Agreement is made and entered into by and between the Rhode
Island Department of Elementary and Secondary Education,
to as “RIDE”, and XXXX,
hereinafter referred to as “XX”,
pursuant to the authority granted by Rhode Island state law,
relevant federal statutes, and related regulations.
CONTACTS: Rhode Island Department of Elementary and Secondary
David Abbott Michael Ferry
Commissioner Director, Data Analysis and Research
purpose of this Data Sharing Agreement is to provide XX(Describe
the project here ….from Data Request Form).
“Agreement” means this Data Sharing Agreement, including all
documents attached or incorporated by reference.
“Data Encryption” refers to ciphers, algorithms or other
encoding mechanisms that will encode data to protect its
confidentiality. Data encryption can be required during data
transmission or data storage depending
on the level of protection required for this data.
“Data Storage” refers to the state data is in when at rest. Data
shall be stored on secured environments.
“Data Transmission” refers to the methods and technologies to be
used to move a copy of the data between
systems, networks, and/or workstations.
“Disclosure” means to permit access to or release, transfer, or
other communication of personally identifiable information contained
in education or employment records by any means including oral,
or electronic means, to any party except the party identified or the
party that provided or created the record.
“RIDE Data” means data provided by RIDE, whether that data
originated in RIDE or in another entity.
“Personally Identifiable Information” means information that can
be used to distinguish or trace an individual’s
identity, such as their name, Social Security Number, student number
(SASID), biometric records, etc. alone,
or when combined with other personal or identifying information which
is linked or linkable to a specific
individual, such as date and place of birth, mother’s maiden name,
etc. Personally Identifiable Information
also includes other information that, alone or in combination, would
allow a reasonable person
in the school community, who does not have personal knowledge of the
relevant circumstances, to
identify the student with reasonable certainty. In the case of
employment data, this means information
which reveals the name or any identifying particulars about any
individual or any past or present
employer or employing unit, or which could foreseeably be combined
with other publicly available
information to reveal any such particulars.
This Agreement shall begin on (date),
or date of execution,
whichever is later, and end on (date),
sooner or extended as provided herein.
OF DATA TO BE SHARED
the Data Request Form
To ensure data is encrypted during data transmission, all data
transfers to/from XX
shall be transmitted using
the Consolidated Technology Services FTP Service with login and
hardened password security. RIDE shall
create an account for data requestor if an account does not already
All data provided by RIDE shall be stored on a secure environment
with access limited to the least number of staff needed to complete
the purpose of this Agreement.
agrees to store data on one or more of the following media and
protect the data as described:
Hard disk drives. Data is stored on local workstation hard disks.
Access to the data will be restricted
to authorized users by requiring logon to the local workstation
using a unique user ID and
password or other authentication mechanisms which provide equal or
greater security, such as biometrics or smart cards. If the
workstation is located in an unsecured physical location the hard
must be encrypted to protect RIDE data in the event the device is
server disks. Data is stored on hard disks mounted on network
servers and made available through shared folders. Access to the
data will be restricted to authorized users through the use of
access control lists which will grant access only after the
authorized user has authenticated to the network
using a unique user ID and complex password or other authentication
mechanisms which provide equal or greater security, such as
biometrics or smart cards. Data on disks mounted to such servers
must be located in an area which is accessible only to authorized
personnel, with access controlled
through use of a key, card key, combination lock, or comparable
mechanism. Backup copies
for data recovery purposes must be encrypted if recorded to
documents. Any paper records must be protected by storing the
records in a secure area which is
only accessible to authorized individuals. When not in use, such
records must be stored in a locked container,
such as a file cabinet, locking drawer, or safe, to which only
authorized persons have access.
storage on portable devices or media.
data shall not be stored by XX
on portable devices or media unless specifically authorized within
this Agreement. If so authorized, the data shall be given the
Encrypt the data with a key length of at least 128 bits
access to devices with a unique user ID and password or stronger
such as a physical token or biometrics.
lock devices whenever they are left unattended and set devices to
after a period of inactivity, if this feature is available. Maximum
period of inactivity
is 20 minutes.
protect the portable device(s) and/or media by:
them in locked storage when not in use;
check-in/check-out procedures when they are shared; and
When being transported outside of a secure area, portable devices
and media with confidential RIDE data must be under the physical
control of XX
staff with authorization to access the data.
