitment to you. The PII that we collect and receive from a student, parent or educational institution, or agency is solely processed for service provision within this Policy’s scope. Please note that we will never share or sell your data to a third party:

 

·        SchoolParency account admins within your School. On occasion, other staff members within the School may be granted access to this information if deemed appropriate by the registered admins.

·        In the event that your School should wish to create an online directory, your contact information, including your name, email address, and phone number, would be made available for other registered parents/guardians in your School. This data, however, will not be shared outside of your School. You can opt-out of this, meaning your details will not be disclosed to any other parent/guardian in the online directory but will still be visible to registered staff at your School. Please see more information in ‘Other Rights and Obligations’ below.

·        Data processing companies and suppliers from time to time to help manage our Website and services, analyzing the use of our app and Website, sending emails (distributions), communication platform providers (phone calls and text messages), website hosting, providing customer support, and communications to users.

·        Technology service providers who host our information systems, back up servers, or that offer us technological support. These parties will be subject to the terms of this Privacy Policy, our Terms of Use, and their security and privacy obligations.

·        Administrative, judicial, and/or legal authorities in response to requirements, as long as they are required in accordance with the applicable law and regulations;

·        Our legal advisors when a claim is presented in relation to our services and products.

·        If we sell or buy any business or assets, in which case we may need to disclose your data to the prospective seller, buyer, or business partner.

·        Where we use a third party or service provider to provide our Service to you, we enter into written agreements with them as sub-processors, including specific data processing terms with the same level of protection as afforded by us.

 

FERPA is a federal statute governing the confidentiality and privacy of students’ educational records. Generally, PII relating to Student Educational Records should not be shared with a third party unless under the consent of the relevant parent or guardian (Model Notification of Rights under FERPA). However, FERPA (§ 99.31(a)(1)(i)(B)) offers two exemptions to this, one of which we utilize in our capacity as School Official.[1]

 

In line with COPPA rules, all third-party service providers/operators, including name and contact information (address, telephone number, and/or email address), will be made available on request.

 

Security of your data

 

As per NYS Ed Law 2-d(b)(3), all applicable state and federal laws and regulations pertaining to data privacy and security. Within the scope of Service provision, safeguards considered to meet industry standards are encryption, firewalls, and password protection.

 

SchoolParency has incorporated technical and organizational security measures in protecting PII.  When student data is transferred, it is done so in an encrypted fashion and transmitted securely.  Access to the SchoolParency site is only through authentication of one’s username and password, which should remain confidential to the user.  It is the responsibility of the LEA to ensure that unauthorized person(s) do not gain access to the Service, your school account, or any parent, student, or teacher PII. If a breach has occurred, the LEA should notify SchoolParency without undue delay and, where possible, within 72 hours (including weekends and non-business days).

 

Your information is protected on a server that is behind a firewall, while utilizing security software to maintain the confidentiality of the personal information we have accumulated. In the unlikely event of a security breach of a user’s personal information, we shall notify all users whose information may have been compromised, both the data subject and the LEA, in accordance with all applicable laws and regulations and their capacity as the data controller. We will also post a notice on our site of such a potential breach.

In line with NYS ED Law 2-D, in the case of a Security Incident or Data Breach involving Student Data, the LEA shall notify the parent or eligible student of any authorized release of Student Data involving Personally Identifiable Information from the student records in the most practical way possible and without undue delay.

In any notification to a parent, guardian, or eligible student due to a Security Incident by SchoolParency or any of our providers or sub-contractors, or if the Security Incident is unrelated to the LEA actions or omissions, SchoolParency, if so requested, shall reimburse the LEA for the full cost of such notification.

 

Links to other sites

Our Website may contain links to other third-party websites and services. This Privacy Policy does not apply to any links provided to you by anyone other than us. Third parties will have their own privacy policies, and these should be consulted should you have any queries about how they process your data. We have no control over such third-party websites and have no responsibility for their actions.

 

Rights under GDPR

Any personal information you supply will be treated in accordance with applicable data protection laws, including the GDPR (EU) and any other applicable or superseding laws. We are committed to delivering the rights individuals are entitled to and upholding a transparent approach to processing data. These are:

·        The right to request a copy of the personal information we collected about you in the last 12 months. To do this, please contact us at support@schoolparency.com to request a copy including full details of what you require. You may also be required to submit or demonstrate proof of your identity.

