Student Data Privacy
Third Party Ed Law 2D Privacy Agreement
The À¶Ý®ÊÓƵ will ensure that whenever it enters into a contract or other written agreement with a third-party contractor under which the third-party contractor will receive student data or teacher or principal data from the À¶Ý®ÊÓƵ, the contract or written agreement will include provisions requiring that confidentiality of shared student data or teacher or principal data be maintained in accordance with law, regulation, and À¶Ý®ÊÓƵ policy.
In addition, the À¶Ý®ÊÓƵ will ensure that the contract or written agreement includes the third-party contractor's data privacy and security plan that has been accepted by the À¶Ý®ÊÓƵ. The third-party contractor's data privacy and security plan must, at a minimum:
- Outline how the third-party contractor will implement all state, federal, and local data privacy and security contract requirements over the life of the contract, consistent with À¶Ý®ÊÓƵ policy;
- Specify the administrative, operational, and technical safeguards and practices the third party contractor has in place to protect PII that it will receive under the contract;
- Demonstrate that the third-party contractor complies with the requirements of 8 NYCRR Section 121.3(c);
- Specify how officers or employees of the third-party contractor and its assignees who have access to student data or teacher or principal data receive or will receive training on the laws governing confidentiality of this data prior to receiving access;
- Specify if the third-party contractor will utilize subcontractors and how it will manage those relationships and contracts to ensure PII is protected;
- Specify how the third-party contractor will manage data privacy and security incidents that implicate PII including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify the À¶Ý®ÊÓƵ;
- Describe whether, how, and when data will be returned to the À¶Ý®ÊÓƵ, transitioned to a successor contractor, at the À¶Ý®ÊÓƵ's option and direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires; and
- Include a signed copy of the Parents' Bill of Rights for Data Privacy and Security