FERPA/DATA POLICIES

Data Manager: Jenn Christensen, jchristensen@lincoln-academy.org

Information Security Officer: 

Annual FERPA/Directory Information Notice

The Family Educational Rights and Privacy Act (FERPA), a Federal law, requires that Lincoln Academy, with certain exceptions, obtain your written consent prior to the disclosure of personally identifiable information from your child’s education records. However, Lincoln Academy, may disclose appropriately designated “directory information” without written consent, unless you have advised the school to the contrary in accordance with school procedures. The primary purpose of directory information is to allow Lincoln Academy to include this type of information from your child’s education record in certain school publications.

Examples include:

  • A playbill, showing your student’s role in a drama production
  • Honor roll or other recognition lists
  • Annual yearbook
  • Graduation lists
  • School Newsletter
  • School promotional materials including videos and brochures
  • Sports activity sheets

Directory Information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent. Outside organizations include, but are not limited to companies that publish yearbooks. If you do not want Lincoln Academy to disclose directory information from your child’s education records without your prior written consent, you must notify Lincoln Academy in writing.

Lincoln Academy has designated the following information as directory information:

  • Student’s Name
  • Student ID
  • Address
  • Telephone Listing
  • Weight and height of members of athletic teams
  • Degrees, honors, and awards received
  • Date and place of birth
  • Major field of study
  • The most recent educational agency or institution attended
  • Email address
  • Photographs
  • Dates of attendance
  • Grade level
  • Participation in officially recognized activities and sports
Accommodations for Students with Disabilities

In compliance with Section 504 of the Rehabilitation Act (“504”) and the Americans with Disabilities Act(ADA), Lincoln Academy will provide reasonable accommodations to qualified individuals with disabilities. Students, parents or employees needing accommodations should contact their school ADA/504 Coordinator. In compliance with the Equal Educational Opportunity Act of 1974 and the Title Vi of the Civil Rights Act of 1964, it is Lincoln Academy policy to provide alternative language services to limited English Proficient(LEP) students so that students with language barriers have a meaningful opportunity to Participate in Lincoln Academy educational programs. Lincoln Academy provides English as a Second Language(ESL) instruction and other effective services to students who are identified as LEP by means if a thorough evaluation process. Parents or guardians who want to request alternative language services for their child should contact Lincoln Academy.

Equal Educational and Employment Opportunity

It is the policy of Lincoln Academy for provide equal educational and employment opportunity for all individuals. Therefore, Lincoln Academy prohibits all discrimination on the basis of race, color, religion, sex, age, national origin, disability, or veterans’ status. This policy extends to all aspects of Lincoln Academy educational programs, as well as to the use of all Lincoln Academy facilities, and participation in all school-sponsored activities.

Civil Rights Grievance Procedure

Complaints of discrimination should be filed with the individual’s principal or supervisor. If the complaint is against the principal or supervisor, the complaint may be filed directly may be filed directly with the Board of Trustees. Lincoln Academy compliance with Title IX, Section 504 of the Rehabilitation Act, the Americans with Disabilities Act, and all other applicable State and Federal Civil Rights laws, may be reached at the following address and telephone number:

Jake Hunt, Principal
Lincoln Academy
1582 West 3300 North
Pleasant Grove, UT 84062
(801)756-2039

Complaints of discrimination should be reported as soon as possible, but no later than 90 days after incident in order to be effectively investigated and resolved.

Student Data Collection Notice

Necessary Student Data

Necessary student data means data required by state statute or federal law to conduct the regular

activities of the school.

  • Student Name, Date of birth, and Sex
  • Parent and student contact information and Custodial parent information
  • A student identification number (including the student’s school ID number and the stateassigned student identifier, or SSID)
  • Local, state, and national assessment results or an exception from taking a local, state, or national assessment (click here for more information on assessments)
  • Courses taken and completed, credits earned, and other transcript information
  • Course grades and grade point average
  • Grade level and expected graduation date or graduation cohort
  • Degree, diploma, credential attainment, and other school information
  • Attendance and mobility
  • Drop-out data
  • Immunization record or an exception from an immunization record
  • Race, Ethnicity, or Tribal affiliation
  • Remediation efforts
  • An exception from a vision screening required under Section 53G-9-404 or information collected from a vision screening described in Utah Code Section 53G-9-404
  • Information related to the Utah Registry of Autism and Development Disabilities (URADD), described in Utah Code Section 26-7-4
  • Student injury information
  • A disciplinary record created and maintained as described in Utah Code Section 53E-9-306
  • Juvenile delinquency records
  • English language learner status
  • Child find and special education evaluation data related to initiation of an IEP
Optional Student Data

We may only collect optional student data with written consent from the student’s parent or from a student who has turned 18.