Portable devices include, but are not limited to; handhelds, flash
(e.g. USB flash drives, personal media players), portable hard disks,
and laptop/notebook computers.
media includes, but is not limited to; optical media (e.g. CDs,
DVDs,), magnetic media
(e.g. Zip Drive ), or flash media (e.g. CompactFlash, SD, MMC).
Against Unauthorized Access and Re-disclosure
shall exercise due care to protect all Personally Identifiable data
from unauthorized physical and
access. Both parties shall establish and implement the following
minimum physical, electronic and
managerial safeguards for maintaining the confidentiality of
information provided by either party
to this Agreement:
to the information provided by RIDE will be restricted to only those
authorized staff, officials, and
agents of the parties who need it to perform their official duties
in the performance of the work requiring
access to the information as detailed in the Purpose of this
will store the information in an area that is safe from access by
unauthorized persons during duty hours
as well as non-duty hours or when not in use.
specifically authorized in this Agreement, XX
will not store any confidential or sensitive RIDE data on portable
electronic devices or media, including, but not limited to laptops,
flash memory devices, optical discs (CDs/DVDs), and portable
will protect the information in a manner that prevents unauthorized
persons from retrieving the information
by means of computer, remote terminal or other means.
shall take precautions to ensure that only authorized personnel and
agents are given access to online
files containing confidential or sensitive data.
shall instruct all individuals with access to the Personally
Identifiable Information regarding the confidential
nature of the information, the requirements of Use of Data and
Safeguards Against Unauthorized
Access and Re-Disclosure clauses of this Agreement, and the sanctions
specified in federal
and state laws against unauthorized disclosure of information covered
by this Agreement.
shall take due care and take reasonable precautions to protect RIDE’s
data from unauthorized physical
and electronic access. Both parties will strive to meet or exceed the
requirements of the State
of Rhode Island’s policies and standards for data security and
access controls to ensure the confidentiality,
availability, and integrity of all data accessed.
RIDE data must be segregated or otherwise distinguishable from
non-RIDE data. This is to ensure that when
no longer needed by XX,
all RIDE data can be identified for return or destruction. It also
in determining whether RIDE data has or may have been compromised in
the event of a security breach.
RIDE data will be kept on media (e.g. hard disk, optical disc, tape,
etc.) which will contain no non-RIDE data.
RIDE data will be stored in a logical container on electronic media,
such as a partition or folder dedicated
to RIDE data. Or,
RIDE data will be stored in a database which will contain no
non-RIDE data. Or,
RIDE data will be stored within a database and will be
distinguishable from non-RIDE data by the value
of a specific field or fields within database records. Or,
When stored as physical paper documents, RIDE data will be
physically segregated from non-RIDE data
in a drawer, folder, or other container.
When it is not feasible or practical to segregate RIDE data from
non-RIDE data, then both the RIDE data
and the non-RIDE data with which it is commingled must be protected
as described in this Agreement.
or its agents detect a compromise or potential compromise in the IT
security for this data such that personal
information may have been accessed or disclosed without proper
authorization, XX shall give notice
to RIDE within one (1) business day of discovering the compromise or
potential compromise. XXshall
take corrective action as soon as practicable to eliminate the cause
of the breach and shall be responsible
for ensuring that appropriate notice is made to those individuals
whose personal information may
have been improperly accessed or disclosed.
acknowledges the personal or confidential nature of the information
and agrees that their staff and contractors
with access shall comply with all state and federal laws (FERPA,
HIPPA), regulations, and policies that apply to protection of the
of the data. If data provided under this Agreement is to be shared
with a subcontractor, the
contract with the subcontractor must include all of the data security
provisions within this Agreement and
within any amendments, attachments, or exhibits within this
Agreement. If the Contractor cannot protect
the data as articulated within this Agreement, then the Contract with
the subcontractor must be submitted
to the RIDE Agreement Administrator specified for this Agreement for
review and approval.
Individuals will access data gained by reason of this Agreement only
for the purpose of this Agreement.
Each individual (staff and their contractors) with data access shall
read and sign Exhibit A, Statement
of Confidentiality and Non-Disclosure, prior to access to the data.
