6501SP Data Privacy
All district employees and other authorized individuals, including third parties granted access to personal information, are responsible for ensuring sensitive records, files, and data, whether verbal, electronic, or paper, are secured to ensure the privacy and confidentiality of personal information.
For purposes of this procedure, personal information includes, but is not limited to: medical information, leave status, Americans with Disabilities Act (ADA) and/or Section 504 accommodation requests, performance evaluations, background check results, investigation reports, disciplinary actions, wages, garnishments, transcripts, interview notes, personal home or cellphone numbers, home address, personal email addresses, emergency contact information, social security number, district ID number, state identification card or driver’s license number, date of birth, biometric data, mother’s maiden name, tax information, and bank account/routing numbers.
Sensitive records or sensitive data include but are not limited to personal information, as described above, as well as any non-personally identifiable information that, if assembled together, would allow a reasonable person to identify an individual.
Many departments have access to and use personal information and other sensitive records for business and/or educational purposes. Sensitive records will only be used for a legitimate business purpose with reasonable security precautions.
Board Policy No. 5260, Personnel Records, requires that staff maintain personnel records and files in a secure location, and Board Policy No. 3231, Student Records, requires that student and education records be treated in a confidential and professional manner. Each of these policies also has a corresponding procedure that further details requirements for the handling of district records and confidential information, as do numerous additional School Board policies and procedures, including, but not limited to, those listed as additional resources below.
The following protocols should be used by all district employees and authorized users to the extent possible to ensure that sensitive records are not lost/stolen and that unauthorized persons do not gain access to these records.
Examples of violations of the district’s sensitive data handling protocol include, but are not limited to, the following:
Staff violations of the policy and/or sensitive data handling protocol may result in disciplinary action up to and including termination. Staff who are concerned that a violation may have occurred should contact their supervisor. Reports also can be made directly to Human Resources by emailing employeemisconduct@seattleschools.org or online. Human Resources should be contacted directly if the employee’s supervisor and/or evaluator is the subject of the report.
The district may be required to comply with a lawfully issued subpoena or a request under the Public Records Act, and some information from personnel records and other sensitive records may be disclosable under state law. If you have questions about such disclosure, please contact the district’s Public Records Office (publicrecords@seattleschools.org).
Under the Family Educational Rights and Privacy Act of 1974 (FERPA), a school may not generally disclose personally identifiable information from an eligible student’s education records to a third party unless the parent/guardian or eligible student has provided written consent. However, there are exceptions to FERPA’s general prohibition against non-consensual disclosure of personally identifiable information from education records. Under these specific exceptions, schools are permitted to disclose personally identifiable information from education records without consent, though they are not required to do so. Additional School Board policies and procedures, including many listed as additional resources below, support district compliance with FERPA requirements.
Credit Cardholder Data (CHD) are sensitive records used to process payment card transactions. CHD consists of the following data:
Sensitive Authentication Data includes additional data that may be transmitted or processed as part of a payment transaction but may not be stored at any time. Sensitive Authentication Data includes:
Credit card records and handling requirements detailed in this procedure apply to all:
Requirements for Credit Card Data Handling:
Immediately report any data theft or inappropriate disclosure of personal information or CHD to your supervisor and to cybersecurity@seattleschools.org. For system-wide data breaches and/or loss of equipment containing personal information, you must also contact the Department of Technology Services at techline@seattleschools.org or 206-252-0333. This includes but is not limited to loss or theft of files, laptops, hard drives, flash drives, or other storage devices.
Responsibilities of Information Technology Security Officer
The Superintendent or their designee will designate an Information Technology Security Officer (ISO) responsible for maintaining the security of district information technology (IT) including reviewing and making recommendations for implementation of and updates to applicable policies and procedures. The ISO will support the implementation of IT security controls within the Department of Technology Services and in collaboration with schools and divisions across the district and will ensure all district employees have access to annual IT security training. The ISO will maintain an IT Security Handbook containing technical security standards for implementation as an administrative procedure of the Department of Technology Services.
Policy Cross References:
Revisions:
Adopted: