(last updated May 2016)
There are many concerns today over how education technology companies protect data and whether they profit from the sale of that data or advertising. From its launch in 2004, School Loop has never and will never sell any student or parent data (or any system data for that matter). We don't sell ads or carry advertising. And we regularly review and update our industry-standard security practices and systems.
This document discusses data security in general, FERPA compliance, and the requirements of AB1584, SB177 SOPIPA Compliance.
With regards to FERPA and the use of School Loop, in general, districts are guided by the U.S. Department of Ed's ruling on Edline and the Clark County School District (Las Vegas, Nevada). http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/clarkcty062806.html. Edline was competitor offering similar services. The Department of Education conclusion is as follows:
Based on the information provided, it appears that the arrangement schools within the District have with Edline meets these requirements for disclosing specified information from education records to Edline as a "school official" under this FERPA exception. In particular, 1) Edline provides online hosting services that permit parents to view some of their children's education records, and Edline uses the information from education records to perform those services that would otherwise be provided by school employees; 2) Edline's online access services provide it with "legitimate educational interests" in the information disclosed to Edline by each school; and 3) Edline's use and maintenance of personally identifiable information from education records is subject to the direct control of each school within the District. Each school or the District must ensure that Edline does not redisclose or permit the redisclosure of any personally identifiable information from education records except as specifically authorized by the school or District that is responsible for the contract. The school (or District), in turn, remains responsible for any FERPA violations committed by its service provider. In that regard, we note that Edline takes reasonable and appropriate steps to ensure that information from education records is not disclosed or made available to other parties and does not use the information for any other purpose.
Based on this guidance, districts in California and across the country use systems like School Loop and stay within the law.
As noted, School Loop offers a variety of account types and settings that help districts enforce their policies. These accounts have access to different types of content. Access to those accounts can be controlled in various ways.
School Loop offers roles for certificated employees (teachers, principals, and certificated staff), classified employees (we call those accounts Associates), parents, students, and a class of account we label Afterschool Professional (ASP). ASP accounts are optional for districts and allow districts and parents to approve accounts for tutors, social workers, people who run after school programs, and others they deem fit.
Parents and students can only see their own grades and attendance information, and other such information published specifically to them as members of classes and schools. Parents and students self-register, and districts are given the choice of approving each account before any access is granted (approval being whatever process they set up to verify that the registrant is legit), or allowing limited access to parents and requiring verification for grades and attendance. Additionally, all parents and students have a tool that allows them to challenge the membership of any other person who registers as a parent. This Challenge tool sends an alert to administrators, and admins can then suspend or delete the account, ignore the challenge, or ask for more information.
Classified staff have no access to individual student data. ASPs need to be approved by the parent to gain access at one of two levels. One level gives ASPs access to homework information, and the ability to send email to the other members of the students Learning Management Team -- a student's teachers and parents, and any other member of staff that has joined the team. A higher level of access set by the school allows ASPs the same access as certificated employees (see below).
Certificated employees by default have access to all student grades and attendance, homework information, submitted work, a digital locker than can contain pertinent information about that student (accommodations, for instance), and a threaded "Intervention" discussion group -- a way that members of the Learning Management Team can discuss a student. That access can be turned off for certificated employees as well.
The combination of account types, access rights, control over account registration, and control over access to content has proved successful at helping hundreds of districts enforce their privacy policies in different ways. In addition, there are a variety of fine-tuning settings that allow you to further limit access, mask the identity of a student, and restrict parent accounts for students.
Over our history, we have repeatedly refined these tools to help districts use School Loop safely and within their policy guidelines. We are quite concerned over privacy and protecting students, and take our responsibilities to do so seriously.
School Loop implements industry-standard security procedures for storing and accessing informationto avoid the loss or theft of any data, with an emphasis on protecting personal data, defined as login credentials, permanent student IDs, addresses, phone numbers. If we detect a breach involving the loss or theft of personal data our notification plan is as follows:
Within 24 hours:
Upon resolution:
Within 60 days (CA only):