DATA PRIVACY
- Home ⌂
- Documents
- Training
- Data Retention
- Submit Apps/Services for Review
- Textbook and Software FERPA Database
- FAQ
- Virtual Classroom Privacy, FERPA and FAQ
Home ⌂
The content on this site is provided to the Davis District community to accomplish 2 primary objectives.
- To communicate to the community what student data is shared outside the district.
- Review apps, websites, and 3rd party content for either compliance to FERPA mandates and FERPA exceptions.
Documents: Find documents posted as required by state law regarding how DSD handles student personal data.
Training: Supporting documents and videos for school administrators to provide training to teachers on student data privacy as required by board policy.
Submit Apps/Services for Review: Links to forms educators can use to submit any app/website/service for review of the terms of service and privacy policies for those services.
FERPA Metadata Dictionary: The DSD version of the state's Metadata Dictionary to clearly state what metadata or information is shared with outside parties. This is a combined database for FERPA status, Teaching and Learning approval and comments, Special Education review, and Technology review of services and products.
Jonathan Hyatt
- Student Data Privacy Manager
- Phone: 801.402.5360
- Email: jhyatt@dsdmail.net
Mark Reid
- Information Security Officer and Director of Technology Services
- Phone: 801.402.5750
- Email: mreid@dsdmail.net
The Davis School District is committed to ensuring the privacy, security, and confidentiality of student data while enabling the information to be used to improve student outcomes.
Documents
DISTRIBUTED DOCUMENTS
- Annual FERPA Notice and Directory Information Notice
- Administrative Memo 28 (Section on FERPA and Directory Information) [pdf]
- The directory information notice is included annually in student handbook publications from each school. The district memo below indicates district policies to include in the handbook publication -- including FERPA directory information notice.
- Directory Information Opt-out Form [pdf] -- Must be submitted annually to your schools' administration office.
- Data Collection Notice [pdf] - Student Information
- Data governance plan [pdf]
- IT security plan [pdf]
- Apps Texts Software Database [link for district users] - Database of what information is shared with 3rd parties in the context of official school business and through the procedures of using educational and technology products in classrooms. Contact Jon Hyatt with questions.
- Student data disclosure [pdf]
- Utah Code Title 53E-9-305(2) - Annual notification of student data collection
RELATED DISTRICT POLICY
Training
In order to keep students' personally identifiable information (abbreviated PII) secure, every employee who will encounter student PII needs to be trained on a yearly basis. (11IR-110 Family Educational Rights and Privacy Policy)
EMPLOYEE TRAINING
UTAH STUDENT DATA PROTECTION ACT
RESOURCES FROM USBE
Data Retention
DATA RETENTION
The District and its schools shall retain and dispose of student records in accordance with the District’s adopted student records retention schedule. Student records not on the District schedule shall be retained and disposed of in compliance with active retention schedules for student records per the Utah Education Records Retention Schedule.
Submit Apps/Services for Review
- Review procedures
- Review metadata dictionary - State database of services with whom student information is shared.
- Submit a TOS request - (see the list below and add product to list if not present) Request to share student information with a 3rd party company or website. Without this approval, we cannot share student information (usernames, emails, passwords) with websites without written parent permission.
- Outcome 1: Site/App/or Service will be added to DSD database
- Outcome 2: FERPA approval will be indicated whether written parent consent will be requires OR it will be added as an EXCEPTION under FERPA rules (school official exception)
- Submit a MOU request - Request to get a Memorandum of Understanding written or signed relating to research and student information shared with partner organizations
Textbook and Software FERPA Database
This DSD Power App is designed to allow for DSD usersearching the database based on content area, platform, and to sort by more recent, or alphabetical. For questions on this, please contact Jon Hyatt.
Click here to login directly to Microsoft Office >> Power Apps >> Apps Texts and Websites Database App
FAQ
Frequently Asked Questions FAQ
- What is P.I.I.?
- P.I.I. or PII is the common acronym for Personally Identifiable Information
- Can I use a data wall to motivate students to monitor and improve their own learning?
