4490: Information Security Breach and Notification
The BOCES values the protection of private information of individuals in accordance with applicable laws and regulations. Further, BOCES is required to notify affected individuals when there has been or is reasonably believed to have been a compromise of the individual’s private information in compliance with the Information Security Breach and Notification Act and Board policy.
a) “Private information” shall mean **personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
1. Social security number;
2. Driver’s license number or non-driver identification card number; or
3. Account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an
individual’s financial account.
“Private information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.
**“Personal information” shall mean any information concerning a person which, because of name, number, symbol, mark or other identifier, can be used to identify that person.
b) “Breach of the security of the system,” shall mean unauthorized acquisition or acquisition without valid authorization of computerized data which compromises the security, confidentiality, or integrity of personal information maintained by BOCES. Good faith acquisition of personal information by an employee or agent of BOCES for the purposes of BOCES is not a breach of the security of the system, provided that private information is not used or subject to unauthorized disclosure.
Determining if a Breach Has Occurred
In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or person without valid authorization, BOCES may consider the following factors, among others:
a) Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device
containing information; or
b) Indications that the information has been downloaded or copied; or
c) Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or
d) System failures.
a) For any computerized data owned or licensed by BOCES that includes private information, BOCES shall disclose any breach of the security of the system following discovery or notification of the breach to any New York State resident whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. The disclosure to affected individuals shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The BOCES shall consult with the State Office of Information Technology Services to determine the scope of the breach and restoration measures.
b) For any computerized data maintained by BOCES that includes private information which BOCES does not own, BOCES shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
The notification requirement may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation. The required notification shall be made after the law enforcement agency determines that such notification does not compromise the investigation.
Methods of Notification
The required notice shall be directly provided to the affected persons by one of the following methods:
a) Written notice;
b) Electronic notice, provided that the person to whom notice is required has expressly consented to receiving the notice in electronic form; and a log of each such
notification is kept by BOCES when notifying affected persons in electronic form. However, in no case shall BOCES require a person to consent to accepting such
notice in electronic form as a condition of establishing any business relationship or engaging in any transaction;
c) Telephone notification, provided that a log of each such notification is kept by BOCES when notifying affected persons by phone; or
d) Substitute notice, if BOCES demonstrates to the State Attorney General that the cost of providing notice would exceed $250,000, or that the affected class of subject
persons to be notified exceeds 500,000, or that BOCES does not have sufficient contact information. Substitute notice shall consist of all of the following:
1. Email notice when BOCES has an email address for the subject persons;
2. Conspicuous posting of the notice on BOCES’ website page, if BOCES maintains one; and
3. Notification to major statewide media.
Regardless of the method by which notice is provided, the notice shall include contact information for the notifying District and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired.
In the event that any New York State residents are to be notified, BOCES shall notify the New York State Attorney General (AG), the New York State Department of State and the New York State Office of Information Technology Services as to the timing, content and distribution of the notices and approximate number of affected persons.
In the event that more than five thousand (5,000) New York State residents are to be notified at one time, BOCES shall also notify consumer reporting agencies, as defined pursuant to State Technology Law Section 208, as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York State residents. A list of consumer reporting agencies shall be compiled by the State Attorney General and furnished upon request to school districts required to make a notification in accordance with State Technology Law Section 208(2), regarding notification of breach of security of the system for any computerized data owned or licensed by BOCES that includes private information.
State Technology Law Sections 202 and 208
Article 39-F (§899-aa)
Adoption Date: May 3, 2006
Completely Revised Date: July 3, 2013
Revision Date: January 7, 2015
5111: Use of TST BOCES Email
Electronic mail or email is a valuable business communication tool, and users shall use this tool in a responsible, effective and lawful manner. Every employee/authorized user has a responsibility to maintain the TST BOCES’ image and reputation, to be knowledgeable about the inherent risks associated with email usage and to avoid placing the TST BOCES at risk.
