FERPA Compliance and Student Data Privacy Policy
Presence, is a vendor to educational agencies and institutions (EAs) and receives personally identifiable information (PII) contained in student records from the EAs. Only information that is needed for Presence and its employees and contractors to perform services is disclosed to Presence by the EA. These disclosures are authorized under the Family Educational Rights and Privacy Act (FERPA). Presence, as a contractor to the EA, receives the disclosures on the same basis as school officials employed by the EA, consistent with FERPA regulations, 34 CFR §99.31(a)(1)(i)(B). Consistent with those regulations, Presence has a legitimate educational interest in the information to which it is given access because the information is needed to perform the outsourced service, and Presence is under the direct control of the EA in using and maintaining the disclosed education records, consistent with the terms of its contract.Presence is subject to the same conditions on use and redisclosure of education records that govern all school officials, as provided in 34 CFR §99.33. In particular, Presence must ensure that only individuals that it employs, contracts with, or that are employed by its contractor, with legitimate educational interests – consistent with the purposes for which Presence obtained the information — obtain access to PII from education records it maintains on behalf of the district or institution. Further, in accordance with 34 CFR §99.33(a) and (b), Presence may not redisclose PII without consent of a parent or an eligible student (meaning a student who is 18 years old or above or is enrolled in postsecondary education) unless the agency or institution has authorized the redisclosure under a FERPA exception and the agency or institution records the subsequent disclosure. An example of such a disclosure is when Presence is requested by a school district to assist the district in the transfer of the student records from our system to another system.
Presence will not sell or otherwise use or redisclose education records for targeted advertising or marketing purposes. Presence does not allow advertising within its products or services, and therefore there is no behavioral or targeted advertising. Presence uses data within its products and services only to deliver the services contracted by the educational institution. Presence may use anonymized, non-PII data internally to improve the products and services it delivers to EAs.
Presence employs extensive technological and operational measures to ensure data security and privacy, including advanced security systems technology, physical access controls, and security and privacy training for employees regarding compliance of FERPA, HIPAA, HITECH Act and privacy laws, and undergo a criminal background checks. Presence’s Chief Technology Officer enforces data security compliance. Data is encrypted in transmission end-to-end (via SSL) and at-rest (via AWS RDS and S3, using AES-256 bit encryption). All data is housed within the United States.
Presence does not own any of the student data or district-created data within its products. These data within the products are property of, and under the control of the EA.
In the event any third party seeks to access education records, Presence will immediately inform the EA of such request in writing. Presence shall not provide access to such data or information or respond to such requests unless compelled to do so by due process, court order or lawfully issued subpoena from any court of competent jurisdiction or directed to do so by the EA. Should Presence receive a court order or lawfully issued subpoena seeking the release of such data or information, Presence shall provide immediate notification, along with a copy thereof, to the EA prior to releasing the requested data or information, unless such notification is prohibited by law or judicial and/or administrative order or subpoena.
If the EA is unable to fulfil a request of an eligible student or parent/guardian to review the student’s records, Presence can assist at the direction and expense of the EA. In such an event where a parent, legal guardian, or eligible student seeks to make changes to the data within our products parents, legal guardians, or eligible students shall follow the procedures established by the EA in accordance with FERPA. Generally these procedures establish the right to request an amendment of the student’s education records that the parent or eligible student believes is inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA. Parents or eligible students who wish to ask the EA to amend their child’s or their education record should write an EA official (often a Principal or Superintendent), clearly identify the part of the record they want changed, and specify why it should be changed. If the EA decides not to amend the record as requested by the parent or eligible student, the EA will notify the parent or eligible student of the decision and of their right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures would be provided to the parent or eligible student when notified of the right to a hearing.
In the event Presence becomes aware of a data breach or inadvertent disclosure of PII, Presence shall take immediate steps to limit and mitigate such security breach to the extent possible. Presence will notify a senior member of the affected EAs leadership team, ideally the Superintendent or similar chief executive. This typically will occur within 48 hours of confirmation of the event and would include the known relevant details. The EA and Presence will work cooperatively in determining an action plan, including any required notification of affected persons.
In the event of termination to use our services or products, and at the written request of the EA or in accordance of the terms of the EAs contract, Presence will make commercially reasonable efforts destroy all student records contained in our systems. Furthermore, Presence shall ensure that it disposes of any and all data or information received from EA in a commercially reasonable manner that maintains the confidentiality of the contents of such records (e.g. shredding paper records, erasing and reformatting hard drives, erasing and/or physically destroying any portable electronic devices). At the written request of the EA, Presence will provide a written certification of destruction.
If EA does not make a written request, Presence retains student data for a period 6 years.
To the extent parents, guardians or students have questions regarding the content of, or privacy associated with, any applications used by the educational institution, please contact that agency or institution.
Presence may, from time to time, update this policy to be in compliance with evolving state and federal laws and regulations. We will not materially change our policies and practices to make them less protective of your privacy without the written consent of the EA and the EA may rely upon any and enforce any current or prior version of this policy unless otherwise agreed to in writing.
HIPAA Compliance
HIPAA Compliance Student records that are disclosed to Presence by EA and maintained within Presence products are by definition “education records” under FERPA and not “protected health information” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103. See, also, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records, USED and U.S. Department of Health and Human Services (November 2008).
However, Presence strives to comply with all privacy laws and therefore has taken measures to ensure that we are HIPAA compliant.
HIPAA Compliance
HIPAA Compliance Student records that are disclosed to PresenceLearning by EA and maintained within Presence products are by definition “education records” under FERPA and not “protected health information” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103. See, also, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records, USED and U.S. Department of Health and Human Services (November 2008).
However, PresenceLearning strives to comply with all privacy laws and therefore has taken measures to ensure that we are HIPAA compliant.