STUDENT DATA PRIVACY AGREEMENT VERSION (2018) - MODELED AFTER THE STUDENT DATA PRIVACY CONSORTIUM’S MODEL CONTRACT
This Student Data Privacy Agreement (“DPA”) is incorporated by reference into the Service Agreement (as defined below) entered into by and between the customer located solely within the United State set forth below (hereinafter referred to as “LEA”) and Xxxx.xxx (hereinafter referred to as “Provider”) effective as of the date the DPA is accepted by LEA (“Effective Date”) (each of Provider and LEA, a “Party” and together “Parties”). The Parties agree to the terms as stated herein.
WHEREAS, the Provider has agreed or will agree to provide the LEA with certain digital educational services as described in Section I pursuant to the Xxxx.xxx Terms of Service located at xxxxx://xxxx.xxx/xxx entered into the same date as this DPA (the “Service Agreement”); and
WHEREAS, in order to provide the Services described in Section 1, the Provider may receive or create and the LEA may provide documents or data that are covered by several applicable federal statutes, among them, the Federal Educational Rights and Privacy Act (“FERPA”) at 20 U.S.C.
1232g and 34 CFR Part 99, Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. 6501-6502; Protection of Student Rights Amendment (“PPRA”) 20 U.S.C. 1232h; the Individuals with Disabilities Education Act (“IDEA”), 20 U.S.C. §§ 1400 et. seq.; and
WHEREAS, the documents and data transferred from LEAs and created by the Provider’s Services are also subject to various state student privacy laws; and
WHEREAS, the Parties wish to enter into this DPA to ensure that the Services and Service Agreement provided conform to the requirements of the privacy laws referred to above and to establish implementing procedures and duties.
NOW THEREFORE, for good and valuable consideration, the parties agree as follows:
1. PURPOSE AND SCOPE
1.1.Purpose of DPA. The purpose of this DPA is to describe the duties and responsibilities to protect Student Data (as defined in Exhibit “C”) transmitted to Provider from the LEA and Provider’s users pursuant to the Service Agreement including compliance with all applicable federal and state privacy statutes including the FERPA, PPRA, COPPA, and IDEA This DPA, together with the Service Agreement, is the “Agreement”.
1.2.Nature of Services Provided. Pursuant to and as fully described in the Service Agreement, Provider has agreed to provide the digital educational services as set forth in Exhibit “A” hereto and any other products and services that Provider may provide now or in the future (the “Services”).
1.3.Student Data to Be Provided. In order to perform the Services described in this Section and the Service Agreement, LEA shall provide only the elements of data marked by the Provider in the Schedule of Data, attached hereto as Exhibit “B”.
1.4.DPA Definitions. The definition of terms used in this DPA is found in Exhibit “C”. In the event of a conflict, definitions used in this DPA shall prevail over terms used in all other
writings, including, but not limited to, the Service Agreement, privacy policies or any terms of service.
2. DATA OWNERSHIP AND AUTHORIZED ACCESS
2.1.Student Data Property of LEA. All Student Data or any other Education Records (as defined on Exhibit C) transmitted to the Provider pursuant to this Agreement is and will continue to be the property of and under the control of the LEA, or to the party who provided such data (such as the student or parent). The Provider further acknowledges and agrees that all copies of such Student Data or any other Education Records transmitted to the Provider, including any modifications or additions or any portion thereof from any source, are also subject to the provisions of this Agreement in the same manner as the original Student Data or Education Records. The Parties agree that as between them, all rights, including all intellectual property rights, in and to Student Data or any other Education Records contemplated per this Agreement shall remain the exclusive property of the LEA or the party who provided such data (such as the student or parent).
2.2.Exemptions under FERPA. LEA may not generally disclose Personally Identifiable Information from an eligible student’s Education Record to a third-party without written consent of the parent and/or eligible student or without meeting one of the exemptions set forth in FERPA (“FERPA Exemption(s)”), including the exemption for Directory Information (“Directory Information Exemption”) or School Official exemption (“School Official Exemption”). For the purposes of FERPA, to the extent Personally Identifiable Information from Education Records are transmitted to Provider from LEA or from students using accounts at the direction of the LEA, the Provider shall be considered a School Official (as defined on Exhibit C), under the control and direction of the LEAs as it pertains to the use of Education Records. Additionally, certain information, provided to Provider by LEA about a student, such as student name and grade level, may be considered Directory Information (as defined on Exhibit C) under FERPA and thus not an Education Record.
