Data Security Policy

School Loop Data Security:
General Security Practices and Policies

(Updated August 2017)

Introduction

There are many concerns today over how education technology companies protect data and whether they profit from the sale of that data or advertising. From its launch in 2004, School Loop has never and will never sell any student or parent data (or any system data for that matter). We don't sell ads or carry advertising. And we regularly review and update our industry-standard security practices and systems.

This document discusses data security in general, FERPA compliance, and the requirements of AB1584, SB177 SOPIPA Compliance.

Email: data_security@schoolloop.com
Phone: (415) 952-5667

Section I: General security.

  1. Password Security. All passwords are treated securely and one-way encrypted. We cannot decrypt the passwords and do not provide information concerning Admin accounts (ROOT Admin, container Admin, local administrator or domain administrator) or their equivalent to any persons. We encourage our districts to use LDAP integration so that they have complete control over user access and passwords.

  2. Security of District Systems. We never gain or try to gain unauthorized access to or modify district systems including file servers, routers, switches, NdS and Internet services.

  3. Privacy. We adhere to all provisions of the Federal Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. 123g), California Education Code and district policies regarding the protection and confidentiality of data. We consider all data collected in the course of our duties to be protected and confidential. Release of this data can only be authorized by district leadership and by appropriate state and federal officials.

    With regards to FERPA and the use of School Loop, in general, districts are guided by the U.S. Department of Education's ruling on Edline and the Clark County School District (Las Vegas, Nevada). Edline was competitor offering similar services. The Department of Education conclusion is as follows:

    Based on the information provided, it appears that the arrangement schools within the District have with Edline meets these requirements for disclosing specified information from education records to Edline as a "school official" under this FERPA exception. In particular, 1) Edline provides online hosting services that permit parents to view some of their children's education records, and Edline uses the information from education records to perform those services that would otherwise be provided by school employees; 2) Edline's online access services provide it with "legitimate educational interests" in the information disclosed to Edline by each school; and 3) Edline's use and maintenance of personally identifiable information from education records is subject to the direct control of each school within the District. Each school or the District must ensure that Edline does not redisclose or permit the redisclosure of any personally identifiable information from education records except as specifically authorized by the school or District that is responsible for the contract. The school (or District), in turn, remains responsible for any FERPA violations committed by its service provider. In that regard, we note that Edline takes reasonable and appropriate steps to ensure that information from education records is not disclosed or made available to other parties and does not use the information for any other purpose.

    Based on this guidance, districts in California and across the country use systems like School Loop and stay within the law.

    As noted, School Loop offers a variety of account types and settings that help districts enforce their policies. These accounts have access to different types of content. Access to those accounts can be controlled in various ways.

    School Loop offers roles for certificated employees (teachers, principals, and certificated staff), classified employees (we call those accounts Associates), parents, students, and a class of account we label Afterschool Professional (ASP). ASP accounts are optional for districts and allow districts and parents to approve accounts for tutors, social workers, people who run after school programs, and others they deem fit.

    Parents and students can only see their own grades and attendance information, and other such information published specifically to them as members of classes and schools. Parents and students self-register, and districts are given the choice of approving each account before any access is granted (approval being whatever process they set up to verify that the registrant is legit), or allowing limited access to parents and requiring verification for grades and attendance. Additionally, all parents and students have a tool that allows them to challenge the membership of any other person who registers as a parent. This Challenge tool sends an alert to administrators, and admins can then suspend or delete the account, ignore the challenge, or ask for more information.

    School Loop has account types for administrators, certificated staff, classified staff, other non-staff members, students, and parents. Each type of account is designed to align with privacy regulations. Districts assign these roles