Student Information Security

At DeKalb Community Unit School District 428, we take student information security seriously.

To maintain the confidentiality and integrity of the District information and data including our student data, CUSD428 has implemented targeted processes and procedures. These can be categorized as:

• Systems that control where key information is stored;
• Access security practices and internal controls that restrict who has rights to view, add/delete, or edit information;
• Physical access controls to District data centers and key networking equipment.

How is access to student data managed?

CUSD428 follows best practices in establishing and managing system and network access security. Access to student data is managed and controlled through what is known as role-based security. This means that the type and amount of access to student data and other information is governed in our systems by the role which any staff member holds along with what information they require to perform their job as a trusted member of CUSD428 staff. Staff members must go through a process to gain access to authorized information that includes successfully logging into the District network or one of the systems they use as part of their job duties.

Once a staff member logs in using this method, the internal application controls, role based security, and application permissions restrictions are engaged which limit the data read, write, add, or delete functionality and are specific to a staff member’s role in the District.

The District also follows all rules set forth by state and federal government such as the Federal Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). For more information regarding these laws, please refer to the following links:

FERPA – http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

HIPAA – http://www.hhs.gov/ocr/privacy/

Learning Technology Center of Illinois Reference Guide: Laws Affecting Technology In Illinois School Districts

Student Data Flow Picture

Where is student data held and where does it go?

The primary repository of student data is our Student Information System, Skyward. Skyward maintains student demographics, household contact information, enrollments, attendance, grades, schedules, transcripts, discipline, bus, lockers, health, IEP, and LEP information. The District does not retain Social Security Numbers within any system.

In addition to the Skyward system, the District also maintains multiple supporting systems that assist in running daily operations. Based on need, some student data is routinely transferred between these applications through a variety of secure and encrypted system integration processes.

Physical access to the data centers and the servers that house this data are limited to a small group of network and application administrators in the IT Department. These data centers are also secured with fire protection and power backup capabilities. We also take routine backups of key systems and data which are securely stored and protected.

With the evolution of cloud based solutions, the District also subscribes to some externally hosted applications which are integrated with our student information system through encrypted data communications. Below is a list of various outside agencies that the District provides data to and/or receives data from. Data transferred includes basic student information such as names and schedules so staff and student can log into applications and access materials configured by the District.

• Hapara (Classroom Management)
• Pearson Successnet (Curriculum)
• My Service Tracker (IEP)
• CrisisGo (Safety and Security)
• Ellevation (ELL Curriculum)
• Hero (DHS Student Behavior Management)
• Learning A-Z (Curriculum)
• Pushcoin (Food Service)
• Edulog (Bus Route Planning)
• School Messenger (Staff/Student/Parent Notification System)
• MyOn (Curriculum)
• Harcourt (Curriculum)
• McGraw Hill Connect Ed My Math (Curriculum)
• Google Apps for Education
• Microsoft Office 365

Additionally, the District provides testing agencies such as ACT, PARCC, NWEA, ISA, etc. with basic student identification as part of the testing and scoring process. The District reports all required data to the Illinois State Board of Education (ISBE) and other government agencies.

Google Apps for Education

The District provides all students with a Google Apps for Education Account. This account allows them to collaborate and share documents with their teacher and fellow students and is an essential component of the classroom. We share limited information with Google solely for account creation purposes. This data, and any data created as a function for using a Google Apps for Education account, belongs to CUSD428. This type of account is different than having a personal gmail account. Google does not scan student content or email for advertising purposes as they do with regular consumer accounts.

Please review the Google Apps for Education Privacy Statement.

To further protect our student data we do the following:

• Clouldlock is utilized to provide an extra layer of data security and monitoring the usage of our Google Apps for Education domain.
• Applications that students can download and install on their Chromebooks are limited to what have been allowed. When a request is received, a team from Curriculum and Technology review the applications terms of service and the curricular usage of the application.
• Work is continuing to exp
• anding our usage of the IlliniCloud SAML (Security Assertion Markup Language) single-sign-on product. We are building in granular control to further limit what student information is shared with outside contracted services.
• Internet traffic on all systems/devices that join our network is filtered to maintain CIPA compliance.
• Our Chromebooks are filtered at home and school using Securly.