LHRIC Data Collection Privacy Notice
Our Purpose
District data is collected by the Lower Hudson Regional Information Center (LHRIC) for the purpose of supporting districts participating in the LHRIC’s services (Participating Districts), including State Reporting – Data Collection, Test Scoring, Data Analysis, Data Integration, Software as a Service, and Student Services and Financial Services.
These LHRIC Services enable Participating Districts to comply with New York State Reporting requirements, including SIRS, and to inform instructional and operational decisions by District personnel.
Data Ownership
Each Participating District is the sole owner of its data, including but not limited to data transmitted by the Participating District to the LHRIC (hereinafter, collectively referred to as District Data).
District Data includes Personally Identifiable Information (PII), as defined in SWBOCES Board Policy 5676, as applied to student data, means personally identifiable information as defined in 34 CFR Section 99.3 implementing FERPA and, as applied to teacher or principal data, means personally identifying information as this term is defined in Education Law Section 3012-c(10).
Additionally, with respect to the personnel of Participating Districts, PII includes social security numbers; driver’s license numbers; non-driver ID numbers; bank account numbers; credit card numbers; debit card numbers; security codes for bank, credit or debit accounts and any access code/password that permits access to personal records, including financial records.
District Governance
The LHRIC is a consortium of 58 districts and 3 BOCES in Westchester, Rockland and Putnam counties. LHRIC services reflect the security and privacy values of the school districts in the consortium. Participating Districts are afforded data privacy and security first and foremost because Participating Districts govern and control the LHRIC as members of the consortium.
The LHRIC is guided by an Advisory Board consisting of representative District Superintendents, School Business Officials, and Assistant Superintendents for Instruction, District Data Administrators and Directors of Technology from the 58 Consortium Districts and 3 BOCES in the Region. Additionally, the LHRIC budget is subject to component district approval of BOCES budgets each year.
Standards
The data protection procedures utilized by the LHRIC comply with Service Organization Control (SOC) 2 security and privacy principles and criteria. The LHRIC is audited annually and is awarded the following seal upon completion.
General information describing SOC 2 principles and criteria is available from the American Institute of CPA’s from the link above and in greater detail from at: http://www.aicpa.org/soc
The Participating District will be notified when there are material changes to the Data Protection procedures utilized by the LHRIC.
On a day-to-day basis, LHRIC trains and supervises all LHRIC personnel on data security and privacy standards. This includes annual renewal of the SWBOCES Acceptable Use Policy by each staff member and annual updates and refreshers on policy and procedure specific to LHRIC services.
Systems Description
The boundaries of the LHRIC facilities and systems covered by this notice are defined by location, servers and connections that support the purposes described above.
Access Control
The LHRIC maintains a “least privileged” access philosophy for all LHRIC users regarding access and authorization to data. The LHRIC user access is restricted by only allowing privileges to individuals based on job classification and function, which must be approved by their department manager.
Access provided by the LHRIC Services is granted to Participating District users by the Participating District’s Data Administrators. The LHRIC authorizes the Participating District Data Administrators upon receipt of written approval from the district’s Superintendent.
Breach Notification
In the event of an adversarial or accidental data breach the LHRIC will adhere to the INFORMATION SECURITY BREACH AND NOTIFICATION, reference regulation SWBOCES 5672. This regulation is available upon request by the District Data Administrator to the LHRIC Account Manager.
Issues of concern to districts are to be communicated by a District Data Administrator to the LHRIC Account Manager.
Data Retention and Disposal
District Data is retained for no longer than necessary to fulfill the purposes described above or as required by law. When data is disposed by the LHRIC it is done so in a manner that prevents loss, theft, misuse or unauthorized access.
The LHRIC adheres to ED-1 New York Records Retention Policy. Additionally, the LHRIC may not dispose of District Data in the SIRS Level 2 – Data Warehouse as it is in the possession of New York State. The SIRS reporting process allows for records to be deleted in the regional, Level 1 – Data Warehouse that are in error.
The LHRIC will dispose of records to correct data upon written request by the District’s Data Administrator. Requests can be made through the District’s Account manager.
The quality of District Data is the responsibility of the Participating District. Parental choice and consent is only expressed to the Participating District, not to the LHRIC. Corrections to District Data must be expressed and made through the Participating District.
Authorized Data Transfer
Prior to the transfer of any District Data, the LHRIC will receive the express permission of the Participating District.
Authorizations may be provided within service agreements and renew automatically with the service agreement until such time as the Participating District withdraws the authorization by e-mailing the appropriate Service Manager. Outside of service agreements, the Participating District authorizes the transfer of data, including data transferred in extracts and reports, by submitting a request to the LHRIC Service Desk or through the approval of a Proposal or Statement of Work.
The LHRIC will inform the Participating District upon receipt of a request by legal authorities for the Participating District’s Data. The LHRIC will give the Participating District the opportunity to challenge the disclosure.
Third-Party Services
When services utilized by the LHRIC cause District Data to reside off-site of the LHRIC locations or give access to District Data to individuals or entities who are not LHRIC personnel, including but not limited to test scoring, printing and software providers, such individuals or entities will comply with Education Law 2d Part 121 Regulation. For those vendors that have District data protected by Education Law 2-d, a Data Protection Agreement is signed by any vendor. A sample agreement can be found here:
207b0b8d-efca-4f9a-92e7-e07a3a68137f (echalk-slate-prod.s3.amazonaws.com)
Changes to Data Privacy and Security Notice
If the Notice is changed, the changes will be posted on the LHRIC website and/or other appropriate venues accessible to Participating Districts.