Privacy Policy & Agreements

DATA PRIVACY AND SECURITY POLICY

I. Purpose

This policy addresses Plattsburgh City School District's ("District") responsibility to adopt appropriate administrative,
technical and physical safeguards and controls to protect and maintain the confidentiality, integrity and availability of its
data, data systems and information technology resources. The District takes active steps to protect the confidentiality of
protected information in compliance with all applicable state and federal laws. The District likewise expects all District
officers, employees, and partners to maintain the confidentiality of protected information in accordance with state and
federal law and applicable District policies.

II. Policy Statement

It is the responsibility of the District:

  1. to comply with legal and regulatory requirements governing the collection, retention, dissemination, protection, and
    destruction of information;
  2. to maintain a comprehensive Data Privacy and Security Program designed to satisfy its statutory and regulatory
    obligations, enable and assure core services, and fully support the Department of Education's mission;
  3. to protect, and not sell or disclose for marketing or commercial purposes, personally identifiable information, and
    sensitive and confidential information from unauthorized use or disclosure;
  4. to address and require the adherence of its vendors with federal, state and SED requirements in its vendor
    agreements, especially 8 NYCRR Part 121;
  5. to train its users to share a measure of responsibility for protecting SED's data and data systems;
  6. to identify its required data security and privacy responsibilities and goals, integrate them into relevant processes,
    and commit the appropriate resources towards the implementation of such goals; and
  7. to communicate its required data security and privacy responsibilities and goals and the consequences of noncompliance,
    to its users.

III. Standard

The District will use the National Institute of Standards and Technology's Cybersecurity Framework v 1.1 (NIST CSF or
Framework) as the standard for its Data Privacy and Security Program.

III. Scope

The policy applies to District officers, administrators, and employees, and also to independent/subcontractors, interns,
volunteers ("Users") and third-party contractors who receive or have access to the District's data and/or data systems.

This policy encompasses all systems, automated and manual, including systems managed or hosted by third parties on
behalf of the District and it addresses all information, regardless of the form or format, which is created or used in support of
the activities of an educational agency.

This policy, as implemented, shall ensure that every use and disclosure of personally identifiable information by the District
shall benefit students and the District and shall ensure that personally identifiable information shall not be included in public
reports or other documents.

This policy shall be published on the District website and notice of its existence shall be provided to all employees and Users.

IV. Compliance

All Users are responsible for the compliance of their programs with this policy, related policies, and their applicable standards, guidelines and procedures. Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented, and Users will be directed to adopt corrective practices, as applicable.

V. Oversight

The District shall appoint a Data Protection Officer who shall annually report to the Board of Education on data privacy and security activities and progress, the number and disposition of reported breaches, if any, and a summary of any complaint submitted pursuant to Education Law §2-d. The Data Protection Officer will also be responsible for the implementation of the policies and procedures required in Education Law § 2-d and its implementing regulations, and will serve as the point of contact for data security and privacy for the District.

VI. Data Privacy

  1. Laws such as the Family Educational Rights and Privacy Act (FERPA), NYS Education Law §2-d and other state or federal laws addressing data security and confidentiality shall be adhered to at all times.
  2. Data protected by law must only be used in accordance with law and regulation and the District policies to ensure it is protected from unauthorized use and/or disclosure.
  3. The District has established a Data Protection Officer and a Data Privacy Committee to manage its use of data protected by law. The Data Protection Officer and the Data Privacy Committee will determine whether a proposed use of personally identifiable information would benefit students and educational agencies, and will ensure that personally identifiable information is not included in public reports or other public documents, or otherwise publicly disclosed.
  4. No student data shall be shared with third parties without a written agreement that complies with state and federal laws and regulations. No student data will be provided to third parties unless it is permitted by state and federal laws and regulations. Third-party contracts must include provisions required by state and federal laws and regulations.
  5. The identity of all individuals requesting personally identifiable information, even where they claim to be a parent or eligible student or the data subject, must be authenticated in accordance with District procedures.
  6. It is the District's policy to provide all protections afforded to parents and persons in parental relationships, or students where applicable, required under the Family Educational Rights and Privacy Act, the Individuals with Disabilities Education Act, and the federal regulations implementing such statutes. Therefore, the District shall ensure that its contracts require that the confidentiality of student data or teacher or principal APPR data be maintained in accordance with federal and state law and this policy.
  7. Contracts with third parties that will receive or have access to personally identifiable information must include a Data Privacy and Security Plan that outlines how the contractor will ensure the confidentiality of data is maintained in accordance with state and federal laws and regulations and this policy.

