Skip to main content

Student Data Privacy and Security Policy

The efficient collection, analysis, and storage of student information is essential to improve the education of our students. As the use of student data has increased and technology has advanced, the need to exercise care in the handling of confidential student information has intensified. The privacy of students and the use of confidential student information is protected by federal and state laws, including the Family Educational Rights and Privacy Act (FERPA).
Student information is compiled and used to evaluate and improve California’s educational 
system and improve transitions from high school to postsecondary education or the workforce. The State Board of Education to makes recommendations on the proper collection, protection, storage and use of confidential student information stored within the California’s Longitudinal Pupil Achievement Data System (CALPADS). 
 

Defined Terms:
Administrative Security consists of policies, procedures, and personnel controls including security policies, training, and audits, technical training, supervision, separation of duties, rotation of duties, recruiting and termination procedures, user access control, background checks, performance evaluations, and disaster recovery, contingency, and emergency plans. These measures ensure that authorized users know and understand how to properly use the system in order to maintain security of data. 

Personally Identifiable Information (PII) includes: the name of a student’s family; the students’ social security number; a student education unique identification number; or other indirect identifiers such as a student’s date of birth, place of birth or mother’s maiden name; and other information that alone or in combination is linked or linkable to a specific student that would allow a reasonable person in the school community who does not have personal knowledge of the relevant circumstances, to identify the student.

Directory information (DI) includes: a students name; address; telephone number; major course of study; participation in school activities; dates of attendance; awards; previous school attendance; Height and weight of athletes. This information is made available to specific agencies in accordance with state and federal laws.  VCPUSD enrollment agreement and release of directory information.

Aggregate Data is collected or reported at a group, cohort or institutional level and does not contain PII. 

Data Breach is the unauthorized acquisition of PII.

Logical Security consists of software safeguards for an organization’s systems, including user identification and password access, authenticating, access rights and authority levels. These measures ensure that only authorized users are able to perform actions or access information in a network or a workstation.

Physical Security describes security measures designed to deny unauthorized access to facilities or equipment. 
Student Data means data collected at the student level and included in a student’s educational records. 
Unauthorized Data Disclosure is the intentional or unintentional release of PII to an unauthorized person or untrusted environment. 
 
Collection:
Valley Center - Pauma Unified School District “The District” shall follow applicable state and federal laws related to student privacy in the collection of student data.
 
Access:
Unless prohibited by law or court order, the District shall provide parents, legal guardians, or eligible students, as applicable, the ability to review their child’s educational records.  The Superintendent, administrator, or designee, is responsible for granting, removing, and reviewing user access to student data. An annual review of existing access shall be performed.  Access to PII maintained by the district shall be restricted to: (1) the authorized staff of the school district who require access to perform their assigned duties; and (2) authorized employees of the State Board of Education and the State Department of Education who require access to perform their assigned duties; and (3) contracted vendors who require access to perform their assigned duties.
 
Security:
The District shall have Security controls in place to protect from a Data Breach or Unauthorized Data Disclosure. 
 The District shall notify in a timely manner affected individuals, students, and families if there is a confirmed Data Breach or confirmed Unauthorized Data Disclosure. All PII data shall be transmitted securely through industry standard methods.
 

Use:
Publicly released reports shall not include PII and shall use Aggregate Data in such a manner that re-identification of individual students is not possible. 
The District contracts with outside vendors involving student data, which govern databases, online services, assessments, special education or instructional supports, shall include the following provisions which are intended to safeguard student privacy and the security of the data: 
    ◦    Requirement that the vendor agree to comply with all applicable state and federal law; 
    ◦    Requirement that the vendor have in place Administrative Security, Physical Security, and Logical Security controls to protect from a Data Breach or Unauthorized Data Disclosure; 
    ◦    Requirement that the vendor restrict access to PII to the authorized staff of the vendor who require such access to perform their assigned duties; 
    ◦    Prohibition against the vendor’s secondary use of PII including sales, marketing or advertising; 
    ◦    Requirement for data destruction and an associated time frame; and 
    ◦    Penalties for non-compliance with the above provisions.
• The District shall clearly define what data is determined to be directory information. 
• If The District school chooses to publish directory information which includes PII, parents must be notified annually in writing and given an opportunity to opt out of the directory. If a parent does not opt out, the release of the information as part of the directory is not a Data Breach or Unauthorized Data Disclosure.


Resources:
FERPA: Family Education Rights and Privacy Act
e-CFR: Electronic Code of Federal Regulations pertaining to FERPA: 34 CFR Part 99  
Title 20 - Chapter 31: PDF File
U.S. Department of Education: Family Policy Compliance Office