Positive Learning’s mission is to help improve educational outcomes for English Language Learners. We are constantly innovating in order to improve the lives of children, and we recognize our moral and legal responsibility to protect student privacy and ensure data security.
This policy outlines Positive Learning’s compliance with federal privacy laws and details our data stewardship and security practices.
The primary users of the Positive Learning system are youth. The Children’s Online Privacy Protection Act (COPPA) protects children under the age of 13. School officials and teachers are authorized under COPPA to provide consent on behalf of parents; therefore, Positive Learning does not obtain parental consent directly. A teacher or school district official provides consent for a child under the age of 13 to use the Positive Learning system when they create a Positive Learning account for that child.
For more information about COPPA, you may visit OnGuard Online.
The Family Educational Rights and Privacy Act (FERPA) provides parameters for what is permissible when sharing student information. Positive Learning is authorized by schools and districts under the FERPA “school official” exception to receive and use educational data to provide educational services. This data has significant educational value; apart from enabling the creation of accounts with which students access their primers and assessments, the data allows teachers and administrators to track student language growth and identify students who need intervention. This information is used only for academic purposes. We do not collect data for collection’s sake, and access is limited and appropriate. See Data Stewardship for more information about how we use and protect data we collect.
This section provides information about Positive Learning data stewardship practices and explains how we collect, use, and maintain student personal information.
Once an account is created, Positive Learning begins to collect information about students. Some of the data stored is personally identifiable information (PII).
The following is a list of data fields that are populated to create a student account.
- First name
- Last name
- Student number
- Student username
- Student course and schedule information
- Student ELP/ELD level
- Organization number
As students use Positive Learning, additional data is collected, including assessment scores and student responses to assessment questions. Positive Learning also collects some personal information about teachers and administrators when a school or district creates accounts. This data potentially includes first and last name, e-mail address, and school or district name.
Data we collect is used to provide educational services. Positive Learning tracks and assesses a student’s development as they progress through the curriculum. This data is used to generate reports that allow teachers to evaluate student progress, identify students who need intervention, and discover students that can be taught together as a group. Positive Learning does not sell student personal information, nor do we use or disclose the student information we collect for behavioral targeting of advertisements to students. We retain some de-identified data (data we have made anonymous by removing all personally identifiable information) to conduct statistical research. This research helps us evaluate the effectiveness of the Positive Learning system and improve our product.
Data disclosure and access
Positive Learning acknowledges the right parents and legal guardians have under FERPA to review any educational data we collect pertaining to their children. Upon request, and after verifying identity, we will provide parents and legal guardians access to this data within 45 days. However, we recommend that parents first contact their child’s school. PII data collected by Positive Learning is accessible only to a limited number of Positive Learning employees who need the data to perform their job.
Data retention and management
Data maintained by Positive Learning is protected in a secure environment. See Security Overview for more information about Positive Learning security practices. All PII provided to Positive Learning will be destroyed upon termination of our relationship with the school or district, or when it is no longer needed for the purpose for which it was provided.
Positive Learning employs United States Office of Education best practice recommendations for data destruction.
Positive Learning uses these processes for data destruction:
- Data is destroyed within 90 days of termination of a relationship with a school or district.
- Data is destroyed using National Institute of Standards and Technology (NIST) guidelines for media sanitization that protects against non-invasive data recovery techniques.
- Sensitive data will not be disposed of using methods (e.g., file deletion, disk formatting, and one-way encryption) that leave the majority of data intact and vulnerable to being retrieved.
- The individual who performs the data destruction signs a certification form describing the destruction.
- Occasionally, non-electronic media used within Positive Learning may contain PII. When these documents are no longer required, the non-electronic media is destroyed in a secure manner (most typically using a shredder) that renders it safe for disposal or recycling.
At Positive Learning, we are serious about our data stewardship responsibilities. We have implemented several security measures to protect PII from unauthorized disclosure.
Positive Learning has implemented privacy and security practices which are compliant with FERPA and COPPA; however, to achieve comprehensive protection of student PII, it is necessary for each school or district to use secure practices as well.
Data is encrypted in transit and at rest.
Secure File Transfer
Data is securely transferred to the Positive Learning system using Secure File Transfer Protocol (SFTP), encrypted with the SSH cryptographic network protocol.
Anti-virus software and firewalls are installed and configured to scan our system. The firewall is periodically updated and configured so users cannot disable the scans.
Positive Learning conducts security audits and code reviews, both by outside providers and by executive summary.
Secure programming practices
Positive Learning software developers are aware of secure programming practices and strive to avoid introducing errors in our application that could lead to security breaches.
Each user of Positive Learning is required to create an account with a unique account name and password. Single Sign-On (SSO) users are authenticated with secure tokens.
Positive Learning is located inside the continental United States. Physical access is protected by electronic access devices, with monitored security and fire/smoke alarm systems.
Employee compliance with security procedures
Positive Learning has designated a chief security officer to oversee employee security training and compliance. The chief security officer also oversees the storage and destruction of sensitive data.
Changes to our privacy policies
Positive Learning periodically reviews the processes and procedures described in this document to verify that we act in compliance with this policy. If we determine that a change is necessary to improve our privacy practices, we may amend this policy. Changes will be posted 30 days prior to their implementation.
June 1, 2017
Policy last updated: December 11, 2017
If you have questions or concerns about Positive Learning privacy practices, you may send an email to firstname.lastname@example.org.