Although email seems to be less formal than other written communication, the same laws and business records requirements apply. TST BOCES employees/authorized users shall use the TST BOCES’ designated email system, for all business email, including emails in which students or student issues are involved.
All employees and authorized users shall acknowledge annually and follow the TST BOCES’ policies and regulations on acceptable use of computerized information resources, including email usage.
Classified and Confidential
District employees and authorized users may not:
a) Provide lists or information about TST BOCES employees or students to others and/or classified information without approval. Questions regarding usage and requests for such lists or information should be directed to a Principal/supervisor.
b) Forward emails with confidential, sensitive, or secure information without Principal/supervisor authorization. Additional precautions should be taken when sending documents of a confidential nature.
c) Use file names that may disclose confidential information.
d) Send or forward email with comments or statements about the TST BOCES that may negatively impact it.
Employees and authorized users may use the TST BOCES’ email system for limited personal use. However, there is no expectation of privacy in email use. Personal use should not include chain letters, junk mail, and jokes. Employees and authorized users shall not use the TST BOCES’ email programs to conduct job searches, post personal information to bulletin boards, blogs, chat groups and list services, etc. without specific permission from the Principal/supervisor. The TST BOCES’ email system shall not be used for personal gain or profit.
All email accounts on the TST BOCES’ system are the property of the TST BOCES. Personal accounts and instant messaging shall not be used to conduct official business.
Receiving Unacceptable Mail
Employees and authorized users who receive offensive, unpleasant, harassing or intimidating messages via email or instant messaging shall inform their Principal/supervisor immediately.
Archival of Email
All email sent and received to an employee’s email account should be archived by the TST BOCES for a period of no less than six (6) years. Depending on the TST BOCES’ archival system, employees may have access to view their personal archive, including deleted email. Retention of email messages and records will comply with all applicable law.
Employees/authorized users should receive regular training on the following topics:
a. The appropriate use of email with students, parents and other staff to avoid issues of harassment and/or charges of fraternization.
b) Confidentiality of emails.
c) Permanence of email: email is never truly deleted, as the data can reside in many different places and in many different forms.
d) No expectation of privacy: email use on TST BOCES’ property is NOT to be construed as private.
The District Superintendent or his/her designee may report inappropriate use of email by an employee/authorized user to the employee/authorized user’s Principal/supervisor who will take appropriate disciplinary action. Violations may result in a loss of email use, access to the technology network and/or other disciplinary action. When applicable, law enforcement agencies may be involved.
All employees/authorized users will be required to access a copy of the TST BOCES’ policies on staff and student use of computerized information resources and the regulations established in connection with those policies. Each user will acknowledge this employee/designated user agreement before establishing an account. Each user will at least annually acknowledge acceptance of the policy before continuing in his/her use of email.
A standard Confidentiality Notice will automatically be added to each email as determined by the TST BOCES.
NOTE: Refer also to Policies:
#3110 — Discrimination and Harassment Including Sexual Harassment in the BOCES
#4490 – Information Security Breach and Notification
#4570 – Records Management
#7171 – District Computer Access and Internet Safety
Adoption Date: September 4, 2013
Revision Date: October 1, 2014
5112: Staff Use of Personal/Mobile Technology
All staff who use mobile technology in the course of their job duties, including but not limited to cell phones, smart phones, flash drives, tablets, e-readers, laptop computers, scanners, printers, digital cameras, camcorders, PDAs, iPads and iPods, shall abide by this Policy which governs the use of this type of equipment. Any device that runs software or systems including, but not limited to, Palm OS, Windows, Pocket PC, Android or IOS is considered a “computer” for the purposes of this Policy. In addition, all applicable language in Policy 5111, Use of TST BOCES Email and Policy 7171, District Computer Access and Internet Safety also applies to mobile and personal technology equipment when it is used in conjunction with the District’s wireless network or in the course of the staff member’s job duties.
Access to confidential data is a privilege afforded to District staff in the performance of their duties. Safeguarding this data is a District responsibility that the Board of Education takes very seriously. Consequently, District employment does not automatically guarantee the initial or ongoing ability to use mobile/personal devices to access the DCS and the information contained therein.
Confidentiality and Private Information and Privacy Rights
Confidential and/or private data, including but not limited to, protected student records, employee personal identifying information, and District assessment data, shall only be loaded, stored or transferred to District-owned devices which have encryption and/or password protection. This restriction, designed to ensure data security, encompasses all computers and devices within the DCS, any mobile devices, including flash or key drives, and any devices that access the DCS from remote locations. Staff will not use email to transmit confidential files in order to work at home or another location. Staff will not use unapproved cloud-based storage services (such as Dropbox, GoogleDrive, SkyDrive, etc.) for confidential files.
Staff will not leave any devices unattended with confidential information visible. All devices are required to be locked down and must have a password or pin number while the staff member steps away from the device, and settings enabled to freeze and lock after a set period of inactivity.
Staff data files and electronic storage areas shall remain District property, subject to District control and inspection. The District Superintendent or his/her designee may access all such files and communications without prior notice to ensure system integrity and that users are complying with requirements of this policy and accompanying regulations. Staff should NOT expect that information stored on the DCS will be private.
Personally Owned Devices
Staff may choose to use their own personal devices to perform job-related functions, rather than the technology assigned to them by the District. If a staff member chooses to use his/her own personal technology equipment, the following guidelines will apply:
1) Personal devices connected to the DCS or wireless network must have updated and secure operating systems, and have their use segregated from District network resources. Staff must notify
Technology staff of their planned use of such a device so proper safeguards can be instituted.
2) The entire cost to acquire all personal technology equipment is the responsibility of the staff member. Services that may incur a financial cost to the District, such as phone options or other “apps” are not allowed. The District does not agree to pay such charges and staff who desire these options must assume all costs incurred for such charges.
3) Personal technology equipment is not covered by the District’s insurance if it is lost, stolen or damaged. Loss or damage to any personal technology equipment is solely the responsibility of the staff member. If lost or stolen, the loss should be reported immediately to Technology staff so appropriate action can be taken to minimize any possible risk to the DCS and the District.
4) Staff assumes complete responsibility for the maintenance of personal devices, including maintenance to conform to District standards. Staff also assumes all responsibility for problem resolution, as well as the use and maintenance of functional, up-to-date anti-virus and anti-malware software and any other protections deemed necessary by Technology staff.
5) Staff must also meet any expectations of continuity in formatting of files, etc. when making changes to documents for work purposes (i.e., do not change the format of a file so that the original file is unusable on District-owned hardware/software).
6) All personal technology equipment used on the DCS or wireless network is subject to review by the District Superintendent or his/her designee, if there is reason to suspect that the personal device is causing a problem to the DCS network, or if the staff member is suspected by a supervisor of spending excessive time at work on non-work related matters.
7) The District’s email client will not be installed on personally owned devices without prior approval of the District Superintendent or his/her designee. All access to email and personnel forms will be through employee access on the District webpage, or by accessing the wireless network or the personal data plan of the user’s device, or by accessing the guest network or personal data plan.
8) The use of personal technology equipment and/or personal Cloud storage in the course of a staff member’s professional responsibilities may result in the equipment and/or certain data maintained on it being subject to review, production and/or disclosure (i.e., in response to a FOIL request, discovery demand or subpoena). The staff is required to submit any such information or equipment, when requested.
9) It is also the responsibility of District staff using a mobile device, personal or District-owned, to ensure that all security protocols normally used in the management of District data on conventional storage infrastructure are also applied on that mobile device. All District-defined processes for storing, accessing and backing up data must be used on any device used to access the DCS.
10) Staff may access the DCS remotely if the staff member has demonstrated that his/her personal device meets the security standards set by the District.
11) Use of any mobile technology device during the school day, whether District-issued or personally owned, should not interfere with the staff member’s ability to carry out daily responsibilities.
