Policy 3060 – Student Data Governance and Privacy
The purpose of this policy is to establish standards and procedures for maintaining a student data governance and privacy program that aligns with federal, State, and local laws and regulations.
Policy Document
I. Policy Value Statement
The Board of Education of Howard County (Board) recognizes its responsibility as stewards of student data to safeguard personally identifiable information throughout the Howard County Public School System (HCPSS). As a local education agency, the Board also acknowledges that the appropriate processing of student data is necessary for the fulfillment of federal, State, and local legal requirements.
The Board further recognizes the need for a comprehensive policy to address student data governance and privacy that confirms compliance with legal and regulatory mandates, establishes a commitment to public transparency about HCPSS student data practices, and institutes standards for safeguarding the privacy of student data throughout the HCPSS.
II. Purpose
The purpose of this policy is to establish standards and procedures for maintaining a student data governance and privacy program that aligns with federal, State, and local laws and regulations.
III. Standards
-
Student data will be:
-
Processed lawfully and in a transparent manner in relation to the student;
-
Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
-
Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
-
Accurate and, where necessary, kept up to date;
-
Processed in a manner that provides for the appropriate privacy of the student data, including protection against unauthorized or unlawful processing and using appropriate technical or organizational data privacy controls; and
-
Processed according to the appropriate standards and procedures indicated in HCPSS Policy 3050 Records Management and HCPSS Policy 3040 Technology Security.
-
-
HCPSS will only collect and/or share student data if the collection and/or sharing is:
-
At the consent of the student/parent for one or more specific purposes;
-
Necessary for the performance of an HCPSS approved and Family Educational Rights and Privacy Act (FERPA) compliant contract, grant, or agreement to provide an essential service or function including, but not limited to, the student information system, the learning management system, and the library media system;
-
Necessary for compliance with a legal obligation to which the HCPSS is subject;
-
Necessary in order to protect the safety of an individual student;
-
Necessary for the exercise of the official authority vested in the HCPSS, including compliance with the Maryland State Department of Education (MSDE) regulations pertaining to student education records as specified in COMAR and compliance with the United States Department of Education regulations pertaining to school system reporting and accountability as specified in the Every Student Succeeds Act (ESSA); or
-
Allowed under FERPA.
-
-
HCPSS will include student data privacy protections in all contracts, grants, and agreements requiring the sharing of student data. These protections will include, but are not limited to:
-
Limiting the student data shared to the minimum necessary to fulfill the purpose of the contract, grant, or agreement;
-
Mandating that student data are processed only for specified purposes;
-
Prohibiting disclosure of student data to an additional party;
-
Prohibiting processing of student data for commercial gain beyond that of the specified contractual purpose;
-
Mandating the reasonable administrative, technical, and physical safeguards of student data;
-
Mandating the maintenance of a data breach incident response plan and data breach notification process; and
-
Permitting a technical and/or administrative review by HCPSS to monitor compliance with the contractual agreements.
-
-
The Board will approve all contracts, grants, and agreements that require the processing and/or sharing of HCPSS student data with an entity outside of the HCPSS, notwithstanding those that are required by State and federal regulations as described in Section III.B.1—5.
-
HCPSS will maintain a comprehensive student data governance and privacy program that confirms compliance with legal and regulatory mandates, establishes a commitment to public transparency about HCPSS student data practices, and institutes standards for safeguarding the privacy of student data throughout the HCPSS. The student data governance and privacy program requires the HCPSS to:
-
Manage and maintain a method to collect and respond to parent inquiries about student data governance and privacy practices;
-
Manage and maintain a method for engaging with offices throughout the HCPSS to encourage the use of digital technologies and data governance strategies that sustain and/or enhance student data privacy;
-
Maintain and publicize an inventory of the student data elements the HCPSS collects with an explanation and/or legal or regulatory authority;
-
Maintain and publicize an inventory of the contracts, grants, agreements, and digital tools that involve student data;
-
Conduct data privacy assessments of enterprise information systems and records management practices that involve student data;
-
Incorporate data privacy controls that apply the least privilege methodology into enterprise information systems and records management practices that process student data;
-
Maintain a Data Privacy Incident Response Plan that includes Maryland breach notification requirements and identifies the critical response team;
-
Respond to potential student data privacy incidents by convening the critical response team and taking action according to the Data Privacy Incident Response Plan;
-
Review public releases of student data in order to ensure data is de-identified;
-
Review internal requests for access to student data in order to incorporate appropriate student data privacy controls and disclosure avoidance techniques;
-
Review HCPSS responses to external research and data sharing requests in order to incorporate appropriate student data privacy controls for all approved requests;
-
Review contracts, grants, and agreements in order to incorporate appropriate student data privacy requirements;
-
Review digital tools and authorize only those digital tools that adhere to federal, State, and local student data privacy laws and regulations;
-
Conduct annual training and/or notification for all HCPSS employees, contractors, and volunteers on student data privacy policies, procedures, and practices; and
-
Report biannually to the Board on activities that impact student data privacy, including parental inquiries, data privacy controls, and relevant legislative and regulatory changes.
-
V. Responsibilities
-
All HCPSS Board members and school system officials will maintain the privacy of all student data by:
-
Following all approved data governance and privacy controls; and
-
Using only contracted essential digital tools or authorized supplemental digital tools with students for HCPSS-sanctioned activities.
-
-
The Superintendent/designee will collaborate with HCPSS executive leadership to manage and maintain the student data governance and privacy program.
-
HCPSS offices that initiate or implement an enterprise information system or records management process will collaborate with the Superintendent/designee to conduct a data privacy assessment of the system or process and incorporate appropriate data privacy controls as necessary.
