Data Security Practices

The school system website includes its data privacy and security policies and practices which are updated as-needed, but at least on an annual basis.	Examples and Evidence
A link to the Rights and Responsibilities Handbook may be found on the Student Portal. Links to the Employee Code of Ethics and Responsible Use Guidelines for Technology for Staff may be found on the Staff Portal. All are updated annually as part of the review of School Board Rules.	Responsible Use Guidelines for Students and Staff as referenced in compliance package: Students Staff Students Rights and Responsibilities Handbook as referenced in the compliance package. Employee Code of Ethics Website Privacy Notice Website User Agreement Responsible Use Guidelines

The school system website includes its data privacy and security policies and practices which are updated as-needed, but at least on an annual basis.

Examples and Evidence

A link to the Rights and Responsibilities Handbook may be found on the Student Portal. Links to the Employee Code of Ethics and Responsible Use Guidelines for Technology for Staff may be found on the Staff Portal. All are updated annually as part of the review of School Board Rules.

Responsible Use Guidelines for Students and Staff as referenced in compliance package:

Students

Staff

Students Rights and Responsibilities Handbook as referenced in the compliance package.

Employee Code of Ethics

Website Privacy Notice

Website User Agreement

Responsible Use Guidelines

The school system data privacy and security procedures includes information about data retention periods for student records, data transmission technical protocols, data at-rest and methods and controls limiting access to electronic data.	Examples and Evidence
The Escambia County School District follows the State of Florida General Records Schedule GS7 For Public Schools Pre-K12 and Adult and Career Education. The District annually (or more frequently) emails information regarding retention periods for student records. The appropriate departments have Standard Operating Procedures and review those with leaders and staff. The Protecting Privacy in Connected Learning Toolkit is also used to secure data in transit outside of the District.	Student Records Page Sample IT SOP and Guidelines for Data Access and Security Sample Email for Security Access

The school system data privacy and security procedures includes information about data retention periods for student records, data transmission technical protocols, data at-rest and methods and controls limiting access to electronic data.

Examples and Evidence

The Escambia County School District follows the State of Florida General Records Schedule GS7 For Public Schools Pre-K12 and Adult and Career Education. The District annually (or more frequently) emails information regarding retention periods for student records. The appropriate departments have Standard Operating Procedures and review those with leaders and staff. The Protecting Privacy in Connected Learning Toolkit is also used to secure data in transit outside of the District.

Student Records Page

Sample IT SOP and Guidelines for Data Access and Security

Sample Email for Security Access

The school system data has enforceable policies regarding storage of data on local computers, mobile devices, storage devices and cloud file-sharing and storage services.	Examples and Evidence
The Escambia County School District follows the State of Florida Statutes and Guidelines. Guidelines regarding data storage and use are documented in standard operating procedures and District policies posted on the website. The District has a standard operating procedure for computer equipment and disposal to ensure that data stored on local computers and storage devices is appropriately destroyed. The District maintains cloud file-sharing and storage services for staff to use as additional storage. The District maintains contracts with those cloud file-sharing and storage services and includes provisions for data security in those contracts. When users leave the District, all access to cloud file-sharing and storage services is terminated (see standard operating procedure for user security). The District does not have specific policies on storage of data on personally-owned computers or mobile devices, but the Federal/State Compliance Packet, Staff Responsible Use Guidelines, and Employee Code of Ethics all require staff to maintain data security practices even on personally-owned devices.	Link to Employee Federal/State Compliance Packet Responsible Use Guidelines for Students and Staff as referenced in compliance package: Students Staff Students Rights and Responsibilities Handbook as referenced in the compliance package Employee Code of Ethics

The school system data has enforceable policies regarding storage of data on local computers, mobile devices, storage devices and cloud file-sharing and storage services.