Mobile wireless devices issued by the District will be subject to audit and inventory standards. Staff must be able to produce the device when requested by a District official. If the device is lost or damaged, it must be reported to the staff member’s supervisor immediately. If theft is suspected, law enforcement will be contacted.
Wireless Devices on District Premises
1) For security reasons, staff who use their personal device to connect to the Internet, using a District network, will only be permitted to use the District’s wireless network. Access to any other District network using a personal device is prohibited.
2) Personal devices that have the ability to offer wireless access to other devices must not be used to provide that functionality to others in any District building. The ability to connect personal devices to the District wireless network is a privilege and not a right for staff. Any staff member who violates the conditions of this regulation using his/her own device will have his/her access privileges withdrawn.
3) When personal devices are used in District facilities or on the District wireless network, the District reserves the right to:
a. Make determinations on whether specific uses of the personally owned wireless devices are consistent with the Staff Acceptable Use of Technology agreement;
b. Log network use and monitor storage disk space utilized by such users; and
c. Remove or restrict the user’s access to the network and suspend the right to use the personally owned computer in District facilities at any time, with or without cause.
Adoption Date: December 4, 2013
Revision Date: October 1, 2014
5190: Employee Personal Identifying Information
In accordance with Section 203-d of the New York State Labor Law, the District shall restrict the use and access to employee personal identifying information. As enumerated in law, “personal identifying information” shall include social security number, home address or telephone number, personal electronic mail address, Internet identification name or password, parent’s surname prior to marriage, or driver’s license number.
The District shall not unless otherwise required by law:
a) Publicly post or display an employee’s social security number;
b) Visibly print a social security number on any identification badge or card, including any time card;
c) Place a social security number in files with unrestricted access; or
d) Communicate an employee’s personal identifying information to the general public.
A social security number shall not be used as an identification number for purposes of any occupational licensing.
District staff shall have access to this policy, informing them of their rights and responsibilities in accordance with Labor Law Section 203-d. District procedures for safeguarding employee “personal identifying information” shall be evaluated; and employees who have access to such information as part of their job responsibilities shall be advised as to the restrictions on release of such information in accordance with law.
Labor Law Section 203-d
Adoption Date: June 3, 2009
5390: Data Networks and Security Access
The BOCES values the protection of private information of individuals in accordance with applicable law, regulations, and best practice. Accordingly, BOCES officials and Information Technology (IT) staff will plan, implement, and monitor IT security mechanisms, procedures, and technologies necessary to prevent improper or illegal disclosure, modification, or denial of sensitive information in the BOCES Computer System (DCS). Similarly, such IT mechanisms and procedures will also be implemented in order to safeguard BOCES technology resources, including computer hardware and software. BOCES network administrators may review BOCES computers to maintain system integrity and to ensure that individuals are using the system responsibly. Users should not expect that anything stored on school computers or networks will be private.
In order to achieve the objectives of this policy, the Board of Education entrusts the Superintendent, or his/her designee, to:
a. Inventory and classify personal, private, and sensitive Information on the DCS to protect the confidentiality, integrity, and availability of information;
b. Develop password standards for all users including, but not limited to, how to create passwords and how often such passwords should be changed by users to ensure security of the DCS;
c. Ensure that the “audit trail” function is enabled within the BOCES’ network operating system, including but not limited to all file and data servers, which will allow the BOCES to determine on a constant basis who is accessing the DCS, and establish procedures for periodically reviewing such audit trails;
d. Develop procedures to control physical access to computer facilities, data rooms, systems, networks, and data to only authorized individuals; such procedures may include ensuring that server rooms remain locked at all times and the recording of arrival and departure dates and times of employees and visitors to and from the server room;
e. Establish procedures for tagging new purchases as they occur, relocating assets, updating the inventory list, performing periodic physical inventories, and investigating any differences in an effort to prevent unauthorized and/or malicious access to these assets;
f. Periodically grant, change, and terminate user access rights to the overall networked computer system and to specific software applications and ensure that users are given access based on, and necessary for, their job duties;
g. Limit user access to the vendor master file, which contains a list of vendors from which BOCES employees are permitted to purchase goods and services, to only the individual who is responsible for making changes to such list, and ensure that all former employees’ access rights to the vendor master list are promptly removed;
h. Verify that laptop computer systems assigned to teachers and administrators use appropriate security software to ensure the integrity of sensitive data;
i. Deploy software to servers and workstations to identify and eradicate malicious software attacks such as viruses and malware;
j. Develop a comprehensive data/network security plan, including but not limited to cybersecurity, to ensure continuous security awareness throughout the DCS;
k. Develop a disaster recovery plan appropriate for the size and complexity of BOCES IT operations to ensure continuous critical IT services in the event of any sudden, catastrophic event, including, but not limited to fire, computer virus or deliberate or inadvertent employee action.