VII. Right to Inspect

Parents and eligible students shall have the right to inspect and review a student's education record by making a request directly to the District in writing. Only authorized individuals shall be able to inspect and review student data, and the District shall take all necessary measures to verify the identity of parents and eligible students who submit requests to inspect and review an education record, and their authority to do so. The District shall comply with a request for access to records within a reasonable period of time, but not more than 45 calendar days after receipt of the request. The District shall transmit the personally identifiable information in a way that complies with state and federal law and regulations. Safeguards associated with industry standards and best practices shall be in place if and when education records requested by a parent or eligible student are electronically transmitted.

VIII. Incident Response and Notification

The District will respond to data privacy and security critical incidents or allegations of breach of data in accordance with Education Law §2-d and Commissioner's regulations Part 121. All breaches of data and/or data systems must be reported to the Data Protection Officer. All breaches of personally identifiable information or sensitive/confidential data must be reported to the Data Protection Officer. For purposes of this policy, a breach means the unauthorized acquisition, access, use, or disclosure of student, teacher or principal personally identifiable information as defined by Education Law §2-d, or any District sensitive or confidential data or a data system that stores that data, by or to a person not authorized to acquire, access, use, or receive the data.

State and federal laws require that affected individuals must be notified when there has been a breach or unauthorized disclosure of personally identifiable information. Upon receiving a report of a breach or unauthorized disclosure, the Superintendent, Data Protection Officer, school attorneys, and other subject matter experts will determine whether notification of affected individuals is required, and where required, effect notification in the most expedient way possible and without unreasonable delay.

Parents, eligible students, teachers, principals or other staff of the District may file a written complaint about breaches or unauthorized releases of student data and/or teacher or principal data. The complaint must be filed with the District in writing. Upon receiving such a complaint, the District will promptly acknowledge receipt of same, commence an investigation, and take any necessary precautions to protect personally identifiable information. Following its investigation, the District shall provide the complainant with its findings no more than 60 calendar days from the date the District received the complaint. Should the District require additional time to relay its findings, or where the response may compromise security or impede a law enforcement investigation, the District shall provide the complainant with a written explanation that includes the approximate date when the District anticipates that it will respond to the complaint. A record of all complaints of breaches or unauthorized releases of student data shall be maintained by the District in accordance with applicable data retention policies.

IX. Acceptable Use Policy, Password Policy and other Related District Policies

  1. Users must comply with the Acceptable Use Policy in using the District's resources. Access privileges will be granted in accordance with the user's job responsibilities and will be limited only to those necessary to accomplish assigned tasks in accordance with the District's missions and business functions (i.e., least privilege). Accounts will be removed, and access will be denied for all those who have left the District or moved to another position.
  2. Users must comply with all other related District policies.

XI. Training

All users of the District's data, data systems and data assets must annually complete the information security and privacy training offered by the District. Information security and privacy training will be made available to all users. Employees must complete the training annually, and such training may be delivered using online training tools and be included as part of professional development training.

XI. Agreements with BOCES

The District may join an executed agreement between a board of cooperative educational services and a third-party vendor. Before joining any such agreement, the District shall review the agreement and shall ensure that it complies with all confidentiality laws and implementing regulations, including, but not limited to, the Family Educational Rights and Privacy Act (FERPA) and Education Law § 2-d.