- Data walls -- publicly posting PII academic progress, attendance, test results of any type is a violation of FERPA. The alternative is to use individual file folders or student / teacher mentoring sessions to keep student data and information separate.
See this Washington Post article from 2014 about data walls and FERPA issues. https://www.washingtonpost.com/news/answer-sheet/wp/2014/02/21/how-some-school-data-walls-violate-u-s-privacy-law/?noredirect=on&utm_term=.df262aa88f40
Virtual Classroom Privacy, FERPA and FAQ
Teacher and STS responsibilities with increased online instruction.
Summary of USBE response to privacy questions (Mar 31, 2020)
This document contains best practices in accordance with federal and state law. Local policies can be stricter than what is found in this document, so please consult your local policies as well.
May educators use web conferencing software to hold a virtual class? In general, yes. Providing instruction and allowing students to converse with each other does not generally constitute a disclosure of education records protected by FERPA. Educators should avoid disclosing information from education records in a virtual class just the same as they would during an in-person class. As a best practice, educators should take care to ensure that access to the virtual class is secure. For example, there have been cases where educators have publicly posted the link to access the class in a public forum, like Twitter, which has allowed individuals not associated with the class to access it and even in some cases hijack the class with inappropriate content. As a best practice, directions (with hyperlinks) should be posted either to a student calendar or directly within the LMS (Canvas or Google Classroom).
Which privacy/security requirements must be met for web conferencing or other software to be approved? This question is best answered by the LEA’s data manager or IT director. In general, not every usage of an online service means information is disclosed from an education record. For example, asking students to view a video on YouTube generally would not require any information to be disclosed from education records. If Personally Identifiable Information (PII) is disclosed, but only directory information is disclosed (e.g., a login is created to access a resource library), then you may use the resource in accordance with your directory information policy. If PII is disclosed, you should also consider if it is a general audience website (i.e., not specifically intended for K – 12 audiences). If it is for general audiences, for example, a website like Zoom, then you only need to ensure that the website does not claim control/ownership over the information and that they do not redisclose the PII. If it is an educational website receiving PII, certain requirements will need to appear in the online agreement. This can be handled by having the provider sign a Data Privacy Agreement (DPA). It is also possible that they may meet the audit requirement in other ways, such as by publicly posting the results of a self-assessment of their privacy policies (e.g., if they have signed the Student Privacy Pledge or if they have been reviewed by a Children's Online Privacy Protection Act (COPPA) safe harbor (e.g., Privo, iKeepSafe, TrustArc).
How can we learn more about the specific security and privacy functions of our virtual learning software? In some cases, the company will have specific tutorials, blogs, or other resources to explain the specific functionality. For example,
- · Zoom has the document Best Practices for Securing Your Virtual Classroom
- · Microsoft has this document Shifting to distance learning: A 5-day guide for school leaders, which relates to using Office 365, Microsoft Teams, or Flipgrid
- · Google has their Teacher’s Center, which includes the article Welcome to your first day of Google Hangouts Meet. The G Suite Admin Help section includes this article Set up Meet for distance learning
Is it an issue if the software an educator wants to use includes a lot of advertisements? Advertising is a common part of the internet, and not all advertising is based on gathering information on a student over time and building an advertising profile (also known as behavioral advertising). Some advertisements appear contextually (e.g., if you go to a website for movie reviews, you will see advertisements for movies). The mere fact that advertising appears does not mean a student’s privacy is being violated. The only way this can be determined is by reviewing the company’s privacy policy and determining what information they use to provide advertising. Another solution is to have the vendor sign the Utah Student Privacy Alliance’s Data Privacy Agreement (DPA), which includes provisions prohibiting behavioral advertising. Educators should also consider that websites that serve large numbers of pop-up ads may have other security issues. Students may be directed to update their browser settings to block pop-up ads (though note that in most modern browsers, this is the default setting). If the problem persists despite doing all of the above, then the website likely should be avoided. Districts should investigate installing adblockers on district-owned devices and if possible through their google suite for educators.
