Fort Sage Unified School District

Data Practices & Student Privacy

Application Specific Privacy Policy

Fort Sage Unified School District uses applications for purpose of Administration, attendance, classroom assignments, and student testing. Apps are available to use on a students Chromebook, computer, and even smart phone for educational purposes. These apps all have their own Privacy Policy in regard to Students Data for the purposes of education. Please see below for the list of apps used by FSUSD:

AERIES

AERIES
Aeries Privacy Policy
The data your Educational Institution stores on Aeries’ systems may include, but is not limited to, the following information about students and their guardians:

Demographic information such as name, mailing address, email address, and date of birth;
Student education records including, but not limited to student’s grades, class enrollment, and behavioral records;
Financial information, including but not limited to fees and fines, such as Chromebook insurance, or administrative fees, determined by LEAs;
Health-related information including your student’s immunizations and vision and hearing screening results;
System usernames and passwords.

Odysseyware
Odysseyware Privacy Policy

Student Data:
Once students are enrolled in Edgenuity (Odysseyware) courses, Edgenuity may have access to personally identifiable information about students (“Student Data”) through the courses used by the Students. Edgenuity considers Student Data to be confidential and do not use such data for any purpose other than to provide the courses and other services on the School’s behalf. The Schools may provide for students to log into the Edgenuity platform to access the Edgenuity courses that have been authorized by the School, often at a school facility or from a student’s personal computer. The School is responsible for providing each student with login credentials and confirms that it has obtained appropriate parental consents, as needed, before the student is permitted to access the Edgenuity platform. Students (or Parents or legal guardians of the Student), retain ownership and control of all Student Data that is provided or accessed through Edgenuity’s course, and title to such Student Data never passes to Edgenuity. Edgenuity has access to Student Data only on a need-to-know basis, as requested by the School and only for the purposes of providing the students with the ability to use the Edgenuity courseware and related services. Edgenuity will not use Student Data for any purposes other than those authorized pursuant to Edgenuity’s contract with the School.

Students or parents should direct questions about the School’s use of technology service providers like Edgenuity to their School administrator. If a Student contacts Edgenuity with a question about Edgenuity's Service, Edgenuity will collect personal information from that Student only as necessary to respond to the Student’s request and direct the Student to contact the Student’s School, and Edgenuity will then delete or anonymize the personal data of the Student after Edgenuity provides a response.

Google "Google Classroom"
Education Suite & Google Chromebooks
Googles Privacy Policy

Does Google sell school or student data to third parties?
No. google doesn’t sell your G Suite data to third parties, and Google does not share personal information placed in Googles systems with third parties, except in the few exceptional circumstances described in the G Suite agreement and Googles Privacy Policy, such as when you ask Google to share it or when Google is required to do so by law.

How does Google keep data secure?
Google is fully committed to the security and privacy of your data and protecting you and the school from attempts to compromise it. Googles systems are among the industry’s most secure and we vigorously resist any unlawful attempt to access Google customers’ data.

Google’s data centers use custom hardware running a custom hardened operating system and file system. Each of these systems has been optimized for security and performance. Because Google controls the entire hardware stack, google is able to quickly respond to any threats or weaknesses that may emerge.

Google encrypts Gmail (including attachments) and Drive data while on the move. This ensures that your messages are safe not only when they move between you and Google's servers, but also as they move between Google's data centers.

NWEA "MAP Testing"
NWEA Map Testing

Information Collected Automatically
When you visit our site, we may collect certain information automatically from your device. Specifically, the information we collect automatically may include information like your IP address, device type, browser-type, broad geographic location (e.g. country or city-level location), and other technical information. We may also collect information about how your device has interacted with our site, including the pages accessed and links clicked.

Right to Erasure & Data Portability
You can: (i) object to processing of your Information that is personally identifiable (“Personal Information”), (ii) request NWEA to restrict processing of Personal Information; or (iii) request portability of your Personal Information. In order to initiate a request please email NWEA at legalservices@nwea.org.

