inBloom, Inc. Privacy & Information Security Policy

Revised January 2, 2014

 

TABLE OF CONTENTS

I.  INTRODUCTION

II.  DEFINITIONS

III.  PRIVACY OF PERSONAL INFORMATION

A.  Basic Privacy Protections

B.  Access to inBloom PII

IV.  INFORMATION SECURITY PROGRAM

A.  Information Security Risk Assessment

B.  Security Controls Implementation

C.  Security Monitoring

D.  Security Process Improvement

E.  Breach Remediation

F.  Organization, Responsibilities and Administration

G.  Personnel Security Policy Overview

V.  ENFORCEMENT

I.  INTRODUCTION

inBloom, Inc, a not-for-profit entity organized and operated to carry out a charitable and educational purpose within the meaning of Section 501(c)(3) of the Internal Revenue Code of 1986, operates a set of shared technology services that includes a secure, multi-tenant data store and middleware for identity management and data integration called inBloom services (“inBloom”).   The service is designed to help School Districts and State Educational Agencies provide educators, parents, elementary and secondary school students with learning data from many sources and connect them to relevant instructional resources to support personalized learning through inBloom.   The service also helps State Educational Agencies in evaluating federal- and state-supported education programs.

inBloom, Inc is providing inBloom to districts and states as a utility for them to more easily synchronize and transfer data, including student personally identifiable information (PII), across the various learning applications they deploy to teachers, students, and families. Access to the data residing in inBloom remains the legal responsibility of the School District and State Educational Agency Customer in accordance with the Family Educational Rights and Privacy Act (FERPA).  inBloom, Inc will not access student data except on the rare occasion it is directed to by a Customer in the course of providing maintenance and support in operating the inBloom service.

This Policy describes, in general, (i) the services inBloom, Inc provides to School Districts and State Educational Agency Customers, (ii) what steps inBloom, Inc takes to protect the information that the School District and State Educational Agency Customers choose to store with inBloom, Inc, (iii) how that information is used, (iv) with whom inBloom, Inc shares that information, and (v) the steps inBloom, Inc has taken to protect the security of that information.  This Policy also describes briefly the responsibility that School District and State Educational Agency Customers have for controlling access to the information they store with inBloom.

This Policy has been reviewed and approved by inBloom Inc's Independent Advisory Board, which is also responsible for reviewing and approving amendments to the Policy.  It also has been provided in draft form to School Districts and State Educational Agencies already participating in inBloom with an opportunity for comment.   Enforcement of this Policy is a critical responsibility of inBloom, Inc and its Chief Executive Officer (CEO).

Each of the privacy and security provisions in this Policy is effective as of the Effective Date set forth in the Policy and applies to inBloom, Inc, its contractors, and, where applicable by its terms, to School District and State Educational Agency Customers and their employees that have access to PII through inBloom.   Additional policies may also be posted on the web portal or site through which School Districts and State Educational Agencies may access inBloom, and such policies will apply to the use of inBloom.  To the extent, however, that any of those policies contradict this policy or the services agreement between inBloom, Inc and a School District or State Educational Agency Customer, this policy and the services agreement will govern.

The privacy and security provisions in this Policy do not apply by the terms of this Policy to Customers' contractors and Third Party Application Providers.  Each School District and State Educational Agency Customer is responsible for ensuring its own compliance with applicable law, including FERPA, and with the terms of the service agreement it has with inBloom, Inc.   Accordingly, School District and State Educational Agency Customers determine what privacy and security requirements to include in their agreements with their contractors and Third Party Application Providers and may elect to adopt all or some of the provisions in this policy in such contracts.  To the extent that certain provisions in this policy are not by their terms applicable to School District and State Educational Agency Customers, such Customers also may elect to apply all or some of such provisions in this policy to themselves and their own employees.         

II.  DEFINITIONS

As used in this Policy,

“Customer” means any School District or State Educational Agency customer of the inBloom service.

“Customer Authorized User” means an individual employee or contractor of a School District Customer or State Educational Agency Customer authorized by such customer to access inBloom. 