Copies of the signed forms
shall be sent to the RIDE Agreement Administrator identified on Page
1 of this Agreement, who will
distribute them to the other educational agencies as appropriate.
RIDE may at its discretion disqualify at any time any person
authorized access to confidential information
by or pursuant to this Agreement. Notice of disqualification shall be
in writing and shall terminate
a disqualified person’s access to any information provided by RIDE
pursuant to this Agreement immediately upon delivery of notice to XX.
Disqualification of one or more persons by RIDE does not affect other
persons authorized by or pursuant to this Agreement.
for Unauthorized Disclosure of Information
the event XX
fails to comply with any terms of this Agreement, RIDE shall have
the right to take such action
as it deems appropriate. The exercise of remedies pursuant to this
paragraph shall be in addition to
all sanctions provided by law, and to legal remedies available to
parties injured by unauthorized disclosure.
Data provided by RIDE will remain the property of RIDE and will be
returned to RIDE or destroyed when the work for which the information
was required has been completed.
This Agreement does not constitute a release of the data for XX’s
discretionary use, but may be accessed only to carry out the
responsibilities specified herein. Any ad hoc analyses or other use
of the data, not specified
in this Agreement, is not permitted without the prior written
agreement of RIDE. XX
shall not disclose, transfer, or sell any such information to any
party, except as provided by law. XX
shall maintain the
confidentiality of all Personally Identifiable Information and other
information gained by reason of this
is not authorized to update or change any RIDE data, and any updates
or changes shall be cause for immediate
termination of this Agreement
If a discrepancy in the RIDE data is discovered, XX
will contact RIDE to make corrections as necessary.
Neither the state of Rhode Island nor RIDE guarantees the accuracy
of the data provided. All risk and liabilities of use
and misuse of information provided pursuant to this Agreement are
understood and assumed by XX.
Data provided by RIDE cannot be linked with other data or data sets
as a way to determine the identity of individuals
or employers; the data in any data set shall be used for statistical
purposes only. Using RIDE data to identify students or employers
shall be cause for immediate termination of this Agreement and may
prevent data sharing agreements with the organization in the future.
If the identity of any student or employer
is discovered inadvertently, XX
shall not use this information and shall advise RIDE of any such
Data provided by RIDE cannot be re-disclosed or duplicated unless
specifically authorized in this Agreement.
shall follow applicable federal and state laws protecting student and
when displaying student information in public reports.
Publicly-reported aggregated results will not contain any group of
fewer than 10 individuals.
shall include the following excerpts with any public release using
research presented here utilizes confidential data from the Rhode
Island Department of Education.
The views expressed here are those of the author(s) and do not
necessarily represent those of RIDE or other data contributors. Any
errors are attributable to the author(s).”
Provide draft report to RIDE at least ten (10) working days prior to
any public release
of reports and communicate with RIDE when questions arise regarding
The requirements in this section shall survive the termination or
expiration of this agreement or any subsequent
agreement intended to supersede this Data Sharing Agreement.
Upon termination of the agreement, XX
shall dispose of the data received and provide written notification
disposal (See Exhibit B). Failure to do so may prevent data sharing
agreements with the organization in the future.
Upon the destruction of RIDE data, XX
shall complete Exhibit B Certification of Data Disposition, and
it to the RIDE Agreement Administrator within fifteen (15) days of
the date of disposal.
Acceptable destruction methods for various types of media include:
paper documents containing confidential or sensitive information, a
contract with a recycling firm to recycle confidential documents is
acceptable, provided the contract ensures that the confidentiality
the data will be protected. Such documents may also be destroyed by
on-site shredding, pulping, or
paper documents containing Confidential Information requiring
special handling, recycling is not an
option. These documents must be destroyed by on-site shredding,
pulping, or incineration.
confidential or sensitive information has been contained on optical
discs (e.g. CDs, DVDs,), the
data recipient shall either destroy by incineration the disc(s),
shredding the discs, or completely deface the readable surface with
a coarse abrasive.
data has been stored on server or workstation data hard drives or
similar media, the data recipient shall destroy the data by using a
“wipe” utility which will overwrite the data at least three (3)
either random or single character data, degaussing sufficiently to
ensure that the data cannot be
reconstructed, or physically destroying disk(s).
