7400: Electronic Records Retention & Disposition
7400: Electronic Records Retention & Disposition holly Mon, 07/22/2019 - 11:16The Superintendent or designee shall be responsible for the retention and disposition of all District records. All District records may be maintained and stored in an electronic format or in some other approved manner or format.
Neb. Rev. Stat. § 79-539
20 U.S.C. § 1232, et seq.
15 U.S.C. § 501, et seq.
7400.1: Electronic Records Retention & Disposition
7400.1: Electronic Records Retention & Disposition holly Mon, 07/22/2019 - 11:19The District may maintain student records in an electronic or digital format. The District may maintain electronic or digital student and staff records on District controlled servers, contracted third party hosted servers, and/or web-based/cloud servers. The District shall take steps to ensure that the confidentiality and privacy of the student and staff records are maintained as provided by state and federal law and the District’s policies and rules.Â
I. SECURITYÂ
A. The District shall take all reasonable steps necessary to ensure that the use of the Internet or contracted third part hosted services for the gathering, maintaining and/or storing of District information shall not abridge the right of privacy of students and staff as provided by law.Â
B. The District shall take all steps necessary for all users of a contracted third party hosted service maintaining, gathering and storing District information to have a unique user name and unique user password and to protect the confidentiality of such user names and passwords.Â
C. The District shall require that any contracted third party hosted service used by the District have software or mechanisms in place to alert the service of any intrusions or attempted intrusions into the database by unauthorized users. The contracted third party hosted service shall provide to the District upon request an intrusion analysis setting out to the extent possible the dates, times, and places or other applicable information of attempted intrusions by unauthorized computers or persons to the service.Â
D. The District shall require that any contracted third party hosted service maintaining, gathering and storing District information maintain a log of all requests for access to information for any student contained on the contracted third party hosted service.Â
E. The District shall require the contracted third party hosted services to have verifiable parental consent and District authorization (i.e., written or digital) prior to the collection of personally identifiable information from a student.Â
F. All student or District information contained on the contracted third party hosted servers accessible through the Internet shall be secured utilizing, at a minimum, 256-bit encryption.Â
G. Any third party hosted service shall, at the requirement of the District, upgrade its encryption software as may be required from time to time to ensure complains with generally accepted encryption standards.Â
H. The District shall be granted access to all privacy policies, end user license agreements, encryption certificates, access logs documenting requests for information from any database containing information of District students, student records and/or parents.Â
II. USE OF INFORMATIONÂ
A. No personally identifiable information about any student obtained by, maintained by, retained by, or gathered by the contracted third party hosted service for and on behalf of the District shall be disclosed to any third parties, except to the extent necessary to the operation and maintenance of the service site.Â
B. Information may only be gathered by a contracted third party hosted service in the aggregate and may only be used for the purposes of providing educational services to the District and for internal company use only. No personally identifiable information about any student may be utilized by the contracted third party hosted service for any reason without prior authorization (i.e., written or digital) by the District and parental consent as may be required by law.Â
C. Any personally identifiable information regarding any student of the District maintained, retained, or gathered by a contracted third party hosted service must be destroyed in compliance with the legal requirements of law and District policies and rules. Personally identifiable information includes but is not limited to Permanent Student Records, Subsidiary Student Records, Special Education Records, and any Electronic Student Records as defined in District Rule 5720.1Â
III. TERMINATION – REMOVAL OF RECORDSÂ
A. All data pertaining to any educational information of any student of the District shall be returned to the District upon termination of the contracted third party hosted service provider contract or other agreement at the option of the District.Â
B. At no time will the District’s information or any student information maintained, retained, or gathered by the contracted third party hosted service be deemed to be the property of the service.Â
C. Upon termination of any contract or the relationship with the contracted third party hosted service and after the return of all District and student information and date the service shall provide the District with a statement that all known copies of said information have been destroyed.Â
IV. UTILIZATION OF TRACKING SOFTWARE, A/K/A “Cookie Technology”Â
A. Tracking software or mechanisms which may be utilized by the contracted third party hosted service that allow the service to store information about a user on that user’s own computer shall not be allowed to collect any personally identifiable information except to the extent necessary to track the user’s activities within a particular site. When the contracted third party hosted services are terminated the tracking software or mechanism shall be removed or terminated.Â
B. Any software or mechanism that allows the contracted third party hosted service to store its own information about a user on the user’s own computer which persists or remains a part of the user’s computer and which is or may be automatically activated, updated and shared with the service when the user reconnects to the service shall not be permitted except to the extent that as a “persistent cookie” it is utilized to retain individual unique password and/or user name information for the purposes of logging in to the contracted third party hosted service to access the site.Â
C. Any information collected from or by the utilization of tracking software by a contracted third party hosted service may be retained by the service only to the extent reasonably necessary to upgrade, update and make navigation of the services’ site more efficient.Â
D. Any and all information collected or maintained by a contracted third part hosted service shall be maintained or retained in compliance with the requirements of these rules and any other applicable policies or rules relating to personally identifiable educational information and in compliance with the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA).
