Student Data Privacy Policy

Resource Library

digiTIES / The Islamic Education School District

Student Data Privacy Policy

ADM-007 · Administrative · Policy & Procedure

Policy Number

ADM-007

Category

Administrative

Effective Date

2026–2027 School Year

Last Reviewed

March 2026

Next Review Due

December 2026

Approved By

Principal, digiTIES

Standards

WASC A6 · NSQ B4, D1 · FERPA · SOPIPA · CA AB 1584 · COPPA

Policy Contact

Principal – principal@digities.org

Scope

All enrolled students, families, staff, contractors, and approved vendors

Replaces

New policy – addresses previously identified critical compliance gap

Policy Overview

Purpose & Statement

digiTIES is committed to protecting the privacy, security, and confidentiality of all student and family data. As a virtual school, digiTIES collects and processes student information through digital platforms and is subject to multiple federal and California state privacy laws. This policy establishes clear, enforceable standards for how student data is collected, used, stored, shared, and protected – ensuring legal compliance, family trust, and alignment with accreditation expectations.

Scope & Who This Applies To

This policy applies to all digiTIES staff, administrators, contractors, volunteers, approved technology vendors, and any party who collects, accesses, processes, or stores student or family data on behalf of digiTIES. It governs all students enrolled in Grades 1–12 and their parents/guardians.

Key Definitions

Student Educational Record: Any record directly related to a student maintained by the school, including grades, attendance, assessments, and enrollment data.

Personally Identifiable Information (PII): Any data that can identify a specific student, including name, address, student ID, or combination of data points.

Eligible Student: A student who has reached 18 years of age and thereby holds their own FERPA rights.

Approved Vendor: A technology provider or contractor that has been reviewed, approved, and contracted by digiTIES administration and that meets the data security and privacy requirements of this policy.

Procedures & Implementation

The following sections describe digiTIES data privacy practices. All staff are responsible for upholding these standards in their daily work.

Data Collection & Use

What Data digiTIES Collects

digiTIES collects only data necessary to provide education and operate the school:

  • Student identification and enrollment information
  • Academic records, grades, and assessment results
  • Attendance and engagement data
  • Communication records between school and families
  • Platform login and usage data (Microsoft Teams, SIS, and approved platforms)
  • Health or special needs information when provided voluntarily and relevant to student support

How Student Data Is Used

Student data is used only for the following educational purposes:

  • Instruction and monitoring of academic progress
  • Communication with students and families
  • Student support, intervention, and accommodations
  • School operations and regulatory compliance
  • Accreditation documentation and data reporting

Student data is never sold, shared for commercial purposes, or used for targeted advertising.

Lesson Recordings & Media

Live Lesson Recordings

All live class sessions conducted through digiTIES platforms are recorded as part of the online learning model. The following standards apply:

  • Recordings are accessible only to enrolled students in that course and authorized digiTIES staff.
  • Recordings are used for lesson review, student support, and teacher evaluation purposes.
  • Recordings are not shared publicly and are not accessible to parties outside the school without consent.
  • Recordings are retained in accordance with the data retention schedule described in Section 9.

Media Use – Student Images and Work

Student images, video recordings, voice recordings, or original work may only be used for public-facing purposes with explicit written parental consent. digiTIES will:

  • Never publish a student’s full name alongside identifying media without consent.
  • Never share sensitive student information publicly.
  • Honor consent withdrawal requests immediately – contact the Principal in writing.
  • Obtain fresh consent for any new use case not covered by prior consent.
  • Obtain fresh consent annually.

Data Sharing & Vendor Management

Data Sharing

digiTIES does not sell student data. Data may be shared only in the following circumstances:

  • With digiTIES staff who have a legitimate educational interest in the data.
  • With approved educational vendors under a written data processing agreement aligned with SOPIPA/AB 1584.
  • With approved educational providers under a written MOU.
  • When legally required by court order, subpoena, or applicable law.
  • In a health or safety emergency, to the extent permitted by FERPA.

Approved Vendor Standards

All technology platforms used by digiTIES students or staff must be reviewed and approved by administration. Approved vendors are contractually required to:

  • Use student data only for the educational purposes specified in the contract.
  • Protect and secure student data using appropriate technical safeguards.
  • Prohibit the sale, rental, or use of student data for advertising or commercial purposes.
  • Delete or return student data upon contract termination or upon school request.
  • Notify digiTIES of any data breach involving student data within 72 hours.

Staff may not introduce new technology platforms or tools that will collect student data without written approval from the Principal.

Parent & Student Rights (FERPA)

Parents and eligible students (age 18+) have the following rights under FERPA:

  • The right to inspect and review their student’s educational records within 45 days of a written request.
  • The right to request corrections to records they believe are inaccurate or misleading.
  • The right to consent to or opt out of disclosures of personally identifiable information.
  • The right to file a complaint with the U.S. Department of Education regarding FERPA violations.

