A data privacy agreement is a legally binding contract between a data controller and a data processor, which defines how data will be used. In this case, the data controller is Carmel Clay Schools, while the data processor is any third-party vendor with whom data are shared.
For schools, a data privacy agreement establishes several key parameters that govern what a third-party vendor can do with data, including:
- Defining student data
- Designating the vendor as a school official under FERPA
- Establishing CCS ownership of the data
- Limiting the use of data to only services defined by the contract
- Requiring compliance with all applicable laws and regulations
- Prohibiting disclosure of the data
- Forbidding the use of data for advertising purposes
- Determining the data destruction process
Depending on the vendor, it may take days or weeks to negotiate a DPA that works for both parties. Most vendors are willing to work with schools to come to an understanding, and data privacy laws in states such as California, Illinois, New York, and Connecticut are helping to push the conversation forward.
The pivot to virtual learning during the pandemic accelerated the already rapidly growing number of EdTech tools in use nationwide. To help us navigate the thousands of tools available, CCS has a new partnership with Learn Platform, an EdTech effectiveness assessment service. We’ll be sharing more about Learn Platform in future posts.