“FERPA” means the Family Educational Rights and Privacy Act of 1974 (codified at 20 U.S.C. § 1232g) and its associated regulations, as they may be amended from time to time.  The regulations are issued by the U.S. Department of Education, and are available at http://www2.ed.gov/policy/gen/reg/ferpa/index.html.

"Personally Identifiable Information" (or "PII") means any information defined as personally identifiable information under FERPA.  The personally identifiable information of teachers and other educators will also be treated as PII under this Policy. Some identifying information of teachers and other educators (such as name, role, subjects taught, and similar publicly available school-related information) may be made available through inBloom to Customers and Third Party Application Providers solely for the educational purposes of inBloom.

“School District” means a local educational agency or independent special purpose school system, school network or a dependent school system under the control of a state or local government. 

"inBloom Contractor" means each contractor of inBloom, Inc that may be required to handle PII in the course of providing customer-directed support of inBloom.

“State Educational Agency” means the educational agency primarily responsible for the supervision of public elementary and secondary schools in any of the 50 United States, the Commonwealth of Puerto Rico, or the District of Columbia. 

“Third Party Application Provider" means third party application providers that a School District Customer or State Educational Agency Customer has elected to grant access to its data (including its PII) via the SLI as further defined in Section 1.31 of the Service Agreement between SLC and its SLI Customers.

"Third Party Authorized Users" means employees or contractors of Third Party Application Providers.

III.  PRIVACY OF PERSONAL INFORMATION

A.  Basic Privacy Protections

  1. Compliance with Law and Policy.  All Personally Identifiable Information uploaded to, and made accessible from, inBloom will be handled, processed, stored, transmitted and protected in accordance with all applicable federal data privacy and security laws (including FERPA) and with this policy. 
  2. Training.  Employees of inBloom, Inc (including temporary and contract employees) and of inBloom, Inc Contractors are educated and trained on the proper uses and disclosures of PII and the importance of privacy and information security.  Such training will include training for new employees and refresher training for current employees.
  3. Personnel Guidelines.  All inBloom, Inc employees and inBloom, Inc Contractor personnel are required to be aware of and work to protect the confidentiality and security of PII.  inBloom, Inc and its Contractors and their respective personnel shall not access PII unless directed to by Customer or to comply with a legal obligation under federal or state law, regulation, subpoena or agency action that requires such access.  The following list provides a general description of the internal policies with which inBloom, Inc and its Contractors and their respective personnel are required to comply:

--Limit internal access to PII to persons with proper authorization and allow use and/or disclosure internally, when necessary, solely to persons with a legitimate need for the PII to carry out the educational purposes of inBloom. 

--Allow access to PII residing in inBloom only by Customer Authorized Users and Third Party Authorized Users who have specifically been designated to have access rights to such PII by those Customers' respective "Super Administrators" (as defined in Section B(3) below).

--Require that materials containing PII in electronic form are stored solely within secure data repositories and PII are not available on shared drives that are used by other users or on a local drive.

--Identify reasonably foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing PII and report them as promptly as possible to inBloom Inc's CEO or other official within inBloom, Inc designated to be responsible for privacy compliance, or to inBloom Inc Contractor's CEO or designate, who shall in turn report such risks to inBloom Inc's CEO or designate.  The CEOs or their designates of both the inBloom, Inc Contractor and inBloom, Inc will evaluate such risks and improve, where necessary, the effectiveness of current safeguards for limiting such risks, including, but not limited to: (1) ongoing employee (including temporary and contract employee) training; (2) employee compliance with policies and procedures; and (3) means for detecting and preventing security system failures.

--When PII is no longer needed, delete access to PII, in accordance with secure deletion/destruction procedures that inBloom, Inc has approved.

--inBloom, Inc employees and inBloom, Inc Contractors are permitted to download information from inBloom or other sources of PII on to local or portable devices or storage only when necessary or as directed by a School District or State Educational Agency and must confirm that the information is encrypted and stored in password-protected files, and that devices containing the information have appropriate security settings in place (such as encryption, firewall protection, anti-virus software and malware protection).

