Student InformationMackin uses Student Information for the sole purpose of providing user access to and operation of MackinVIA™. Student Information shall mean personally identifiable information of a student and their “education records” as defined in the Family Educational Rights and Privacy Act (FERPA) 20 U.S.C. § 1232g and Personally Identifiable Information as defined in the Children’s Online Privacy Protection Act of 1998 (COPPA) 15 U.S.C. § 6501-6506. Student Information shall not include anonymous information which does not enable identification of an individual student, or de-identified information for which all personally identifiable information has been removed and an individual student is not identifiable.
Student Privacy PledgeMackin is a proud signatory of the Student Privacy Pledge, sponsored by The Future of Privacy Forum (FPF) and Software & Information Industry Association (SIIA). As a signatory, Mackin reaffirms its commitment to “safeguard student privacy regarding the collection, maintenance, and use of student personal information.” It joins several other K-12 education technology companies that also share the same concerns and responsibilities.
The Student Privacy Pledge signees are held accountable to:
- Not sell student information
- Not behaviorally target advertising
- Use data for authorized education purposes only
- Not change privacy policies without notice or choice
- Enforce strict limits on data retention
- Support parental access to, and correction of errors in, their children’s information
- Provide comprehensive security standards
- Be transparent about collection and use of data
COPPA ComplianceMackin complies with the provisions of the Children’s Online Privacy Protection Act (COPPA). COPPA imposes restrictions on how websites collect information from children 13 and under. The key goals of COPPA are to place parents in control over what information is collected from their children online and to protect children while recognizing the dynamic nature of the Internet. Students are never required to enter first names, last names, or email addresses when creating personal accounts in MackinVIA. A username and password are the minimum requirements. Mackin may collect the following types of personal information from administrators for the purpose of creating user accounts: first name, middle name, last name, username, student number, password, school, grade, email, graduation year, access level, and user role. The decision to include data beyond username and password is at the discretion of administrators. Information collected is used for the sole purpose of providing access to and usage of the MackinVIA system. Mackin will not require children to disclose more information than is reasonably necessary to participate in an activity as a condition of participation in the MackinVIA system. Parents can review their children’s personal information, ask to have it deleted, and/or refuse to allow Mackin any further collection or use of their children’s information by directing their request in writing to: Mackin Educational Resources 3505 County Road 42 West Burnsville, MN 55306
FERPA ComplianceMackin takes numerous measures to maintain the security and confidentiality of all student records and comply with requirements of the Family Educational Record Privacy Act (FERPA) applicable to the educational records of students. We will not use any information provided for the creation and maintenance of students’ Backpack accounts for any purpose other than preserving seamless access to licensed materials, and we will not disclose such information to any third party unless required by law. Any Student Information collected online or otherwise is used solely for the contracted purposes of the MackinVIA system. Mackin will not use nor sell Student Information for the purposes of marketing to students.
Storage of Student InformationStudent Information is stored, encrypted, and served from Mackin’s on-premise data center, which has comprehensive monitoring systems in place using industry best practice tools. Additionally, a standby diesel generator provides uninterrupted power during outages. Backup servers are stored at a SSAE 16 (SOC 2 Type 2) attested facility in Minnetonka, MN, and data backups are encrypted using AES 256-bit keys. No Student Information is stored outside the US.
District Sharing of Student InformationUser accounts may be created by the district, end-user, or Mackin. Frequently, the district requests Mackin’s assistance with this step. The district has many options for communicating Student Information to Mackin for the creation of Backpack accounts. The information may be shared by automation through LDAP, SIP2, LTI, or SSO; by sending a CSV file of Student Information through Mackin’s self-import tool or automated FTP import capabilities; or by sending it in a variety of file formats. Once account setup is complete, any files containing Student Information (not automated) sent to Mackin may be returned to the district, but all copies in Mackin’s possession will be destroyed. Automated Student Information uploads are not visible to Mackin employees and are protected by TLS encryption. When transferring Student Information, Mackin appropriates TLS/HTTPS encryption.
Password SecurityUser passwords are not visible to MackinVIA administrators or Mackin employees. For external authentication schemes, users enter passwords on a TLS-protected login page and their passwords are not stored. In all other cases, stored passwords are protected using salted hashes and MackinVIA user authentication is protected by TLS/HTTPS encryption.
Other InformationMackin collects anonymous information which does not enable identification of an individual student, or de-identified information for which all personally identifiable information has been removed and an individual student is not identifiable. This type of information is collected as part of the standard operation of the platform. This may include browser type, operating system, IP address, and the domain name from which the application was accessed. In addition, Mackin may collect information about browsing behavior, such as the date and time of access, the areas or pages visited, the amount of time spent viewing each page, the number of times returned to the application, the referring web page, pages visited, location, mobile carrier, device, and application IDs. Mackin analyzes de-identified, non-personal information and/or aggregated data solely for the purpose of improving service. No information at any point will be transferred or sold.
Secure InfrastructureMackin has implemented administrative, physical, and technical infrastructure, as well as procedural safeguards, to protect and maintain the integrity of Student Information. Operating systems and commercial applications are patched to current levels. Critical security patches are deployed within one week of release. Anti-virus software is deployed to all desktops and servers in the Mackin facility and kept up-to-date with the latest definitions. The firewall and DMZ configuration is deployed to prevent public access to Student Information and to segregate that environment from the Internet using a firewall appliance. Only HTTP/HTTPS ports 80 and 443 are allowed through from the Internet to the web server. Third party audits of security operations are conducted quarterly by an approved 3rd party service for compliance with PCI-DSS standards. Mackin is PCI-DSS compliant. For district-initiated security audits, requests may be submitted in writing to Mackin’s point of contact.
Student Information Security Breach ResponseIn the event that an unauthorized disclosure of Student Information, unauthorized access, or other incident that threatens the security of Student Information comes to Mackin’s attention, the district will be notified immediately. Mackin’s Computer Security Incident Response Team (CSIRT) deals with security incidents as recommended by the Handbook for Computer Security Incident Response Teams (CSIRTs), published by the Software Engineering Institute, Carnegie Mellon University.
In the case of a security breach, Mackin’s CSIRT is trained to:
- Make an initial assessment
- Communicate the incident
- Contain the damage and minimize the risk
- Identify the type and severity of the compromise
- Protect evidence
- Notify external agencies if appropriate
- Recover systems
- Compile and organize incident documentation
- Assess incident damage and cost
- Review the response
- Update policies