United Charter High Schools – Data Security and Privacy Policy

The purpose of this document is to highlight key requirements followed by the United Charter High Schools (UCHS) around data privacy and data security. This policy will be posted on the UCHS’s public website, provided to staff during onboarding, and included in the annual data security and privacy training. Failure of UCHS staff members to follow this data privacy and data security policy may lead to disciplinary action including, but not limited to, termination and/or legal action.

Please note this is not an exhaustive document as there are contractual, legal, and technology changes or exceptions that can affect this policy. Staff members affected by such changes shall be informed and trained to maintain data security and privacy. This policy may be updated at any time to address changes in school practices, legal requirements, or technology/services used by the school. Staff will be notified of updates via electronic communication, print media, in-person meetings, or during annual training. Updated policies will also be posted to the UCHS website.

Definition of Terms

• Data – 1) Factual information (such as measurements or statistics) used as a basis for reasoning, discussion, or calculation. 2) Pieces of information from which “understandable information” is derived.
• Personally Identifiable Information (PII) – Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
• Data Privacy – Refers to the relationship between the collection and dissemination of data which is considered personally identifiable or confidential to UCHS.
• Data Security – Refers to the processes, technology, and practices that are used to protect data.
• Principle of Least Privilege – The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.
• Third-Party Vendor – Any person or entity that is not an employee of the school (may also be referred to as contractor or consultant).
• Confidential Data – Also called “Confidential Information.” Any data, physical or electronic, that contains or includes restricted information not meant for public release, including health data, student info, employment records, and more.
• Data Breach – When data, either physical or electronic, is released, shared, accessed without authorization, or stolen, whether by accident or intent.

Data Security and Data Privacy

1. UCHS limits the collection of PII to what is needed for required tasks, services, or legal obligations.
2. Collection or disclosure of student PII will only be done securely and with legal authorization for the benefit of the student or UCHS.
3. UCHS will not include student, teacher, or principal PII in public-facing reports unless required by law or legally authorized.
4. All UCHS staff must be familiar with applicable data laws, policies, and regulations.
5. Employees must report data breaches or improper practices to the school’s Data Protection Officer, including:
   • Improper sharing of credentials
   • PII/confidential data breach
   • Vendor mishandling of data
   • Use of unauthorized applications
   • Improper storage of confidential data
6. Employees must complete annual training covering:
   • Data security and privacy
   • Security awareness
   • School policies
   • Breach reporting
   • Relevant laws/regulations
7. Employees may only use school-issued devices/accounts for accessing or sharing school-owned data such as:
   • Student data
   • School documents
   • Employee records
   • Cloud services

The use of personal email services (e.g., Yahoo, Hotmail, AOL, Gmail, Dropbox) is strictly prohibited.

8. Employees must follow sharing and security practices as per the UCHS Employee Handbook and Security Sign Off.

Network and Data Storage

1. UCHS uses the NIST Cybersecurity Framework 1.1 to guide its security policies and procedures.
2. Data will be maintained in compliance with federal, state, and local regulations, including:
   • FERPA (20 U.S.C. §1232g; 34 CFR Part 99)
   • New York State Education Law §2-d
   • New York State Education Law §3012-c
3. Systems handling PII must:
   • Follow the Principle of Least Privilege
   • Restrict network access
   • Use network segmentation
   • Use secure access methods
   • Encrypt data in transit and at rest
   • Use multifactor authentication
   • Enforce firewall traffic rules
4. Network devices and servers must block unauthorized internet access.
5. Third-party vendor access must be authorized, follow least privilege, and be revoked after task completion.
6. Printed records with PII must be stored in accordance with the law.

Third-Party Vendors Data Access

When UCHS contracts third-party vendors, the following must be ensured:

• Vendor’s policies comply with all legal and UCHS requirements.
• Vendors must comply with:
  • FERPA
  • NY Education Law §2-d
  • NY Education Law §3012-c
  • New York Shield ACT
  • NYCDOE Chancellor’s Regulation A-820
• Vendors may not sell or disclose PII for commercial purposes or outside contract scope.
• Vendors must notify UCHS of any data breach and cooperate with:
  • Legal notification requirements
  • Notifying NYS Chief Privacy Officer within 10 days
  • Informing affected parents or guardians

Reporting a Breach or Unauthorized Disclosure of Data

Anyone reporting a data breach must notify the school’s Data Protection Officer and UCHS central office by email to [email protected]. The email should include:

• Reporting individual’s name
• Contact information
• Date and time of incident
• Description of the breach or concern
• Any steps already taken