--inBloom, Inc requires that any downloaded materials consisting of PII remain in the United States and Canada.

--The unencrypted transmission of information from inBloom, or any other source of PII, wirelessly or across a public network to any third party is prohibited.

B.  Access to inBloom PII

  1. Customers Determine Access to PII.  School Districts and State Educational Agencies that use inBloom to store PII have control of the data and are the ultimate arbiters of who is able to have access to the PII.  School Districts and State Educational Agencies that elect to use inBloom sign an agreement with inBloom, Inc, which includes requirements to comply with this Data Privacy and Security Policy.  A State Educational Agency, as authorized by School Districts, may also sign a participation agreement on behalf of School Districts in its state.  Student data are uploaded into inBloom by the School District and/or State Educational Agency.  It remains the responsibility of the School District and/or State Educational Agency to ensure that the information uploaded into inBloom is accurate, or correctly amended, in accordance with law. 
  2. Policies Re Parent Rights to Approve Disclosures of PII to Third Party Application Providers. School District and State Educational Agency Customers are responsible, as appropriate, for determining and notifying parents of policies regarding the extent to which parents (or students 18 and over) are given advance notice of, and the opportunity to decline, the provision of PII for their children (or themselves) to a Third Party Application Provider that uses the PII to provide educational services to schools or students.  Each School District and State Educational Agency shall be responsible for handling any complaints from parents (or students 18 and over) regarding the disclosure of their student information to a Third Party Application Provider. 
  3. Super Administrators.  Each School District Customer and State Educational Agency Customer that uses inBloom must designate a Super Administrator. “Super Administrator” means any personnel designated by a Customer as responsible for managing access to PII stored in inBloom by designating Customer Authorized Users and Third Party Authorized Users (including Third Party Application Providers) and for determining the scope of data to which they have access.   The Super Administrator shall be responsible for making all administrative decisions regarding access to and use of inBloom with regard to data provided by the Super Administrator's agency.  A Super Administrator may delegate all or some of his or her functions under this policy to employees within the School District or State Educational Agency.
  4. Access Based on Roles/Agreements.  Access to PII will be determined by the Super Administrator based on the roles of the School District's or State Educational Agency's employees and their legitimate interest in having access to the PII to perform their role and, in the case of their contractors and Third Party Application Providers and their Third Party Authorized Users, based on agreements with such third party authorizing their use of inBloom and their access to the PII.  For example, based on local role authentication, a school principal in a participating school district would have authorization to view all student data for students in her school, but not student data of students in other schools within the school district.  Each inBloom role will determine what permission users assigned that role will have to access and use the data and what data they are allowed to access. It is the responsibility of the Super Administrator to ensure that permissions and roles are kept current regardless of cause.  For example, after a student transfers to a new school, a teacher would not be able to see PII for that student with the exception of information associated with the section previously taught.   When a teacher retires, all access to PII is terminated.
    1. School Districts and State Educational Agencies, through their respective Super Administrators, are responsible for determining the eligibility of Third Party Application Providers and their Third Party Authorized Users to access PII and documenting appropriate agreements with such third parties, consistent with the School District's or State Educational Agency's participation agreement with inBloom, Inc, that limit use of PII to the purposes of inBloom.
    2. inBloom, Inc will define certain pre-defined default permissions and roles.  For example, a user with the role of "teacher" might be able to see all PII for students that she teaches and create assessment results for those students.  A "principal" might be able to see PII for all students in her school but have no permission to create assessment results.  
    3. While the pre-defined roles cannot be changed, Super Administrators or users with the appropriate permissions will be able to create custom roles, by associating the role with any combination of inBloom permissions.  Super Administrators or users with the appropriate permissions can define a custom role that has a new grouping of permissions, but cannot create new permissions.  For example, a custom role may be created to limit access to sensitive information (such as disciplinary records, Individual Education Plans and other records of students with disabilities, or free and reduced lunch eligibility) solely to administrators who need access to that information, and to deny access to others who would normally have access to such permission based on their roles.
  5. Directory of Users; Authentication.  User names, their credentials, and roles will be stored in either a School District or State Educational Agency-designated Directory, or, when available, an inBloom-hosted Directory.  School Districts or State Educational Agencies with their own directories need to integrate the directories with inBloom.  When users log into the inBloom portal or an inBloom application, their identities will be authenticated by a School District's or State Educational Agency's Directory, not by the inBloom system itself.  The School District's or State Educational Agency's Directory will verify that the user name and password credentials supplied are valid and return this information to inBloom.
  6. Aggregate Data.  In addition to providing access to student PII to users authorized by the Super Administrator, as provided above, Third-Party Applications that provide access to student data stored by districts/states with inBloom may also limit such access to aggregate data for some recipients (for example, due to small size of data set that may allow identification of students).   The Super Administrator will be able to configure the number of students permitted to be seen in aggregate groups by users of applications that pull data directly from inBloom.
  7. Parent Companies/Affiliates of Contractors.  Neither inBloom, Inc nor its Contractors will be permitted to share PII with their parent companies, subsidiaries or other affiliates, unless such parent company, subsidiary or affiliate is an inBloom, Inc Contractor under a written agreement with inBloom, Inc and is subject to a service agreement and all other security and confidentiality provisions applicable to the inBloom, Inc or inBloom, Inc Contractor.