If data has been stored on removable media (e.g., USB flash drives,
portable hard disks, or similar
disks), the data recipient shall destroy the data by using a “wipe”
utility which will overwrite the data at least three (3) times using
either random or single character data, degaussing sufficiently to
ensure that the data cannot be reconstructed, or physically
OVERSIGHT AND RECORDS MAINTENANCE
agrees that RIDE shall have the right, at any time, to monitor, audit
and review activities and methods
implementing the Agreement in order to assure compliance therewith,
within the limits of XX’s
Both parties hereto shall retain all records, books, or documents
related to this Agreement for six years, except
data destroyed in Section 9. The Office of the State Auditor, federal
auditors, and any persons duly authorized
by the parties shall have full access to and the right to examine any
of these materials during this
party to this Agreement shall be responsible for any and all acts and
omissions of its own staff, employees,
officers, agents and independent contractors. Each party shall
furthermore defend and hold harmless
the other party from any and all claims, damages, and liability of
any kind arising from any act or omission
of its own staff, employees, officers, agents, and independent
AND ALTERATIONS TO THIS AGREEMENT
With mutual consent, RIDE and XX
may amend this Agreement at any time, provided that the amendment is
in writing and signed by authorized staff.
In the event of an inconsistency in this Contract, unless otherwise
provided herein, the inconsistency shall be resolved by giving
precedence in the following order:
Federal and State laws;
Any other provisions of the Contract whether by reference or
Either party may terminate this Agreement with thirty (30) days’
written notice to the other party’s Agreement
Administrator named on Page 1. In case of termination, any and all
information provided by RIDE
pursuant to this agreement shall either be immediately returned to
RIDE or immediately destroyed. Written
notification of destruction to RIDE is required.
may terminate this Agreement at any time prior to the date of
completion if and when it is determined that XX
has failed to comply with the conditions of this Agreement. RIDE
shall promptly notify
in writing of the termination and the reasons for termination,
together with the effective date of termination.
In case of termination, the data provided by RIDE shall be returned
to RIDE or destroyed on or before the date of termination. Written
notification of destruction to RIDE is required.
This Agreement shall be construed under the laws of the State of
Rhode Island. Venue shall be proper in Superior
Court in Providence County, Rhode Island.
The provisions of this Agreement are severable. If any provision of
this Agreement is held invalid by any court; that invalidity shall
not affect the other provisions of this Agreement and the invalid
provision shall be considered modified to conform to the existing
signatures below indicate agreement between the parties.
OF DEPUTY COMMISSIONER/GENERAL COUNSEL XXXX
OF CONFIDENTIALITY AND NON-DISCLOSURE between
Island Department of Elementary and Secondary Education and
an employee of XX,
I have access to information provided by the Rhode Island Department
of Elementary and Secondary Education (RIDE).
This information is confidential, and I understand that I am
responsible for maintaining this confidentiality.
I understand that the information may be used solely for the purposes
of work under Data
Sharing Agreement #
have been informed and understand that all information related to
this Data Sharing Agreement is confidential and may not be disclosed
to unauthorized persons. I agree not to divulge, transfer, sell, or
otherwise make known to unauthorized
persons any information contained in this system.
also understand that I am not to access or use this information for
my own personal information but only to the
extent necessary and for the purpose of performing my assigned
duties as an employee of XX
under this Agreement.
I understand that a breach of this confidentiality will be grounds
for disciplinary action which may
also include termination of my employment and other legal action.
agree to abide by all federal and state laws and regulations
regarding confidentiality and disclosure of the information
related to this Data Sharing Agreement.
have read and understand the above The
employee has been informed of their
of Nondisclosure of information. obligations
including any limitations, use or
return signed forms to Rhode Island Department of Education, 255
Westminster St. Providence, RI 02903
Certification of Data Disposition
of Disposition: ______________________________
copies of any data sets related to Data Sharing Agreement #
have been wiped from data
materials and non-wiped computer media containing any data sets
related to Data Sharing Agreement
have been destroyed.
data recipient hereby certifies, by signature below, that the data
disposition requirements as provided in Data Sharing Agreement #
Data Disposition section of this Agreement have been
fulfilled as indicated above.
original to RIDE representative indicated on page 1 of this Contract.
Retain a copy for your records.