3520.1 - Information Security Breach and Notification

Policy 3520.1

Business and Non-Instructional Operations

Information Security Breach and Notification


The Board of Education is concerned about the rise in identity theft and the need for prompt notification when security breaches occur.  Therefore, the District will take reasonable security measures to guard against the foreseeable loss or exposure of restricted personal information about staff, students, and parents.  The District will consider practices concerning physical, technical and administrative safeguards for both paper and electronic records.

To this end, the Board directs the Superintendent of Schools, in accordance with appropriate business and technology personnel, to establish regulations which:
  • Identify and/or define the types of private information that is to be kept secure.  For purposes of this policy, “private information” does not include information that can lawfully be made available to the general public pursuant to federal or state law or regulation;
  • Include procedures to identify any breaches of security that result in the release of private information; and
  • Include procedures to notify persons affected by the security breach.

Any breach of the district’s computerized data which compromises the security, confidentiality, or integrity of personal information and information pertaining to District security and maintained by the District shall be promptly reported to the Superintendent and the Board of Education.  However, good faith acquisition of personal information by an officer or employee or agent of the District for the purposes of the District is not considered a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.

Legal Reference:     Connecticut General Statutes
1-19(b)(11) Access to public records. Exempt records. 
7-109 Destruction of documents. 
10-15b Access of parent or guardians to student’s records. 
10-209 Records not to be public. 
11-8a Retention, destruction and transfer of documents 
11-8b Transfer or disposal of public records. State Library Board to adopt regulations.
46b-56 (e) Access to Records of Minors. Connecticut Public Records Administration Schedule V - Disposition of Education Records (Revised 1983).
Federal Family Educational Rights and Privacy Act of 1974 (section 438 of the General Education Provisions Act, as amended, added by section 513 of P.L. 93-568, codified at 20 U.S.C.1232g.).

Information Security Breach and Notification

Legal Reference:     Connecticut General Statutes (continued)
Dept. of Education 34 C.F.R. Part 99 (May 9, 1980 45 FR 30802) regs. implementing FERPA enacted as part of 438 of General Education Provisions Act (20 U.S.C. 1232g) parent and student privacy and other rights with respect to educational records, as amended 11/21/96.

42 U.S.C. 1320d-1320d-8, P.L. 104-191, Health Insurance Portability and Accountability Act of 1996 (HIPAA)

65 Fed. Reg. 503 12-50372 
65 Fed. Reg. 92462-82829
63 Fed. Reg. 43242-43280
67 Fed. Reg. 53182-53273

Policy adopted:    April 4, 2017    
NEWTOWN PUBLIC SCHOOLS, Newtown, Connecticut