UTAH STUDENT DATA PRIVACY AGREEMENT
UTAH STUDENT DATA PRIVACY AGREEMENT
Version 2.0
NORTH SANPETE SCHOOL DISTRICT
and
Naviance, Inc.
March 16, 2020
This Utah Student Data Privacy Agreement (“DPA”) is entered into by and between the North Sanpete School District (hereinafter referred to as “LEA”) and Naviance, Inc. (hereinafter referred to as “Contractor”) on March 16, 2020. The Parties agree to the terms as stated herein.
RECITALS
WHEREAS, the Contractor has agreed to provide the Local Education Agency (“LEA”) with certain digital educational services (“Services”) pursuant to the agreement executed on May 14, 2015 (“Service Agreement”); and
WHEREAS, in order to provide the Services described in the Service Agreement, the Contractor may receive or create, and the LEA may provide documents or data that are covered by several federal statutes, among them, the Family Educational Rights and Privacy Act (“FERPA”) at 20
U.S.C. 1232g (34 CFR Part 99), Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C.
6501-6506; Protection of Pupil Rights Amendment (“PPRA”) 20 U.S.C. 1232h; and
WHEREAS, the documents and data transferred from LEAs and created by the Contractor’s Services are also subject to Utah state student privacy laws, including the Utah Student Data Protection Act UCA Section 53E-9; and
WHEREAS, for the purposes of this DPA, Contractor is a school official with legitimate educational interests in accessing Education Records pursuant to the Service Agreement for the limited purposes of this DPA; and
WHEREAS, the Parties wish to enter into this DPA to ensure that the Service Agreement conforms to the requirements of the privacy laws referred to above and to establish implementing procedures and duties; and
NOW THEREFORE, for good and valuable consideration, the parties agree as follows:
ARTICLE I: PURPOSE AND SCOPE
1. Purpose of DPA. The purpose of this DPA is to describe the duties and responsibilities to protect student data transmitted to Contractor from LEA pursuant to the Service Agreement, including compliance with all applicable statutes, including the FERPA, COPPA, PPRA and other applicable Utah State laws, all as may be amended from time to time. In performing these Services, the Contractor shall be considered a School Official with a legitimate educational interest, and performing services otherwise provided by the LEA. With respect to the use and maintenance of Student Data, Contractor shall be under the direct control of the LEA.
2. Nature of Services Provided. The Contractor has agreed to provide digital educational products and services outlined in Exhibit “A”.
3. Student Data to Be Provided. The Parties shall indicate the categories of student data to be provided in the Schedule of Data, attached as Exhibit “B”.
4. DPA Definitions. The definition of terms used in this DPA is found in Exhibit “C”. In the event of a conflict, definitions used in this DPA shall prevail over term used in the Service Agreement.
ARTICLE II: DATA OWNERSHIP AND AUTHORIZED ACCESS
1. Student Data Property of LEA. All Student Data transmitted to the Contractor pursuant to the
Service Agreement is and will continue to be the property of the student.
2. Parent Access. The LEA shall establish reasonable procedures by which a parent, legal guardian, or eligible student may request the opportunity to inspect and review Student Data in the student's records, and seek to amend Student Data that are inaccurate, misleading or in violation of the student's right of privacy. LEA may access, amend, or correct its Student Data directly in the Services. In the event that a parent of a student or other individual contacts the Contractor to review any of the Student Data accessed pursuant to the Services, the Contractor shall refer the parent or individual to the LEA, who will follow the necessary and proper procedures regarding the requested information.
3. Third Party Request. Should a Third Party, including law enforcement and government entities, request data held by the Contractor pursuant to the Services Agreement, the Contractor shall redirect the Third Party to request the data directly from the LEA. Unless legally prohibited from doing so, Contractor shall notify the LEA in advance of a compelled disclosure to a Third Party. Contractor shall share Student Data with law enforcement if required by law or court order.
4. Subprocessors. Contractor shall enter into written agreements with all Subprocessors performing functions pursuant to the Service Agreement, whereby the Subprocessors agree to protect Student Data in a manner consistent with the terms of this DPA. Contractor shall provide the LEA with a description of the subprocessors or types of subprocessors who have access to the LEA's student data and shall update the list as new subprocessors are added.