2.3.Parent Access. LEA shall establish reasonable procedures by which a parent, legal guardian, or eligible student may review Personally Identifiable Information contained in the related student’s Education Records and correct erroneous information, consistent with the functionality of services. Provider shall cooperate and respond within thirty (30) days to the LEA’s request for Personally Identifiable Information contained in the related student’s Education Records held by the Provider to view or correct as necessary. In the event that a parent/legal guardian of a student, an eligible student or other individual contacts the Provider to review any of the Education Records or Student Data accessed pursuant to the Services, the Provider shall refer the parent, eligible student or individual to the LEA, who will follow the necessary and proper procedures regarding the requested information.
2.4.Third Party Request. Should a third party, excluding a Service Provider, including, but not limited to law enforcement, former employees of the LEA, current employees of the
LEA, and government entities, contact Provider with a request for Student Data held by the Provider pursuant to the Services, the Provider shall redirect the third party to request the data directly from the LEA, unless and to the extent that Provider reasonably believes it must grant such access to the third party because the data disclosure is necessary: (i) pursuant to a court order or legal process, (ii) to comply with statutes or regulations, (iii) to enforce the Agreement, or (iv) if Provider believes in good faith that such disclosure is necessary to protect the rights, property or personal safety of Provider’s users, employees or others. Provider shall notify the LEA in advance of a compelled disclosure to a Third Party, unless legally prohibited.
0.0.Xx Unauthorized Use. Provider shall not use Personally Identifiable Information contained in Student Data or in an Education Record for any purpose other than as explicitly specified in this Agreement.
3. DUTIES OF LEA
3.1.Provide Data In Compliance With Laws. LEA shall provide Student Data for the purposes of the Agreement in compliance with any applicable state or federal laws and regulations pertaining to data privacy and security, including, without limitation, the FERPA, PPRA, and IDEA. If LEA is providing Directory Information or any Education Record to Provider, LEA represents, warrants and covenants to Provider, as applicable, that LEA has:
(i) complied with the Directory Information Exemption, including, without limitation, informing parents and eligible students what information the XXX xxxxx to be Directory Information and may be disclosed and allowing parents and eligible students a reasonable amount of time to request that schools not disclose Directory Information about them; and/or
(ii) complied with the School Official Exemption, including, without limitation, informing parents in their annual notification of FERPA rights that the Institution defines “school official” to include service providers and defines “legitimate educational interest” to include services such as the type provided by Provider; or
(iii) obtained all necessary parental or eligible student written consent to share the Student Data with Provider, in each case, solely to enable Provider’s operation of the Service.
LEA represents, warrants, and covenants to Provider that it shall not provide information to Provider from any student or parent/legal guardian that has opted out of the disclosure
of Directory Information. Provider depends on LEA to ensure that LEA is complying with the FERPA provisions regarding the disclosure of any Student Data that will be shared with Provider.
3.2.Reasonable Precautions. LEA shall take reasonable precautions to secure usernames, passwords, and any other means of gaining access to the Services and/or hosted data shared pursuant to the Agreement.
3.3.Unauthorized Access Notification. LEA shall notify Provider promptly of any known or suspected unauthorized use or access of the Services, LEA’s account, or Student Data.
LEA will assist Provider in any efforts by Provider to investigate and respond to any unauthorized use or access.
4. DUTIES OF PROVIDER
4.1.Privacy Compliance. The Provider shall comply with all applicable state and Federal laws and regulations pertaining to data privacy and security, applicable to the Provider providing the Service to LEA. Provider will ensure that it’s Services help LEA comply with FERPA and PPRA.
4.2.Authorized Use. Student Data shared pursuant to this Agreement, including persistent unique identifiers, shall be used for no purpose other than the Services and for the uses set forth in the Agreement and/or as otherwise legally permissible, including, without limitation, for adaptive learning or customized student learning. The foregoing limitation does not apply to any De-Identified Data (as defined in Exhibit C).