-
HCPSS offices that initiate and/or sign a contract or agreement will collaborate with the Superintendent/designee to review the contract or agreement for data privacy implications and include data privacy protections when appropriate.
-
Based upon the recommendation of the Superintendent/designee, all contracts, grants, and agreements that require the processing and/or sharing of HCPSS student data with an entity outside of the HCPSS will require Board approval, notwithstanding those that are required by State and federal regulations as described in Section III.B.1—5.
-
The Superintendent/designee will review the policy every two (2) years to determine whether to recommend revision to this policy and implementation procedures.
VI. Delegation of Authority
The Superintendent is authorized to develop appropriate procedures for the implementation of this policy within the limits of the policy.
III. Definitions
Within the context of this policy, the following definitions apply:
-
Critical Response Team — The group of designated HCPSS personnel and system leaders who take action when potential data privacy incidents arise.
-
Data Governance — A formalized organizational approach to managing the processing of student data across the HCPSS.
-
Data Privacy — The protection of student data from unauthorized data processing.
-
Data Privacy Assessment — A process used to evaluate how a records management process or enterprise information system processes student data.
-
Data Privacy Control — An administrative, technical, or physical safeguard employed within HCPSS that governs the access to and processing of student data according to the least privilege methodology.
-
Data Privacy Incident Response Plan — The HCPSS protocols that outline the reaction to, mitigation of, and communication regarding an event that potentially compromises the confidentiality, integrity, or availability of student data.
-
Data Processing — The creation, collection, use, maintenance, release, disclosure, and/or destruction of student data.
-
De-identified Data — Data that, based on federal and State standards, the HCPSS has determined cannot identify an individual with reasonable certainty.
-
Digital Tool — Any website, application (app), or software that requires an account.
-
Enterprise Information System — An HCPSS technology platform that processes systemwide student data.
-
Essential — That which is necessary for the delivery of educational programs and operational services (such as, but not limited to, the student information system, the learning management system, and the library media system).
-
Family Educational Rights and Privacy Act (FERPA) — A federal privacy law that governs school system’s processing of personally identifiable student information and delineates parental rights to their children’s education records.
-
Least Privilege — The methodology whereby each user is assigned the appropriate level of access to student data needed for their responsibility.
-
Parent — Any one of the following, recognized as the adult(s) legally responsible for the student:
-
Biological Parent — A natural parent whose parental rights have not been terminated.
-
Adoptive Parent — A parent who has legally adopted the student and whose parental rights have not been terminated.
-
Custodian — A person or an agency appointed by the court as the legal custodian of the student and granted parental rights and responsibilities.
-
Guardian — A person who has been placed by the court in charge of the affairs of the student and granted parental rights and responsibilities.
-
Caregiver — An adult resident of Howard County who exercises care, custody, or control over the student but who is neither the biological parent nor legal guardian as long as the person satisfies the requirements of the Education Article §7-101(c) (Informal Kinship Care) or has been issued a U.S. Department of Health and Human Services’ Office of Refugee Resettlement (ORR) Verification of Release form entering into a custodial arrangement with the federal government.
-
Foster Parent — An adult approved to care for a child who has been placed in their home by a state agency or a licensed child placement agency as provided by the Family Law Article, §5-507.
-
-
Personally Identifiable Information (PII) — Any information that, alone or in combination, would make it possible to identify an individual with reasonable certainty.
-
Record — Any material created or received by the Board, an HCPSS school or office, or a school system official in connection with the transaction of HCPSS business. A record includes any form of documentary material, including but not limited to paper documents, electronic documents, microfilm, drawings, maps, pictures and any other documentary material in any format, in which business information is created or maintained.
-
Records Management Practice — Any procedure for collecting or maintaining an HCPSS record.
-
School System Official — A person employed by the HCPSS; or a person or organization contracted by the HCPSS to perform a special task (such as an attorney, auditor, school resource officer, medical consultant, or therapist).
-
Student Data — Any PII relating to an identified or identifiable student.
-
Student Education Record — Specific records, as defined and protected by FERPA, mandated by COMAR, and outlined in HCPSS Policy 9050, that are directly related to an individual student and maintained by the HCPSS.
VII. References
A. Legal
-
Every Student Succeeds Act (ESSA), 20 U.S.C. §6301
-
Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232(g)
-
Privacy Act of 1974, 5 U.S.C. § 552(a)
-
Maryland Personal Information Protection Act, Md. Code Com. Law § 4-3501 et seq.
-
The Annotated Code of Maryland, Education Article, §4-131, Student Data Privacy Act of 2015
-
COMAR 13A.08.02. Student Records
B. Board Policies
C. Relevant Data Sources
D. Other
-
Department of Homeland Security: Privacy Impact Assessment Official Guidance
-
National Institute of Standards and Technology: Publication 800-53
-
Office of Management and Budget: Circular A-130
-
HCPSS Ethics Regulations
VIII. History
ADOPTED: June 7, 2018
REVIEWED: January 27, 2023
MODIFIED: February 8, 2024
REVISED:
EFFECTIVE: February 8, 2024
Policy History Key
- Adopted-Original date the Board took action to approve a policy
- Reviewed-The date the status of a policy was assessed by the Superintendent’s Standing Policy Group
- Modified-The date the Board took action to alter a policy that based on the recommendation of the Superintendent/designee did not require a comprehensive examination
- Revised-The date the Board took action on a that policy based on the recommendation of the Superintendent/designee needed a comprehensive examination
- Effective-The date a policy is implemented throughout the HCPSS, typically July 1 following Board action.