Is it an issue if parents or other individuals in the home can observe the virtual class? This is a local decision. FERPA does not relate to physical classroom observations, and the same applies to virtual classrooms.
If educators hold a virtual class, may students appear on camera? In general, yes. Educators should recommend and encourage some best practices to parents related to web conferencing. For example, since video will be taken in the student’s home, the camera should be positioned to ensure that nothing too personal is captured in the video. Students may be interacting with the class on a smartphone or easily portable device. Students could be reminded to not take the device (or at the very least turn off the camera and mute the microphone) if going into personal spaces, such as the bathroom. Teachers should also be respectful if parents desire not to turn on the camera so as to protect their privacy. Furthermore, educators should learn how to control the functionality of the software. For example, web conferencing software can be set so that no student can enter the room before the educator (which will minimize distracting conversations). It can also be set so that cameras and microphones default to off for all participants.
May an educator record a virtual class session? In general, yes. If doing so, the educator should be transparent about it (i.e., every participant should know the session is being recorded). The educator should also be transparent about the purpose of the recording (e.g., it will be available so any students who missed the lesson may catch up) and who will be able to access the recording (e.g., if anyone else at the school, such as the principal or a supervisor, can access it). The educator should also indicate how long the recording will be maintained before it is deleted.
When may an educator have a one-on-one conversation with a student using web conferencing software? This is part of the larger question of when is it appropriate for educators to have one-on-one conversations with students in general. Before conducting one-on-one conversations, we recommend that educators review their relevant ethics policies and standards related to communicating with students. Otherwise, educators should use approved methods for communication (e.g., work email address, not a personal one, etc.). The content of the intended conversation also determines the best way to proceed. Answering content-related questions or providing one-on-one help likely does not implicate any privacy laws. If the purpose is to discuss information from education records (e.g., discussing issues with grades), extra care should be taken to ensure that the conversation is private (e.g., asking that other individuals in the home not be present). As a best practice, teachers may consider holding virtual office hours (i.e., have a specific set of hours where they will be available on the web conference to answer questions and be available to students). It is also highly recommended that educators log a record of all one-on-one conversations (e.g., when they started and finished, what was discussed) and make those available to the student and parent.
Is it a problem for educators to publicly post on social media a picture of their entire class together on a web conference (including student pictures and names in the process)? This likely constitutes a disclosure of directory information, the same as would appear in a yearbook or a class photo. Educators should consult their LEA’s directory information policy and ensure that the disclosure is permitted. They should also check to see if any students have been opted out of directory information disclosures and then ensure that those students are not included in the image. Educators could also consider simply not making the photo public, but rather just sharing with class parents (the exact same as generally occurs when sharing a class photo).
May we share student contact information with classmates so they may stay in touch during the soft closure? In general, yes, parents may request the contact information of their child’s peers, and schools may generally share it with them. In all cases, a school may disclose a student’s email address to a classmate. They may also disclose a student’s phone number unless the parent has opted out of the disclosure in accordance with the school’s directory information policy.
May we disclose student personally identifiable information to outside entities addressing the COVID-19 outbreak? Under Family Educational Rights and Privacy Act (FERPA), schools may share student information with public health officials and other outside entities in situations where there is a significant and articulable threat to the health and safety of students and others in the school community. This document FERPA and Coronavirus Disease 2019 (COVID-19) Frequently Asked Questions from the United States Department of Education discusses various scenarios and issues related to making disclosures using FERPA’s health and safety exception during the current COVID-19 outbreak.
Additional Resources
- · U.S. Department of Education Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices (Feb 2014)
- · U.S. Department of Education FERPA and Virtual Learning Related Resources (Mar 2020)
- · U.S. Department of Education FERPA & Coronavirus Disease 2019 (COVID-19) Frequently Asked Questions(Mar 2020)
- · U.S. Department of Education FERPA & Virtual Learning During COVID-19 slideshow and video recording(Mar 30, 2020)
Contact Information
If you have additional questions, please contact privacy@schools.utah.gov or call 801-538-7523 or Todd.Call@schools.utah.gov