The Family Educational Rights and Privacy Act (FERPA)
(20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
Parents or eligible students have the right to inspect and review the student's education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.
Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.
Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
School officials with legitimate educational interest;
Other schools to which a student is transferring;
Specified officials for audit or evaluation purposes;
Appropriate parties in connection with financial aid to a student;
Organizations conducting certain studies for or on behalf of the school;
Accrediting organizations;
To comply with a judicial order or lawfully issued subpoena;
Appropriate officials in cases of health and safety emergencies; and
State and local authorities, within a juvenile justice system, pursuant to specific State law.
Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.
Protection of Pupil Rights Amendment (PPRA)
The Protection of Pupil Rights Amendment (PPRA) applies to the programs and activities of a state education agency (SEA), local education agency (LEA), or other recipient of funds under any program funded by the U.S. Department of Education. It governs the administration to students of a survey, analysis, or evaluation that concerns one or more of the following eight protected areas:
political affiliations or beliefs of the student or the student’s parent;
mental or psychological problems of the student or the student’s family;
sex behavior or attitudes;
illegal, anti-social, self-incriminating, or demeaning behavior;
critical appraisals of other individuals with whom respondents have close family relationships;
legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers;
religious practices, affiliations, or beliefs of the student or student’s parent; or
income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).
PPRA also concerns marketing surveys and other areas of student privacy, parental access to information, and the administration of certain physical examinations to minors. The rights under PPRA transfer from the parents to a student who is 18 years old or an emancipated minor under state law.
Children's Online Privacy Protection Act
COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
District Policies- FERPA
Code: JRA-E(2)
Policy - EHA
Student Data Privacy and Security
Sublette County School District #9 (District) is required to establish and maintain guidelines for the collection, access, privacy, security and use of student data by school districts. The guidelines shall, at a minimum, be in compliance with the federal Family Educational Rights and Privacy Act (FERPA) and other relevant federal and state laws. The Superintendent and/or designee shall develop and maintain administrative regulations, guidelines and procedures to protect the privacy and security of student data. This policy applies to all employees and/or contractors of the District. Any violation of this policy will be subject to disciplinary action allowed by Board Policy including reprimand, suspension, termination or any remedies allowed by law.
The Superintendent and/or designee shall develop and implement student data privacy and security guidelines and procedures. These guidelines and procedures provide detailed information and steps to ensure the privacy of student data and that only authorized individuals or entities have access. These guidelines and procedures shall also provide detailed information and mechanisms to ensure student data is secure in transit and at rest. These guidelines and procedures shall be included in the Sublette County School District #9 Technology and Data Guidelines. The District Technology and Data Guidelines will be approved annually by the Board of Trustees per policy (CHCA). These guidelines and procedures shall include the following:
Data Collection
Authorized and Authentication Mechanisms for Assessing Student Data
Administrative, Physical, and Logical Security Safeguards: Including Employee Training and Data Encryption.
Privacy and Security Compliance
Process for Identification and Response to Data Security Incidents: Including Breach Notification and Mitigation Procedures
Standards for Retention and Verified Destruction of Student Data
Adopted: 01/15/18
Code: EHAA
The purpose is to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access sensitive information.
This policy applies to all District workforce members including, but not limited to full-time employees, part-time employees, trainees, volunteers, contractors, temporary workers, and anyone else granted access to sensitive information. In addition, this policy applies to all workstations and other computing devices owned or operated by the District and any computing device allowed to connect to the District’s internal network.
The workstations and other computing devices at the District are to be used for work related purposes except as otherwise provided. This includes, but is not limited to, Internet and Web access as well as the use of e-mail at the District. Workforce members should not expect any level of privacy as their activities, e-mails, files, and logs may be viewed at any time by the Security Officer or other members of management in support of this and other policies and procedures.
The District may revoke the access rights of any individual at any time in order to protect or secure the confidentiality, integrity, and availability of sensitive information or to preserve the functionality of electronic information systems.
The District will implement reasonable and appropriate measures to secure its computing devices could be used to access sensitive information. These measures will include, but are not limited to the following:
· All user and administrator accounts must be protected by some form of authentication. If passwords are used, they must follow the guidelines set forth in the Authentication Policy.
· All users accessing the District computing devices must have and use a unique user ID as set forth in the Authentication Policy.
· Procedures must be maintained that implement security updates and software patches in a timely manner.
· Procedures must be maintained that require users to run an up-to-date anti-virus program on all computing devices at the District.
· All unnecessary and unused services (or ports) must be disabled.
· Measures will be taken to physically protect computers that are located in public areas and portable computers such as laptops and PDAs that can be taken off the premises.
· Computers located in public areas will be situated as to block unauthorized viewing and/or will have screen savers that black out the screen.
The Security Officer will be responsible for ensuring the implementation of the requirements of this policy.
Failure to comply with this or any other security policy will result in disciplinary actions up to and including termination of employment. Legal actions also may be taken for violations of applicable regulations and standards such as state and federal rules to include the Family Educational Rights and Privacy Act (FERPA).
WSBA Adopted: 10/2017
Adopted: 6/15/21
District Policy-PPRA
