LinkIt! Privacy Policy

Last modified on September 2023

Purpose

LinkIt! is committed to protecting the privacy and confidentiality of student personally identifiable information (PII) in accordance with international standards (e.g., ISO/IEC 27001^[1]) and jurisdiction-specific security and privacy legislation (e.g. U.S. federal and state laws, Australian Privacy Act of 1988) and has adopted a five-point privacy and data security policy as outlined below. This policy specifically relates to the use of the company’s technology platforms that include, but are not limited to, applications for assessment management, data warehousing and reporting, analytics, and intervention management.

Country and U.S. state privacy laws are based on Fair Information Practice Principles (FIPPs)^[2] that incorporate the following objectives:
‍

1. Transparency
   Data use must be lawful, fair, and understandable to users.
2. Individual Participation
   For the LinkIt! application, data owners have the ability to share specific datasets with third parties. For the public-facing website, visitors have the option to opt-in or opt-out of sharing information with LinkIt! depending on country and state privacy laws.
3. Purpose Specification and Limitation
   Data is collected and processed for explicit, legitimate purposes.
4. Data Minimization
   Only directly relevant and purpose-defined data is collected; limited retention for only as long as necessary to fulfill that purpose.
5. Use Limitation
   Access to data is limited to those with need-to-access to fulfill a specific purpose.
6. Data Quality and Integrity
   We provide the ability for data owners to review personal data collected, edit errors, have deleted or transferred copy of data.
7. Security Accountability and Auditing
   We employ data protection and usage monitoring to help us keep data safe and private.

This policy addresses the FIPPs objectives and how LinkIt! addresses its customers’ right to access, right to correct, right to delete, right to data portability, and right to opt-out. LinkIt! subscribes to the recommended practices contained in the Student Privacy Pledge 2020, an initiative of the Future of Privacy Forum. This pledge states in part: “School service providers take responsibility to both support the effective use of student information and safeguard student privacy and information security.” Simply stated, LinkIt! shares responsibility for maintaining student data privacy with its Account Holders (as defined below).
___________________________________________________________________________________
^{[1] ISO/IEC 27001. https://www.iso.org/standard/27001
[2] Fair Information Practice Principles (FIPPs). https://www.fpc.gov/resources/fipps/
‍}

Policy Maintenance and Access

The privacy policy shall be available for review on the company’s website located at linkit.com/resources/privacy-policy. The policy is reviewed annually and updated to ensure its continued conformance to Federal and State laws. To the extent required by law, such changes will be reflected on the company website.
‍

Definitions

Account Roles: The District or local education agency (LEA) acts as data owner and establishes the rights and privileges associated with student PII. Its authorized representatives (e.g., teachers, administrators, specialists), or the parent/student (for direct, consensual information collection as determined by law), act as account holders. LinkIt! acts as the data controller and implements the District or LEA’s policies regarding data collection, retention, and disposition.  

Anonymization (AKA de-identification): The application of techniques or processes to a dataset with the goal of preventing or limiting certain types of privacy risks to individuals, protected groups, and establishments, while still allowing the production of aggregate statistics. This focus area includes a broad scope of anonymization in accordance with recommendations from the U.S. National Institute of Standards and Technology (NIST).^[3] Anonymization is designed for demonstration and training purposes by authorized individuals (District personnel or LEA staff) and only for those student records to which they have specified access privilege. Anonymization can be reversed by the individual(s) who performed the initial anonymization. Anonymization is performed in real time and is not retained after termination of the session (i.e., the anonymized report is not saved).

Anonymized Data: Records that have enough personally identifiable information removed or obscured so that the remaining information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual.^[4] As noted above, anonymization is reversible by the person who performed the anonymization.

Personally Identifiable Information (PII): PII includes information that can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information.^[5]

PII for Educational Records: a term referring to identifiable information that is maintained in education records and includes direct identifiers, such as a student's name or identification number, indirect identifiers, such as a student’s date of birth, or other information which can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information.^[6]

Successor Entity: entity that results from a merger, acquisition, or other corporate transition involving a change in majority of the voting control of the Company’s capital stock.

___________________________________________________________________________________
^{[3] National Institute of Standards and Technology. https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/collaboration-space/introduction
‍[4] U.S. Department of Education. https://studentprivacy.ed.gov/glossary
‍[5] Ibid.
[6] Ibid.}

Privacy Commitments

1. Data Ownership, Access, & Sharing

The District or local educational agency (LEA) owns the student data. LinkIt! shall limit the use or exchange of identifiable student PII to those individuals who have been explicitly given access to that data based on their role as designated by the District or LEA. Such data may be used for the following purposes: (1) monitoring student, class, instructor, school, and district performance to facilitate instructional improvement and make evidence-based decisions; (2) providing a collaborative environment that uses anonymized data for monitoring performance holistically, which leads to data-driven decisions.

Student PII is entrusted to LinkIt! by school districts or LEAs. LinkIt! shall not distribute, repurpose, sell, or share student PII outside of the LinkIt! secure software development and technical support environments. As required by prevailing laws in its customers’ jurisdictions, LinkIt! further agrees that PII shall not be revealed, transmitted, exchanged, or otherwise passed to third-party vendors including, but not limited to, learning management systems (LMS platforms), student information systems (SIS), or other interested parties without the express written consent of the contracting district or LEA. The foregoing shall not prohibit LinkIt! from the use of aggregated data and appropriately anonymized PII for research, development, and analysis.