·        The right to object (right to be forgotten) to your personal information being used for specific purposes. Where required, we ensure we will obtain your consent before undertaking marketing or data selling, and you will always have the ability to opt-out.

 

·        The right to rectification: You may request that we correct any inaccurate and/or complete any incomplete personal information. Unless your particular School does not allow for it, you may review, update, correct and add or delete your personal information in your account by logging on to SchoolParency. If your School does not allow you to do this, then instructions on how to rectify your information will be provided.

·        The right to withdraw consent: Where we are processing your personal information on the basis that you have given us your consent to do so, you may withdraw your consent at any time.

·        The right of erasure: You may request that we erase your personal information, and we will comply unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for retaining your personal information, such as keeping your payment information for several years to comply with tax laws or protect SchoolParency in any legal disputes.

·        The right to data portability: Under GDPR, in certain circumstances, you may request that we provide your personal information to you in a structured, commonly used, and machine-readable format and have it transferred to another provider of the same or similar services to us. Where this right is applicable, we will comply with such transfer as far as it is technically feasible.

Other Rights and Responsibilities

·        SchoolParency agrees to assist LEAs in fulfilling their data privacy obligations, including assisting in data subject rights requests and claims.

 

·        Where an LEA wishes to compile a Contact Directory, the LEA should warrant and guarantee to SchoolParency that it complies with the Directory Information Exemption offered by FERPA 2003. This exemption includes, without limitation, informing parents, guardians, and students what information the LEA considers to be “Directory Information” and the information they wish to disclose. Parents, Guardians, and Students should be offered a reasonable amount of time to object to the LEA disclosing their PII for the purposes of building a Contact Directory.

·        LEAs should comply with the School Official Exemption, including, without limitation, confirming to parents and guardians in their annual notification of FERPA rights that the Educational Institution considers their service providers as ‘School Officials’ and offering a definition of “legitimate educational interest” to include services provided by SchoolParency.

 

·        SchoolParency will ensure that all company personnel with access to student data, regardless of how limited it may be, are subject to confidentiality clauses in line with data privacy laws.

·        If you receive a data subject access request or require copies of Student Data held by SchoolParency to provide a copy to the data subject, we will provide you with copies of requested data within a thirty (30) day period.

 

·        Upon written request or following the termination of any service agreement, SchoolParency will securely destroy the relevant Student Data as soon as reasonably practicable following the thirty (30) day reversal period to allow an opportunity for any accounts closed in error to be reinstated.

 

·        We will never sell or release a student’s Personally Identifiable Information (“PII”) for commercial gain or purpose. As defined by Education Law 2-d and FERPA, PII includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for further definition.

·        As part of SchoolParency’s commitment to transparency in data processing, please note that we will never use any PII supplied under the scope of the Service to target or direct advertising to any parents, guardians, or school staff without prior consent, wherever applicable.

 

·        SchoolParency ensures that all data processing falls within the scope as afforded by the provisions laid out in LEA’s Parents Bill of Rights (http://www.nysed.gov/common/nysed/files/programs/data-privacy-security/parents-bill-of-rights_2.pdf)

 

·        Under the Parents Bill of Rights, Parents and Guardians have the right to request to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student (18 years or older). This also includes directing us to delete it and refusing to allow any further collection or use of your child’s information.

 

·        Parents and Guardians have the right to be notified according to applicable laws and regulations if a breach or unauthorized release of their child’s PII occurs.

·        We ensure any vendors we contract with that will receive PII will address statutory and regulatory data privacy and security requirements (FERPA; Education Law Section 2-d)

 

 

·        Unless integral to the provision of our Services (i.e., a software provider), you can consent to the collection and use of your child’s information but still not allow disclosure to third parties.

 

·        We commit to ensuring that you will be notified in accordance with all applicable laws and regulations if a breach or unauthorized release of PII occurs. We will notify you by email, US mail, telephone, or other means as permitted by law if it is determined that a data security incident occurred.

 

·        We ensure that our personnel are trained on applicable state and federal laws, policies, and safeguards associated with industry standards and best practices that protect PII.

 

·        SchoolParency will never require you or your child to disclose more information than is reasonably necessary to participate in an activity.