Also, if NWEA has collected and processed your Personal Information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing NWEA conducted prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent.

Children
NWEA does not knowingly collect Personal Information online from children under the age of 13 from the Website. The Website is intended for use by those in the fields of education, businesses and other adults. NWEA requests that children under the age of 13 do not submit any Personal Information to NWEA. If NWEA learns that NWEA has collected or received Personal Information from a child under 13, NWEA will delete that information.

Social Media
NWEA uses third party social media sites to provide NWEA content in formats that may be useful or interesting; however, the Website is the official source of information from NWEA. NWEA cannot attest to the accuracy or usage of other information provided by these or any other linked sites.

Browser Cookies
As with many other sites, the NWEA Website may use “cookies” or other technologies to help NWEA deliver content specific to your interests, to process your requests, and/or to analyze your visiting patterns. Cookies are small text files that a Website can send to a user’s browser for storage on the hard drive. Cookies can make use of the Web easier by saving and administering status, preferences and other user information.

The NWEA Website also may use Web beacons, which are small strings of code that provide a method for delivering a graphic image on a Web page or in an email message for the purpose of transferring data. The Web beacons may be served by third party services or NWEA servers. NWEA may use cookies and Web beacons in order to properly route users through the site, customize users’ experiences on the site, to help NWEA send you information about products and services you may be interested in, and to help us improve the Website. Most browsers are initially set to accept cookies but users can change the setting to block cookies. Although disabling cookies will not interfere with your ability to access the site, users will need to accept cookies in order to use certain services on the site. Users can disable the ability of Web beacons to capture information by blocking cookies. Currently, NWEA's sites do not recognize browser “do-not-track” requests. You may, however, disable certain tracking as discussed in this Privacy Policy (e.g., by disabling cookies, or using ‘private’ browsing modes).

Contacting NWEA
NWEA responds to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. If you have any questions or concerns about NWEA's use of your Personal Information, please contact NWEA by email at legalservices@nwea.org

COPPA

The Children’s Online Privacy Protection Act (“COPPA”) is a federal law governed by the Federal Trade Commission (“FTC”) that controls what information may be collected from children under the age of 13 by companies operating websites and mobile applications. (15 U.S.C. § 6501, et seq.) COPPA requires companies to post a clear privacy policy on their
website or mobile application, provide notice to parents, and obtain parental consent before collecting personal information from children under the age of 13.

COPPA AND SCHOOLS
Section M
1. Can an educational institution consent to a website or app’s collection, use or disclosure of personal information from students?

Yes. Many school districts contract with third-party website operators to offer online programs solely for the benefit of their students and for the school system – for example, homework help lines, individualized education modules, online research and organizational tools, or web-based testing services. In these cases, the schools may act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf. However, the school’s ability to consent for the parent is limited to the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose. Whether the website or app can rely on the school to provide consent is addressed in FAQ M.2. FAQ M.5 provides examples of other “commercial purposes.”

In order for the operator to get consent from the school, the operator must provide the school with all the notices required under COPPA. In addition, the operator, upon request from the school, must provide the school a description of the types of personal information collected; an opportunity to review the child’s personal information and/or have the information deleted; and the opportunity to prevent further use or online collection of a child’s personal information. As long as the operator limits use of the child’s information to the educational context authorized by the school, the operator can presume that the school’s authorization is based on the school’s having obtained the parent’s consent. However, as a best practice, schools should consider making such notices available to parents, and consider the feasibility of allowing parents to review the personal information collected. See FAQ M.4. Schools also should ensure operators to delete children’s personal information once the information is no longer needed for its educational purpose.

In addition, the school must consider its obligations under the Family Educational Rights and Privacy Act (FERPA), which gives parents certain rights with respect to their children’s education records. FERPA is administered by the U.S. Department of Education. For general information on FERPA, see https://studentprivacy.ed.gov/. Schools also must comply with the Protection of Pupil Rights Amendment (PPRA), which also is administered by the Department of Education. See https://studentprivacy.ed.gov/. (See FAQ M.5 for more information on the PPRA.)