IV.  INFORMATION SECURITY PROGRAM

The security of the PII that School Districts and State Educational Agencies store in inBloom is of critical importance to inBloom, Inc.  inBloom Inc’s formal IT Security Program consists of technical, physical and administrative safeguards focused to protect PII with a particular focus on all PII stored by School District and State Educational Agency Customers in inBloom.  inBloom Inc's IT Security Program is designed to identify, manage and control the risks to system and data availability, integrity, and confidentiality, and to ensure accountability for system actions.  inBloom Inc's Security Program includes, and the security program of each inBloom, Inc Contractor is required to include, the following key general processes which will be more fully described in other materials as necessary:

A.  Information Security Risk Assessment

inBloom, Inc periodically conducts, and inBloom, Inc Contractors are required to periodically conduct, an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PII included in or accessed through inBloom and shall implement security measures sufficient to reduce identified risks and vulnerabilities.  Such measures shall be implemented based on the level of risks, capabilities, and operating requirements.  These measures must include as appropriate and reasonable the following safeguards:

  1. Administrative Safeguards
    1. Sanctions:  Appropriate sanctions against inBloom, Inc and its Contractor personnel who fail to comply with inBloom, Inc security policies and procedures, with the potential for criminal referral if warranted.
    2. System Monitoring:  Procedures to regularly review records of information systems activity, including maintaining access logs, access reports, security incident tracking reports, and periodic access audits.
    3. Security Oversight:  Assignment of one or more appropriate senior officials within inBloom, Inc and each inBloom, Inc Contractor, as applicable, to be responsible for developing, implementing, and monitoring of safeguards and security issues.
    4. Appropriate Access:  Procedures to determine that the access of inBloom, Inc and inBloom, Inc Contractor personnel to PII is appropriate and meets a legitimate need to support their roles in business or clinical operations.  Procedures for establishing appropriate authorization mechanisms for inBloom, Inc and inBloom, Inc Contractor personnel who have access to inBloom and PII. 
    5. Employee and Contractor Supervision:  Procedures for regularly monitoring and supervising inBloom, Inc and inBloom, Inc Contractor personnel who have access to inBloom and PII.
    6. Access Termination:  Procedures for terminating access to inBloom and PII when employment ends, or when an individual no longer has a legitimate need for access.
    7. Recording Requests and Disclosures:    Disclosures of PII to and requests for disclosures of PII from third parties -- other than employees of inBloom, Inc or of the School District or State Educational Agency that provided the PII to inBloom -- are recorded by the School District or State Educational Agency Customer.
  2. Physical Safeguards
    1. Access to inBloom:  Procedures that grant access to PII by establishing, documenting, reviewing, and modifying a user’s right of access to a workstation, software application/transaction, or process.
    2. Awareness Training:  Establish on-going security awareness through training or other means that provide inBloom, Inc and inBloom, Inc Contractor personnel (including management) with updates to security procedures and policies (including guarding against, detecting, and reporting malicious software). Awareness training should also address procedures for monitoring log-in attempts and reporting discrepancies, as well as procedures for safeguarding passwords.
    3. Incident Response Plan:  Procedures for responding to, documenting, and mitigating where practicable suspected or known security incidents and their outcomes.
    4. Physical Access:  Procedures to limit physical access to PII and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed, including physical barriers that require electronic control validation (e.g., card access systems) or validation by human security personnel.
    5. Physical Identification Validation:  Access is physically safeguarded to prevent tampering and theft, including procedures to address control and validation of a person’s access to facilities based on their role or function, including employees, faculty, students, and vendors.
