LHRIC Data Privacy Notice
District data is collected by the Lower Hudson Regional Information Center (LHRIC) for the purpose of supporting districts participating in the LHRIC’s services (Participating Districts), including State Reporting – Data Collection, Test Scoring, Data Analysis, Data Integration, RIC One API, Student Services and Financial Services. These LHRIC Services enable Participating Districts to comply with New York State Reporting requirements, including SIRS, and to inform instructional and operational decisions by District personnel.
Each Participating District is the sole owner of its data, including but not limited to data transmitted by the Participating District to the LHRIC (hereinafter, collectively referred to as District Data).
District Data includes Personally Identifiable Information (PII). PII is any information to which unauthorized access, disclosure, modification, destruction, or disruption of access or use could adversely impact students or District personnel. PII includes, but is not limited to, one or more of the following: student names; student grades; student information, such as address, phone number, email, social security number and/or date of birth; student school identification numbers; student locker combinations; student photos; students’ individualized education programs (IEPs).
Additionally, with respect to the personnel of Participating Districts, PII includes social security numbers; driver’s license numbers; non-driver ID numbers; bank account numbers; credit card numbers; debit card numbers; security codes for bank, credit or debit accounts and any access code/password that permits access to personal records, including financial records.
The LHRIC is a consortium of 62 public school districts in Westchester, Rockland and Putnam counties. LHRIC services reflect the security and privacy values of the school districts in the consortium. Participating Districts are afforded data privacy and security first and foremost because Participating Districts govern and control the LHRIC as members of the consortium.
The LHRIC is guided by an Advisory Board consisting of representative District Superintendents, School Business Officials, and Assistant Superintendents for Instruction, District Data Administrators and Directors of Technology from the 62 Districts in the Region. Additionally, the LHRIC budget is subject to component district approval of BOCES budgets each year.
The data protection procedures utilized by the LHRIC comply with Service Organization Control (SOC) 2 security and privacy principles and criteria. The LHRIC is audited annually and is awarded the following seal upon completion.
General information describing SOC 2 principles and criteria is available from the American Institute of CPA’s from the link above and in greater detail from at: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/serviceorganization'smanagement.aspx
The Participating District will be notified when there are material changes to the Data Protection procedures utilized by the LHRIC.
On a day to day basis, LHRIC trains and supervises all LHRIC personnel on data security and privacy standards. This includes annual renewal of the SWBOCES Acceptable Use Policy by each staff member and annual updates and refreshers on policy and procedure specific to LHRIC services.
The boundaries of the LHRIC facilities and systems covered by this notice are defined by location, servers and connections that support the purposes described above.
All storage is located at 450 Mamaroneck Avenue, Harrison, NY and at a back-up site located at Rockland BOCES, 65 Parrott Road, West Nyack, NY. Servers are located in key card accessible Data Centers on both premises. Documents are collected and stored, including student Test Booklets, Answer Sheets and ISRs at 450 Mamaroneck Avenue, Harrison, NY. They are located in key card accessible rooms.
Connections to the servers are only made through a firewall, connections use encryption (SSL), virtual private networks (VPN), secure file transfer protocol (SFTP), password hashing and routine security patching and upgrading of systems, including desktop systems, are performed systematically. A variety of software is used to monitor systems for intrusion vulnerability.
The LHRIC maintains a “least privileged” access philosophy for all LHRIC users in regard to access and authorization to data. The LHRIC user access is restricted by only allowing privileges to individuals based on job classification and function, which must be approved by their department manager.
Access control policy and procedures are communicated at least annually to the LHRIC personnel and are supervised continuously by the LHRIC management.
Access provided by the LHRIC Services is granted to Participating District users by the Participating District’s Data Administrators. The LHRIC authorizes the Participating District Data Administrators upon receipt of written approval from the district’s Superintendent.
In the event of an adversarial or accidental data breach the LHRIC will adhere to the INFORMATION SECURITY BREACH AND NOTIFICATION REGARDING STUDENT DATA REGULATION, reference regulation SWBOCES _4571R-2. This regulation is available upon request by the District Data Administrator to the LHRIC Account Manager.