4.3.Employee Obligation. Provider shall require all employees and agents who have access to Student Data to comply with all applicable provisions of this DPA with respect to the Student Data shared under this DPA. Provider agrees to require and maintain an appropriate confidentiality agreement from each employee or agent with access to Student Data pursuant to the DPA.
0.0.Xx Disclosure. Provider shall not disclose, transfer, share or rent any Student Data obtained under the Agreement in a manner that directly identifies an individual student to any other entity other than LEA, except: (i) as authorized by the Agreement; (ii) as directed by LEA; (iii) to authorized users of the Services, including parents or legal guardians; (iv) as permitted by law; (v) in response to a judicial order as set forth in Section 2.4; (vi) to protect the safety or integrity of users or others, or the security of the Services; or (vii) to Service Providers, in connection with operating or improving the Service. Provider will not Sell (as defined in Exhibit C) Student Data.
4.5.De-Identified Data. De-Identified Data may be used by the Provider for any lawful purpose, including, but not limited to, development, research, and improvement of educational sites, services, or applications, and to demonstrate the market effectiveness of the Services. Provider’s use of such De-Identified Data shall survive termination of this DPA or any request by LEA to return or destroy Student Data. Provider agrees not to
attempt to re-identify De-identified Data and not to transfer De-identified Data to any party unless that party agrees in writing not to attempt re-identification.
4.6.Disposition of Data. Provider shall, at LEA’s request, dispose of or delete all Personally Identifiable Information contained in Student Data within a reasonable time period following a written request. Additionally, if a written request is received from LEA to transfer Personally Identifiable Information contained in Student Data to LEA, Provider shall transfer said Personally Identifiable Information contained in Student Data to LEA or LEA’s designee within sixty (60) days of the date of such written request by LEA, or as required by law, and according to a schedule and procedure as the Parties may reasonably agree. If no written request is received, Provider shall dispose of or delete all Personally Identifiable Information contained in Student Data at the earliest of (a) when it is no longer needed for the purpose for which it was obtained or (b) as required by applicable law. Nothing in the DPA authorizes Provider to maintain Personally Identifiable Information contained in Student Data obtained under the Agreement beyond the time period reasonably needed to complete the disposition, unless a student, parent or legal guardian of a student chooses to establish a personal login to their account with Provider for the purpose of storing Student Generated Content. Disposition shall include
(1) the shredding of any hard copies of any Personally Identifiable Information contained in Student Data; (2) erasing any Personally Identifiable Information contained in Student Data; or (3) otherwise modifying the Personally Identifiable Information contained in Student Data to make it unreadable or indecipherable or De-Identified. Provider shall provide written notification to LEA when the Personally Identifiable Information contained in Student Data has been disposed pursuant to the LEA’s request for deletion. The duty to dispose of Student Data shall not extend to data that has been De-Identified. The LEA may employ a “Request for Return or Deletion of Student Data” FORM, a copy of which is attached hereto as Exhibit “D”.
4.7.Advertising Prohibition. Provider is prohibited from using Personally Identifiable Information contained in Student Data to (a) serve Targeted Advertising to students or families/guardians unless with the consent of parent/guardian or LEA; (b) develop a profile of a student for any commercial purpose other than providing the Service to LEA or as authorized by the parent/guardian or LEA; or (c) use the Student Data for the development of commercial products or services, other than as necessary to provide the Service to Client, as authorized by the parent or legal guardian, or as permitted by applicable law. Personally Identifiable Information contained in Student Data should never be used or disclosed for Third-Party Advertising (as defined in Exhibit C).
Additionally, Provider does not allow Third-Party Advertising on its Service in user logged in areas of the Service. This section shall not be construed to (i) prohibit Provider from marketing or advertising directly to parents or other users so long as the marketing or advertising did not result from the use of Personally Identifiable Information contained in Student Data obtained by Provider from providing the Services; (ii) apply to the marketing of school memorabilia such as photographs, yearbooks, or class rings, (iii) prohibit Provider from using aggregate or De-Identified Data to inform, influence or enable marketing, advertising or other commercial efforts by Provider, (iv) limit the ability of Provider to use Student Data for adaptive learning or customized student learning purposes, (v) prohibit Provider from using Student Data to recommend
educational products or services to parents/guardians, students, or LEAs so long as the recommendations are not based in whole or part by payment or other consideration from a third party, (vi) prohibit Provider from using Student Data with parent/guardian consent to direct advertising to students to identify higher education or scholarship providers that are seeking students who meet specific criteria.
