Data Governance Plan

1. Governing Principles

Iron County School District (referred to as the LEA throughout) takes its responsibility toward student data seriously. This governance plan incorporates the following Generally Accepted Information Principles (GAIP):

● Risk: There is risk associated with data and content. The risk must be formally recognized, either as a liability or through incurring costs to manage and reduce the inherent risk. 

● Due Diligence: If a risk is known, it must be reported. If a risk is possible, it must be confirmed. 

● Audit: The accuracy of data and content is subject to periodic audit by an independent body. 

● Accountability: An organization must identify parties which are ultimately responsible for data and content assets. 

● Liability: The risk in information means there is a financial liability inherent in all data or content that is based on regulatory and ethical misuse or mismanagement.

2. Data Maintenance and Protection Policy 

The LEA recognizes that there is risk and liability in maintaining student data and other education-related data and will incorporate reasonable data industry best practices to mitigate this risk. 

2.1 Process

In accordance with R277-487, the LEA shall do the following:

● Designate an individual as an Information Security Officer 

● Adopt the CIS Controls or comparable 

● Report to the USBE by October 1 each year regarding the status of the adoption of the CIS controls or comparable and future plans for improvement.

3. Roles and Responsibilities Policy 

The LEA acknowledges the need to identify parties who are ultimately responsible and accountable for data and content assets. These individuals and their responsibilities follow. 

3.1 LEA Data Manager

● Authorize and manage the sharing, outside of the student data manager's education entity, of personally identifiable student data for the education entity as described in this section 

● Provide for necessary technical assistance, training, and support 

● Act as the primary local point of contact for the state student data officer 

● Ensure that the following notices are available to parents:

o Annual FERPA notice (see 34 CFR 99.7), 

o Directory information policy (see 34 CFR 99.37), 

o Survey policy and notice (see 20 USC 1232h and 53E-9-203), 

o Data collection notice (see 53E-9-305),

o Acceptable Use Policy (AUP); elementary schools

o Responsible Use Policy (RUP); secondary schools

3.2 Information Security Officer 

● Oversee adoption of the CIS controls 

● Maintain network security (student filtering, probate student access) 

● Provide for necessary technical assistance, training, and support as it relates to IT security

3.3 Data Systems Manager 

● Coordinates product development and maintenance of systems hosting student data 

● LEA webmaster; overseeing school webmasters and sites to ensure compliance with Americans with Disabilities Act (ADA) regulations, and FERPA as it pertains to student data privacy 

● Uploads to LEA parent/student notification system

3.4 Student Information System (SIS) Specialist 

● Oversees LEA SIS 

● Trains school registrars and secretaries responsible for school SIS oversight 

● Reviews student data inquiries from schools, parents, and LEA administration 

● Responsible for state reporting of student data

3.5 Data Systems Developer 

● Programming/development improvements to SIS 

● Data extracts, exports, and imports 

● Tracking student and parent AUP and RUP data

3.6 Information Technology Officer 

● Creates student G-Suite, device, and access accounts 

● Support and maintenance of student G-Suite, device, and access accounts

3.7 Assessments Director 

● Organizes testing proctors, sets testing dates, and coordinates with technology personnel

● Oversees elementary and secondary student state testing programs (e.g., ACT) 

● Provides testing results for state reporting and counselors 

3.8 Special Programs Director 

● Special education data

4. Training and Support Policy 

The LEA recognizes that training and supporting educators and staff regarding federal and state data privacy laws is a necessary control to ensure legal compliance.

4.1 Procedure

1. The data manager will ensure that all employees with access to student data, including educators who have access to student records, receive an annual training on confidentiality of student data. The content of this training will be based on the Data Sharing Policy. This training will focus on the LEA Directory Information Policy, the use of student personally identifiable information (PII), and discerning between what can and cannot be shared.

2. By October 1 each year, the data manager will report to USBE the completion status of the annual confidentiality training and provide a copy of the training materials used. 

3. The data manager shall keep a list of all employees who are authorized to access student education records after having completed a training that meets the requirements of 53E-9-204. This training will focus on the specific individuals who are authorized to view and share student records, and the rights of parental consent. 

4. Training for items 4.1.1 and 4.1.3 may be provided in one of several options, to be organized by the LEA. This may consist of student data privacy videos, USBE re-licensure course for teachers, in-person training by USBE (or a LEA student data privacy authority), or a combination. 

5. Training may vary from year to year, and will be announced by May 15th (for the new/upcoming school year). 

6. Training will be available to all employees by June 15th.

7. Training must be completed by September 20th.

8. New employees starting at the LEA after September 10th must complete training within two weeks from their contract date of hire. 