LinkIt! shall not transfer or grant access to unprotected student PII to a successor entity unless that entity:
●      follows the same commitments as found in the LinkIt! policy in relation to student PII, or
●      agrees to abide by the same Privacy Pledge to which LinkIt! is committing itself, or
●      provides notice of changes in privacy practices to account holder(s) for the latter’s review and acceptance as appropriate.

2. Data Security, Integrity, & Review

LinkIt! agrees to protect and maintain the security of student data. Protective measures include maintaining appropriate technology updates; adhering to industry standards for securing data, physical media, and communications; training its personnel in best practices; and ensuring that data collected or maintained through the LinkIt! portal is valid, accurate, complete, reliable, and auditable.

LinkIt! has implemented security mechanisms (e.g., access control, identification and authentication, least privilege and functionality, activity monitoring) to ensure that only authorized individuals and entities have access to a specific student’s data and that data integrity is assured. LinkIt! segregates datasets to allow more granular control by Districts and LEAs over what their account holders can see and do with respect to protected data. Segregation also ensures that student identifiers from different school districts cannot be inadvertently confused or accessed.

Data shall be made available to students and parents for review and correction upon request, in accordance with policy established by authorized District or LEA staff. Account holders shall communicate with the District or LEA staff with questions or concerns regarding the accuracy of their personal data as maintained through the LinkIt! platform. District or LEA staff shall then notify LinkIt! to make changes as appropriate. Changes to data are tracked for auditing.

3. Legal Compliance & Breach Notification

LinkIt! agrees to comply with country, state, and federal laws that require the notification of individuals in the event of unauthorized release of personally identifiable information or other event requiring notification. Such laws include, but are not limited to, U.S. FERPA and COPPA, as well as the Australian Privacy Act of 1988.

In the event of a confirmed data breach or other event that requires notification under applicable laws, LinkIt! shall notify the designated District or LEA representative(s). Initial notification of data breach shall be provided via email to designated District or LEA representative(s) within two business days.
Such notification shall include as much information as is known at the time with respect to the following: 
‍
1. Date and time of the breach
2. Names of student(s) whose Student Data was released, disclosed, or acquired
3. The nature and extent of the breach
4. LinkIt’s proposed plan to investigate and remediate the breach. 

LinkIt! shall send a formal, comprehensive report to the District or LEA representative(s) within 30 days of the initial notification. District and LEA staff should then provide appropriate notice to account holders upon receipt of FERPA, COPPA, or other relevant breach notification requirements according to the specific District or LEA process.

4. Risk Mitigation, Incident Response, & Data Recovery

LinkIt! has established and implemented risk mitigation practices, which include an incident response plan. This plan contains organizational policies and procedures for addressing the compromise, loss, or vulnerability of protected data.

LinkIt! takes extensive steps that include best-in-class security industry technologies to reduce the possibility of a data breach, loss, or compromise. LinkIt! also conducts periodic vulnerability assessments, penetration testing, 24/7 monitoring, and regular backups to identify, remediate, and mitigate risk. This promotes quick detection, containment, and recovery.

5. Student PII Collection, Retention, & Disposition

LinkIt! shall collect, retain, and dispose of student PII according to its agreement with the contracting District or LEA. LinkIt! shall return account holder PII in a usable, protected, electronic format upon request from the contracting District or LEA after contract termination, and then erase, destroy, or otherwise render inaccessible associated account holder PII.

The District or LEA specifies, during contract negotiations, the categories of student PII that LinkIt! will handle. This data is securely encrypted, stored, and retained throughout the contract performance period. LinkIt! shall make accessible account holder PII to the data owner (contracting District or LEA) within 10 days of written request. The request should be sent via email to the relevant LinkIt! account manager and solution center team member(s).

LinkIt! shall permanently erase, destroy, or otherwise render inaccessible or unrecoverable account holder PII within 60 days of service agreement termination.

LinkIt! uses necessary cookies to enhance account holder experience when using the LinkIt! application platform. These small text files, placed on devices and browsers, are not sold, transferred, or used for marketing purposes. LinkIt! shall implement opt-in/opt-out features for cookies on its public  website to comply with country and state privacy laws.

References Consulted

‍●      ISO/IEC 27001 Information Security Management Standard. https://www.iso.org/standard/27001‍
●      Information Security Manual (ISM). https://www.cyber.gov.au/sites/default/files/2023-06/Information%20Security%20Manual%20%28June%202023%29.pdf
●      Australian Privacy Principles. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference
●      Code of Federal Regulations (34 CFR Part 99). https://www.ecfr.gov/current/title-34/subtitle-A/part-99?toc=1‍
‍●      National Institute of Standards and Technology. https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/collaboration-space/introduction
‍●      Student Privacy Pledge 2020. https://studentprivacycompass.org/audiences/ed-tech/‍
●      U.S. Department of Education. https://studentprivacy.ed.gov/glossary
‍●      Family Educational Rights and Privacy Act (FERPA). https://studentprivacy.ed.gov/frequently-asked-questions

Revision History

Data Security and Privacy Policy Contacts