This overview is intended to provide education agencies with information about Benetech’s data privacy and security policies. The following is provided for information purposes only and should not be considered a legal statement or advice. For more information, please contact privacy@benetech.org
Benetech® the company that operates the Bookshare service, takes student data privacy and security very seriously. We have implemented a range of physical, technical, and administrative measures to prevent unauthorized access, disclosure, or misuse, and to maintain data accuracy. We regularly review our information collection, storage, and processing practices to ensure the security and integrity of the data we collect.
We comply with applicable state and federal laws and regulations pertaining to data privacy and security, including but not limited to FERPA, PPRA, COPPA, IDEA. Benetech operates under FERPA’s “School Official” Exception which enables us to collect and utilize student data. All data provided by education agencies remains under the control and direction of the education agency providing said information.
Student data is only used for the purpose of providing access to Bookshare. Student data is never shared, sold, or used for marketing purposes. Anonymized and aggregated data on age, grade, disability type, IEP and/or 504 plans may be provided to fulfill the purpose of data requests by an education entity or by the U.S. Department of Education under the Cooperative Agreement that fully funds Bookshare.
Why does Bookshare collect student Personally Identifiable Information (PII)?
The Bookshare platform collects student PII to meet obligations under the U.S. Copyright Act of 1976, as amended, that allows non-profit organizations, such as Benetech, to provide accessible versions of published works to qualified individuals. Benetech does so with its Bookshare platform, which uses the information it collects to confirm that students have a qualifying print disability and that their use of Bookshare complies with the law. The Bookshare platform collects only the information required to perform in compliance with the law and to provide the service effectively.
The Bookshare platform currently requires first name, last name, date of birth, grade, and disability type. However, we understand that some educational agencies must keep student names private. We offer an alternative that allows for student numbers or pseudonyms to be used in place of student names if the educational agency submits a Confidentiality Rider Form and agrees to maintain a database in which the student’s real name is paired with the pseudonym or coded username of each student accessing Bookshare. This is necessary in case any student misuses the Bookshare service (e.g., shares a book with anyone who is not a qualified print-disabled user) so that they can be contacted and disciplined, if necessary, by the school or school district. A Confidentiality Rider form can be obtained from Bookshare Customer Support.
Student Data Retention and Destruction
We do not retain student PII beyond what is necessary for educational purposes, legal obligations, or to provide the services for which we receive or collect such information. In addition, student PII is retained only for as long as their student accounts remains active, unless retention is required by law, by the student’s school, or is necessary to ensure the safety of our community, our services, or to enforce our Terms. Protected data will, upon the written request of the education agency, be deleted or rendered un-identifiable by Benetech, as soon as reasonably practicable after the date of the request. Additionally, on organizational accounts, which are those created by organizations such as schools or districts, staff can delete student information from the account any time they wish to do so.
Correcting Information
Education agencies can correct or update information within their Bookshare organizational account anytime they wish and may also contact Bookshare by email at support@bookshare.org if they need further assistance in correcting or deleting data.
Data Storage and Protection
All student data is hosted on Amazon Web Services (“AWS”) within the U.S. Region. AWS publishes their CAIQ/CSA agreement which includes information on their security, control, and processes.
We regularly review our information collection, storage and processing practices, including physical security measures, to prevent unauthorized access to our systems. We conduct application security testing, penetration testing, risk assessments, and continuous monitoring to ensure compliance with security policies.
Cybersecurity Framework
Benetech’s cybersecurity framework is not designed in accordance with any one established set of specifications, it is custom designed by Benetech’s engineering team in accordance with industry standard best practices with respect to protected data storage and privacy, including, but not limited to, encryption, firewalls, passwords, protection of off-site records, and limitations of access to stored protected data to authorized staff.
In particular:
- When users enter any information on the Bookshare website, we encrypt the transmission of that information using Hypertext Transfer Protocol Secure (HTTPS) by default.
- The database where we store user PII is encrypted at rest and in transit.
- We ensure passwords are stored securely using encryption.
Access to Protected Data
Benetech restricts access to protected data to those individuals that are determined to have legitimate needs to operate the Bookshare platform such as authorized Benetech employees, agents, or independent contractors who require the information to perform necessary processing on our behalf. These individuals are bound by stringent confidentiality obligations and may face disciplinary action or termination if they fail to meet these obligations. All Benetech employees are required to sign a confidentiality agreement with Benetech as part of the onboarding process and to undergo criminal background checks.
Employee Training
Benetech employees and independent contractors receive yearly training on FERPA, Foundations of Security Awareness, Phishing Prevention, Data Privacy Basics and Data Security Basics. This training is mandatory when new employees are onboarded with the company.
Data Breach Procedures
If student data is accessed or obtained by an unauthorized individual, Benetech shall provide notification to the affected organization (such as a school district or an individual school) or the individual member without unreasonable delay, but not more than 72 hours after discovery of the incident. Benetech shall take the following steps:
The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described herein under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice. The security breach notification shall include, at a minimum, the following information:
- The name and contact information of the reporting school district or individual school subject to this section.
- A list of the types of personal information that were, or are reasonably believed to have been, the subject of a breach.
- If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred.
- The notification shall also include the date of the notice. Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided. It will also include a general description of the breach incident, if that information is possible to determine at the time the notice is provided.
At Benetech’s discretion, the security breach notification may also include any of the following:
• Information about what Benetech has done to protect individuals whose information has been breached.
• Advice on steps that the person whose information has been breached may take to protect himself or herself.
With approval of District, Benetech will notify affected students or staff of District who’s personally identified data is reasonably believed to have been affected by an unauthorized release of such data due to a breach of security. Such notification shall be provided without unreasonable delay and in any case, no later than 30 days after the unauthorized release of data has been confirmed by Benetech.