
10 Terms You Must Include in Contracts With Online Providers

A responsible approach to student data privacy requires careful scrutiny of the agreements that schools make with vendors.


Our nation’s schools are increasingly becoming learning ecosystems reliant on the use of technology, and this is great news. Ushering in a new era of connected learning holds countless possibilities for transforming the way our school systems function and how we meet the needs of students — but administrators and other school leaders face the challenges associated with connectivity every day. One of the most pressing challenges is protecting privacy.

Protecting student privacy and data has been an issue since at least the 1970s, when the Family Educational Rights and Privacy Act (FERPA) became law, and even before. The issue of privacy again came to the fore with the enactment of the Children’s Online Privacy Protection Act (COPPA), which went into effect in 2000 and applies to websites providing content for children. While both laws impact schools’ use of data, the reality is that they are static, while the world we live (and educate) in is fluid, ever-evolving and fast-paced.

To promote conversation about protecting privacy in schools today, the Consortium for School Networking (CoSN) is developing a suite of resources as part of our Protecting Privacy in Connected Learning initiative. Created in partnership with Harvard Law School’s Cyberlaw Clinic at the Berkman Center for Internet & Society, and with support from Microsoft and Lightspeed Systems, our toolkit details factors that education leaders should consider when choosing an online service provider for their school district. It includes the nuts and bolts, from determining a school’s needs to obtaining parental notification and consent. A key section of the toolkit is focused on evaluating and contracting with online service providers. Here are the top 10 suggested contract terms:

1) Contract scope: Identify all elements that comprise the agreement and what order of precedence will be followed in the event of a contradiction in terms. Identify any contract terms that are incorporated by reference (such as a URL).

2) Purpose: If you have determined that the provider qualifies as a “school official” under FERPA and you will use the school officials’ exception as the vehicle for disclosing FERPA-protected information to a provider, specify: a) that the provider is considered a school official; b) the legitimate educational interest that the provider is fulfilling; c) the nature of the data collected; and d) the purpose for which any FERPA-protected information is being disclosed.

3) Data collection, use and transmission: Specify how the provider may use or collect data from the school system and your students, and any restrictions that may apply to the provider’s use of that data. Ensure that you bind the provider to those uses and restrictions.

4) Data security: Detail any security requirements that the provider must follow to the extent that it maintains, processes or stores any information on behalf of the school system. Below is a video of Rich Contartesi, the assistant superintendent for technology services at the Loudoun County Public Schools (VA), discussing his district’s provisions for data security.

5) Data retention and disposal: Assure the proper management and disposal of data or information pertaining to the school or its students. All data disclosed to the provider or collected by the provider must be disposed of by secure means to ensure that it is protected from unauthorized access or use.

6) Bankruptcy or acquisition: Specify what happens to your district’s data if the provider goes out of business or is acquired by another firm. Is there a source code or data escrow provision?

7) Service levels and support: Be clear about the service levels that the provider must meet and any credits you will receive for any failure by the provider to meet these service levels. Require the provider to supply the school with all the technical assistance you may need to use the services.

8) Governing law and jurisdiction: Typically, a provider’s default contract will state that it is governed by the law of the provider’s home state. Public institutions generally have significant restrictions on their ability to consent to such provisions under the school system’s state laws.

9) Modification, duration and termination provisions: Establish how long the agreement will be in force, what the procedures will be for modifying the terms of the agreement (mutual written consent to any changes is a best practice) and what both parties’ responsibilities will be upon termination of the agreement — particularly regarding disposition of student information maintained by the provider. Upon termination of the contract, the provider should return all records or data and properly delete any copies still in its possession, including archives and/or backups.

10) Liability: The provider should be held liable for the activities of its staff and subcontractors.

These are the basic rules of engagement for contracting with an online service provider to help protect privacy in connected learning environments. You can learn more by visiting the toolkit here.

About the Author

Keith R. Krueger is the CEO of the Consortium for School Networking (CoSN).