  • Information related to an IEP or needed to provide special needs services
  • Biometric information used to identify the student
  • Information required for a student to participate in an optional federal or state program (e.g., information related to applying for free or reduced lunch)

Certain sensitive information on students collected via a psychological or psychiatric examination, test, or treatment, or any survey, analysis, or evaluation will only be collected with parental consent. You will receive a separate consent form in these cases. See our Protection of Pupil Rights Act (PPRA) notice for more information.

Prohibited Collections

We will not collect a student’s social security number or criminal record, except as required by Utah Code Section 78A-6-112(3).

Data Sharing

We will only share student data in accordance with the Family Educational Rights and Privacy Act (FERPA), which generally requires written parental consent before sharing student data. FERPA includes several exceptions to this rule, where we may share student data without parental consent. For more information on third parties receiving student information from us, see our Metadata Dictionary.

Student data will be shared with the Utah State Board of Education via the Utah Transcript and Records Exchange (UTREx). For more information about UTREx and how it is used, please visit the Utah State Board of Education’s Information Technology website.

Benefits, Risks, and Parent Choices

The collection, use, and sharing of student data has both benefits and risks. Parents and students should learn about these benefits and risks and make choices regarding student .data accordingly. Parents are given the following choices regarding student data:

  • Choice to request to review education records of their children and request an explanation or interpretation of the records (see our annual FERPA notice for more information)
  • Choice to contest the accuracy of certain records (see our annual FERPA notice for more information), potentially leading to the correction, expungement, or deletion of the record
  • Choice to opt into certain data collections (see the section above on optional data collections)
  • Choice to opt out of certain data exchanges:
    • Information that has been classified as directory information (see our directory information notice for more information)
    • Parents of students with an IEP may have their information shared with the Utah Registry of Autism and Developmental Disabilities (URADD). If included in this data exchange, parents will receive a separate notice within 30 days of the exchange, informing them of their right to opt out, per Utah Code Section 53E-9-308(6)(b)
  • Choice to file a complaint if you believe the school or its agents are violating your rights under FERPA or Utah’s Student Data Protection Act. If you have a complaint or concern, we recommend starting locally and then escalating to the state and US Department of Education.
Your local district or charter school Lincoln Academy, Jake Hunt, Principal, 801-768-0869
The Utah State Board of Education Report your concern with the USBE hotline
The US Department of Education Report your concern here

Storage and Security

In accordance with Board Rule R277-487-3(14), we have adopted a cybersecurity framework called the iBoss and Open DNS.

ADA compliant as of 8.5.19

LEA Data Governance Plan

1. Governing Principles

Lincoln Academy (referred to as the LEA throughout) takes its responsibility toward student data seriously. This governance plan incorporates the following Generally Accepted Information Principles (GAIP):

  • Risk: There is risk associated with data and content. The risk must be formally recognized, either as a liability or through incurring costs to manage and reduce the inherent risk.
  • Due Diligence: If a risk is known, it must be reported. If a risk is possible, it must be confirmed.
  • Audit: The accuracy of data and content is subject to periodic audit by an independent body.
  • Accountability: An organization must identify parties which are ultimately responsible for data and content assets.
  • Liability: The risks in information means there is a financial liability inherent in all data or content that is based on regulatory and ethical misuse or mismanagement.
2. Data Maintenance and Protection Policy

The LEA recognizes that there is risk and liability in maintaining student data and other educationrelated data and will incorporate reasonable data industry best practices to mitigate this risk.

2.1 Process

In accordance with R277-487, the LEA shall do the following:

  • Designate an individual as an Information Security Officer
  • Adopt the CIS Controls or comparable
  • Report to the USBE by October 1 each year regarding the status of the adoption of the CIS controls or comparable and future plans for improvement.
3. Roles and Responsibilities Policy

The LEA acknowledges the need to identify parties who are ultimately responsible and accountable for data and content assets. These individuals and their responsibilities are as follows:

3. 1 Data Manager roles and responsibilities
  • authorize and manage the sharing, outside of the student data manager’s education entity, of personally identifiable student data for the education entity as described in this section
  • provide for necessary technical assistance, training, and support
  • act as the primary local point of contact for the state student data officer
  • ensure that the following notices are available to parents:
    • annual FERPA notice (see 34 CFR 99.7),
    • directory information policy (see 34 CFR 99.37),
    • survey policy and notice (see 20 USC 1232h and 53E-9-203).
    • data collection notice (see 53E-9-305)
3.2 Information Security Officer
  • Oversee adoption of the CIS controls
  • Provide for necessary technical assistance, train ing, and support as it relates to IT security
4. Training and Support Policy

The LEA recognizes that training and supporting educators and staff regarding federal and state data privacy laws is a necessary control to ensure legal compliance.