Issues of concern to districts are to be communicated by a District Data Administrator to the LHRIC Account Manager.
Data Retention and Disposal
District Data is retained for no longer than necessary to fulfill the purposes described above or as required by law. When data is disposed by the LHRIC it is done so in a manner that prevents loss, theft, misuse or unauthorized access. Data is deleted by authorized LHRIC personnel who overwrite data files with blank files and then e-mail the Participating District to confirm the data has been deleted.
The LHRIC adheres to ED-1 New York Records Retention Policy. Additionally, the LHRIC may not dispose of District Data in the SIRS Level 2 – Data Warehouse as it is in the possession of New York State. The SIRS reporting process allows for records to be deleted in the regional, Level 1 – Data Warehouse that are in error.
The LHRIC will dispose of records to correct data upon written request by the District’s Data Administrator.
The quality of District Data is the responsibility of the Participating District. Parental choice and consent is only expressed to the Participating District, not to the LHRIC. Corrections to District Data must be expressed and made through the Participating District.
Authorized Data Transfer
Prior to the transfer of any District Data, the LHRIC will receive the express permission of the Participating District.
Authorizations may be provided within service agreements and renew automatically with the service agreement until such time as the Participating District withdraws the authorization by e-mailing the appropriate Service Manager. Outside of service agreements, the Participating District authorizes the transfer of data, including data transferred in extracts and reports, by submitting a request to the LHRIC Service Desk.
The LHRIC will inform the Participating District upon receipt of a request by legal authorities for the Participating District’s Data. The LHRIC will give the Participating District the opportunity to challenge the disclosure.
When services utilized by the LHRIC cause District Data to reside off-site of the LHRIC locations or give access to District Data to individuals or entities who are not LHRIC personnel, including but not limited to test scoring, printing and software providers, such individuals or entities will comply with the New York State Common Core Implementation Reform Act of March 2014 and include in their SWBOCES contracts for such services with the LHRIC the following:
- District Data will be used solely for the purpose defined in the applicable contract, which will be consistent with one or more of the purposes for which District Data is provided to the LHRIC as stated in the “Our Purpose” section of this Notice (NYSI – 1a, SOC 2.1.1a).
- District Data will not be shared with any other entity or individual without the express permission of the LHRIC unless required by statute or court order and the party provides a notice of the disclosure to the LHRIC no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order. Please note the LHRIC will only give permission for the sharing of District Data in accord with the provisions of the Authorized Data Transfer section above (NYSI – 1b, SOC 2.1.1f).
- Upon the expiration of the contract, the third party service provider will delete any electronic District Data in its possession, will return any non-electronic documents constituting or containing District Data in its possession and will notify the LHRIC when the data has been deleted and/or disposed (NYSI – 1c, SOC 2.1.1d).
- District Data will be corrected upon request by the LHRIC and the LHRIC will be notified when the data has been corrected. See Data Retention and Disposal section above (NYSI – 1d, SOC 2.1.1h).
- A description of the physical location of District Data in their possession and of the administrative, technical and physical safeguards utilized to assure the privacy and security of Data in their possession and when transmitted (NYSI – 1e, SOC 2.1.1g).
- Communicate with the LHRIC in no less than 24 hours of any data breach or in the event District Data is requested by legal authorities (SOC 2.1.1i).
- Internal access within the third party to District Data is limited to those individuals that are determined to need such records or data to perform the services set forth in this contract (SOC 2.1.1e).
- A requirement to comply with all Federal and State laws and regulations governing security and privacy of District Data.
- An executed copy of the Southern Westchester BOCES’ Parents’ Bill of Rights for Data Privacy and Security, as required by New York State Education Law Section 2-d upon adoption by the School District.
- Any officers or employees of the third party service provider who have access to District Data have received or will receive training on the federal and state laws governing security and privacy of such data prior to receiving access to it (SOC 2.1.1i).
Changes to Data Privacy and Security Notice
If the Notice is changed, the changes will be posted on the LHRIC website and/or other appropriate venues accessible to Participating Districts.