AI, EdTech Compliance & Data Protection
Summit operates a secure, ethical, and student-centered digital ecosystem. We align with FERPA, COPPA, PPRA, and GDPR principles; we uphold rigorous academic integrity and testing security; and we keep humans in the loop for all consequential decisions.
Purpose & Scope
This policy unifies how Summit selects technology, protects records, governs responsible AI, and secures testing. Accordingly, it applies to students, staff, contractors, and approved vendors across instruction, assessment, counseling, and operations. When another authority imposes stricter rules, we adopt the higher standard to preserve access, safety, and integrity.
Governance & Accountability
Policy owner. The Principal chairs the Technology & Compliance Review. The Registrar manages academic records; the Counselor monitors integrity; the Technology Lead administers platforms and access.
Risk review & DPIA. Before we adopt or materially change a tool, we evaluate educational purpose, data flows, access scope, and exit plans; when warranted, we complete a Data Protection Impact Assessment. Consequently, approvals include controls and monitoring points.
Change control. We version policies, document exceptions with compensating controls, and schedule periodic audits; therefore, improvements stay continuous and traceable.
Legal & Standards Alignment
FERPA. We treat education records as confidential; parents and eligible students may inspect and request amendment. We disclose only under consent or a FERPA exception, and we log directory information choices.
COPPA & PPRA. For children under 13, we obtain verifiable parent consent where required. For protected survey topics, we provide notice and opt-out opportunities.
GDPR principles. For international families, we apply lawful basis, data minimization, purpose limitation, accuracy, and rights of access, rectification, erasure, restriction, portability, and objection when applicable.
Accessibility. We select tools that support WCAG-aligned features and reasonable accommodations under Section 504/ADA; thus, students can participate fully.
Vendor Vetting & Contracts
Approval criteria. We review privacy notices, data-processing terms, encryption posture, access controls, uptime SLAs, support, and deletion commitments. We prefer vendors with independent controls assurance; however, we verify safeguards even when certifications are present.
Data Processing Agreements. Contracts define permitted purposes, sub processor transparency, incident notice, cooperation on rights requests, and end of contract deletion or return. We maintain an internal Approved Tools List to prevent shadow IT.
Data Categories & Minimization
Limited collection. We collect only what instruction, advising, assessment, and reporting require. We avoid unnecessary identifiers and remove sensitive elements from training or analytics datasets.
Student work & IP. Students own their original academic work; the school holds a limited license to use it for instruction, assessment, accreditation, and compliance, with attribution and minimal exposure.
Security Controls
Identity & access. We enforce role-based access and multi factor authentication for administrative roles. We use ClassLink and Microsoft 365 for SSO and audit logs. Shared accounts are not permitted.
Encryption & storage. We require TLS 1.2+ in transit and vendor level encryption at rest. Public links remain disabled for academic records; exports are restricted to school accounts with time bound access.
Backups & continuity. We perform routine backups, test restores each term, and maintain RTO/RPO targets. When outages occur, teachers switch to a documented low tech plan and extend deadlines as needed.
Responsible AI in Teaching & Operations
Purpose & human oversight. We use AI to support brainstorming, language practice, accessibility, and workflow efficiency; however, teachers and staff make all consequential judgments about grading, placement, or discipline.
Privacy by default. We do not allow student education record data to train public models. By default, we disable provider training on student inputs. If a tool requires opt-in, we present a clear notice and a no-penalty alternative.
Fairness & limitations. Staff receive guidance on bias, hallucinations, and prompt risks. Accordingly, significant AI assisted outputs require human review before they influence instruction or records.
Disclosure & provenance. Students identify AI assistance when used and follow citation norms. We treat “AI detection scores” as unreliable on their own; therefore, we evaluate drafts, process notes, and oral checks instead.
Assessment Integrity & Authorship
We design assessments that value process and demonstrate mastery. Teachers use version history, annotated feedback, short oral defenses, and problem-solving interviews. If authorship is uncertain, instructors may require a supervised re-assessment. The Handbook specifies consequences and appeals; records are retained narrowly and for limited periods.
Secure Testing & Proctoring
Identity & environment. Students join live on Zoom Pro with their school account and present photo ID on request. Cameras remain on; microphones stay available; proctors may request a brief 360° scan. Only approved materials remain at the desk.
Digital controls. During digital exams, students share their screen when instructed and close unapproved apps and tabs. A lockdown utility may be used with advance notice and a practice check. Smart watches and phones remain off and out of reach.
Timing & submissions. Proctors manage timing and record section start/stop. Unscheduled breaks end the section unless accommodations apply. Students submit in Microsoft 365; version history and timestamps remain intact. Paper work is scanned immediately to preserve chain-of-custody.
Proctoring standards. Proctors monitor cameras and screens, log anomalies, and, when feasible, differ from the course instructor. We do not store biometric identifiers. We retain proctor notes, attendance, and timing records according to our retention schedule.
External alignment. When an external program governs an exam, we follow its current manuals, device rules, accommodations letters, and incident reporting. If external rules are stricter, the higher standard applies.
Privacy Rights & Consent
Access & amendment. Parents and eligible students may inspect records and request corrections under FERPA. We verify identity before fulfilling requests and respond within required timelines.
Consent. Where COPPA applies, we obtain verifiable parent consent. For international families, we address GDPR rights requests when applicable and document our legal basis for processing.
Directory preferences. Families may set or update directory information preferences; the Registrar records selections promptly.
International Data Transfers
When data moves across borders, we use appropriate safeguards, including standard contractual clauses and vendor commitments on sub-processors and deletion. We keep records of transfer assessments and update them when providers change their hosting or sub-processor lists.
Retention & Deletion
Transcripts. Retained permanently by the Registrar.
Assessment artifacts & logs. Retained only as long as needed for instruction, verification, integrity reviews, or compliance; then securely deleted.
Vendor-hosted data. Deleted at contract end or upon verified request, subject to lawful retention obligations; vendors provide certificates of destruction on request.
Incident Response
We triage and contain incidents immediately, notify leadership, preserve logs, and assess scope. We reset credentials when necessary, close exploited gaps, and document corrective actions. When law or contract requires notice, we inform affected parties and authorities within required timeframes and provide support guidance.
Accessibility & Equity
We provide reasonable accommodations under Section 504/ADA, support language access on request (English, Spanish, French, German, Chinese), and monitor the digital environment for barriers. Consequently, students can participate fully regardless of disability or language background.
Transparency, Training & Reviews
We publish this policy, train staff annually on privacy, security, accessibility, and AI ethics, and post version dates. Each summer, we review metrics uptime, incidents, privacy requests, assessment integrity and update our risk register. Subsequently, we adjust the Technology Plan and communicate material changes.
Contacts & Related Policies
Registrar & Records
Registrar - transcripts, enrollment verification, official records.
Data Protection & Rights
Data Protection & Rights - privacy practices and data requests.
Non-Discrimination
Policy - protections, reporting, and equal access.
Title IX & Civil Rights
Compliance - procedures, reporting, and contacts.
Student & Parent Handbook
Handbook - policies, academics, community standards.