SchoolNow™ Data Storage and Retention Policy

Purpose

This policy is designed to outline certain retention and deletion requirements for Data, including, PII, in alignment with laws and regulations for student users in grades K-12. Retention of certain Data, including, PII, may be required by law or permitted for designated purposes. 

Scope and Definitions

This policy is written for all Data Owners, privacy officer(s) and any others who manage the use of Data, including, PII, within SchoolNow. 

See the Definitions section of the policies for certain definitional terms used in this policy. 

Policy Statements

SchoolNow only collects minimal Data, including, PII, from students who opt to use the SchoolNow communications platform, i.e. opt to be notified by the school via voice or email regarding school notifications.

Data Retention

SchoolNow typically queries a student users’ data, including, PII, directly from the school’s SIS system, or via a third-party like Clever, GG4L and ClassLink. These providers have already been granted access to selected data made available to them by the school. In these cases, the school can decide to revoke access to the selected data at their discretion. The data used by SchoolNow is only used for as long as the students account is active, and it is necessary to provide the SchoolNow services to the student user and thereafter, unless, otherwise specified herein. 

Some Data, including, PII, may be kept after an account is inactive, including, for an Educational Entity’s legal compliance reasons (e.g., maintenance of “education records” under FERPA or “student user records” under various state student privacy laws.) 

Deletion 

1. Upon Request – Data, Including, PII
   Data, including, PII, may be deleted at any time as follows. Upon receipt of a request by a verified student user or the parent of the verified student user, of a request to delete the Data, including, PII, in writing, SchoolNow will delete the Data, including, PII. The student user’s Data, including, PII, will be deleted as soon as reasonably possible after receipt of a such request. 
   
   
2. Upon Request – Account
   An account may be deleted at any time as follows. Upon receipt of a request by a verified student user or the parent of the verified student user, of a request to delete the account, in writing SchoolNow will delete the account. The student user’s account will be deleted as soon as reasonably possible after receipt of a such request. 
   
   
3. Inactive Accounts/Data, Including, PII
   SchoolNow deems an account and data, including, PII, inactive if a student user or a parent of the student user does not log into their account for a period of 7 years. 
   
   
4. Requested by a Parent
   All parental requests regarding a student user’s Data, including, PII, are to be first addressed to the Educational Entity that the student user is associated with and has an account with SchoolNow and otherwise addressed in accordance with SchoolNow’s K-12 Privacy Policy. If parental requests regarding a student user’s Data, including, PII, are not addressed by the Educational Entity, such parent may as a second level of support, contact SchoolNow, as follows:
   
   SchoolNow, Chief Privacy Officer
   752 Dunwoodie Dr., Cincinnati. OH 45230
   E-Mail: helpdesk@schoolnow.com
   
   
5. Archival Storage
   When deleting an account, the student user’s username and password and any device specific information, location information and IP address will be deleted.
   
   
6. Specific Student Information
   Copies of Data, including, PII may remain in a cached or archived form on SchoolNow’s systems or the system of SchoolNow’s third party service providers after a student user requests deletion of the Data, including, PII. 

Data Table

SchoolNow has established a Data Table K-12 to document all Data, including, PII, processed, considering any reasons why Data, including, PII, must be retained. For each data type, the Data Table K-12 also documents the following: 

1. Identification;
2. Data Owner; 
3. Processing (transfer and share);
4. Classification;
5. Retention times, and:
6. Disposition upon deletion.

Anonymization

When the Data, including, PII, meets the end of the retention period or a request is made to delete the Data, including, PII, it may be erased or sufficiently anonymized. Anonymization may include practices such as the following: 

1. Deleting specific element(s) or unique identifier(s) that would otherwise identify the subject.
2. Separating personal Data from non-identifying Data (e.g. separating order number from name/address).
3. Aggregating personal Data of enough individuals so that specific Data cannot be attributed to a subject.

Backups will be executed in accordance with the backup schedule of _____________ which is deployed by SchoolNow in support of the Site and the SchoolNow App.

SchoolNow ensures that Data, including, PII stored is accurate and kept up-to-date through the means of auditing, review processes, and the implementation of security controls (e.g. integrity monitoring). 

Storage

Data, including, PII, may be stored if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. 

In the event of prolonged storage, SchoolNow must document the purpose as SchoolNow must implement and maintain technical and organizational measures to protect said Data, including, PII. Technical measures may include anonymization, encryption, and other controls.

Retention Upon Termination of Contract with an Educational Entity 

As part of the contract between SchoolNow and an Educational Entity, the Educational Entity acknowledges that upon termination of that relationship, for any reason, SchoolNow will schedule complete disposition of the data with AWS (our upstream provider), and will only continue to maintain the Data, including, PII when required to do so upon order of an authority.

Upon termination of the contract between SchoolNow and an Educational Entity, SchoolNow will terminate any access to the Data, including, PII, by the Educational Entity, including, access by administrators, faculty and its personnel. 

Upon termination of a contract between SchoolNow and an Educational Entity, student users will only be allowed access to add new Data, including, PII, if the student user becomes associated with another Educational Entity that SchoolNow has a contract with, or is registered with SchoolNow as an Individual User in accordance with the requirements of SchoolNow and the Terms.  

Exceptions

Any exceptions to the Data Retention and Deletion Policy K-12 are highly discouraged, but in the event, there is a legitimate business need, it must be approved by Chief Executive Officer and the exception will be documented.  All exceptions will be reviewed quarterly and will be prohibited after no longer necessary. 

Governing Laws and Regulations

Family Educational Rights and Privacy Act and its implementing regulations, 20 U.S.C. 1232g and 34 C.F.R. Part 99, respectively (FERPA)

Children’s Online Privacy Protection Act (COPPA) 

NYS Education Law section 2-d, 101, 207 and 305 – Part 121

Non-Compliance

Violations of this policy will be treated in accordance with SchoolNow’s policies. SchoolNow may face significant fines if non-compliant with regulations. Individuals subject to this policy will be subject to sanctions for non-compliance that may include, but are not limited to, one or more of the following:

1. Disciplinary action according to applicable SchoolNow policies. 
2. Termination of employment.
3. Legal action according to applicable laws and contractual agreements.

Relavent Documents

• Privacy Policy
• Terms and Conditions