6270: Student Use of Personal Technology
The Board of Education seeks to maintain a safe and secure environment for students and staff. Advances in technology have made it possible to expand the learning environment beyond traditional classroom boundaries. Using personal electronic devices during instructional time can enable students to explore new concepts, personalize their learning experience and expand their global learning opportunities. Additionally, the use of personal technology devices is ubiquitous in today’s society and standards for student use during non-instructional time should adapt to this change. This policy defines the use of personal technology during instructional and non-instructional times and reinforces the standard that all use, regardless of its purpose, must follow the guidelines outlined in the Student Acceptable Use Policy (AUP), the District’s Code of Conduct, and the Dignity for All Students Act.
Personal technology includes all existing and emerging technology devices that can take photographs; record or play audio or video; input text; upload and download media; connect to or receive information from the internet; and transmit or receive messages, telephone calls or images. Examples of personal technology includes, but are not limited to, iPods and MP3 players; iPad, Nook, Kindle, and other tablet PCs; laptop and netbook computers; personal digital assistants (PDAs), cell phones and smart phones such as BlackBerry, iPhone, or Droid, as well as any device with similar capabilities. Unacceptable devices shall include, but are not limited to, gaming devices or consoles, laser pointers,
modems, and televisions. It is prohibited to use a personal cell phone as a router or tethering device.
Instructional purposes include, but are not limited to, approved classroom activities, research, college admissions activities, career development, communication with experts, homework and other activities as deemed appropriate by school staff. Personal technology use by students is permitted during the school day for educational purposes and/or in approved locations only. Teachers will indicate when and if classroom use is acceptable. Students are expected to act responsibly and thoughtfully when using technology resources. Students bear the burden of responsibility to inquire with school administrators and/or teachers when they are unsure of the permissibility of a particular use of technology prior to engaging in such use.
Appropriate use of personal technology during non-instructional time is also allowed if students follow the guidelines in the AUP and Code of Conduct. Non-instructional use includes texting, calling and otherwise communicating with others during free periods and in common areas of the school building such as the hallways, cafeteria, study halls, buses and student lounges. Other non- instructional uses may include such things as Internet searches, reading, listening to music, and watching videos. This use during non-instructional time must be conducted in a safe and unobtrusive manner. Devices must be in silent mode to avoid disrupting others.
The District shall not be liable for the loss, damage, misuse, or theft of any personal technology brought to School. The District reserves the right to monitor, inspect, and/or confiscate personal technology when administration has reasonable suspicion to believe that a violation of school policy or criminal law has occurred.
The Board expressly prohibits use of personal technology in locker rooms, restrooms, Health Offices and any other areas where a person would reasonably expect some degree of personal privacy.
Prohibition during State Assessments
All students are prohibited from bringing electronic devices into a classroom or other location where a New York State assessment is being administrated. Test proctors, test monitors and school officials shall have the right to collect prohibited electronic devices prior to the start of the test and hold them while the test is being administered, including break periods. Admission to any assessment will be denied to any student who refuses to relinquish a prohibited device.