4.1 Procedure

1. The data manager will ensure that educators who have access to student records will receive an

annual train ing on confidentia lity of student data to all employees with access to student data.

The content of this training will be based on the Data Sharing Policy.

2. By October 1 each year, the data manager will report to USBE the completion status of the annual confidentiality train ing and provide a copy of the training materia ls used.

3. The data manager shall keep a list of all employees who are authorized to access student education records after having completed a training that meets the requi rements of 53E-9-204.

 

5. Audit Policy

In accordance with the risk management priorities of the LEA, the LEA will conduct an audit of:

  • The effectiveness of the controls used to follow this data governance plan; and
  • Third-party contractors, as permitted by the contract described in 53E-9-309(2).
6. Data Sharing Policy

There is a risk of red isclosu re whenever student data are shared. The LEA shall follow appropriate controls to mitigate the risk of redisclosure and to ensure compl iance with federal and state law.

6.1 Procedure
  1. The data manager shall approve all data sharing or designate other individuals who have been trained on compliance requirements with FERPA.
  2. For external research, the data manager shal l ensure that t he study follows t he requirements of FERPA’s study exception described in 34 CFR 99.31(a)(6) .
  3. After sharing from student records, the data manager shall ensure that an entry is made in the LEA Metadata Dictionary to record that the exchange happened.
  4. After sharing from student records, the data manager shall make a note in the student record of the exchange in accordance with 34 CFR 99.32.
7. Expungement Request Policy

The LEA recognizes the risk associated with data following a student year after year that could be used to mistreat the student. The LEA shall review all requests for records expungement from parents and make a determination based on the following procedure.

7.1 Procedure

The following records may not be expunged: grades, transcripts, a record of the student’s enrollment, assessment information.

The procedure for expungement shall match the record amendment procedure found in 34 CFR 99, Subpart C of FERPA.

  1. If a parent believes that a record is misleading, inaccurate, or in violation of the student’s privacy, they may request that the record be expunged.
  2. The LEA shall decide whether to expunge the data within a reasonable time after the request.
  3. If the LEA decides not to expunge the record, they will inform the parent of their decision as well as the right to an appeal hearing.
  4. The LEA shall hold the hearing within a reasonable time after receiving the request for a hearing.
  5. The LEA shall provide the parent notice of the date, time, and place in advance of the hearing.
  6. The hearing shall be conducted by any individual that does not have a direct interest in the outcome of the hearing.
  7. The LEA shall give the parent a full and fair opportunity to present relevant evidence. At the parents’ expense and choice, they may be represented by an individual of their choice, including an attorney.
  8. The LEA shall make its decision in writing within a reasonable time following the hearing.
  9. The decision must be based exclusively on evidence presented at the hearing and include a summary of the evidence and reasons for the decision.
  10. If the decision is to expunge the record, the LEA will seal it or make it otherwise unavailable to other staff and educators.
8. Data Breach Response Policy

The LEA shall follow industry best practices to protect information and data. In the event of a data breach or inadvertent disclosure of personally identifiable information, the LEA staff shall follow industry best practices for responding to the breach.

8.1 Procedures
  1. The Jake Hunt will work with the information security officer to designate individuals to be members of the cyber incident response team (CIRT)
  2. At the beginning of an investigation, the information security officer will begin tracking the incident and log all information and evidence related to the investigation.
  3. The information security officer will call the CIRT into action once there is reasonable evidence that an incident or breach has occurred.
  4. The information security officer will coordinate with other IT staff to determine the root cause of the breach and close the breach.
  5. 5. The CIRT will coordinate with legal counsel to determine if the incident is meets the legal definition of a significant breach as defined in R277-487 and determine which entities and individuals need to be notified.
  6. If law enforcement is notified and begins an investigation, the CIRT will consult with them before notifying parents or the public so as to not interfere with the law enforcement investigation.
9. Publication Policy

The LEA recognizes the importance of transparency and will post this policy on the LEA website.