The privacy of students, their families, school-based staff, community partners, schools, and districts is of utmost importance to the National Center for School Mental Health and The SHAPE System. This Privacy and Security Policy ensures our commitment to protect all information entered in The SHAPE System and the privacy of all System users and related groups.
Who can access The SHAPE System and what is their role?
Each SHAPE System user will create his or her own account, accessed by a unique log-in name and password selected by that individual. This ensures that users will be provided with information, surveys, and reports appropriate to their role only.
The SHAPE System users represent either an individual, school, school district, entity or a state. The National Center for School Mental Health and our technology partner, 3C Institute, are SHAPE System Administrators.
State users can view the School Mental Health reports and performance measures of districts and schools. Entity users can view selected schools and districts School Mental Health, Trauma Responsiveness, and performance measures reports. District users can view the School Mental Health reports and performance measures reports of schools. States, entities, and districts have this capability only if schools and/or districts 1) are registered on The SHAPE System and 2) do not prohibit access to the district/entity/state. Schools can view district team members’ names, titles, email addresses, and date of last visit to SHAPE. States, districts, and entities can also view this information about school team members if the school does not prohibit access. Districts can view state team members’ names, titles, email addresses, and last visit to SHAPE.
What data are entered into the SHAPE System?
There are no individual student data entered into SHAPE. Any data about number of students screened or receiving services are entered in aggregate and would not allow for the identification of any individual student. SHAPE is a web-based system for school or district teams to self-report the performance of their school mental health system.
The three types of data that can be entered into the SHAPE System are as follows:
The SHAPE System Administrators (NCSMH and 3C Institute) access education data from the Department of Education website and link it with registration information. The types of data collected include school addresses and phone numbers, and type of school (e.g., public/private/charter, urban/rural/suburban location, percentage of students receiving free and reduced-price lunch).
How are data used?
Whether a school or district has registered with The SHAPE System is publicly available information. The information that school or district teams enter into SHAPE (including the School Mental Health Profile, Quality Assessments, Trauma Responsiveness Assessments, team member names) is not publicly available. Information entered into SHAPE by individuals, schools, districts, entities, or states may be compiled in aggregate by the National Center for School Mental Health to understand:
The National Center for School Mental Health is interested in supporting ongoing quality improvement efforts in the field. As such, NCSMH team members may occasionally reach out to SHAPE users to invite them to participate in NCSMH quality improvement or research efforts.
Once schools share data with districts, entities, or states via default permissions on the SHAPE system, data can be used or shared with third-party requestors. We recommend establishing a data-sharing agreement.
Once districts share data entities or states via default permissions on the SHAPE system, data can be used or shared with third-party requestors. We recommend establishing a data-sharing agreement.
How are data stored?
The SHAPE System uses website cookies and log files to store non-personal data only. Cookies on the SHAPE System are never set across websites to track movement from site to site. We will never sell personally identifiable information to a third party. We will never share information with a third party, except to comply with law enforcement, or if the user explicitly permits the use of this information for other purposes.
Our Commitment to Data Security
To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online, including but not limited to SSL security, encrypted databases, internal security audits, and staff policies.
We respect students’, schools’, and districts’ rights to privacy. In recognition of the sensitive nature of school and district level data and student information collected through the use of any programs on the SHAPE platform, multiple access levels have been developed so that each type of user – district and school – are granted specific data permissions. The SHAPE System does not collect any personal health information or student data, and therefore does not require protection from either the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) or the Health Insurance Portability and Accountability Act (HIPAA).
To ensure the security and privacy of all data entered by School and District Users, several physical, network, hardware, and appropriate software safety precautions are in place. The firewall restricts access to data to those who have requisite permission levels. All logins have strong password rule enforcement and password expiration schedules. Data stored online are protected using algorithms and separation of encrypted data from keys.
When you sign up as an entity in the SHAPE System, you'll:
When you sign up for your state/territory in the SHAPE System, you'll:
When you sign up for your school district in the SHAPE System, you'll:
When you sign up for your preschool in the SHAPE System, you'll:
When you sign up for your school in the SHAPE System, you'll:
When you sign up as an individual in the SHAPE System, you'll: