Data Governance

Purpose

Data governance is an organizational approach to management that is formalized as a set of policies and procedures that encompass the full life cycle of Data, including Personal Information (PI), from acquisition, to use, to disposal. These rules and policies establish decision rights, as well as the controls that ensure security, accountability, and trustworthiness. Governance is not active day-to-day oversight, but rather a strong foundation for a viable management system. Any governance structure is in place to foster sound policy, clarity of controls, and consistent processes.

1-2-3 Wellness recognizes its responsibility to protect the privacy and ensure security for all users.

1-2-3 Wellness has adopted this Data Governance Policy to comply with all applicable laws and regulations.

 

Complementary Support

The 1-2-3 Wellness™ program can serve as complementary support for the tremendous work orchestrated by teachers, administrators, mental health providers, community partners and other caring adults in schools and organizations. The program offers support which is educational in nature. The program is intended to serve as a part of a larger framework of support orchestrated by schools and organizations. 1-2-3 Wellness™ is not intended to replace other vital supports or to treat or diagnose any illness. The fidelity of the program occurs when it is used in its entirety, complete with ongoing professional development, the full spectrum of resources and in conjunction with the support of your organization’s educational and mental health professionals. All resources and information provided via the program are entirely voluntary. Individual participants are encouraged to use, or not use, different resources according to what supports their unique well-being needs as guided by your school and/or organizational personnel. Your organization holds exclusive responsibility for all implementation efforts, including efforts related to data generated which is associated with the program. Your school’s or organization’s personnel remain solely responsible for monitoring, identifying, supporting and responding to all mental health related issues including, but not limited to, accessing, identifying and responding to your student and staff wellness data in timely and appropriate ways. Accordingly, GrowthWell LLC bears no responsibility for accessing, identifying and/or responding to your student and staff wellness data at any time. Please reach out to our staff at any time and please continue to consult educational and mental health professionals as part of ongoing efforts to meet student and other stakeholder needs.

Scope & Definitions

This policy applies to all employees and consultants of 1-2-3 Wellness. In accordance with 1-2-3 Wellness’s policy and procedures, this policy will be reviewed and adjusted on an annual basis or more frequently, as needed. This policy is designed to ensure only authorized disclosure of Data, including Personal Information (PI), as well as to establish best practices around governance. Where 1-2-3 Wellness uses contractors such as third party service providers, they will be notified of this policy.

See the Definitions section of the policies for certain definitional terms used in this policy.

 

Data Access Policy

1. 1-2-3 Wellness restricts access to Data, including Personal Information (PI), to only those who need to know the information in order to process the Data, including Personal Information (PI), for the intended service or provide customer assistance, and any such access will be limited to the Data, including Personal Information (PI), necessary for the performance of the operation.

2. 1-2-3 Wellness will conduct background checks on all 1-2-3 Wellness employees and consultants who will have access to Children Data, including Personal Information (PI), as part of the hiring process.

3. Access to Children Data, including Personal Information (PI) may be revoked by 1-2-3 Wellness for any reason, including termination.

4. 1-2-3 Wellness identifies access to Children Data, including Personal Information (PI), based on roles and need for access.

5. 1-2-3 Wellness will protect its Children Data, including thorough security measures.

Data Usage Policy

  1. 1-2-3 Wellness has instituted policies to make sure Data, including Personal Information (PI), are not misused or abused and are used in accordance with all applicable regulations, rules and laws. Data Owners manage Data, including Personal Information (PI), according to this policy and all other applicable policies and practices implemented by 1-2-3 Wellness.

  2. 1-2-3 Wellness employees and consultants are only allowed to access Data, including Personal Information (PI), for the required performance of their job function/role and not for any inappropriate purposes.

De-Identification Method

 

  1. 1-2-3 Wellness may use Data, including Personal Information (PI), in a de-identified or aggregate format. The methods employed to de-identify Children Data, including Personal Information (PI), are technically reliable and consistent with industry best practices.

  2. Data, including Personal Information (PI) is anonymized in the quality assurance and development environments by running a task to de-identify the Data, including Personal Information (PI).

  3. The de-identification task replaces all first and last names with another XYZ; emails and usernames are changed to XYZ, and phone numbers are blanked out, except for a small list of explicitly declared white list users (1-2-3 Wellness employee personal accounts for testing).

 

Third Party Service Providers

  1. 1-2-3 Wellness evaluates third party service providers to ensure they are capable of complying with our policies and practices, including those related to the collection, use, transfer, deletion, confidentiality, security and integrity of user Data, including Personal Information (PI).

  2. Third party service providers will only have access to Data, including Personal Information (PI), that is necessary for the service they provide to 1-2-3 Wellness.

  3. 1-2-3 Wellness informs third party service providers annually that our service is directed to children and of 1-2-3 Wellness’s Data privacy and security policies and practices.

  4. 1-2-3 Wellness will review and assess third party data and security practices annually, any time 1-2-3 Wellness policies or practices change, and any time 1-2-3 Wellness is made aware of changes to a third party service provider’s policies or practices.

  5. 1-2-3 Wellness will submit a certification that the requirements regarding third party service providers have been met at the initial certification and annually as part of the renewal process.

Training

  1. 1-2-3 Wellness will provide an annual training program for all employees and consultants who are directly or peripherally involved in design, production, development, monetization and operations of the products and employees and consultants involved in the collection, use, storage, disclosure or any other handling of Data, including Personal Information (PI).

  2. 1-2-3 Wellness will provide training to any employees and consultants who have access to Children Data on the federal and state laws governing confidentiality prior to receiving access to such Data, including Personal Information (PI).

  3. 1-2-3 Wellness will participate in iKeepSafe FERPA training within 2 months of certification and thereafter on an annual basis.

  4. 1-2-3 Wellness will submit a certification to iKeepSafe that the above training has been completed.

 

Security, Security Audit and Remediation 

  1. 1-2-3 Wellness uses and maintains reasonable security procedures and practices, taking into account available technologies, to safeguard and protect the Data, including Personal Information (PI), from unauthorized access, destruction, use, modification, or disclosure and to ensure the confidentiality of Data, including Personal Information (PI), collected from and about Children.

  2. 1-2-3 Wellness stores all Data, including Personal Information (PI) with XYZ and relies upon the security audits conducted by XYZ. 1-2-3 Wellness reviews the security audits conducted by XYZ on a regular basis or as needed.

  3. 1-2-3 Wellness periodically reviews its practices to protect against unauthorized access.

  4. Personal Information (PI) is encrypted at rest and in motion.

  5. All accounts are protected by a password. All passwords are stored and transferred securely using encryption and salted hashing.

  6. 1-2-3 Wellness has remediation plans to address identified security issues as they arise.

 

Data Integrity

1-2-3 Wellness ensures that its storage for data, including Personal Information (PI) is accurate and kept up-to-date through the means of auditing, review processes, and the implementation of security controls (e.g. integrity monitoring).

Business Continuity Plan (“BCP”) & Disaster Recovery Plan (“DRP”) 

To ensure that essential business functions will continue to operate during and after a disaster, 1-2-3 Wellness™ has a business continuity plan.

The objective of the BCP is to coordinate recovery of critical business functions in managing and supporting the business recovery in the event of a facilities (office building) disruption or disaster.  A disaster is defined as any event that renders a business facility inoperable or unusable so that it interferes with the organization’s ability to deliver essential business services.

The priorities in a disaster situation are to:

1. Ensure the safety of employees and visitors in the office.

2. Mitigate threats or limit the damage that threats can cause.

3. Have advanced preparations to ensure that critical business functions can continue.

The BCP is dependent upon the ability of the third party service providers that 1-2-3 Wellness uses for its services and website to provide uptime and system availability. The third party service providers used for 1-2-3 Wellness’s services and website perform geographically redundant backups of 1-2-3 Wellness’s database, allowing 1-2-3 Wellness to access a backup very quickly if necessary.

1-2-3 Wellness would be able to recover from any disaster at its office site by relying upon access to all data through the third party service provider.

To ensure that 1-2-3 Wellness will be able to recover specific business applications after a disaster, 1-2-3 Wellness has a DRP.

 

  1. 1-2-3 Wellness uses a third-party service provider for 1-2-3 Wellness services and website.

  2. If a disaster occurs, 1-2-3 Wellness will notify users via the home page of its web site and through other available communication channels.

  3. Response times will be dependent upon the third party service provider’s ability to recover from the disaster.

  4. If necessary, 1-2-3 Wellness can restore the database.

  5. 1-2-3 Wellness can redeploy our services to the instances, if necessary, and test and monitor for stability.

  6. 1-2-3 Wellness has a backup of the object code, source code and documentation at a secured location.

Exceptions

Any exceptions to the Data Governance Policy are highly discouraged, but in the event there is a legitimate business need, the exception must be approved by the Chief Executive Officer and will be documented. All exceptions will be reviewed quarterly and will be prohibited once they are no longer necessary.

Governing Laws and Regulations

 Family Educational Rights and Privacy Act (FERPA)

Children’s Online Privacy Protection Act (COPPA)

Non-Compliance

Violations of this policy will be treated in accordance with 1-2-3 Wellness’s policies. 1-2-3 Wellness may face significant fines if non-compliant with regulations. Individuals subject to this policy will be subject to sanctions for non-compliance that may include, but are not limited to, one or more of the following:

1. Disciplinary action according to applicable 1-2-3 Wellness policies.

2. Termination of employment.

3. Legal action according to applicable laws and contractual agreements.

Relevant Policies, Procedures, Standards, and Processes

● Data Breach Policy

● Data Retention and Deletion Policy

● Data Table

● Third Party Service Providers