ARTICLE III: DUTIES OF CONTRACTOR
1. Privacy Compliance. The Contractor shall comply with all applicable state and federal laws and regulations pertaining to data privacy and security, including FERPA, COPPA, PPRA and all other Utah privacy statutes as they relate to Contractor’s collection, use, storage, or sharing of Student Data.
2. Authorized Use. The Student Data shared pursuant to the Service Agreement, including persistent unique identifiers, shall be used for no purpose other than the Services stated in the Service Agreement and/or otherwise authorized under the statutes referenced in the prior subsection. Contractor also acknowledges and agrees that it shall not make any re-disclosure of any
Student Data except to its subprocessors as necessary to provide the Services.
3. Employee Obligation. Contractor shall require all employees who have access to Student Data to comply with all applicable provisions of this DPA with respect to the data shared under the Service Agreement.
4. Use of De-identified information. De-identified information may be used by the Contractor for the purposes of development, research, demonstration of efficacy, and improvement of educational sites, services, or applications, as any other member of the public or party would be able to use de- identified data pursuant to 34 CFR 99.31(b). Contractor agrees not to attempt to re-identify de- identified Student Data.
5. Disposition of Data. Within 6 months of termination of the Service Agreement or within 30 days of receipt of written request Contractor shall dispose or delete all Student Data obtained under the Service Agreement. The duty to dispose of Student Data shall not extend to data that has been de- identified. The LEA may employ a “Request for Return or Deletion of Student Data” form, a copy of which is attached hereto as Exhibit “D”.
6. Additional Acceptable Uses of Student Data. Contractor is prohibited from using Student Data for any secondary use not described in this agreement except:
a. for adaptive learning or customized student learning purposes;
b. to market an educational application or product to a parent or legal guardian of a student if Contractor did not use Student Data, shared by or collected per this Contract, to market the educational application or product;
c. to use a recommendation engine to recommend to a student
i. content that relates to learning or employment, within the third-party contractor's internal application, if the recommendation is not motivated by payment or other consideration from another party; or
ii. services that relate to learning or employment, within the third-party contractor's internal application, if the recommendation is not motivated by payment or other consideration from another party;
d. to respond to a student request for information or feedback, if the content of the response is not motivated by payment or other consideration from another party.; and
e. to use Student Data to allow or improve operability and functionality of the third-party contractor's internal application.
ARTICLE IV: DATA PROVISIONS
1. Data Security. The Contractor agrees to abide by and maintain adequate data security measures, consistent with industry standard practices within the educational technology industry, and to protect Student Data from unauthorized disclosure or acquisition by an unauthorized person. These measures shall include, but are not limited to:
a. Passwords and Employee Access. Contractor shall secure usernames, passwords, and any other means of gaining access to the Services or to Student Data. Contractor shall
only provide access to Student Data to employees or contractors that are performing the Services.
b. Security Protocols. Both parties agree to maintain security protocols that meet industry standards in the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so. Contractor shall maintain all data obtained or generated pursuant to the Service Agreement in a secure digital environment and not copy, reproduce, or transmit data obtained pursuant to the Service Agreement, except as necessary to fulfill the purpose of data requests by LEA.
c. Security Technology. Contractor shall employ internet industry standard measures to protect data from unauthorized access while the data is in transit or at rest. The service security measures shall include server authentication and data encryption. Contractor shall host data pursuant to the Service Agreement in an environment using a firewall that is updated according to industry standards.
d. Audit Rights. Upon reasonable notice, and at the request of the LEA, the LEA or the LEA’s designee may audit the Contractor to verify compliance with this DPA, as required by the Utah Student Data Protection Act.
2. Data Breach. In the event that Contractor discovers that Student Data has been accessed or obtained by an unauthorized individual, Contractor shall provide notification to LEA within a reasonable amount of time of the incident, not to exceed 72 hours.
ARTICLE V- GENERAL OFFER OF PRIVACY TERMS
Intentionally omitted.
ARTICLE VI: MISCELLANEOUS
1. Term. The Contractor shall be bound by this DPA for the duration of the Service Agreement or so long as the Contractor maintains any Student Data.
2. Termination. In the event that either party seeks to terminate this DPA, they may do so by mutual written consent so long as the Service Agreement has lapsed or has been terminated. LEA shall have the right to terminate the DPA and Service Agreement in the event of a material breach of the terms of this DPA.
3. Effect of Termination Survival. If the Service Agreement is terminated, the Contractor shall
destroy all of LEA’s data pursuant to Article III, section 5 above.