0.XXXX SECURITY AND DATA BREACH
0.0.Xxxx Security. The Provider agrees to employ administrative, physical, and technical safeguards consistent with industry standards designed to protect Student Data from unauthorized access, disclosure, use or acquisition by an unauthorized person, including when transmitting and storing such information. The general security duties of Provider are set forth below. Provider may further detail its security programs and measures in Exhibit “E” hereto. These measures shall include, but are not limited to:
i. Passwords and Employee Access. Provider shall secure usernames, passwords, and any other means of gaining access to the Services or to Student Data, at a level suggested by Article 4.3 of NIST 800-63-3. Provider shall only provide access to Student Data to employees, contractors or Service Providers that are performing the Services. Employees with access to Student Data shall have signed confidentiality agreements regarding said Student Data. All employees with access to Student Data shall pass criminal background checks.
ii. Destruction of Data. Provider shall destroy or delete all Personally Identifiable Data contained in Student Data and obtained under the Agreement as set forth in Section 4.6.
iii. Security Protocols. Both parties agree to maintain security protocols that meet industry best practices in the transfer or transmission of any Student Data, including ensuring that Student Data may only be viewed or accessed by parties legally allowed to do so. Provider shall maintain all Student Data obtained or generated pursuant to the Agreement in a secure computer environment and not copy, reproduce, or transmit data obtained pursuant to the Agreement except as necessary to fulfill the purpose of data requests by LEA or as otherwise set forth in the Agreement. The foregoing does not limit the ability of the Provider to allow any necessary Service Providers to view or access data as set forth in Section 4.4.
iv. Employee Training. The Provider shall provide periodic security training to those of its employees who operate or have access to the Services.
v. Security Technology. When the Service is accessed using a supported web browser, the Provider will ensure that Secure Socket Layer (“SSL”), or equivalent technology that protects information, using both server authentication and data encryption, shall be employed to protect
Student Data from unauthorized access. Provider shall host Student Data pursuant to the Agreement in an environment using a firewall that is periodically updated according to industry standards.
vi. Security Coordinator. Provider shall provide the name and contact information of Provider’s security coordinator for the Student Data received pursuant to the Agreement (“Security Coordinator”).
vii. Service Provider Bound. Provider shall enter into written agreements whereby Service Providers agree to secure and protect Student Data in a manner consistent with the terms of this Section 5.
viii. Backups. Provider agrees to maintain backup copies, backed up at least daily, of Student Data in case of Provider’s system failure or any other unforeseen event resulting in loss of Student Data or any portion thereof.
0.0.Xxxx Breach. In the event that Provider becomes aware of any actual or reasonably suspected unauthorized disclosure of or access to Student Data (a “Security Incident”), Provider shall provide notification to LEA as required by the applicable state law (each a “Security Incident Notification”) Provider shall follow the following process:
i. Unless otherwise required by the applicable law, the Security Incident Notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described herein under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
ii. The Security Breach Notification described above in Section 5.2(i) shall include such information required by the applicable state law, and at a minimum, the following information:
• The name and contact information of the reporting Provider subject to this section.
• A list of the types of Personal Identifiable Information that were or are reasonably believed to have been the subject of the Security Incident.
• If the information is possible to determine at the time the notice is provided, then either (1) the date of the Security Incident, (2) the estimated date of the Security Incident, or
(3) the date range within which the Security Incident occurred. The Security Incident Notification shall also include the date of the notice.
• Whether, to the knowledge of Provider at the time the Security Incident Notice was provided the notification was delayed as a result of a law enforcement investigation
• A general description of the Security Incident, if that information is possible to determine at the time the notice is provided.
iii. At Provider’s discretion, the Security Breach Notification may also include any of the following:
• Information about what the Provider has done to protect individuals whose Personally Identifiable Information has been breached by the Security Incident.