Student data may be protected under state law, too. For example, California’s Student Online Personal Information Protection Act, among other things, places restrictions on the use of K-12 students’ information for targeted advertising, profiling, or onward disclosure. States such as Oklahoma, Idaho, and Arizona require educators to include express provisions in contracts with private vendors to safeguard privacy and security or to prohibit secondary uses of student data without parental consent.

2. Under what circumstances can an operator of a website or online service rely upon an educational institution to provide consent?

Where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose, the operator is not required to obtain consent directly from parents, and can presume that the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent. However, the operator must provide the school with full notice of its collection, use, and disclosure practices, so that the school may make an informed decision.

If, however, an operator intends to use or disclose children’s personal information for its own commercial purposes in addition to the provision of services to the school, it will need to obtain parental consent. Operators may not use the personal information collected from children based on a school’s consent for another commercial purpose because the scope of the school’s authority to act on behalf of the parent is limited to the school context.

Where an operator gets consent from the school rather than the parent, the operator’s method must be reasonably calculated, in light of available technology, to ensure that a school is actually providing consent, and not a child pretending to be a teacher, for example.

3. Who should provide consent – an individual teacher, the school administration, or the school district?

As a best practice, we recommend that schools or school districts decide whether a particular site’s or service’s information practices are appropriate, rather than delegating that decision to the teacher. Many schools have a process for assessing sites’ and services’ practices so that this task does not fall on individual teachers’ shoulders.

4. When the school gives consent, what are the school’s obligations regarding notifying the parent?

As a best practice, the school should consider providing parents with a notice of the websites and online services whose collection it has consented to on behalf of the parent. Schools can identify, for example, sites and services that have been approved for use district-wide or for the particular school.

In addition, the school may want to make the operators’ direct notices regarding their information practices available to interested parents. Many school systems have implemented Acceptable Use Policies for Internet use (AUPs) to educate parents and students about in-school Internet use. The school could maintain this information on a website or provide a link to the information at the beginning of the school year.

5. What information should a school seek from an operator before entering into an arrangement that permits the collection, use, or disclosure of personal information from students?

In deciding whether to use online technologies with students, a school should be careful to understand how an operator will collect, use, and disclose personal information from its students. Among the questions that a school should ask potential operators are:

What types of personal information will the operator collect from students?
How does the operator use this personal information?
Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service? If so, the school cannot consent on behalf of the parent.
Does the operator enable the school to review and have deleted the personal information collected from their students? If not, the school cannot consent on behalf of the parent.
What measures does the operator take to protect the security, confidentiality, and integrity of the personal information that it collects?
What are the operator’s data retention and deletion policies for children’s personal information?

Schools also should keep in mind that under the Protection of Pupil Rights Amendment, Local Educational Agencies (LEAs) must adopt policies and must provide direct notification to parents at least annually regarding the specific or approximate dates of, and the rights of parents to opt their children out of participation in, activities involving the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that information (or otherwise providing the information to others for that purpose).

FERPA

The Family Educational Rights and Privacy Act (“FERPA”) (20 U.S.C. § 1232g; 34 C.F.R. Part 99) is a Federal law that protects the privacy of student education records. The law applies to all entities that receive funds under an applicable program of the U.S. Department of Education.

FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.” Parents or eligible students have the right to inspect and review the student’s education records maintained by the school. Parents or eligible students also have the right to request that a school correct records which they believe to be inaccurate or misleading.

Generally, LEAs must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows LEAs to disclose those records, without consent, to the following parties or under the following conditions (34 C.F.R. § 99.31):

School officials with legitimate educational interest;
Other schools to which a student is transferring;
Specified officials for audit or evaluation purposes;
Appropriate parties in connection with financial aid to a student;
Organizations conducting certain studies for or on behalf of the school;
Accrediting organizations;
To comply with a judicial order or lawfully issued subpoena;
Appropriate officials in cases of health and safety emergencies; and
State and local authorities, within a juvenile justice system, pursuant to specific state law.