4. Priority of Agreements. This DPA shall govern the treatment of Student Data in order to comply with privacy protections, including those found in FERPA and all applicable privacy statutes identified in this DPA. In the event there is conflict between the DPA and the Service Agreement, the DPA shall apply and take precedence. Except as described in this paragraph herein, all other provisions of the Service Agreement shall remain in effect.
5. Notice. All notices or other communication required or permitted to be given hereunder must be in writing and given by personal delivery, or e-mail transmission (if contact information is provided for the specific mode of delivery), or first-class mail, postage prepaid, sent to the designated representatives below:
a. Designated Representatives
The designated representative for the LEA for this Agreement is: Name: Xxxxxx Xxxxxx
Title: Data Specialist
Contact Information:
North Sanpete School District
000 X 000 X, Xx. Xxxxxxxx, XX 00000
The designated representative for the Contractor for this Agreement is:
Name: Xxxxxx Xxxxxxx Title: General Manager
Contact Information:
Naviance, Inc. 0000 Xxxxxx Xxxxxxxxx, Xxxxx 000
Xxxxxxxxx, XX 00000 xxxxxx.xxxxxxx@xxxxxxx.xxx
The designated representative for notice of acceptance of the General Office of Privacy Terms is: Name: Xxxxxx Xxxxxxx
Title: General Manager
Contact Information:
See above
6. Entire Agreement. This DPA constitutes the entire agreement of the parties relating to the subject matter hereof and supersedes all prior communications, representations, or agreements, oral or written, by the parties relating thereto. This DPA may be amended and the observance of any provision of this DPA may be waived (either generally or in any particular instance and either retroactively or prospectively) only with the signed written consent of both parties.
7. Severability. Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions of this DPA, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. Notwithstanding the foregoing, if such provision could be more narrowly drawn so as not to be prohibited or unenforceable in such jurisdiction while, at the same time, maintaining the intent of the parties, it shall, as to such jurisdiction, be so narrowly drawn without invalidating the remaining provisions of this DPA or affecting the validity or enforceability of such provision in any other jurisdiction.
8. Governing Law; Venue and Jurisdiction. THIS DPA WILL BE GOVERNED BY AND CONSTRUED IN ACCORDANCE WITH THE LAWS OF THE STATE OF UTAH, WITHOUT REGARD TO CONFLICTS OF LAW PRINCIPLES. EACH PARTY CONSENTS AND SUBMITS TO THE SOLE AND EXCLUSIVE JURISDICTION TO THE STATE AND FEDERAL COURTS OF UTAH FOR ANY DISPUTE ARISING OUT OF OR RELATING TO THIS SERVICE AGREEMENT OR THE TRANSACTIONS CONTEMPLATED HEREBY.
9. Authority. Contractor represents that it is authorized to bind to the terms of this DPA, including confidentiality and destruction of Student Data and any portion thereof contained therein, all related or associated institutions, individuals, employees or contractors who may have access to the Student Data and/or any portion thereof, or may own, lease or control equipment or facilities of any kind where the Student Data and portion thereof stored, maintained or used in any way. Contractor agrees that any purchaser of the Contractor shall also be bound to this DPA.
10. Waiver. No delay or omission of the LEA to exercise any right hereunder shall be construed as a waiver of any such right and the LEA reserves the right to exercise any such right from time to time, as often as may be deemed expedient. LEA hereby waives and releases any and all claims against the Utah State Board of Education and/or its members, departments, office, and staff (collectively, “USBE”), for USBE’s efforts and conduct related to the negotiations and/or formation of this DPA. The parties agree that USBE is not an agent nor a representative of LEA in the formation or execution of this DPA, and that LEA negotiated with Contractor at arm’s length in the creation of this DPA. USBE is thus not responsible or liable to either party under this DPA, and owes no duty to either party under this DPA.
10. Successors Bound. This DPA is and shall be binding upon the respective successors in interest to Contractor in the event of a merger, acquisition, consolidation or other business
reorganization or sale of all or substantially all of the assets of such business.
IN WITNESS WHEREOF, the parties have executed this Utah Student Data Privacy Agreement as of the last day noted below.
Contractor: NAVIANCE, INC.