Students with disabilities may use certain devices if the device is specified in that student’s IEP or 504 plan or a student has provided medical documentation that they require the device during testing.
Students will not be permitted to use personal technology devices in school or at school functions until they have reviewed the AUP, the applicable sections of the Code of Conduct and associated technology guidelines, and signed the Student Use of Personal Technology (#7000F) Permission Form with their parents. The District reserves the right to restrict student use of District-owned technologies and personal technology on school property or at school-sponsored events, at the discretion of the administration.
Students must follow the guidelines for use set out in the District Code of Conduct and the Acceptable Use Policy at all times. Consequences for misuse will follow guidelines in the District’s Code of Conduct. The District will develop regulations for the implementation of this policy that shall include, but are not limited to, instructional use, non-instructional use, liability, bullying and cyberbullying, and privacy issues.
NOTE: Refer also to Policies #6260 – Bullying: Peer Abuse in the Schools
#6441 — Dignity for All Students Act
#7171 – District Computer Access and Internet Safety
Adoption Date: September 4, 2013
7171: District Computer Access and Internet Safety
Internet access will be provided to the students and staff of BOCES in accordance with the terms of this policy. Internet access through the District’s computer system (“DCS” hereafter) consisting of software, hardware, computer networks and electronic communications systems is reserved solely for educational purposes. Access to the Internet will be under the direction and supervision of the staff assigned to areas with Internet access capabilities. The Tompkins-Seneca-Tioga BOCES reserves the right to view all data files and monitor all Internet activity including transmission and receipt of e-mail. Any violations of this policy will be treated in a manner commensurate with all other student/staff policies.
In addition to penalties set forth in appropriate staff/student discipline codes, a violation of this District Computer System (DCS) Policy may also result in loss of Internet privileges and/or disciplinary action. When applicable, law enforcement agencies may be involved.
BOCES does not guarantee or imply that access to the DCS will always be available when students/staff want to access it or that the software provided by the district will always work as intended. BOCES is not responsible for failures in the operation or technical functioning of the DCS.
If BOCES acts in the capacity of an Internet Service Provider (ISP) for a component school district or other approved “clients”, the client must have an approved Internet Access Policy in place for its organization.
The District Superintendent or his/her designee may access all such files and communications without prior notice to ensure system integrity and that users are complying with the requirements of this policy and accompanying regulations.
Individuals gaining access to the Internet from any access point within the DCS must follow the following guidelines:
Access to the Internet from BOCES’ DCS and facilities must be for educational (curricular related) and/or work related purposes. BOCES cannot be responsible for the accuracy and appropriateness of content on the Internet and all users are cautioned to navigate through the Internet in an intelligent, informed, and critical manner.
Examples of prohibited practices include, but are not limited to: any access, transmission, or retransmission of any information containing pornographic material, material which promotes the destruction of property, promotes violence or hatred against particular individuals or groups of individuals, or advocates or promotes the superiority of one racial group over another.
Users may not use or possess illegal software. Illegal software is defined as any software in possession of a user without the appropriate registration of the software, including the payment of any fees owning to the owner of the software.
Users may not transmit credit card or other personal information for anyone other than themselves or a client, from any access point within the DCS. Users may not transmit e-mail through an anonymous re-mailer.
Users may not commit or attempt to commit any willful act involving the use of the DCS which disrupts the operation of the DCS or any network connected to the Internet including the use or attempted use (or possession) of computer viruses.
Users may not violate any other aspect of the Tompkins-Seneca-Tioga BOCES policy and/or regulations, as well as local, state or federal laws or regulations.
Any website or webpage containing content created by an employee or TST student which promotes itself as an official or semi-official TST website or offshoot thereof must have the approval of the Superintendent or his/her designee.
A version of this policy will be handed out to student internet users, at the start of classes. Staff will be given a version of this policy at the start of employment. All Staff will be required to at least annually acknowledge acceptance of this policy.