Examples and Evidence

The Escambia County School District follows the State of Florida Statutes and Guidelines. Guidelines regarding data storage and use are documented in standard operating procedures and District policies posted on the website. The District has a standard operating procedure for computer equipment and disposal to ensure that data stored on local computers and storage devices is appropriately destroyed. The District maintains cloud file-sharing and storage services for staff to use as additional storage. The District maintains contracts with those cloud file-sharing and storage services and includes provisions for data security in those contracts. When users leave the District, all access to cloud file-sharing and storage services is terminated (see standard operating procedure for user security). The District does not have specific policies on storage of data on personally-owned computers or mobile devices, but the Federal/State Compliance Packet, Staff Responsible Use Guidelines, and Employee Code of Ethics all require staff to maintain data security practices even on personally-owned devices.

Link to Employee Federal/State Compliance Packet

Responsible Use Guidelines for Students and Staff as referenced in compliance package:

Students

Staff

Students Rights and Responsibilities Handbook as referenced in the compliance package

Employee Code of Ethics

The school system utilizes a documented, role-based process when granting access rights to educators, staff, and contractors to data and technology systems.	Examples and Evidence
The Escambia County School District IT Department has Standard Operating Policies and Procedures regarding security and rights. Policies are posted online and are reviewed at least annually and updated as needed.	IT Department Security SOP IT Application Security Sample IT Department SOP and Guidelines for Data Access and Security Sample Email for Security Access

The school system utilizes a documented, role-based process when granting access rights to educators, staff, and contractors to data and technology systems.

Examples and Evidence

The Escambia County School District IT Department has Standard Operating Policies and Procedures regarding security and rights. Policies are posted online and are reviewed at least annually and updated as needed.

IT Department Security SOP

IT Application Security

Sample IT Department SOP and Guidelines for Data Access and Security

Sample Email for Security Access

The school system has a process in place to communicate data incidents to appropriate stakeholders, in accordance with state law and school system policies.	Examples and Evidence
The Escambia County School District IT Department has Standard Operating Policies and Procedures regarding incidents and data security. These are reviewed at least annually and updated as needed.	IT Department Preparation and Recovery Plans IT Application Security SOP

The school system has a process in place to communicate data incidents to appropriate stakeholders, in accordance with state law and school system policies.

Examples and Evidence

The Escambia County School District IT Department has Standard Operating Policies and Procedures regarding incidents and data security. These are reviewed at least annually and updated as needed.

IT Department Preparation and Recovery Plans

IT Application Security SOP

The school system has a business continuity and disaster recovery(DR) plan which is verified and tested on an established, regular basis.	Examples and Evidence
The Escambia County School District IT Department has Standard Operating Policies and Procedures regarding disaster recovery and data security. These procedures are reviewed and updated at least annually.	IT Department Preparation and Recovery Plans IT Application Security SOP Hurricane Preparedness Plan Hurricane Preparedness Video (updated annually)

The school system has a business continuity and disaster recovery(DR) plan which is verified and tested on an established, regular basis.

Examples and Evidence

The Escambia County School District IT Department has Standard Operating Policies and Procedures regarding disaster recovery and data security. These procedures are reviewed and updated at least annually.

IT Department Preparation and Recovery Plans

IT Application Security SOP

Hurricane Preparedness Plan

Hurricane Preparedness Video (updated annually)

The school system performs an audit of data privacy and security practices on an established, regular basis.	Examples and Evidence
The Escambia County School District conducts an annual financial audit including IT operation practices. A full operational audit including a review of all IT processes occurs every three years. The identity management process is used to manage security within major applications and any security overrides are reviewed on an annual basis. Supervisors must approve any overrides prior to the additional access being granted. Documentation is posted in Vibe of interfaces among various applications. At least annually fields are reviewed.	Sample IT Department SOP and Guidelines for Data Access and Security Sample Email for Security Access

The school system performs an audit of data privacy and security practices on an established, regular basis.

Examples and Evidence

The Escambia County School District conducts an annual financial audit including IT operation practices. A full operational audit including a review of all IT processes occurs every three years. The identity management process is used to manage security within major applications and any security overrides are reviewed on an annual basis. Supervisors must approve any overrides prior to the additional access being granted. Documentation is posted in Vibe of interfaces among various applications. At least annually fields are reviewed.

Sample IT Department SOP and Guidelines for Data Access and Security

Sample Email for Security Access