BY: Date: 03/23/2020
Printed Name: Xxxxxx Xxxxxxx Title/Position: General Manager
Local Education Agency: NORTH SANPETE SCHOOL DISTRICT
BY: Date: 03/16/2020
Printed Name: Xxxxxx Xxxxxx Title/Position: Data Specialist
EXHIBIT “A”
DESCRIPTION OF SERVICES
The Service is a web and mobile-based college and career readiness platform that helps students explore goal setting, academic planning, career exploration, and college and related post- secondary education preparation and planning. The Service also helps to identify and facilitate student connection with higher education institutions and scholarship providers that are of interest, while simultaneously operating as the system of records for LEA. Many core features of the Service may be activated solely at the discretion of LEA.
EXHIBIT “B”
SCHEDULE OF STUDENT DATA
Check | ||
Category of Data | Elements | if used by your |
system | ||
IP Addresses of | X | |
users, Use of | ||
Application Technology Meta Data | cookies etc. | |
Other application technology meta | X | |
data-Please | ||
specify: | ||
Application Use Statistics | Meta data on user interaction with application | X |
Assessment | Standardized test scores | X |
Observation data | N/A | |
Other assessment data- Please specify: | X | |
Attendance | Student school (daily) attendance data | N/A |
Student class attendance data | N/A | |
Online | Email sent | |
Communication s | communications that are captured (emails, blog | in Naviance |
entries) | ||
Conduct | Conduct or behavioral data | N/A |
Demographics | Date of Birth | X |
Category of Data | Elements | Check if used by your system |
Place of Birth | N/A | |
Gender | X | |
Ethnicity or race | X | |
Language information (native, preferred or primary language spoken by student) | X | |
Other demographic information- Please specify: | ||
Enrollment | Student school enrollment | X |
Student grade level | X | |
Homeroom | X | |
Guidance counselor | X | |
Specific curriculum programs | X | |
Year of graduation | X | |
Other enrollment information- Please specify: | ||
Parent/Guardian Contact Information | Address | X |
X | ||
Phone | X | |
Parent/Guardian ID | Parent ID number (created | X |
Category of Data | Elements | Check if used by your system |
to link parents to students) | ||
Parent/Guardian Name | First and/or Last | X |
Schedule | Student scheduled courses | N/A |
Teacher names | X | |
Special Indicator | English language learner information | Handled through student groups |
Low income status | Handled through student groups | |
Medical alerts /health data | Handled through student groups | |
Student disability information | Handled through student groups | |
Specialized education services (IEP or 504) | Handled through student groups | |
Living situations (homeless/xxxxxx care) | Handled through student groups | |
Other indicator information- Please specify: | Handled through student groups | |
Student Contact Information | Address | X |
X | ||
Phone | X | |
Student Identifiers | Local (School district) ID | X |
Category of Data | Elements | Check if used by your system |
number | ||
State ID number | X | |
Vendor/App assigned student ID number | X | |
Student app username | X | |
Student app passwords | X | |
Student Name | First and/or Last | X |
Student In App Performance | Program/applica tion performance (typing program-student types 60 wpm, reading program-student reads below grade level) | N/A |
Student Program Membership | Academic or extracurricular activities a student may belong to or participate in | X |
Student Survey Responses | Student responses to surveys or questionnaires | X |
Student work | Student generated content; writing, pictures etc. | X |
Other student work data - | X |
Category of Data | Elements | Check if used by your system |
Please specify: | ||
Transcript | Student course grades | X |
Student course data | X | |
Student course grades/performa nce scores | X | |
Other transcript data -Please specify: | ||
Transportation | Student bus assignment | N/A |
Student pick up and/or drop off location | ||
Student bus card ID number | X | |
Other transportation data -Please specify: | ||
Other | Please list each additional data element used, stored or collected by your application |
No Student Data Collected at this time .
*Contractor shall immediately notify LEA if this
designation is no longer applicable.
OTHER: Use this box, if more space needed
EXHIBIT “C”
DEFINITIONS
Contractor: For purposes of the Service Agreement, the term “Contractor” means Contractor of digital educational software or services, including cloud-based services, for the digital storage, management, and retrieval of pupil records. Within the DPA the term “Contractor” includes the term “Third Party Contractor” as used in the Student Data Protection Act and “Operator” as used in COPPA.
De-Identified Information (DII): De-Identification refers to the process by which the Contractor removes or obscures any Personally Identifiable Information (“PII”) from Education Records in a way that removes or minimizes the risk of disclosure of the identity of the individual and information about them.