    6. Operational Environment:  Procedures that specify the proper functions to be performed, the manner in which they are to be performed, and the physical attributes of the surroundings of facilities where PII is stored.
    7. Media Movement:  Procedures that govern the receipt and removal of hardware and electronic media that contain PII into and out of a facility.
    8. Encryption and Final Disposition of Information:  Procedures addressing encryption of all data at rest and in transit and the final disposition of PII.  Procedures must include processes for the continued encryption of a School District Customer or State Educational Agency Customer’s information (including PII) through the time when its secure deletion/destruction has been requested by such Customer, or when the terms of an agreement between inBloom, Inc and a School District Customer or State Educational Agency Customer require that the PII be deleted/destroyed. 
  3. Technical Safeguards 
    1. Data Transmissions:  Technical safeguards, including encryption, to ensure PII transmitted over an electronic communications network is not accessed by unauthorized persons or groups.
    2. Data Integrity:  Procedures that protect inBloom PII from improper alteration or destruction.  These procedures will include mechanisms to authenticate records and corroborate that they have not been altered or destroyed in an unauthorized manner.
    3. Logging off Inactive Users: Inactive electronic sessions shall be designed to terminate automatically after a specified period of time.  
    4. Disaster Recovery and Business Continuity:  inBloom, Inc will develop contingency plans and business continuity plans designed to ensure that inBloom, Inc can continue to securely provide needed services in the event of system breakdowns, natural disasters or other events that destroy or render inoperable inBloom, Inc systems.   inBloom, Inc will develop these plans with a focus on the sensitivity of information and the criticality of the systems involved in providing services to School Districts and State Educational Agencies.  These plans will be designed to enable inBloom, Inc to provide critical services and secure PII while operating in an emergency mode.  inBloom, Inc will periodically test these procedures and make revisions as necessary.  

B.  Security Controls Implementation

inBloom, Inc and inBloom, Inc Contractors will develop procedures addressing the acquisition and operation of technology, the specific assignment of duties and responsibilities to managers and staff, the deployment of risk-appropriate controls, and the need for management and staff to understand their responsibilities and have the knowledge, skills and motivation necessary to fulfill their duties.  

C.  Security Monitoring

In combination with periodic security risk assessments, inBloom, Inc and inBloom, Inc Contractors will use a variety of approaches and technologies to make sure that risks and incidents are appropriately detected, assessed and mitigated on an ongoing basis. inBloom, Inc and inBloom, Inc Contractors will also assess on an ongoing basis whether controls are effective and performing as intended, including intrusion monitoring and data loss prevention. 

D.  Security Process Improvement

Based on inBloom Inc’s security risk assessments and ongoing security monitoring, inBloom, Inc and inBloom, Inc Contractors will gather and analyze information regarding new threats and vulnerabilities, actual attacks on inBloom, Inc and inBloom, Inc Contractors, and new opportunities for managing security risks and incidents.  inBloom, Inc and inBloom, Inc Contractors will use this information to update and improve their risk assessment, strategy and control processes.

E.  Breach Remediation

inBloom, Inc and inBloom, Inc Contractors strive to keep inBloom and PII secure, and inBloom, Inc uses reasonable administrative, technical, and physical safeguards to do so.  inBloom, Inc and inBloom, Inc Contractors will maintain and update incident response plans that establish procedures to follow in case a breach occurs. inBloom, Inc and inBloom, Inc Contractors will also identify individuals within their respective organizations responsible for implementing incident response plans if a breach should occur.

