Data Governance Plan
Roots Charter High School Data Governance Plan
1. Purpose
Data governance at Roots Charter High School (Roots) ensures the responsible management of student and staff data throughout its entire lifecycle, from acquisition to disposal. In compliance with Utah’s Student Data Protection Act (SDPA), 53E-9-301, and relevant federal laws such as the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C.1232g; 34 CFR Part 99, and the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. 6501–6506, Roots is committed to safeguarding data privacy, maintaining transparency, and implementing security protocols that align with state and federal requirements.
2. Scope and Applicability
This plan applies to all Roots employees, contractors, volunteers, and temporary workers. It governs the assessment of data disclosure agreements, risk management processes, and compliance with privacy regulations. This plan is reviewed annually or as needed.
The plan includes policies on:
- Data Governance Structure
- Non-Disclosure Assurances
- Data Security and Privacy Training
- Data Disclosure
- Data Breach Response
- Record Retention and Expungement
- Data Quality and Transparency
3. Data Governance Structure
3.1 Structure and Responsibilities
Roots has a three-tiered data governance structure:
- LEA Student Data Manager: Authorizes data sharing, ensures compliance, maintains access logs, and conducts privacy training (53E-9-308).
- IT Security Manager: Manages system security, investigates breaches, and ensures compliance with security regulations (R277-487-3).
- Educators and Staff: Adhere to FERPA and state laws, participate in training, and report data breaches (53E-9-204).
3.2 Data Management Roles
LEA Student Data Manager Responsibilities:
- Oversees data-sharing requests
- Ensures FERPA compliance
- Provides privacy training
- Maintains an access log of authorized personnel
IT Systems Security Manager Responsibilities:
- Monitors network security (53E-9-309)
- Investigates security breaches
- Reports security status to the board
Educators Responsibilities:
- Complete privacy training (53E-9-204)
- Ensure compliance with student data policies
- Report security concerns
4. Employee Non-Disclosure Assurances
4.1 Scope
All Roots employees, contractors, and volunteers must sign a Non-Disclosure Agreement (NDA), outlining acceptable data use and security protocols (34 CFR 99.33).
4.2 Non-Compliance
Failure to comply with the NDA results in consequences up to and including dismissal (U.C.A. 53E-9-307).
4.3 Non-Disclosure Requirements
- Use password-protected systems
- Store sensitive data securely
- Follow FERPA compliance guidelines
- Do not share PII externally without authorization (34 CFR 99.31)
- Follow data minimization practices
5. Data Security and Privacy Training
5.1 Training Requirements
All employees undergo annual privacy and security training (53E-9-204). Topics include:
- FERPA compliance (34 CFR 99.30-99.32)
- Data protection best practices
- Secure data-sharing procedures
Supervisors ensure compliance and report training completion to the IT Security Manager.
6. Data Disclosure Policy
6.1 Student and Parent Access
Parents may access student records per FERPA guidelines within 45 days of a formal request (20 U.S.C. 1232g(a)(1)(A)).
6.2 Third-Party Vendor Access
Vendors must meet Utah’s Student Data Protection Act (SDPA), 53E-9-309, requirements and comply with security policies before handling student data.
6.3 External Data Requests
Roots classifies external data requests into:
- Low-risk: Public aggregate data
- Medium-risk: Data requiring disclosure avoidance techniques (53E-9-310)
- High-risk: De-identified student-level data requiring additional approvals
7. Data Breach Response Policy
7.1 Response Procedures
- The IT Security Manager tracks incidents and investigates breaches (R277-487-5).
- The Cyber Incident Response Team (CIRT) determines breach impact and mitigation.
- Affected individuals are notified within 10 days of a confirmed breach (53E-9-308(3)).
7.2 Compliance & Notification
In case of a significant breach, Roots notifies the Utah State Board of Education (USBE) and affected parties (53E-9-310).
8. Record Retention and Expungement
8.1 Expungement Requests
Parents may request the removal of inaccurate or misleading records. The process follows FERPA guidelines (34 CFR 99.20-99.22), including:
- Written request submission
- LEA review and determination
- Appeal procedures if necessary
8.2 Non-Expungeable Records
- Grades (53E-9-308(4))
- Transcripts
- Enrollment history
- Standardized assessment results
9. Data Quality and Transparency
9.1 Data Accuracy and Audits
Roots ensures data quality through:
- Annual audits (53E-9-309(3))
- Consistent data definitions and reporting practices
- Secure data collection and storage
9.2 Transparency Requirements
Roots publicly shares:
- Data collection practices (53E-9-305)
- Privacy policies
- Annual data governance reports
10. Policy Publication and Compliance
This Data Governance Plan is available on the Roots Charter High School website. Compliance with this plan is mandatory for all employees and partners to protect student privacy and ensure data security (53E-9-307).