Education Records: Educational Records are official records, files and data directly related to a student and maintained by the school or local education agency, including but not limited to, records encompassing all the material kept in the student’s cumulative folder, such as general identifying data, records of attendance and of academic work completed, records of achievement, and results of evaluative tests, health data, disciplinary status, test protocols and individualized education programs. For purposes of this DPA, personally identifiable information in Education Records is referred to as Student Data.
Personally Identifiable Information (PII): The terms “Personally Identifiable Information” or “PII” has the same meaning as that found in U.C.A § 53E-9-301, and includes both direct identifiers (such as a student’s or other family member’s name, address, student number, or biometric number) and indirect identifiers (such as a student’s date of birth, place of birth, or mother’s maiden name). Indirect identifiers that constitute PII also include metadata or other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. For purposes of this DPA, Personally Identifiable Information shall include the categories of information listed in the definition of Student Data.
Student Generated Content: The term “student-generated content” means materials or content created by a student during and for the purpose of education including, but not limited to, essays, research reports, portfolios, creative writing, music or other audio files, photographs, videos, and account information that enables ongoing ownership of student content.
R277-487, Public School Data Confidentiality and Disclosure: The implementing Rule authorized by Utah Constitution Article X, Section 3, which vests general control and supervision over public education in the Board, and further authorizes the Board to make rules to establish student data protection standards for public education, pursuant to Subsection 53E-9- 302(1) of the Utah Student Data Protection Act.
Service Agreement: Refers to the Contract or Purchase Order to which this DPA supplements
and modifies.
School Official: For the purposes of this Agreement and pursuant to 34 CFR 99.31 (B), a School Official is a contractor that: (1) Performs an institutional service or function for which the agency or institution would otherwise use employees; (2) Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and (3) Is subject to 34 CFR 99.33(a) governing the use and re-disclosure of personally identifiable information from Education Records.
Student Data: Student Data means personally identifiable information, whether gathered by Contractor or provided by LEA or its users, students, or students’ parents/guardians, that identifies or is used by the holder to identify the student. Student Data may include, but is not limited to, information in the student’s educational record or email, first and last name, home address, telephone number, email address, or other information allowing online contact, discipline records, videos, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security numbers, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information text messages, documents, student identifies, search activity, photos, voice recordings or geolocation information. Student Data shall constitute Education Records for the purposes of this Agreement, and for the purposes of Utah and federal laws and regulations. Student Data as specified in Exhibit “B” is confirmed to be collected or processed by the Contractor pursuant to the Services. Information that has been anonymized or de-identified, or anonymous usage data regarding a student’s use of Contractor’s Services shall not constitute Student Data.
Subscribing LEA: An LEA that was not party to the original Services Agreement and who accepts
the Contractor’s General Offer of Privacy Terms.
Subprocessor: For the purposes of this Agreement, the term “Subprocessor” (sometimes referred to as the “Subcontractor”) means a party other than LEA or Contractor, who Contractor uses for data collection, analytics, storage, or other service to operate and/or improve its software, and who has access to PII.
Targeted Advertising: means presenting advertisements to a student where the advertisement is selected based on information obtained or inferred over time from that student's online behavior, usage of applications, or student data. Targeted advertising does not include advertising to a student (i) at an online location based upon that student’s current visit to that location; or (ii) in response to that student’s request for information or feedback, without retention of that student’s online activities over time for the purpose of targeting subsequent ads.
Utah Student Data Protection Act (Utah Title 53E-9-301 through 53E-9-310): Means the applicable Utah regulations regarding student data, as further implemented by the Superintendent pursuant to R277-487.
EXHIBIT “D”
DIRECTIVE FOR DISPOSITION OF STUDENT DATA
[Name or District or LEA] directs [Name of Contractor] to dispose of data obtained by Contractor pursuant to the terms of the Service Agreement between LEA and Contractor. The terms of the Disposition are set forth below:
Destruction or deletion of data.
As soon as commercially practicable
By (Insert Date)
Special Instructions
Timing of Disposition
Data shall be disposed of by the following date:
Timing of Disposition
Nature of Disposition
Disposition shall be by:
Nature of Disposition
Complete. Disposition extends to all categories of data.
Partial. The categories of data to be disposed of are as follows:
Extent of Disposition
Disposition shall be:
Extent of Disposition
Authorized Representative of LEA
Verification of Disposition of Data
by Authorized Representative of Contractor
Date Date