Protecting student and staff personally identifiable information (PII).

At the Concord School District, we work continuously to secure our staff and student data. Parents and educators should be aware that the FBI has warned school districts that student data is a very valuable target for cybercriminals. This is because students do not have an established credit record, and their identities are easier to impersonate; but also, because cybercriminals are collecting, selling, and saving data sets for future crimes.

Parents: click here to see applications in use which have not yet signed a DPA (data privacy agreement).

For assistance with data privacy concerns, please contact Chief Information Security Officer, Pam McLeod, at help@sau8.org or (603) 225-0811.

District policies and procedures align to NH RSA 189:66, V. This RSA was amended in 2018 (HB1612) to give the NH Department of Education, NH school districts, and application vendors the responsibility to secure our student and staff PII. We are also responsible to federal laws such as FERPA, COPPA and CIPA.

Schools have a longstanding culture of adopting free online tools because of tight budgets and to help engage students in their learning. Unfortunately, data privacy was often not a consideration when selecting these tools, a concern that the NH Legislature addressed by passing HB1612.

We take data privacy very seriously, while striving to support educational innovation. Since the passage of HB1612 we have taken the following steps:

1. The Technology department strives to maintain best security practices, as it has for many years.

2. The Concord School Board approved a Data Governance Policy in 2018 .

3. We created a Data Governance Plan in 2019, and review the plan regularly with the School Board. Presentation to the Concord School Board

4. During the 2019-20 school year, we evaluated each and every online tool that we use in the district to determine if the tool collects student or staff PII; if it does, we ask the vendor to sign a NH Data Privacy Agreement (NH DPA). In short, we do not accept the vendor's out of the box privacy terms - we ask them to accept ours. Vendors who do not agree are not used in the district (note: there are a few exceptions, and those are noted here).

(It is important to note that data security encompasses a wide range of practices on local and cloud-hosted servers, and we do not publish or share details of our security approach, per RSA 91-A:5, XI)

When HB1612 was passed in 2018, school districts around our state worked together to form a collaborative approach to asking vendors to sign data privacy agreements. Because NH has so many small districts, we often don't have the buying power to ask large ed-tech companies for custom agreements; by working together, we have more leverage and more importantly, each district does not need to reinvent the wheel by repeating their efforts. This model is called the NH Student Privacy Alliance and operates under the NH CTO Council (nhcto.org), which is a non-profit that is the professional organization for our school technology leaders. District members of the alliance pay a small fee per student, which is used to contract with a consultant and a consulting attorney, who work on our behalf to negotiate data privacy agreements (DPAs) with ed-tech application vendors. The NHCTO works with other organizations, such as the Superintendents' association (NHSAA) and the school boards' association (NHSBA), to ensure that the project has buy in from school boards and superintendents.

Concord's Technology Director and CISO, Pam McLeod, was one of the founders of the Alliance and helps to lead this effort.

In 2020, New Hampshire's alliance joined both a 3-state DPA with MA and RI to improve our negotiating power with software companies. We also joined the first national DPA, the first nationwide document to incorporate the nuances of all state student privacy laws. By early 2021, just 18 months after the founding of the alliance, we had surpassed 700 approved software applications and became the most active state in the nation.