*Option B: “Passive Consent” (Opt-out) Student access to the DCS will automatically be provided unless the parent has submitted written notification to the BOCES that such access not be permitted. Procedures will be established to define the process by which parents may submit a written request to deny or rescind student use of the DCS in accordance with law, Commissioner’s Regulations and/or BOCES policies and procedures.
Internet Content Filtering
The BOCES, in accordance with the provisions of the Children’s Internet Protection Act, requires all BOCES computers with Internet access that are available to students and staff to be equipped with filtering or blocking technology. Once this filtering/blocking technology is in place, newly acquired computers with Internet access used by students and staff must be linked to this technology.
Proper supervision must be provided while accessing the Internet to further ensure appropriate usage. Under certain supervised circumstances, authorized personnel may override the filtering/blocking technology for a limited, prescribed period of time to assist students and staff with special projects or research. If the District Superintendent deems it necessary the District Superintendent shall develop guidelines to implement this component of the policy.
The District is not responsible for inappropriate content or material accessed via a student’s own personal technology or electronic device or via an unfiltered internet connection received through a student’s own personal technology or electronic device.
The appropriate/acceptable use of standards outlined in this policy apply to student use of technology via the District Computer Access and Internet Safety or any other electronic media, including a student’s own personal technology or electronic device on school grounds or at school events.
a. The District will provide for the education of students regarding appropriate online behavior including interacting with other individuals on social networking Web sites and in chat rooms, and regarding cyberbullying awareness and response. Under the Protecting Children in the 21st Century act, students will also be educated on appropriate interactions with other individuals on social networking Web sites and in chat rooms, as well as cyberbullying awareness and response.
b. Ensuring the presence of a teacher and/or other appropriate District personnel when students are accessing the Internet including, but not
limited to, the supervision of minors when using electronic mail, chat rooms, instant messaging and other forms of direct electronic communications. As determined by the appropriate building administrator, the use of e-mail, chat rooms, as well as social networking Web sites, may be blocked as deemed necessary to ensure the safety of such students.
17 United States Code (U.S.C.)
Section 1701 et seq.
47 United States Code (U.S.C.)
Section 254(h)(5) and (6) and 254 (l)
47 Code of Federal Regulations (CFR) Part 54
Education Law Section 814
Adoption Date: December 4, 1996
Revision Date: June 2, 2005
Revision Date: January 3, 2007
Revision Date: November 4, 2009
Revision Date: July 7, 2010
Revision Date: June 1, 2011
Revision Date: January 4, 2012
Revision Date: March 7, 2012
Revision Date: August 7, 2013
Revision Date: October 1, 2014
7172: Social Media and Digital Communications
The Tompkins-Seneca-Tioga BOCES recognizes the value of using social networking and media sharing sites. These sites allow for effective communication and engagement with parents teachers, students, and other stakeholders alike. Many of these sites are designed for commercial, non-educational use and therefore warrant caution in their utilization by a school district. It is the intent of TST BOCES to use Social Networking as a means of one-way (messaging) communication between parents, students and stakeholders. Social Media sharing sites are intended to be used to share media with parents, students and stakeholders. This procedure is intended to outline the necessary rules and guidance for the use of social networking and media sharing sites. This policy applies to situations where a person is acting as an employee of TST BOCES while using any part of the District’s Computer System (“DCS” hereafter) consisting of software, hardware, computer networks and electronic communications systems in accordance with Policy #7171 – District Computer Access and Internet Safety.
- Social Networking — Users create individual sites that allow for a customized profile which in turn are then linked to other users based on shared characteristics and interests. These sites then create a network of users to foster social contact either based on professional or personal interests. Examples of these sites include, but are not limited to: Facebook, MySpace, Linkedln, Google+, Twitter.
- Microblog — an online space where authors create communities to share information, ideas, personal messages, and other content
- Listserv, newsgroup – An email exchange where messages are broadcast to every member of a group at once.