Almost all U.S. states and many other jurisdictions have laws requiring businesses to notify individuals in the event of any unauthorized acquisition of or access to files or documents containing such individuals’ PII.  State laws vary as to the types of PII that are covered, the methods of notification and the required contents of the notice, and whether notification is required when the PII is encrypted.  Some states require notification to various third parties, such as law enforcement agencies, attorneys general and/or credit reporting companies.

If inBloom, Inc determines that a breach has occurred, when there is a reasonable risk of identity theft or other harm, or where otherwise required by law, inBloom, Inc will notify affected parties as promptly as possible, including School Districts and State Educational Agencies, and will cooperate with  School District or State Educational Agencies as needed to enable compliance with all State breach of confidentiality laws.

inBloom, Inc employees and inBloom, Inc contractors are required to report as promptly as possible to the inBloom, Inc CEO (or his or her designee) and persons responsible for managing their respective organization’s incident response plan any incident or threatened incident involving unauthorized access to or acquisition of PII of which they become aware.  Such incidents include any breach or hacking of the SLI or other Electronic Resources, or any loss or theft of data, other electronic storage, or paper.  As used herein, "Electronic Resources" means all information processing and communications hardware and software employed in inBloom Inc's or the inBloom Inc Contractor's  business, whether owned by inBloom, Inc or the inBloom, Inc Contractor, or operated by its employees or agents in performing work for inBloom, Inc or the inBloom, Inc Contractor.

Further, School District Customers and State Educational Agency Customers are responsible for notifying inBloom, Inc as promptly as possible upon having any reason to believe that PII may have been lost, stolen, inappropriately accessed in or through inBloom or a third-party application that uses inBloom, or have been otherwise compromised.

F.  Organization, Responsibilities and Administration

inBloom, Inc will appoint and will require that each inBloom, Inc Contractor appoint one or more senior officials  responsible for developing, implementing and maintaining the IT Security Program, under the oversight of inBloom, Inc's or the inBloom, Inc Contractor's CEO and Board, as applicable.  A description of inBloom, Inc's and any inBloom, Inc Contractor’s safeguards as described in this Section will be provided to School District and State Educational Agency customers upon request from the Customer in a timely manner. 

G.  Personnel Security Policy Overview

This process mitigates the risks posed by users of inBloom, Inc’s information systems by:

    1. Performing appropriate background checks and screening of new inBloom, Inc and inBloom, Inc Contractor personnel, in particular those who will have access to inBloom;
    2. Obtaining agreements from inBloom, Inc and inBloom, Inc Contractor internal users covering confidentiality, nondisclosure and authorized use of PII, including PII contained in or accessed through inBloom; and
    3. Providing training to support awareness and policy compliance with new hires and annually for all inBloom, Inc and inBloom, Inc Contractor personnel.

V.  ENFORCEMENT

inBloom, Inc, each inBloom, Inc Contractor, and Customers, as applicable, will consistently enforce this Policy with appropriate discipline for its own employees. inBloom, Inc,  each inBloom, Inc Contractor, and each Customer, as applicable, will determine whether violations of this Policy have occurred and, if so, will determine the disciplinary measures to be taken against any director, officer, employee, agent or representative who violates this Policy.

The disciplinary measures may include counseling, oral or written reprimands, warnings, probation or suspension without pay, demotions, reductions in salary, or termination of service or employment, as well as criminal referral to law enforcement, if appropriate.

Persons subject to disciplinary measures may include, in addition to the violator, others involved in the wrongdoing such as (a) persons who fail to use reasonable care to detect a violation, (b) persons who withhold material information regarding a violation, and (c) supervisors who approve or condone the violations or attempt to retaliate against employees or agents or representatives of inBloom, Inc or the inBloom, Inc Contractor for reporting in good faith violations or violators.

inBloom, Inc also may take appropriate actions authorized under contract or by law regarding inBloom, Inc Contractors, Customers or third parties that fail to comply with the terms of this Policy.