• Advice on steps that the person whose Personally Identifiable Information has been breached may take to protect himself or herself.
6.1.Term. The Provider shall be bound by this DPA for the duration of the Service Agreement or as required by law.
6.2.Termination. In the event that either party seeks to terminate this DPA, they may do so by terminating the Service Agreement as set forth therein. The LEA may terminate this DPA and the Service Agreement or contract with the Provider if the Provider breaches any terms of this DPA.
6.3.Effect of Termination Survival. If the DPA is terminated, the Provider shall destroy all of LEA’s Personally Identifiable Information contained in Student Data pursuant to Section 4.6.
6.4.Priority of Agreements. This DPA shall govern the treatment of Student Data. With respect to the treatment of Student Data, in the event there is conflict between the terms of the DPA, the Service Agreement, or any other agreement between Provider and LEA, the terms of this DPA shall apply and take precedence. Except as described in this paragraph herein, all other provisions of the Service Agreement, or any other agreement shall remain in effect.
6.5.Notice. All notices or other communication required or permitted to be given under this DPA must be in writing and given by e-mail transmission, sent to the designated representatives listed below:
The designated representative for the Provider for this DPA is:
The designated representative for the LEA for this DPA is:
Name Xxxxxxx Xxxx
6.6.Entire Agreement. This DPA constitutes the entire agreement of the parties relating to the subject matter hereof and supersedes all prior communications, representations, or agreements, oral or written, by the parties relating thereto. This DPA may be amended and the observance of any provision of this DPA may be waived (either generally or in any particular instance and either retroactively or prospectively) only with the signed written consent of both parties. Neither failure nor delay on the part of any party in exercising any right, power, or privilege hereunder shall operate as a waiver of such right, nor shall any single or partial exercise of any such right, power, or privilege preclude any further exercise thereof or the exercise of any other right, power, or privilege.
6.7.Severability. Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions of this DPA, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. Notwithstanding the foregoing, if such provision could be more narrowly drawn so as not to be prohibited or unenforceable in such jurisdiction while, at the same time, maintaining the intent of the parties, it shall, as to such jurisdiction, be so narrowly drawn without invalidating the remaining provisions of this DPA or affecting the validity or enforceability of such provision in any other jurisdiction.
6.8.Governing Law; Venue and Jurisdiction. THIS DPA WILL BE GOVERNED BY AND CONSTRUED IN ACCORDANCE WITH THE LAWS OF THE STATE OF THE LEA SIGNING THE DPA, WITHOUT REGARD TO CONFLICTS OF LAW PRINCIPLES. EACH PARTY CONSENTS AND SUBMITS TO THE SOLE AND EXCLUSIVE JURISDICTION TO THE STATE AND FEDERAL COURTS FOR COUNTY THE LEA RESIDES IN, OF THE STATE OF THE LEA SIGNING THE DPA FOR ANY DISPUTE ARISING OUT OF OR RELATING TO THIS DPA OR THE TRANSACTIONS CONTEMPLATED HEREBY.
6.9.Electronic Signature: The Parties understand and agree that they have the right to execute this Agreement through paper or through electronic signature technology, which is in compliance with applicable state and Federal law governing electronic signatures. The parties agree that to the extent they sign electronically, their electronic signature is the legally binding equivalent to their handwritten signature. Whenever they execute an electronic signature, it has the same validity and meaning as their handwritten signature. They will not, at any time in the future, repudiate the meaning of their electronic signature or claim that their electronic signature is not legally binding. They agree not to object to the admissibility of this Agreement as an electronic record, or a paper copy of an electronic document, or a paper copy of a document bearing an electronic signature, on the grounds that it is an electronic record or electronic signature or that it is not in its original form or is not an original.
6.10.Multiple Counterparts: This Agreement may be executed in any number of identical counterparts. If so executed, each of such counterparts shall constitute this Agreement. In proving this Agreement, it shall not be necessary to produce or account for more than one
such counterpart. Execution and delivery of this Agreement by .pdf or other electronic format shall constitute valid execution and delivery and shall be effective for all purposes (it being agreed that PDF email shall have the same force and effect as an original signature for all purposes).
[Signatory Information Follows]
DocuSign Envelope ID: C7A0A937-808F-49B7-A8AC-E26DED8CBE79
DocuSign Envelope ID: 6C3EE3EF-75E9-48C5-B84B-33A7C550A250
Name: Xxxxx Xxxxxxxxxx Authorized Representative: Xxxxxxx Xxxx
Title: President Title: CTO
Bass Lake School District
Address:1501 Xxxxxx Xxxxxx, Xxxxx 000 Address: 00000 Xxxxxx Xxxxxxx XX
Xxxxxxx, XX 00000
9/11/2018 | 05:59:56 PDT
Date: 12/4/2018 | 08:08:38 PST
DESCRIPTION OF SERVICES
Xxxx.xxx is a nonprofit dedicated to expanding participation in computer science by making it available in more schools, and increasing participation by women and underrepresented students of color.
As part of its mission to expand access to computer science Xxxx.xxx provides the following services and resources:
● An online curriculum for teaching computer science, and an online learning platform for students to learn coding and computer science and to display and share their work
● Professional learning program for teachers to prepare to teach computer science
● Resources to support schools, districts, teachers, administrators, students, volunteers, parents, and advocates who want to expand the availability of computer science education, including recommendations of third party curriculum and course providers, links to educational resources, etc.
● Information about the state of computer science education in K-12 schools in America and globally
● Advocacy in support of Computer Science education in the K-16 education system
● The coordination and leadership of the global Hour of Code campaign for celebrating participation in computer science
Category of Data
Check if used by your system
Application Technology Meta Data
Other application technology
meta data-Please specify: standard log files, web beacons, and pixel tags
Application Use Statistics
Meta data on user interaction with
Standardized test scores
Other assessment data-Please specify:Student answers to assessments
in Xxxx.xxx coursework
Student school (daily) attendance data
Student class attendance data
Online communications that are captured (emails, blog
Conduct or behavioral data
Date of Birth (year only)
Place of Birth
Ethnicity or race
Language information (native, preferred or primary language spoken by student)
Other demographic information-Please specify: Age
Student school enrollment
Student grade level
Specific curriculum programs
Year of graduation
Other enrollment information-Please specify:
Category of Data
Check if used by your system
Student scheduled courses
English language learner information
Low income status
Student disability information
Specialized education services (IEP or 504)
Living situations (homeless/xxxxxx care)
Other indicator information- Please specify:
Student Contact Information
Email (used temporarily to recover an
account, not stored)
Local (School district) ID number
State ID number
Vendor/App assigned student ID number
Student app username
Student app passwords
First and/or Last
Student In App Performance
Program/application performance (typing program-student types 60 wpm, reading program- student reads below grade
Student Program Membership
Academic or extracurricular activities a student may
belong to or participate in
Student Survey Responses
Student responses to surveys or questionnaires
Student generated content; writing, pictures etc.
Parent/Guardian Contact Information
Parent ID number (created to link parents to students)
First and/or Last
SCHEDULE OF DATA
Category of Data
Check if used by your system
Other student work data - Please specify: Projects and Xxxx.xxx
Student course grades
Student course data
Student course grades/performance scores
Other transcript data -Please specify:
Category of Data
Check if used by your system
Student bus assignment
Student pick up and/or drop off location
Student bus card ID number
Other transportation data - Please specify:
Please list each additional
data element used, stored or collected by your application
“De-Identified Data” means information that has all Personally Identifiable Information, including direct and indirect identifiers removed or obscured, such that the remaining information does not reasonably identify an individual. This includes, but is not limited to, name, date of birth, demographic information, location information and school identity.
“Directory Information” shall have the meaning set forth under FERPA cited as 20 U.S.C. 1232 g(a)(5)(A)
“Education Record” shall have the meaning set forth under FERPA cited as 20 U.S.C. 1232 g(a)(4)
“Indirect Identifiers” means any information that, either alone or in aggregate, would allow a reasonable person to be able to identify a student to a reasonable certainty. When anonymous or non-personal information is directly or indirectly linked with Personally Identifiable Information, this anonymous or non-personal information is also treated as personal information. Persistent identifiers that are not anonymized, De-Identified or aggregated are personal information.
