Privacy Policy
MSD of Warren Township values your child’s privacy and strives to ensure parents are aware of the web-based tools and applications we use and the nature of personal information that will be collected and used by those tools and applications. An annual notice will go to parents about the programs being used at their schools. In addition, this list of educational web-based tools and applications used by MSD of Warren Township and related privacy policies will be revised annually if necessary to ensure that they are up to date.
Acknowledgement of Contractor Responsibilities under FERPA
This document is intended for MSD of Warren Township (School) and contractors (providers) to
inform contractor personnel about their responsibilities to protect students’ personally
identifiable information acquired from School. For more information about FERPA, please visit
http://ptac.ed.gov and http://familypolicy.ed.gov.
Introduction
Your organization has been hired by School to perform services that may require you to access
and use personally identifiable information (PII) from students’ education records. Your access
and use of the PII is governed by the Family Educational Rights and Privacy Act (FERPA).
FERPA requires the School to use reasonable methods to ensure your organization and its
personnel comply with FERPA and its regulations. If you have any questions about information
in this document, they should be directed to your School point of contact.
Your organization has a written agreement with the School detailing several points, including:
- The PII that is shared with (disclosed to) your organization;
- A description of the services and the reason why PII is required;
- A plan, including a timetable, for destroying the PII once the information is no longer needed; and
- Policies and procedures to protect PII from unauthorized disclosure, access, or use.
What is FERPA?
The Family Educational Rights and Privacy Act is a Federal law protecting PII in students’
education records from unauthorized disclosure. It affords parents the right to have access to
their children’s education records, the right to seek to have the records amended, and the right for
parents and eligible students to have some control over the disclosure of PII from the education
records.
FERPA includes provisions allowing students’ PII to be disclosed by educational agencies or
institutions without the prior, written consent of the parents if the disclosure meets the criteria for
one of the permitted consent exceptions. The FERPA statute is codified at 20 U.S.C. § 1232g,
and the FERPA regulations are found at 34 CFR Part 99.
What are my responsibilities regarding student PII under FERPA?
You must make sure the students’ PII is:
- Adequately protected once it is under your control. Comprehensive security standards should protect your electronic data systems. Standardized policies and procedures, including role-based access controls, should be in place to mitigate data security risks.
- Not disclosed to another party (except back to the School). The data must not be shared with unauthorized users, and they must be protected from inadvertent disclosure due to careless handling.
- Protected in public reporting. Appropriate disclosure avoidance techniques must be applied.
- Not used for other purposes. The PII has been provided only to perform the services described in the contract. It should not be used for other purposes.
- Destroyed by the agreed-upon date. FERPA’s audit or evaluation exception requires that data be destroyed when no longer needed for the specific purpose for which they were disclosed.
What at a minimum must a provider do under its agreement with School?
Data includes all PII and other non-public information. Data includes, but is not limited to,
student data, metadata, and user content.
Provider may use de-identified Data solely for provider’s product development, research, or
other purposes. De-identified Data will have all direct and indirect personal identifiers removed.
This includes, but is not limited to, name, ID numbers, date of birth, demographic information,
location information, and school ID. Furthermore, provider agrees not to attempt to re-identify
de-identified Data and not to transfer de-identified Data to any party unless that party agrees not
to attempt re-identification.
Provider cannot use any Data to advertise or market to students or their parents. Data may not be
used for any purpose other than the specific purpose(s) outlined in its agreement with School.
Provider cannot change how Data is collected, used, or shared under the terms of its agreement
with School in any way without advance notice to and consent from the School. Provider will
only collect Data necessary to fulfill its duties as outlined in its agreement with School. Provider
will use Data only for the purpose of fulfilling its duties and providing services under its
agreement with School, and for improving services rendered under its agreement with School.
Provider is prohibited from mining Data for any purposes other than those agreed to by the
parties. Data mining or scanning of user content for the purpose of advertising or marketing to
students or their parents is prohibited. Data cannot be shared with any additional parties without
prior written consent of the user except as required by law.
School understands provider may rely on one or more subcontractors to perform services under
its agreement with School. Provider agrees to share the names of these subcontractors with
School upon request. All subcontractors and successor entities of provider will be subject to the
terms of the agreement with School. Provider will ensure all Data in its possession and in the
possession of any subcontractors, or agents to which the provider may have transferred Data, are
destroyed or transferred to the School under the direction of the School when the Data is no
longer needed for its specified purpose, at the request of the School.
Provider agrees all Data rights, including all intellectual property rights, shall remain the
exclusive property of the School, and provider has a limited, nonexclusive license solely for the
purpose of performing its obligations as outlined in its agreement with School. This agreement
does not give provider any rights, implied or otherwise, to Data, content, or intellectual property,
except as expressly stated in the agreement with School. This includes the right to sell or trade
Data.
Any Data held by provider will be made available to the School upon request by the School.
Provider will store and process Data in accordance with industry best practices and applicable
laws, regulations, and DOE guidance. This includes appropriate administrative, physical, and
technical safeguards to secure Data from unauthorized access, disclosure, and use. Provider will
conduct periodic risk assessments and remediate any identified security vulnerabilities in a
timely manner. Provider will also have a written incident response plan, to include prompt
notification of the School in the event of a security or privacy incident, as well as best practices
for responding to a breach of PII. Provider agrees to share its incident response plan upon
request.
The undersigned on behalf of provider acknowledges he or she has read, understands, and will
uphold all responsibilities as outlined in applicable laws and the Contractor Responsibilities
under FERPA.
https://www.warren.k12.in.us/o/msd-of-warren-township/page/parent-tech-info