Data Privacy and Information Security
Summary of Procedures and Standards
It is the policy of Digital Promise to comply with applicable laws and regulations protecting the privacy of personal information in the jurisdictions and the school districts in which Digital Promise operates. Digital Promise respects and protects personal information collected or maintained by or on behalf of Digital Promise, regardless of the form, format, location or use of the information.
Behavioral Research Involving Human Subjects. Digital Promise Representatives whose work involves behavioral research involving human subjects shall comply with applicable privacy laws, regulations and rules, including, but not limited to, the Federal Policy for the Protection of Human Subjects (commonly referred to as the “Common Rule”), to the extent applicable to their work, and shall obtain any consent from human subjects as may be required by an institutional review board.
Privacy of Children and Students. Digital Promise Representatives whose work involves access to information from children or students shall comply with privacy laws, regulations and rules to the extent applicable, including, but not limited to, the federal Family Educational Rights and Privacy Act (“FERPA”), the federal Protection of Pupil Rights Amendment, and the federal Children’s Online Privacy Protection Act, as applicable.
Except as permitted by FERPA and other applicable law, Digital Promise shall not publish or otherwise disclose data containing NPI, or any other information, which identifies students, employees or officers of a school district or individual schools participating in a Digital Promise program by name without the written consent of such individuals, or in the case of a student under the age of 18, his or her parent or legal guardian.
Retention of NPI. Digital Promise retains NPI to accomplish the purposes for which it was collected or is needed to fulfill Digital Promise’s legitimate business objectives, consistent with Digital Promise’s general data retention policies and any specific document holds applicable to the information. In general, Digital Promise retains NPI for a five-year period, unless a different retention period is specified in a grant agreement or other contract for certain NPI.
Disposal of NPI. If certain NPI is no longer permitted to be maintained by Digital Promise pursuant to applicable law, internal retention policies, or contractual agreements with Third Parties, each Digital Promise Representative must either destroy the NPI in an approved manner or provide the NPI to his/her manager for its disposal or safe-keeping, consistent with applicable law and any contracts or agreements between Digital Promise and Third Parties. NPI that is subject to disposal in accordance with this policy must be disposed of using means that assure that it is no longer accessible and in compliance with the Digital Promise Information Security Policy.
Safeguarding Non-public Information. Digital Promise strives to protect NPI within its possession, with the nature and extent of protection depending on the nature of the NPI and applicable local laws and regulations.
Accordingly, Digital Promise maintains an Information Security Policy that includes reasonable and appropriate administrative, technical and physical safeguards that are designed to: (a) ensure the security and confidentiality of NPI; (b) protect against any anticipated threats or hazards to the security, confidentiality and integrity of NPI; and (c) protect against unauthorized access, disclosure, alteration, or destruction of NPI that could result in the destruction, use, modification, or disclosure of the NPI or substantial harm or inconvenience to Digital Promise or an individual.
Sending Confidential Information. The Information Officer (IO) shall implement reasonable measures to ensure that Digital Promise Personnel do not send Confidential Information to third parties via unencrypted emails or third-party servers that are not encrypted or password protected.
De-Identification and Aggregation of Data. The IO shall implement reasonable measures for de-identifying and aggregating data used for analytical, reporting, product development, research, or other appropriate purposes.
- Removal of personal identifiers. De-identified data shall have all direct and indirect personal identifiers removed. This includes, but is not limited to, name, ID numbers, date of birth, demographic information, location information, and school ID.
- Aggregating Data. The IO shall implement reasonable measures to ensure that the aggregation of multiple individuals’ Nonpublic Personal Information is sufficient to prevent identification of an individual from that data itself or in combination with publicly available data.
The full text of Digital Promise’s Data Privacy and Information Security Policies is available here.