We take privacy protection very seriously
HIPAA, FERPA, and COPPA compliant
We take very seriously our responsibility to protect student, family and teacher privacy in our training software, data storage and management systems, web-based services, and internal policies to regulate access. We are fully compliant with the Family Education Rights and Policy Act (FERPA) (link to http://www2.ed.gov/policy/gen/guid/fpco/ferpa/students.html), the more stringent Health Information Privacy and Protection Act (HIPAA) (link to http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html), and the Children’s Online Privacy Protection Act (COPPA) (link to http://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule). At the simplest level, the gist is we will NEVER disclose student personal information to any unauthorized parties. The details are more technical and are summarized below.
Technically, the student records in our program are not health records, but because sometimes older students use the program to look up private concerns, including family problems that might reasonably be expected to be shared only with a counselor, we have added extra levels of confidentiality protection that are not used by other social-emotional learning or discipline programs. These include:
Protections within the software
- Providing users password protection
- Limiting teacher content monitoring to strengths-based topics (asset building)
- Requiring an additional level of security to track compliance with discipline assignment
- Shielding the content of private exploration, keeping only the category “personal exploration” on student records and score cards
- Heavily encrypting all journal entries
- Providing an instant privacy screen, to shield the program from prying eyes
Where is the data stored?
Customers may select one of the three options below for the storage of student data (i.e., username and password, time spent on the program, information on completed and partially completed topics within the program):
- On the particular computing device on which the software is installed
- On a file server owned by the district within the district’s network
- On a HIPAA-compliant cloud server hosted by a third party under contract with Ripple Effects
NOTE: The customer may also choose to store data on their own web-server. This option would entail a consulting charge by Ripple Effects to set this up.
Privacy protections to, from and on our cloud-based server
If the cloud-based option is chosen, we have a HIPAA Business Associate Agreement with a 3rd party for use of a secure, HIPAA-compliant server. Our provider offers these things:
- Transport Encryption: Data is always encrypted as it is transmitted over the Internet
- Backup: Data is backed up and can be recovered
- Authorization: Data is only accessible by authorized personnel using unique, audited access controls
- Integrity: Data cannot be tampered with or altered
- Storage Encryption: Data is encrypted when it is being stored or archived
- Disposal: Data can be permanently disposed of when no longer needed
Internal Policies to Limit Unauthorized Access to Student Data
Any request by school district personnel to directly access student data on the server must be made in writing, stating the reason access is needed. The request must be signed by at least one other qualified administrator, then approved (or not) by the Ripple Effects Security Officer. Instances where limited authorization may be granted are:
- For research projects where proxies for student identity are in place, and IRB approval has previously been granted
- To export data to correlate with district administrative data, if authorized by District administrators
EVEN WHEN DATA IS EXPORTED FOR THESE LIMITED USES, THE CONTENT OF INDIVIDUAL PERSONAL EXPLORATION WILL NEVER BE DISCLOSED.
Authorization to access student data will never be granted for commercial use of any kind.