 

·        Should you decide you no longer wish to agree with the Privacy Policy and withdraw your consent, you may unsubscribe by clicking on the link in the SchoolParency email which was sent to you by your School, or contact the School directly and ask them to delete your account. Another option is to contact us at support@SchoolParency.com and make this request. We will honor your request and respond to you within a reasonable time as per NYS law. SchoolParency will retain your information for as long as your account remains active (+ 30-day reversal period).

 

The right to lodge a complaint

We suggest that you contact us if you have any questions or a complaint about how we process your personal information. You can reach us at support@schoolparency.com.

 

However, you have the right to lodge a complaint with a supervisory authority – particularly the supervisory authority of the State of your habitual residence or place of the alleged infringement – if you believe that the processing of your Personal Data does not comply with legal requirements.

For unauthorized disclosure of Child data, complaints may be submitted here or by mail to Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234, by email to privacy@nysed.gov, or by telephone at 518-474-0937.

For EU Citizens, a list of Data Protection Authorities within the European Union is available here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm. 

 

 

Schedule A – Sub-contractors

 

We have enclosed an entire list of sub-processors, suppliers, and vendors that we rely on to provide our Service to you:

| Provider | What they do for SchoolParency | Data involved in this processing |
| --- | --- | --- |
| Digital Ocean | Digital Ocean provides SchoolParency with servers, databases, analytics, and network infrastructure. | All user personal information and uploaded content, device ID, request data, and all logs are stored on Digital Ocean. Passwords are stored as one-way hashes. All personal data is encrypted at rest. |
| Google Inc. (G Suite) | Utilized for SchoolParency internal emails, docs, slides, spreadsheets, etc. | SchoolParency stores its own emails and files using Google services. SchoolParency may share personal information with Google in the course of utilizing Google services, for example, if a user emails an employee for support. |

 

 

 



[1] FERPA (§ 99.31(a)(1)(i)(B)) permits schools to outsource institutional services or functions that involve the disclosure of education records to contractors, consultants, volunteers, or other third parties provided that the outside party:

1. Performs an institutional service or function for which the agency or institution would otherwise use employees;

2. Is under the direct control of the agency or institution concerning the use and maintenance of education records;

3. Is subject to the requirements in § 99.33(a) that the personally identifiable information (PII) from education records may be used only for the purposes for which the disclosure was made, e.g., to promote school safety and the physical security of students, and to govern the redisclosure of PII from education records; and

4. Meets the criteria specified in the School or local educational agency’s (LEA’s) annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records.

 

Schedule A: Parents Bill of Rights for Data Privacy and Security (NYS Ed Law 2-D)

Pursuant to Section 2-d of the New York State Education Law (“Education Law §2-d”), parents and eligible students are entitled to certain protections regarding confidential student information. SchoolParency is committed to safeguarding personal data (“PII”) from unauthorized or accidental access or disclosure as set forth below:

Any terms not defined herein shall have the meaning set forth in Education Law §2-d.


1.      SchoolParency will not, in any event, sell or release a student’s personally identifiable information (PII) for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes but is not limited to direct identifiers such as a student’s name, identification number, parent’s name, attendance record or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity.

Please see FERPA’s regulations at 34 CFR 99.3 for a more complete list of student PII covered by regulations.

Teacher and Principal PII is defined as results of Annual Professional Performance Reviews that identify individual teachers and principals, which are confidential under Education Law §§3012-c and 3012-d, except where required to be disclosed under New York State law and regulations.

2.      Parents, Students, Eligible Students, Teachers, or Principals may challenge the accuracy of the student data or teacher or principal data collected in accordance with the procedures set forth in the FERPA regulations at 99 C.F.R. Part 34, Subpart C, §§99.20-99.22.

3.      State and federal laws protect the confidentiality of PII. SchoolParency is committed to implementing safeguards associated with industry standards and best practices to protect the confidentiality of personally identifiable information, including but not limited to, encryption, firewalls, and password protection when data is stored or transferred. SchoolParency utilizes the National Institute of Standards and Technology’s Cybersecurity Framework v 1.1 (NIST CSF or Framework) as the standard for its Data Privacy and Security Program.

4.      A complete list of all Student Data elements collected by the State is available for public review at http://www.p12.nysed.gov/irs/sirs/documentation/NYSEDstudentData.xlsx or by writing to the NYS Education Department, Information & Reporting Services, Room 863 EBA, 89 Washington Avenue, Albany, NY 12234;

5.      Parents have the right to have complaints about possible breaches of student data addressed. Complaints about our handling of PII should be sent to support@schoolparency.com.

