Data Storage and Retention Policy

Purpose

This policy is designed to outline certain retention and deletion requirements for Data, including, PII, in alignment with laws and regulations for student users in grades K-12. Retention of certain Data, including, PII, may be required by law or permitted for designated purposes. 

Scope and Definitions

This policy is written for all Data Owners, privacy officer(s) and any others who manage the use of Data, including, PII, within Campus Suite. 

See the Definitions section of the policies for certain definitional terms used in this policy. 

Policy Statements

Campus Suite only collects minimal Data, including, PII, from students who opt to use the Campus Suite communications platform, i.e. opt to be notified by the school via voice or email regarding school notifications.

Data Retention

Campus Suite typically queries a student users’ data, including, PII, directly from the school’s SIS system, or via a third-party like Clever, GG4L and ClassLink. These providers have already been granted access to selected data made available to them by the school. In these cases, the school can decide to revoke access to the selected data at their discretion. The data used by Campus Suite is only used for as long as the students account is active, and it is necessary to provide the Campus Suite services to the student user and thereafter, unless, otherwise specified herein. 

Some Data, including, PII, may be kept after an account is inactive, including, for an Educational Entity’s legal compliance reasons (e.g., maintenance of “education records” under FERPA or “student user records” under various state student privacy laws.) 

Deletion 

1. Upon Request – Data, Including, PII
   Data, including, PII, may be deleted at any time as follows. Upon receipt of a request by a verified student user or the parent of the verified student user, of a request to delete the Data, including, PII, in writing, Campus Suite will delete the Data, including, PII. The student user’s Data, including, PII, will be deleted as soon as reasonably possible after receipt of a such request. 
   
   
2. Upon Request – Account
   An account may be deleted at any time as follows. Upon receipt of a request by a verified student user or the parent of the verified student user, of a request to delete the account, in writing Campus Suite will delete the account. The student user’s account will be deleted as soon as reasonably possible after receipt of a such request. 
   
   
3. Inactive Accounts/Data, Including, PII
   Campus Suite deems an account and data, including, PII, inactive if a student user or a parent of the student user does not log into their account for a period of 7 years. 
   
   
4. Requested by a Parent
   All parental requests regarding a student user’s Data, including, PII, are to be first addressed to the Educational Entity that the student user is associated with and has an account with Campus Suite and otherwise addressed in accordance with Campus Suite’s K-12 Privacy Policy. If parental requests regarding a student user’s Data, including, PII, are not addressed by the Educational Entity, such parent may as a second level of support, contact Campus Suite, as follows:
   
   Campus Suite, Chief Privacy Officer
   752 Dunwoodie Dr., Cincinnati. OH 45230
   E-Mail: helpdesk@campussuite.com
   
   
5. Archival Storage
   When deleting an account, the student user’s username and password and any device specific information, location information and IP address will be deleted.
   
   
6. Specific Student Information
   Copies of Data, including, PII may remain in a cached or archived form on Campus Suite’s systems or the system of Campus Suite’s third party service providers after a student user requests deletion of the Data, including, PII. 

Data Table

Campus Suite has established a Data Table K-12 to document all Data, including, PII, processed, considering any reasons why Data, including, PII, must be retained. For each data type, the Data Table K-12 also documents the following: 

1. Identification;
2. Data Owner; 
3. Processing (transfer and share);
4. Classification;
5. Retention times, and:
6. Disposition upon deletion.

Anonymization

When the Data, including, PII, meets the end of the retention period or a request is made to delete the Data, including, PII, it may be erased or sufficiently anonymized. Anonymization may include practices such as the following: 

1. Deleting specific element(s) or unique identifier(s) that would otherwise identify the subject.
2. Separating personal Data from non-identifying Data (e.g. separating order number from name/address).
3. Aggregating personal Data of enough individuals so that specific Data cannot be attributed to a subject.

Backups will be executed in accordance with the backup schedule of _____________ which is deployed by Campus Suite in support of the Site and the Campus Suite App.

Campus Suite ensures that Data, including, PII stored is accurate and kept up-to-date through the means of auditing, review processes, and the implementation of security controls (e.g. integrity monitoring). 

Storage

Data, including, PII, may be stored if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. 

In the event of prolonged storage, Campus Suite must document the purpose as Campus Suite must implement and maintain technical and organizational measures to protect said Data, including, PII. Technical measures may include anonymization, encryption, and other controls.

Retention Upon Termination of Contract with an Educational Entity 

As part of the contract between Campus Suite and an Educational Entity, the Educational Entity acknowledges that upon termination of that relationship, for any reason, Campus Suite will schedule complete disposition of the data with AWS (our upstream provider), and will only continue to maintain the Data, including, PII when required to do so upon order of an authority.

Upon termination of the contract between Campus Suite and an Educational Entity, Campus Suite will terminate any access to the Data, including, PII, by the Educational Entity, including, access by administrators, faculty and its personnel. 

Upon termination of a contract between Campus Suite and an Educational Entity, student users will only be allowed access to add new Data, including, PII, if the student user becomes associated with another Educational Entity that Campus Suite has a contract with, or is registered with Campus Suite as an Individual User in accordance with the requirements of Campus Suite and the Terms.  

Exceptions

Any exceptions to the Data Retention and Deletion Policy K-12 are highly discouraged, but in the event, there is a legitimate business need, it must be approved by Chief Executive Officer and the exception will be documented.  All exceptions will be reviewed quarterly and will be prohibited after no longer necessary. 

Governing Laws and Regulations

Family Educational Rights and Privacy Act and its implementing regulations, 20 U.S.C. 1232g and 34 C.F.R. Part 99, respectively (FERPA)

Children’s Online Privacy Protection Act (COPPA) 

NYS Education Law section 2-d, 101, 207 and 305 – Part 121

Non-Compliance

Violations of this policy will be treated in accordance with Campus Suite’s policies. Campus Suite may face significant fines if non-compliant with regulations. Individuals subject to this policy will be subject to sanctions for non-compliance that may include, but are not limited to, one or more of the following:

1. Disciplinary action according to applicable Campus Suite policies. 
2. Termination of employment.
3. Legal action according to applicable laws and contractual agreements.

Relavent Documents

• Privacy Policy
• Terms and Conditions