Policy 3060 Implementation Procedures - Student Data Governance and Privacy
Implementation Procedures
I. General Provisions
- In order to process student data properly and maintain the data privacy of individual students, all Howard County Public School System (HCPSS) Board members and school system officials will:
  - Process only the student data to which they have authorized access;
  - Use only authorized methods to process student data; and
  - Disclose student data only under authorized conditions, through authorized methods, and to authorized recipients.
  Authorization will be determined through the procedures for conducting data privacy assessment and implementing data privacy controls as outlined in Section III.
- In order to minimize the student data that the HCPSS creates and/or collects, HCPSS departments will:
  - Document the legal authority and specific purpose for creating and/or collecting student data;
  - Identify the minimum student data elements necessary to accomplish the specific purpose of creating and/or collecting the student data;
  - Limit the creation and/or collection of student data to the minimum information identified;
  - Take reasonable steps to monitor the continued relevance of the student data being created and/or collected; and
  - Provide parents with the ability to opt out of any collection and/or sharing of their student’s data that does not align with the provisions specified in Section III.B. of the policy.
- In order to implement the student data governance and privacy program, the Superintendent/designee will:
  - Coordinate with HCPSS executive leadership and departments/offices to manage and maintain the requirements of the student data governance and privacy program that are delineated in Section III.D. of the policy;
  - Measure the effectiveness and fidelity of the student data governance and privacy program in order to support continuous improvement efforts; and
  - Develop and implement continuous improvement efforts based on the measured effectiveness and fidelity of the data privacy program.
II. Parent Inquiries and Notifications
- To manage and maintain communications with parents about the HCPSS student data governance and privacy practices, the Superintendent/designee will implement methods of annual notification and ongoing communications.
- The annual notifications and ongoing communications will include, but are not limited to:
  - Publicizing the process for parents to opt out of the collection and/or sharing of their student’s data when the collection and/or sharing does not align with the provisions specified in Section III.B. of the policy.
  - Publicizing a list of all current enterprise information systems, records management practices, contracts, grants, agreements, and digital tools that involve student data and the student data involved.
III. Data Privacy Assessments and Controls
- To conduct data privacy assessments on enterprise information systems and records management practices, the Superintendent/designee will coordinate with the department initiating or implementing the system or practice to:
  - Document the student data that the enterprise information system or records management practice creates, collects, uses, maintains, and/or discloses;
    - If the information system or records management practice generates new information, the privacy assessment will document the types and purpose of the student data generated.
    - If the information system or records management practice receives information from another system or practice, the privacy assessment will document the types and sources of the student data received.
  - Document the legal authority and specific purposes of the student data being created, collected, used, maintained, and/or disclosed by the enterprise information system or records management practice;
  - Document the nature and scope of legally authorized usages and disclosures of student data;
  - Document any relevant records retention schedules for the student data being maintained according to the Records and Information Disposition Schedules (RIDS); and
  - Document the procedure for individuals to opt-in/out, when applicable, of the creation, collection, use, maintenance, and/or disclosure of student data.
- To incorporate data privacy controls into its enterprise information systems and records management practices, the Superintendent/designee and the department initiating or implementing the system or practice will coordinate to:
  - Determine the appropriate data privacy controls for an enterprise information system or records management practice that limit access to student data according to the least privilege methodology;
  - Implement data privacy controls for specific enterprise information systems or records management practices;
  - Manage and maintain a process to review the implementation of and efficacy of the data privacy controls; and
  - Make improvements to the data privacy controls as necessary.
IV. HCPSS Data Privacy Incident Response Plan
- To maintain a Data Privacy Incident Response Plan that includes Maryland breach notification requirements and aligns with the HCPSS Technology Security Incident Response Procedures, the Superintendent/designee will:
  - Review its Data Privacy Incident Response Plan at least annually to revise and update the plan according to current nationally benchmarked best practices in risk management, data security, and data privacy;
  - Conduct an annual drill of the Data Privacy Incident Response Plan with all relevant HCPSS offices and departments, and modify the plan according to procedural gaps exposed through the drill process; and
  - Collaborate with HCPSS executive leadership and departments/offices to align the Data Privacy Incident Response Plan with the HCPSS Continuity of Operations Plan and Disaster Recovery Plan.
- If a potential data privacy incident arises, the critical response team will:
  - Convene to assess the potential data privacy incident;
  - Take coordinated action according to the Data Privacy Incident Response Plan;
  - Notify individuals affected according to the regulatory mandates of the Maryland data breach notification requirements; and
  - Use the lessons learned from the incident response to improve the processes of identifying, defending, detecting, responding to, and recovering from future potential incidents.
V. Data Privacy Reviews
- To review contracts, grants, and agreements in order to incorporate appropriate data privacy requirements, the Superintendent/designee will:
  - Coordinate with relevant HCPSS departments/offices to manage and maintain a contract, grant, and agreement review procedure;
  - Coordinate with relevant HCPSS departments/offices to identify contracts, grants, and agreements involving student data;
  - Coordinate with relevant HCPSS departments/offices to include contractual requirements that safeguard the privacy of student data in identified contracts and agreements; and
  - Coordinate with relevant HCPSS departments/offices to ensure that all contracts, grants, and agreements involving student data adhere to the Maryland Student Data Privacy Law.
- To review supplemental digital tools and authorize only those supplemental digital tools that adhere to federal, State, and local data privacy laws and regulations, the Superintendent/designee will:
  - Coordinate with relevant HCPSS departments/offices to manage and maintain a digital tool review procedure;
  - Coordinate with relevant HCPSS departments/offices to identify digital tools that involve student data; and
  - Coordinate with relevant HCPSS departments/offices to authorize only those digital tools that adhere to federal, State, and local data privacy laws and regulations.
VI. Monitoring
Policy 3060 implementation procedures will be overseen by the Office of the Deputy Superintendent.
VII. History
ADOPTED: June 7, 2018
REVIEWED: January 27, 2023
MODIFIED: February 8, 2024
REVISED:
EFFECTIVE: February 8, 2024
Policy History Key
- Adopted: Original date the Board took action to approve a policy
- Reviewed: The date the status of a policy was assessed by the Superintendent’s Standing Policy Group
- Modified: The date the Board took action to alter a policy that, based on the recommendation of the Superintendent/designee, did not require a comprehensive examination
- Revised: The date the Board took action on a policy that, based on the recommendation of the Superintendent/designee, needed a comprehensive examination
- Effective: The date a policy is implemented throughout the HCPSS, typically July 1 following Board action.