To exercise FERPA rights, submit a written request to the Principal at principal@digities.org.

Directory Information

digiTIES may designate limited information (such as student name, grade level, and honors recognition) as directory information. Parents may opt out of directory information disclosure by submitting a written request to the Principal at any time.

Data Security & Storage

Security Safeguards

  • Student data is stored only in school-approved, secure cloud systems (Microsoft 365 / SharePoint, SIS).
  • Access to student data is restricted by role-based permissions – staff access only data relevant to their responsibilities.
  • All staff with access to student data must complete annual data privacy training.
  • Data access and usage is monitored by administration on an ongoing basis.
  • Sharing student data via unsecured channels (personal email, social media, unapproved apps) is prohibited.

Data Retention & Deletion

  • Student records are retained for a minimum of 7 years after the student’s last date of enrollment, or as required by California law.
  • Data that is no longer needed for educational or legal purposes is securely deleted or archived.
  • Vendors are required to confirm data deletion upon contract end.

Students Under Age 13 (COPPA)

For students under the age of 13, all data collection and platform access is governed by verified parental consent. digiTIES does not allow students under 13 to use any platform that collects personal data without prior documented parental consent. Parents may withdraw consent at any time by contacting the Principal in writing.

Incident Response – Data Breach

In the event of a confirmed or suspected data breach involving student data, digiTIES will:

  1. Immediately investigate the nature and scope of the breach.
  2. Notify affected families and students within 72 hours of confirmation, as required by California law.
  3. Notify the relevant vendor, if applicable, and require remediation.
  4. Report to applicable authorities if required by law.
  5. Take corrective action to prevent recurrence.
  6. Document the incident and response in the school’s governance records.

Staff & Family Responsibilities

Staff Responsibilities

  • Use only approved systems to access, store, or transmit student data.
  • Complete annual data privacy training as assigned by administration.
  • Report any suspected data breach, unauthorized access, or misuse of student data to the Principal immediately.
  • Do not discuss or share student data (grades, behavior, personal information) in any non-secure or public setting.
  • Do not use personal email accounts, social media, or unapproved tools to share student data.

Family Responsibilities – Virtual Learning

  • Maintain secure devices used to access digiTIES platforms.
  • Protect student login credentials and do not share them with unauthorized parties.
  • Support appropriate student technology use in alignment with the digiTIES Technology Acceptable Use Policy.
  • Notify digiTIES immediately if a student’s account credentials are believed to be compromised.

Standards & Legal Alignment

Standard / Law

Reference

How This Policy Addresses It

ACS WASC 2026

Standard A6

Accountability and compliance – clear policies governing student data, privacy rights, and ethical information practices.

NSQ Online Programs 2025

Standards B4, D1

Implements national/local data security and privacy policies; provides accurate policy information to stakeholders.

FERPA (Federal)

20 U.S.C. §1232g

Protects student educational records. Parents and eligible students have rights to access, correct, and control disclosure.

CA SOPIPA / AB 1584

Ed Code §49073.1

Prohibits operators from selling student data or using it for advertising. Governs third-party operator contracts.

COPPA (Federal)

15 U.S.C. §6501

Requires parental consent for data collection from children under 13. Governs vendor platform access for minors.

GDPR Principles

Data minimization

digiTIES applies GDPR principles (minimization, transparency, purpose limitation) as best practice for all student data.

Related Policies & Documents

  • ADM-001 – Enrollment & Admissions Policy
  • ADM-004 – Communication & Family Engagement Policy
  • TECH-001 – Technology Acceptable Use Policy
  • TECH-002 – Responsible AI Use Policy
  • HR-003 – Background Checks & Clearances Policy
  • HR-004 – Mandated Reporter Policy

Annual Policy Review Log

Per NSQ Standard C4 and ACS WASC Standard A6, all policies must be reviewed annually with documented stakeholder input and governing body approval.

Date

Revised By

Approved By

Summary of Changes

03.2026

Manal Nachef

Principal / Board

Initial adoption

digiTIES Vision, Mission & Values – Policy Alignment Reference

VISION

By 2030, digiTIES will stand among the world’s most respected virtual schools – a premier destination for Muslim youth seeking rigorous academics, global opportunity, and a community rooted in faith and integrity.

MISSION

digiTIES delivers a rigorous, WASC-accredited virtual education that prepares Muslim youth for competitive university pathways and meaningful futures. We combine academic excellence, innovative digital learning, and a values-driven community rooted in the Islamic tradition to develop confident, ethical, and future-ready leaders.

CORE VALUES ALIGNMENT

Before adoption, confirm this policy supports: Academic excellence · Islamic values · Digital innovation · Student agency · Community partnership · Continuous improvement