“NIST 800-63-3” shall mean the National Institute of Standards and Technology (“NIST”) Special Publication 800-63-3 Digital Authentication Guideline.
“Personally Identifiable Information” or “PII” means data that can be used to identify or contact a particular individual, or other data which can be reasonably linked to that data or to that individual’s specific computer or device. Student PII includes, without limitation, those items set forth in the definition of PII under FERPA.
“Sell” consistent with the Future of Privacy Forum Student Privacy Pledge, does not include or apply to a purchase, merger or other type of acquisition of a company by another entity, provided that the company or successor entity continues to treat the Personally Identifiable Information contained in Student Data in a manner consistent with this DPA with respect to the previously acquired Personally Identifiable Information contained in Student Data.
“Service Provider” means a party other than LEA or Provider, who Provider uses for data collection, analytics, storage, or other service to operate and/or improve its Services, and who has access to PII.
“School Official” means for the purposes of this DPA and pursuant to FERPA (34 CFR 99.31 (B)), a contractor that: (1) Performs an institutional service or function for which the agency or institution would otherwise use employees; (2) Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and (3) Is subject to FERPA restrictions (34 CFR 99.33(a)) governing the use and re-disclosure of personally identifiable information from student records.
“Student Data” means any data, whether gathered by Provider or provided by LEA or its users, students, or students’ parents/guardians, that is descriptive of the student including, but not limited to, information in the student’s Educational Record or email, first and last name, home address, telephone number, email address, or other information allowing online contact, discipline records, videos, test results, special education data, juvenile dependency records,
grades, evaluations, criminal records, medical records, health records, social security numbers, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings or geolocation information. To the extent U.S. law applies, Student Data may include Education Records. Student Data as specified in Exhibit B is confirmed to be collected or processed by the Provider pursuant to the Services. Student Data shall not include De-Identified Data or information that has been anonymized, or anonymous usage data regarding a student’s use of Provider’s Services.
“Student Generated Content” means materials or content created by a student including, but not limited to, essays, research reports, portfolios, creative writing, music or other audio files, photographs, videos, and account information that enables ongoing ownership of student content. “Student Generated Content” does not include student responses to a standardized assessment where student possession and control would jeopardize the validity and reliability of that assessment.
“Targeted Advertising” means presenting an advertisement to a student where the selection of the advertisement is based on Student Data or inferred over time from the usage of the Provider’s website, online service or mobile application by such student or the retention of such student’s online activities or requests over time and across non-affiliate websites for the purpose of targeting subsequent advertising. “Targeted Advertising” does not include advertising to a student based on the content of a web page, search query or a user’s contemporaneous behavior on the web site or a response to a student’s response or request for information or feedback, both of which are permitted.
“Third-Party Advertising” means direct advertising by third-parties and their products or services on the Service (i.e., such as when an advertiser would bid to place an advertisement directly on a platform). “Third-Party Advertising” does not include serving advertising to a student or others based on the content of a web page, search query or a user’s contemporaneous behavior on the web site for third-party products and services themselves that Provider believes may be of interest to users.
DIRECTIVE FOR DISPOSITION OF STUDENT DATA
LEA directs Xxxx.xxx to dispose of Student Data obtained by Provider pursuant to the terms of the DPA between LEA and Provider. The terms of the Disposition are set forth below:
1. Nature of Disposition
_ Disposition shall be by destruction or deletion of Student Data, including De-Identification of Student Data.
_ Disposition shall be by a transfer of Student Data. The Student Data shall be transferred to the following site as follows:
[Provide directions of where data files should be sent or uploaded]
2. Timing of Disposition
Student Data shall be disposed of by the following date:
_ As soon as commercially practicable
_ By [ ] - such date shall be no sooner than 30 days from the date of signature on this notice
*Note: any user account actively deleted by a user will have all personal information hard deleted 30 days after the account is deleted (meaning the personal information is not recoverable)
(Authorized Representative of LEA
4. Verification of Disposition of Data
Authorized Representative of Company Date