7400.1: Electronic Records Retention & Disposition7400.1: Electronic Records Retention & Disposition holly Mon, 07/22/2019 - 11:19
The District may maintain student records in an electronic or digital format. The District may maintain electronic or digital student and staff records on District controlled servers, contracted third party hosted servers, and/or web-based/cloud servers. The District shall take steps to ensure that the confidentiality and privacy of the student and staff records are maintained as provided by state and federal law and the District’s policies and rules.
A. The District shall take all reasonable steps necessary to ensure that the use of the Internet or contracted third part hosted services for the gathering, maintaining and/or storing of District information shall not abridge the right of privacy of students and staff as provided by law.
B. The District shall take all steps necessary for all users of a contracted third party hosted service maintaining, gathering and storing District information to have a unique user name and unique user password and to protect the confidentiality of such user names and passwords.
C. The District shall require that any contracted third party hosted service used by the District have software or mechanisms in place to alert the service of any intrusions or attempted intrusions into the database by unauthorized users. The contracted third party hosted service shall provide to the District upon request an intrusion analysis setting out to the extent possible the dates, times, and places or other applicable information of attempted intrusions by unauthorized computers or persons to the service.
D. The District shall require that any contracted third party hosted service maintaining, gathering and storing District information maintain a log of all requests for access to information for any student contained on the contracted third party hosted service.
E. The District shall require the contracted third party hosted services to have verifiable parental consent and District authorization (i.e., written or digital) prior to the collection of personally identifiable information from a student.
F. All student or District information contained on the contracted third party hosted servers accessible through the Internet shall be secured utilizing, at a minimum, 128-bit encryption.
G. Any third party hosted service shall, at the requirement of the District, upgrade its encryption software as may be required from time to time to ensure complains with generally accepted encryption standards.
H. The District shall be granted access to all privacy policies, end user license agreements, encryption certificates, access logs documenting requests for information from any database containing information of District students, student records and/or parents.
II. USE OF INFORMATION
A. No personally identifiable information about any student obtained by, maintained by, retained by, or gathered by the contracted third party hosted service for and on behalf of the District shall be disclosed to any third parties, except to the extent necessary to the operation and maintenance of the service site.
B. Information may only be gathered by a contracted third party hosted service in the aggregate and may only be used for the purposes of providing educational services to the District and for internal company use only. No personally identifiable information about any student may be utilized by the contracted third party hosted service for any reason without prior authorization (i.e., written or digital) by the District and parental consent as may be required by law.
C. Any personally identifiable information regarding any student of the District maintained, retained, or gathered by a contracted third party hosted service must be destroyed in compliance with the legal requirements of law and District policies and rules. Personally identifiable information includes but is not limited to Permanent Student Records, Subsidiary Student Records, Special Education Records, and any Electronic Student Records as defined in District Rule 5720.1
III. TERMINATION – REMOVAL OF RECORDS
A. All data pertaining to any educational information of any student of the District shall be returned to the District upon termination of the contracted third party hosted service provider contract or other agreement at the option of the District.
B. At no time will the District’s information or any student information maintained, retained, or gathered by the contracted third party hosted service be deemed to be the property of the service.
C. Upon termination of any contract or the relationship with the contracted third party hosted service and after the return of all District and student information and date the service shall provide the District with a statement that all known copies of said information have been destroyed.
IV. UTILIZATION OF TRACKING SOFTWARE, A/K/A “Cookie Technology”
A. Tracking software or mechanisms which may be utilized by the contracted third party hosted service that allow the service to store information about a user on that user’s own computer shall not be allowed to collect any personally identifiable information except to the extent necessary to track the user’s activities within a particular site. When the contracted third party hosted services are terminated the tracking software or mechanism shall be removed or terminated.
B. Any software or mechanism that allows the contracted third party hosted service to store its own information about a user on the user’s own computer which persists or remains a part of the user’s computer and which is or may be automatically activated, updated and shared with the service when the user reconnects to the service shall not be permitted except to the extent that as a “persistent cookie” it is utilized to retain individual unique password and/or user name information for the purposes of logging in to the contracted third party hosted service to access the site.
C. Any information collected from or by the utilization of tracking software by a contracted third party hosted service may be retained by the service only to the extent reasonably necessary to upgrade, update and make navigation of the services’ site more efficient.
D. Any and all information collected or maintained by a contracted third part hosted service shall be maintained or retained in compliance with the requirements of these rules and any other applicable policies or rules relating to personally identifiable educational information and in compliance with the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA).
Child Online Privacy Protection Act (COPPA) 15 U.S.C. § 501 et seq.
FERPA, 20 U.S.C. § 1232, et seq.
Neb. Rev. Stat. § 79-2, 104-105
Neb. Rev. Stat. § 79-539