(the “Vendor”) and Cattaraugus Little Valley Central
WHEREAS, Cattaraugus Little Valley Central School and Gimkit are parties to a contract (the “Contract”) pursuant to which Gimkit will receive student data and/or teacher or principal data (“Protected Data”) that is protected under New York Education Law Section 2-d and Part 121 of the Regulations of the Commissioner of Education (collectively referred to as “Section 2-d”) from CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL for purposes of providing certain products or services to CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL; and
WHEREAS, both CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL and Gimkit are desirous of fulfilling their respective obligations under New York Education Law Section 2-d;
NOW THEREFORE, in consideration of the mutual promises and covenants contained in the Contract, as well as this Agreement, the parties hereto mutually agree as follows:
a. Gimkit, its employees, and/or agents agree that all information obtained in connection with the services provided for in the Agreement is deemed confidential information.
b. Gimkit further agrees to maintain the confidentiality of the Protected Data it receives in accordance with federal and state law and that any information obtained will not be revealed to any persons, firms or organizations.
2. Data Protections and Internal Controls
a. Gimkit acknowledges that it may receive and/or come into contact with personally identifiable information, as defined by New York Education Law Section 2-d, from records maintained by CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL that directly relate to a student(s) (hereinafter referred to as “education record”).
b. Gimkit understands and acknowledges that it shall have in place sufficient protections and internal controls to ensure that information is safeguarded in accordance with applicable laws and regulations, and understands and agrees that it is responsible for complying with state data security and privacy standards for all personally identifiable information from education records, and it shall:
1. Limit internal access to education records to those individuals that are determined to have legitimate educational interests; and
2. Not use the education records for any other purpose than those explicitly authorized in the Contract and/or Agreement; and
3. Maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of education records in its custody; and
4. Use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the secretary of the United States Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5.
3. Data Security and Privacy Plan
a. Gimkit agrees to have a Data Security and Privacy Plan in place to protect the confidentiality, privacy and security of the Protected Data it receives from CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL.
b. Gimkit understands and agrees that it is responsible for submitting a Data Security and Privacy Plan to CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL prior to the start of the term of the Agreement, and it shall:
1. Outline how all state, federal and local data security and privacy contract requirements will be implemented over the life of the contract consistent with CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL’s policy on data security and privacy, as adopted.
2. Outline specific administrative, operational and technical safeguards and practices in place to protect Protected Data that it receives from CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL under the Contract.
3. Outline the training requirement established by Gimkit for all employees who will receive personally identifiable information from student records (hereinafter referred to as “student data”).
4. Notice of Breach and Unauthorized Release
a. In the event of a breach of this Agreement and unauthorized release of student data, Gimkit shall:
1. Immediately notify CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL in the most expedient way possible and without unreasonable delay, but no more than seven (7) calendar days after Gimkit has discovered or been informed of the breach or authorized release.
2. Advise CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL as to the nature of the breach and steps Gimkit has taken to minimize said breach.
b. In the case of required notification to a parent or eligible student, Gimkit shall:
1. Promptly reimburse CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL for the full costs of such notification.
c. Gimkit will cooperate with CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL and provide as much information as possible directly to CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL about the incident, including but not limited to:
1. The description of the incident;
2. The date of the incident;
3. The date Gimkit discovered or was informed of the incident;
4. A description of the types of Protected Data involved;
5. An estimate of the number of records affected;
6. The schools within CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL affected;
7. What Gimkit has done or plans to do to investigate the incident, stop the breach and mitigate any further unauthorized access or release of Protected Data; and
8. The contact information for Gimkit representatives who can assist affected individuals that may have additional questions.
d. Gimkit shall indemnify and hold CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL harmless from any claims arising from its breach within the Data Sharing and Confidentiality Agreement confidentiality and data security and privacy standards provision.
e. Gimkit acknowledges that upon initial notification from Gimkit, CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL, as the educational agency with which Gimkit contracts, has an obligation under Section 2-d to in turn notify the Chief Privacy Officer in the New York State Education Department (“CPO”). Gimkit agrees not to provide this notification to the CPO directly unless requested by CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL or otherwise required by law. In the event the CPO contacts Gimkit directly or requests more information from Gimkit regarding the incident after having been initially informed of the incident by CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL, Gimkit will promptly inform CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL of the same.
