Student Data Privacy and Security Policy

Better Choices Education LLC

www.BetterChoicesEducation.com

1. Introduction

Better Choices Education LLC ("Contractor") provides a web-based software platform (“Platform”) designed to assist local and regional boards of education in managing student conduct interventions by assigning, delivering, tracking, and reporting behavior-based educational assignments. This policy affirms our compliance with Connecticut General Statutes §§10-234aa to 10-234dd regarding the collection, use, and protection of student data.

2. Scope of Data Collected

The Platform may collect, store, and process the following student information for school purposes only:

• Student full name

• Student school-issued or personal email address

• Assignment records associated with discipline incidents

• Time stamps and progress on assigned modules

We do not collect Social Security numbers, biometric data, health records, or persistent unique identifiers beyond what is essential to system access and operation.

3. Compliance with State Law

This Platform was designed and is operated in full compliance with Connecticut student data privacy laws. Specifically:

3a. Ownership and Control

• Student data remains the property of the student and/or their parent or legal guardian.

• The Contractor acknowledges that it does not own or control student information, student records, or student-generated content.

3b. Use Limitations

• Student data will be used exclusively for purposes outlined in contracts with school districts, and only for educational and administrative functions.

• No student data will be used for targeted advertising.

• Student data will not be sold, rented, or traded.

4. Data Access, Review, and Deletion

• Students, parents/guardians, or the school district may request review or correction of any personally identifiable data via secure written request.

• Data will be deleted within a reasonable period upon request by the school district, student, or legal guardian, unless retention is required by law or stored only in disaster recovery systems.

5. Data Security

The Contractor has implemented security procedures consistent with:

• HIPAA/HITECH breach prevention guidelines (13402(h)(2) of P.L. 111-5)

• 45 CFR 164.312 (technical safeguards for electronic records)

This includes:

• Encryption of data at rest and in transit using current standards (e.g., AES-256, TLS 1.2+)

• Access controls (unique logins, session timeouts, role-based access)

• Audit logs for all data access and changes

• Integrity controls using hashing to verify data has not been tampered with

• Authentication processes with password standards and optional two-factor authentication

• Secure transmission using HTTPS and blocking insecure protocols

6. Breach Notification Procedures

If any unauthorized release, access, or disclosure of student information occurs:

• The Contractor will notify the affected school district within 30 days for student information breaches, or within 60 days for directory/assignment data.

• If a student’s data is involved, the Contractor will cooperate fully with the district to enable parental or student notification within the legally required timelines.

7. Subcontractor Controls

Any third-party service provider used by the Contractor (e.g., for hosting or analytics) shall be bound by written agreements to:

• Use student data only for contracted services

• Not disclose or reuse student data

• Maintain equivalent security and privacy standards

8. Contract Termination and Data Disposition

Upon contract termination, the Contractor will:

• Deactivate all district-related student accounts

• Permanently delete all personally identifiable student information unless otherwise authorized or retained by legal obligation

• Allow students to optionally maintain access to their completed educational assignments with express consent

9. FERPA and Legal Compliance

The Contractor will ensure compliance with:

• The Family Educational Rights and Privacy Act (FERPA)

• Connecticut state law governing student data privacy

• Any applicable federal privacy or data protection regulations

10. Governing Law and Amendments

This policy and any related agreements shall be governed by the laws of the State of Connecticut. This policy may be updated from time to time to remain consistent with statutory changes and industry best practices. Contracting districts will be notified of any material revisions.