Student Data Privacy and FERPA Policy
Organization: Aina Design Corp
Applies To: hawaii.mokunet.us · kuleana.ainadesign.org · huikoeaina.ainadesign.org · ainadesign.org
Version: 1.0
Effective Date: February 20, 2026
Next Review: February 20, 2027
Policy Owner: Data Governance Lead
This policy establishes how Aina Design Corp collects, uses, protects, and discloses student education records in compliance with the Family Educational Rights and Privacy Act (FERPA) and applicable Hawaii state student privacy requirements. It communicates our commitments to district partners and the families they serve.
Aina Design Corp operates as a School Official under FERPA when it processes student education records on behalf of a district. This means:
•
We access student data only to fulfill our contracted educational purpose.
•
We do not use student data for commercial purposes (advertising, resale, profiling).
•
We are subject to the same restrictions as district employees handling education records.
•
We do not re-disclose student data to third parties without district authorization.
This policy applies to all student data processed through Aina Design Corp platforms, including:
•
Student names, identifiers, and demographic information
•
Student-created work (assignments, projects, artifacts, media uploads)
•
Assessment and rubric data
•
Attendance and participation logs
•
Any other data that constitutes an “education record” under FERPA
4. Data Collection Principles
Aina Design Corp collects only the minimum student data necessary to deliver the agreed educational service. We do not:
•
Collect student behavioral data for non-educational purposes
•
Build student profiles beyond the scope of the educational project
•
Sell, rent, or license student data to any third party
•
Use student data to serve commercial advertising
5. Permitted Uses of Student Data
Student data may be used only for the following purposes:
Providing the educational platform features the district contracted for
Identifying and responding to threats to student or school safety
Anonymized, aggregate analysis to improve educational effectiveness
Responding to lawful subpoenas or government requests (with district notice where permitted)
Supporting internal and external compliance reviews
6. Student and Parent Rights Under FERPA
Districts retain full ownership of student education records. Aina Design Corp supports the exercise of FERPA rights by:
Districts can export student data upon written request
Right to request correction
Documented correction process via district admin
Right to consent to disclosure
No cross-district sharing without district authorization
Right to request disclosure log
FERPA disclosure logs available to districts upon request
7. Data Sharing and Disclosure
Student data is not disclosed outside the originating school or district except:
•
With explicit written authorization from the district
•
As required by law (e.g., court order, health/safety emergency)
•
To authorized sub-processors listed in the applicable Data Processing Agreement
All disclosures are logged per the Data Request and Disclosure Logging Procedure.
8. Sub-Processors and Third-Party Services
Aina Design Corp uses a limited number of vetted third-party services that may process student data as part of platform operations. These include:
Database and authentication infrastructure
Data Processing Agreement in place
SOC 2 certified; student data in US regions
A current sub-processor list is maintained by the Data Governance Lead and provided to districts upon request.
9. Data Security for Student Records
Student data is protected by the full set of controls described in the Information Security Policy, Access Control Policy, and Cryptography Standard, including:
•
Encryption in transit and at rest
•
Role-based access control (students access only their own data)
•
Comprehensive access logging
In the event of a data breach affecting student records, Aina Design Corp will:
1.
Notify affected districts within 72 hours of confirmed breach discovery.
2.
Provide a written description of the nature of the breach, data affected, and remediation steps.
3.
Cooperate fully with district notification obligations to families.
This policy is reviewed annually. Material changes — including changes to sub-processors or data use practices — are communicated to district partners at least 30 days before taking effect.
Questions about this policy or to submit a data request:
Data Governance Lead — Aina Design Corp
Email: privacy@ainadesign.org
Data Governance Lead: _________________________
Compliance Officer: _________________________
Date Approved: _________________________