6.      SchoolParency has entered contracts with personnel and certain third-party contractors/sub-processors who may receive Student Data and/or teacher data and/or principal data. These contracts will include the following supplemental information:

• The exclusive purpose(s) for which the Student Data will be used;
• The commencement and termination dates of each such contract;
• A description of how the Student Data will be disposed of by the contractor upon expiration of the contract;
• If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the Student Data or teacher or principal data that is collected; and
• The data storage and security measures undertaken for Student Data or teacher or principal data, including whether such data will be encrypted.

7.      As per Article 4.3 of NIST 800-63-3, SchoolParency will only permit access to student data, or teacher and principal data, to employees, contractors or Service Providers that strictly require it for performing the Services.

8.      The right to have complaints about possible breaches and unauthorized disclosures of PII addressed. Complaints may be submitted to NYSED at http://www.nysed.gov/data-privacy-security/report-improper-disclosure, by mail to: Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234; by email to privacy@nysed.gov; or by telephone at 518-474-0937.

9.      To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of PII occurs. Complaints should be directed to support@schoolparency.com. Any known security violations will be recorded internally, along with a report of remedial actions taken and dates. SchoolParency will work closely and discreetly with affected individuals with full transparency and diligence. SchoolParency will report every discovery or report of a breach or unauthorized release of student, teacher/principal PII to the State’s Chief Privacy Officer without undue delay, but no later than 10 calendar days after such discovery.



Schedule B – Supplemental Information

NYS Education Law 2-D (3)(c) and Section 121.3 of the implementing regulations require the disclosure of “Supplemental Information” by Educational Agencies, including the following listed here. SchoolParency has formulated a corresponding answer under each question.

(i) The exclusive purposes for which the student data, or teacher or principal data, will be used:

SchoolParency provides a digital education platform for educators, administrators, students, and parents/guardians on which to stay up to date on school affairs, communicate and share content, review student work, and stay connected. Pursuant to and as fully described in the School or Purchase Agreement, SchoolParency agrees to provide this digital educational service (the “Service”) and will only process student, teacher or principal data in order to provide that Service.

The exclusive purposes for which the student data or teacher or principal data will be used under the contract are set forth in either the School Agreement or the Purchase Agreement.

(ii) How SchoolParency will ensure that personnel with access to student data or teacher or principal data, if any, will abide by data protection and security requirements:

All personnel, processors, and any authorized third parties will be subject to contract with us and shall only be granted access where there is a legitimate educational interest and only for purposes necessary to provide the Service under the Contract. Such agreements will address statutory and regulatory data privacy and security requirements, including but not limited to the purpose(s) for which Student Data will be used, the reason it was obtained, the contractual period of any such agreement, third party procedures and policies for data destruction upon the contract end, and the technical and organizational security measures they have in place to protect PII. SchoolParency will abide by the applicable data protection and security terms in Education Law §2-d and Part 121 of the Regulations.

All employees or contractors with access to student or teacher or principal data will be subject to data privacy training and pre-employment checks. All employees with access to student records receive annual FERPA Compliance training.

(iii) When the agreement with the third-party contractor expires and what happens to the student data or teacher or principal data upon expiration of the agreement:

In our service agreements or terms of service with all subcontractors, we require sufficient data retention and deletion clauses within the contract to ensure that data is disposed of securely and appropriately once our agreement with them ends. In addition to this, wherever possible, we ask for copies of their data destruction procedures.
We expect Student Data to be disposed of, deleted, or anonymized within a reasonable time period following agreement termination but no later than 30 days after the contract ends. If data is processed by third parties in hard copy, we will ask that this is shredded or destroyed by some equivalent method, which makes the data unrecoverable. If the data is electronic, we ask that it is erased entirely from their systems, including any backups or archives.

(iv) If and how a parent, student, eligible student, teacher, or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

We expect LEAs to establish and maintain reasonable procedures by which a parent, guardian, or Eligible Student may review the PII relating to them, contained within their Education Records. This includes the correction of inaccurate information. If we receive such a request from you, we will respond to your request for rectification within 30 business days. If we receive a request from a parent or guardian wishing to review any Student Data, we will direct them to the LEA without undue delay. Please note that SchoolParency may respond to Right to Access requests directly, as required.