Directory Information
LEAs may also disclose, without consent, “directory information.” FERPA defines directory information as information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. (34 C.F.R. § 99.3.) Directory information may include a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. Education records that have been appropriately designated as “directory information” by the educational agency or institution may be disclosed without prior consent. (See 34 C.F.R. §§ 99.31(a)(11) and 99.37.)

FERPA provides that a school may disclose directory information if it has given public notice of the types of information that it has designated as “directory information,” the parent or eligible student’s right to restrict the disclosure of such information, and the period of time within which a parent or eligible student has to notify the school in writing that he or she does not want any or all of those types of information designated as “directory information.” (34 C.F.R. § 99.37(a).)

Therefore, many school districts include in their annual FERPA notice a broad designation of what is considered directory information and the circumstances of when it can be released without parental consent. Again, this notice should also give parents and eligible students the opportunity to restrict such disclosure.

Disclosure to “School Officials”
Another exception, which permits disclosure without consent, is disclosure to school officials with a legitimate educational interest in the information. LEAs must include in their annual FERPA notice, how they define “school official” and “legitimate educational interest.”

A “school official” is a person employed by the school as an administrator, supervisor, instructor, or support staff member (including health or medical staff and law enforcement unit personnel) or a person serving on the school board. A school official also may include a volunteer or contractor outside of the school who performs an institutional service of function for which the school would otherwise use its own employees and who is under the direct control of the school with respect to the use and maintenance of personally identifiable information from education records, such as an attorney, auditor, medical consultant, or therapist; a parent or student volunteering to serve on an official committee, such as a disciplinary or grievance committee; or a parent, student, or other volunteer assisting another school official in performing his or her tasks.

A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility. LEAs sometimes disclose educational records to technology vendors under the “school official” exception when the vendor is performing an institutional service or function of the LEA and the records are required to fulfill this function.

Technology vendors often qualify as a “school official” for purposes of the exemption to the Public Records Act, which allows directory information to be shared to a third-party application or website.

PPRA

PPRA Model Notice and Consent/Opt-Out for Specific Activities (PDF File)

The Protection of Pupil Rights Amendment (PPRA), 20 U.S.C. § 1232h, requires Fort Sage Unified School District to notify you and obtain consent or allow you to opt your child out of participating in certain school activities. These activities include a student survey, analysis, or evaluation that concerns one or more of the following eight areas (“protected information surveys”):
1. Political affiliations or beliefs of the student or student’s parent;
2. Mental or psychological problems of the student or student’s family;
3. Sex behavior or attitudes;
4. Illegal, anti-social, self-incriminating, or demeaning behavior;
5. Critical appraisals of others with whom respondents have close family relationships;
6. Legally recognized privileged relationships, such as with lawyers, doctors, or ministers;
7. Religious practices, affiliations, or beliefs of the student or the student’s parent; or
8. Income, other than as required by law to determine program eligibility.
This parental notification requirement and opt-out opportunity also apply to the collection, disclosure or use of personal information collected from students for marketing purposes (“marketing surveys”). Please note that parents are not required by PPRA to be notified about the collection, disclosure, or use of personal information collected from students for the exclusive purpose of developing, evaluating, or providing educational products or services for, or to, students or educational institutions. Additionally, the notice requirement applies to the conduct of certain physical exams and screenings. This includes any non-emergency, invasive physical exam or screening required as a condition of attendance, administered by the school or its agent, and not necessary to protect the immediate health and safety of a student. This does not include hearing, vision, or scoliosis screenings, or any physical exam or screening permitted or required by State law.
Following is a schedule of activities requiring parental notice and consent or opt-out for the upcoming school year. This list is not exhaustive and, for surveys and activities scheduled after the school year starts, the Fort Sage Unified School District will provide parents, within a reasonable period of time prior to the administration of the surveys and activities, notification of the surveys and activities, an opportunity to opt their child out, as well as an opportunity to review the surveys. (Please note that this notice and consent/opt-out transfers from parents to any student who is 18 years old or an emancipated minor under State law.)