Privacy is Paramount

ScholarChip takes privacy very seriously

Depending on the services ScholarChip provides, we gather identification data every day about students, teachers, visitors, vendors, or anyone who goes into a school building, in schools and universities across the country.

The Federal Information Security Management Act (FISMA), which is part of the Electronic Government Act of 2002, defines a comprehensive framework to protect information, operations and assets against natural or man-made threats. These guidelines help administrators navigate data security issues, such as keeping student data private. ScholarChip is dedicated to following these important guidelines, as well as many other data security rules, to keep your information private and safe.

Type of Data Collected

Student data is personal information gathered that includes name, address, names of parents or guardians, date of birth, grades, attendance, disciplinary records, eligibility for lunch programs, special needs, and other information necessary for basic administration and instruction.

Teacher data includes name, address, phone number(s), in-case-of-emergency contacts, etc.; volunteer or visitor data is scanned from a driver’s license and saved in a school’s database.

Why We Gather Data

ScholarChip is the largest provider of smart ID cards for K12; these cards are the key to the services ScholarChip provides, like building, classroom, event, and bus attendance; secure door access; visitor management services; cafeteria POS; and even behavior and discipline tracking. These cards are coded with a unique ID number that is assigned to one individual; they are inherently secure because they provide an encrypted digital identity. It’s the back-end computer that maintains all the information on that person.

The data we gather provides access to over 100 reports when a school has full program implementation. These reports, based on the materials we gather, provide identifiable, actionable information for school districts. The detail captured helps keep schools safer, and provides a host of information that can be analyzed and used to improve student performance as well as administrative effectiveness.

Sharing the Data

We never sell our data. We do not deliver advertisements to any of our users. We sometimes share information for marketing purposes, but only school-wide trends, and only with prior written authority from the school district(s) being cited and/or the person(s) being quoted.

Personally identifiable information from the data collected may be disclosed in the following situations: (a) in response to a subpoena, court order or legal process, to the extent permitted and required by law; (b) to protect user security or the security of other persons, consistent with applicable laws; or (c) in connection with a sale, joint venture or other transfer of some or all of the assets of ScholarChip.

We exercise reasonable care to not share or disclose the names of users or any personally identifiable information with third parties, except with the prior approval of the user. We may disclose personally-identifying information when we believe in good faith that the law requires it.

Serious Security

Our servers, databases, backups and firewall technologies protect the information provided to us. All data resides in a tightly controlled, highly secure area, and is not stored on, or accessible via, the Internet.

In addition to its K12 services, ScholarChip provides high speed financial services to 1.8 million post-secondary students attending 490 colleges and universities. ScholarChip’s K12 system and higher education financial services share the same database infrastructure, with data security certifications that are the most stringent. These standards are verified by quarterly, independent, third-party testing.

All electronic communication is encrypted or sent via a private link to approved recipients. ScholarChip uses industry-standard hardware and software in combination with authentication and certification by third parties, and we encrypt all sensitive information and financial data.

ScholarChip uses the following standards:

PCI-DSS (Payment Card Industry Data Security Standard) – a comprehensive standard designed by the payment card brands (VISA, Mastercard, etc.) to help organizations proactively protect customer account data. The PCI standard includes requirements for secure network architecture, software design, policies, procedures and other critical protective measures. By providing a secure infrastructure, ScholarChip protects school districts from the costs associated with a data breach.

SSAE16 (Statement on Standards for Attestation Engagements 16) – a financial systems auditing standard published by the AICPA (American Institute of CPAs) which validates the effectiveness of an organization’s processes and controls. Companies provide a detailed description of their rules and objectives to an independent assessor, who then verifies whether they were suitably designed, placed in operation as described, and functioning effectively over an extended period of time (usually one year).

FISMA – an information systems standard originally designed for use by federal agencies. The requirements, outlined in NIST (National Institute of Standards and Technology) Special Publication 800-53, consist of 18 families of technical, development and management controls, and include a dual focus on protecting both information security and privacy. Systems are categorized according to assessed risks, and then a set of baseline controls is selected from SP 800-53 to provide the appropriate level of protection.

NIST SP 800-171 – a standard closely related to FISMA but designed for the protection of data in nonfederal information systems. This standard includes the critical components of NIST 800-53 without imposing unnecessary formal procedures that may be too restrictive for nonfederal organizations.

These certifications provide a high level of security for student data against various types of risks such as:
  • Theft by electronic means (hacking).
  • Accidental disclosure due to improper activities, intentional or otherwise, by those with access to the data.
  • Faulty business processes that can result in accidental release of student data.
  • Improper use of student data for purposes other than those designated by the school.

In addition to FERPA (Family Educational Rights and Privacy Act), the ScholarChip system natively complies with all major federal and financial industry mandates including GLBA (Financial Services Modernization Act of 1999), COPPA (The Children’s Online Privacy Protection Act of 1998), CIPA (The Children’s Internet Protection Act) and CIPA-2.

Coherent Control / Software Change Management

Because ScholarChip works with thousands of schools, the company maintains a production version of all management and reporting site software, as well as several development and training versions to allow schools to preview upcoming developments prior to rollout.

On boot-up the device queries for any changes in its software version and downloads the new version automatically if necessary. It is possible to both advance to new versions and return to older versions as the need arises. The version numbers are available to the users of the management site as read-only. Each version has a description of changes enacted from previous versions.

Data Retention

Since the records are contained in one location rather than at hundreds of schools, record retention policies can be easily enacted and archived records storage can be made and maintained on an ongoing basis.

As a rule, ScholarChip retains records for a reasonable period of time post-high school graduation unless directed by a school district or they are otherwise no longer needed. Records can be exported in any industry standard format for separate retention as well.

Attendance data collection and reporting for close to a half-million students on a daily basis requires an advanced and vigorous system. ScholarChip’s approach is to provide schools with the most robust, yet simple to use devices to collect data, and then to provide all services in a single central location where skilled developers and technicians can maintain a close watch over system operations.

ScholarChip houses all advanced database servers, application servers, report servers and document generation and storage servers in a single sophisticated data center, with backup power, local generator and multiple high-speed fiber connections to the net. None of these innovative and maintenance-heavy systems reside in any school building.

Merger and Acquisition Policy

All access to computer networks, including remote access, is granted to employees on a case-by-case basis, according to business needs. ScholarChip also requires that all contracted partners and third parties adhere to its Privacy Policy guidelines.

Data Access Policy

ScholarChip’s Management Portal serves data to all users at the appropriate level. Teachers have access only to their classroom data; school administrators have access only to their school’s data; central office or district administrative personnel have access to all data. Parents and/or students have the ability to access their own private information and make updates, corrections, or changes to their individual record.