5. Gimkit Information
Gimkit understands that as part of CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL’s obligations under New York Education Law Section 2-d, Gimkit is responsible for providing CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL with Gimkit information (see Gimkit Information for Data Privacy and Security) to include:
a. Exclusive purposes for which the student data will be used;
b. How Gimkit will ensure that subcontractors, persons or entities that Gimkit will share the student data with, if any, will abide by data protection and security requirements;
c. That student data will be returned or destroyed upon expiration of the Agreement;
d. If and how a parent, student, or eligible teacher may challenge the accuracy of the student/teacher data that is collected; and
e. Where the student data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.
6. Termination or Expiration of Contract and/or Agreement
a. Upon termination of the Agreement, Gimkit shall return or destroy all confidential information obtained in connection with the services provided therein and/or student data. Destruction of the confidential information and/or student data shall be accomplished utilizing an approved method of confidential destruction, including, shredding, burning or certified/witnessed destruction of physical materials and verified erasure of magnetic media using approved methods of electronic file destruction. The parties further agree that the terms and conditions set forth herein shall survive the expiration and/or termination of the Agreement.
b. If requested by CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL, Gimkit will assist CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL in exporting all Protected Data previously received back to CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL for its own use, prior to deletion, in such formats as may be requested by CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL.
c. In the event the Contract is assigned to a successor Gimkit (to the extent authorized by the Contract), Gimkit will cooperate with CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL as necessary to transition Protected Data to the successor Gimkit prior to deletion.
d. Neither Gimkit nor any of its subcontractors or other authorized persons or entities to whom it has disclosed Protected Data will retain any Protected Data, copies, summaries or extracts of the Protected Data, or any de-identified Protected Data, on any storage medium whatsoever. Upon request, Gimkit and/or its subcontractors or other authorized persons or entities to whom it has disclosed Protected Data, as applicable, will provide CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL with a certification from an appropriate officer that these requirements have been satisfied in full.
PARENTS’ BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY
CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL informs the school community of the following:
1. A student's personally identifiable information cannot be sold or released for any commercial purposes.
2. Parents have the right to inspect and review the complete contents of their child's education record.
3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred.
4. A complete list of all student data elements collected by New York State is available for public review at the following website http://www.nysed.gov/data-privacy-security/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 89 Washington Avenue, Albany, New York 12234.
5. Parents have the right to submit complaints about possible breaches of student data addressed. Complaints should be directed in writing to CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL Data Privacy Officer, 1825 Windfall Road, Olean, New York 14760 or by using the form available at the following website: https://caboces.org/resources/new-york-state-education-law-2d/report-an-improper-disclosure/. Complaints may also be directed in writing to Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, New York 12234 or by using the form available at the following website: http://www.nysed.gov/data-privacy-security/report-improper-disclosure
IN WITNESS WHEREOF, the parties hereto have executed this agreement as of the day and year first written above.
Authorized Gimkit Signature Date
Authorized CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL Signature
GIMKIT INFORMATION REGARDING DATA PRIVACY AND SECURITY
Collects: ☐ Student Data ☐ Teacher or Principal Data ☐ Does not collect either
Educational agencies including Cattaraugus-Allegany-Erie-Wyoming BOCES are required to post information about third-party contracts on the agency’s website with the Parents Bill of Rights. To that end, please complete the table below with information relevant to NYS Education Law 2-d and Part 121.3 of the Commissioner’s Regulations. Note that this applies to all software applications and to mobile applications (“apps”).
Part 1: Exclusive Purposes for Data Use The exclusive purposes for which the student data (or teacher or principal data) will be used by the third-party contractor:
Part 2: Subcontractor Oversight Details – Select the appropriate option below.
☐ This contract has no subcontractors.
☐ This contract has subcontractors. As such, the third-party contractor will take the following steps to ensure that any subcontractors, assignees, or other agents who see, or receive, this protected data are contractually required to obey the same data protection and security requirements that the third-party contractor is required to obey under state and federal law:
Part 3: Contract Lifecycle Practices The contract expires on unless renewed or automatically extended for a term pursuant to the agreement. When the contract expires, protected data will be deleted by the contractor, via shredding, returning of data, mass deletion, and upon request, may be exported for use by Sa before deletion.
Part 4: Student Educational Records / Improper Disclosure
A. For information on FERPA (Family Educational Rights and Privacy Act), which is the federal law that protects the privacy of student education records, visit the U.S. Department of Education FERPA website.
B. A complaint or report of improper disclosure may be completed by submitting the Improper Disclosure Report form.
Part 5: Security Practices
A. Protected data provided to the contractor will be stored: (include where and how)
B. The security protections taken to ensure data will be protected that align with the NIST Cybersecurity Framework and industry best practices include:
Part 6: Encryption Practices
☐ By checking this box, contractor certifies that data encryption is applied in accordance with