Child Online Privacy Protection Act (COPPA) 15 U.S.C. § 501 et seq.
FERPA, 20 U.S.C. § 1232, et seq.
Neb. Rev. Stat. § 79-2, 104-105Â
Neb. Rev. Stat. § 79-539
7400.2: Retention of Electronic Mail (E-Mail) Records
7400.2: Retention of Electronic Mail (E-Mail) Records holly Mon, 07/22/2019 - 11:21The District shall take steps to ensure the retention of District electronic mail (e-mail) records that are deemed public records in compliance with the applicable state laws.Â
1. RETENTION OF E-MAIL RECORDS.Â
a. Standardized retention and filing guidelines shall be implemented by the District for the retention and retrieval of District e-mail designated for retention.Â
b. Electronic Mail (e-mail) and all attachments transmitted, created or received through/on the District system are Public records and are subject to retention and public inspection, unless excluded by specific statute or legal privilege. State Records Admin. (S. of S.) Electronic Messaging and E-Mail Guidelines, §006.01, March 2003.Â
c. E-mail of the District shall be categorized, retained and produced in accordance with State Statutes, applicable State Rules and District Policies.Â
i. Any e-mail record containing information pertaining to the operations and business of the District and not otherwise excluded herein shall be maintained by the District and shall be available to the public for inspection and copying.Â
ii. Any e-mail of the District which constitutes student records as that term is defined by Federal and State law and by the applicable District policies and rules shall be maintained by the District as required by law and District policy but shall not be disseminated as a public record.Â
iii. Any e-mail of the District which constitutes confidential personnel information as that term is defined by Federal and State law and District policy and rule shall be maintained by the District as required by law and District policy but shall not be disseminated as a public record.Â
iv. Any e-mail of the District which is subject to any legal privilege created and recognized by law or statute. Such records shall be retained and maintained by the District but shall not be disseminated as a public record.Â
v. Transitory e-mail pertaining to or constituting informal or casual and routine communications similar to telephone conversations need not be retained. Such messages include, but are not limited to, personal e- mail, junk e-mail (“spam”), date and time confirmations, routine updates, and communications not necessary or essential to performing District functions or transacting District business.Â
2. ACCESS OF E-MAIL RECORDSÂ
a. Throughout any required retention period e-mail records (archives) should be reasonably accessible. State Records Admin. (S. of S.) Electronic Messaging and E-Mail Guidelines, §006.12, March 2003.Â
b. The District shall implement the necessary process and procedures for the storage, retention and retrieval of e-mail records on the District system. The District may use Records Management Application (RMA) software to manage records in a digital form, which complies with “Design Criteria Standards for Electronic Management Software Applications” as issued by the U.S. Department of Defense. State Records Admin. (S. of S.) Electronic Messaging and E-Mail Guidelines, §007.09, March 2003.Â
c. The Superintendent or designee shall be responsible for the record keeping and management of any centralized electronic system by which e-mail is maintained, stored and provided, and shall provide for access to the e-mail of the District as required by law.
Neb. Rev. Stat. §84-1201, et seq. (Reissue 1999)
Electronic Messaging and E-Mail Guidelines, State Records Admin, March 2003