(v) Where the student data, teacher or principal data will be stored and the security protections that are taken to ensure such data will be protected:

SchoolParency has adopted stringent technical and organizational security measures to ensure Student, Teacher, or Principal Data’s safety during storage. This includes maximum effort to prevent unauthorized disclosure or access by an unauthorized third party. We have embedded the following security measures:

• Secure Access to systems including usernames and strong passwords

• Personnel are subject to confidentiality terms and conditions

• No copies, reproductions, or transmitting of student data except where absolutely necessary for service provision

• All personnel have completed and are subject to ongoing Data Protection and Security training

• We utilize Secure Sockets Layer (SSL) to protect PII from being accessed unlawfully

• Secure Server Authentication

• Data Encryption (at rest and in transit) at AES 256 or XTS-AES 128, HTML Channel

• Industry Standard Firewall

• Ongoing risk assessments and security pen testing

• Maintain secure back-ups of data for business continuity and disaster recovery

 


END 05 08 2021

Signed:
Eddie Jimenez, Founder of SchoolParency

SchoolParency
Data Security and Privacy Policy

The paramount consideration of this policy is the protection of the confidentiality of student and teacher/principal PII while it is stored or transferred by us. SchoolParency is responsible for the implementation of policies, regulations and procedures required by NYS Education Law §2-d, and for ensuring that our digital education platform is aligned with the obligations set forth by the National Institute of Standards and Technology Cybersecurity Framework Version 1.1 (NIST CSF).

SchoolParency’s Parents’ Bill of Rights for Data Privacy and Security is published on SchoolParency’s website (https://schoolparency.com) and available upon request.

 

1. SchoolParency will never sell or release personally identifiable information, in any event, for commercial or marketing purposes, or knowingly permit another party to do so.

2. Only the minimal amount of data necessary to achieve the relevant purpose will be collected and processed by us.

3. As per Article 4.3 of NIST 800-63-3, SchoolParency will only permit access to student data, or teacher and principal data, to employees, contractors or Service Providers that strictly require it for performing the Services.

4. SchoolParency enters into agreements with all third-party contractors and personnel who will have access to PII in the course of their duties. Such contracts include provisions requiring that student or teacher/principal PII be processed with the utmost confidentiality and maintained in accordance with Federal and State law. Third party contractors are expected by us to:


– Adopt technical and organisational safeguards and procedures that complement NIST CSF, including but not limited to encryption;

– Adhere to SchoolParency’s Data Security and Privacy Policy;

– Limit PII exposure strictly to those who require it to facilitate service provision;

– Process PII solely for the purposes permitted under the contract;

– Alert SchoolParency at the earliest opportunity upon discovering an unauthorized or accidental disclosure of PII, or a security breach. This alert should take place without undue delay, but certainly within three calendar days;

– Provide SchoolParency with a copy of their data security and privacy plan, and procedures;

– Never sell or release student or teacher/principal PII for commercial purposes or gain.

 

5. Third-party contractors must not disclose PII to any other party without the explicit, written consent of the parent, guardian or eligible student (students who are over 18 years old). An exemption is available when disclosure is required by statute or court order.

6. SchoolParency personnel are subject to annual data privacy and security incident training.

 

7. SchoolParency will report every discovery or report of a breach or unauthorized release of student, teacher/principal PII to the State’s Chief Privacy Officer without undue delay, but no later than 10 calendar days after such discovery.

 

8. SchoolParency Co-founders Eddie Jimenez and Peter Ostrander are responsible for the compliance of their programs and services with this policy, related policies, and their applicable standards, guidelines, and procedures. Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented, and personnel will be directed to adopt corrective practices, as applicable.

9. SchoolParency always first determines whether a proposed use of personally identifiable information would benefit students and educational agencies before processing it, and ensures that personally identifiable information is not included in public reports or other public documents, or otherwise publicly disclosed.

10. Acceptable Use Policy, User Account Password Policy, and other Related Department Policies

  • All Users of SchoolParency and personnel must maintain the systems’ security and safeguard the confidentiality of SchoolParency information.

  • Users must take all measures to ensure that they keep their account login credentials confidential and secure. Never disclose your credentials to anyone. Don’t write them down or save them on a shared device.

  • All remote connections must be made on devices free from viruses or malware that could potentially impact system security integrity.

  • All Users of SchoolParency must agree to be bound by a duty of confidentiality, preventing the unlawful disclosure of student, teacher, or principal data.