9. Each school will assign an administrative custodian to track completion of training. Accountability will be maintained digitally and shared with the LEA data manager.

5. Audit Policy 

In accordance with the risk management priorities of the LEA, the LEA will conduct an audit of:

● The effectiveness of the controls used to follow this data governance plan; and 

● Third-party contractors, as permitted by the contract described in 53E-9-309(2).

6. Data Sharing Policy 

There is a risk of redisclosure whenever student data are shared. The LEA shall follow appropriate controls to mitigate the risk of redisclosure and to ensure compliance with federal and state law.

6.1 Procedure 

1. The LEA data manager shall approve all data sharing or designate other individuals who have been trained on compliance requirements with FERPA. 

2. School principals will be the approving authority for sharing student data between teachers and parents, in following FERPA regulations and Utah law. 

3. Students who are opted-out of Directory Information by their parent will have a notification [alert] placed on their SIS profile; the student’s teachers will be notified and will maintain precautions to ensure student PII is not being shared or used counter to the opt-out process. 

4. Each school will have an employee assigned as the school webmaster.

a. The school webmaster is responsible for maintaining student privacy, adding and updating content, and following LEA guidelines for layout and consistency. 

b. The LEA will have a webmaster responsible for developing and maintaining LEA and school website guidelines for consistency and compliance with ADA and FERPA.

c. The LEA webmaster will mentor school webmasters and website development. 

5. For external research, the LEA data manager shall ensure that the study follows the requirements of FERPA’s study exception described in 34 CFR 99.31(a)(6). 

6. Research requests will be introduced to the LEA superintendent by way of the data manager. The superintendent may or may not choose to involve the school board for granting approval. 

7. After sharing from student records, the data manager shall ensure that an entry is made in the LEA Metadata Dictionary to record that the exchange happened. 

8. After sharing from student records, the data manager shall make a note in the student record of the exchange in accordance with 34 CFR 99.32.

7. Expungement Request Policy 

The LEA recognizes the risk associated with data following a student year after year that could be used to mistreat the student. The LEA shall review all requests for records expungement from parents and make a determination based on the following procedure.

7.1 Procedure 

The following records may not be expunged: grades, transcripts, a record of the student’s enrollment, assessment information. 

The procedure for expungement shall match the record amendment procedure found in 34 CFR 99, Subpart C of FERPA.

1. If a parent believes that a record is misleading, inaccurate, or in violation of the student’s privacy, they may request that the record be expunged. 

2. The LEA shall decide whether to expunge the data within a reasonable time after the request. 

3. If the LEA decides not to expunge the record, they will inform the parent of their decision as well as the right to an appeal hearing. 

4. The LEA shall hold the hearing within a reasonable time after receiving the request for a hearing. 

5. The LEA shall provide the parent notice of the date, time, and place in advance of the hearing. 

6. The hearing shall be conducted by any individual that does not have a direct interest in the outcome of the hearing. 

7. The LEA shall give the parent a full and fair opportunity to present relevant evidence. At the parents’ expense and choice, they may be represented by an individual of their choice, including an attorney. 

8. The LEA shall make its decision in writing within a reasonable time following the hearing. 

9. The decision must be based exclusively on evidence presented at the hearing and include a summary of the evidence and reasons for the decision. 

10. If the decision is to expunge the record, the LEA will seal it or make it otherwise unavailable to other staff and educators.

8. Data Breach Response Policy 

The LEA shall follow industry best practices to protect information and data. In the event of a data breach or inadvertent disclosure of personally identifiable information, the LEA staff shall follow industry best practices for responding to the breach.

8.1 Procedures

1. The superintendent and director of secondary education will work with the information security officer to designate individuals to be members of the cyber incident response team (CIRT). 

2. At the beginning of an investigation, the information security officer will begin tracking the incident and log all information and evidence related to the investigation. 

3. The information security officer will call the CIRT into action once there is reasonable evidence that an incident or breach has occurred. 

4. The information security officer will coordinate with other IT staff to determine the root cause of the breach and close the breach. 

5. The CIRT will coordinate with legal counsel to determine if the incident meets the legal definition of a significant breach as defined in R277-487 and determine which entities and individuals need to be notified. 

6. If law enforcement is notified and begins an investigation, the CIRT will consult with them before notifying parents or the public so as to not interfere with the law enforcement investigation.

9. Publication Policy 

The LEA recognizes the importance of transparency and will post this policy on the LEA website.