- Forum – A web-based place where users post their comments or opinions on topics. Users may comment on or respond to previous posts. Readers can read and/or respond to all prior posts
- Chatroom – An internet space where groups of people meet for live conversations via typed messages.
- Text message – an exchange, usually one-to-one, of communication typically typed into a smartphone or hand-held device.
- All laws and TST BOCES’ policies/procedures must be adhered to in regard to privacy.
- All employees who wish to utilize a social network and/or media sharing site must:
- Get approval from the department administrator to determine the adherence to policies, procedures, and the TST BOCES mission statement;
- Register for the site using a TST BOCES email address;
- Allow administrators access to the sites via their user email address upon request. This may be done in order to review or edit content of the site and/or reset the password for the site;
- Understand the fact that all content posted on these sites may be subject to FOIL and eDiscovery requests. Users must understand that content posted on the web may be very difficult to remove once published;
- Receive training on the proper setup and use of the intended site prior to creation. This training will be assigned by the employee’s or department’s supervisor, and;
- Take full responsibility and liability for any and all content posted on the site.
- The following communications may not be included in the Users social network or media sharing site:
- Defamatory or discriminatory statements and images;
- Infringed upon intellectual property, such as copyright ownership;
- Illegal items and activities;
- Proprietary information of the TST BOCES and/or TST BOCES’ vendors;
- Child pornography, sexual exploitation, bullying/cyberbullying;
- Confidential, personally identifiable, and sensitive school district information about students, employees, and guests;
- Links to entities whose primary purpose is commercial or political advertising.
- Staff sites that violate the law, do not align with the TST BOCES educational mission, do not align with this policy/procedure, disrupt the educational process, or hinder the integrity of the TST BOCES will be removed upon request of administration and may result in disciplinary action;
- Pictures, audio, or videos of current, former or future students may not be used unless a signed opt-in agreement for publishing has been completed;
- The following student information is generally acceptable to include, if parent(s) have given permission/consent to use it on the TST BOCES release form:
- Elementary Students — student’s picture or work with first name;
- Secondary Students — Student’s picture or work with first name and last name and;
- No other personal information about students may be allowed.
District Sanctioned vs. Personal Accounts
- Do not “friend”, “follow” or otherwise interact with students from your personal social media accounts. Permission is granted for TST BOCES authorized professional accounts as long as the regulations listed above are adhered to.
- Staff must avoid posting student information, pictures, work-product exemplars on personal social media sites, blogs etc. Current parental consents apply only to TST BOCES-sanctioned sites.
- Staff who have identified themselves as associated with the TST BOCES should use the following disclaimer on personal social media sites, including blogs, “The views on this site are my own and do not necessarily represent the views, opinions or strategies of TST BOCES.”
- Even with the most stringent privacy settings, when posting online comments that are related to school, students, families or the district, even in a personal capacity, staff should act as if all comments/posting are in the public domain.
- Personal and Private accounts may be subject to FOIL and eDiscovery requests if used for posting/receiving items related to school matters. This also applies to personal/private email.
Staff will be given a version of this policy at the start of employment. All staff will be required to at least annually acknowledge acceptance of this policy.
Use caution when posting any comment and/or images to the internet that may reflect negatively on our professional images. Be advised that failure to adhere to these guidelines may result in disciplinary action.
NOTE: Refer also to Policies:
Policy 2261 – Solicitation of Charitable Contributions and Fund Raisers from Students
Policy 2410 – Maintenance of Public Order and the Prohibition of Harassment
Policy 3110 – Non-Discrimination and Anti-Harassment in the School District
Policy 5110 – Code of Ethics for All BOCES Personnel
Policy 5120 – Sexual Harassment (Personnel)
Policy 6270 – Student Use of Personal Technology
Policy 6320 – Student Records: Access and Information Disclosure
Policy 6430 – Child Abuse and Neglect
Policy 6441 – Dignity for all Students Act
Policy 7171 -District Computer Access and Internet Safety
Policy 7230 – Use of Copyrighted Materials
Adopted: March 2, 2016