NYS RICs and RIC One ROC

What are the NYS Regional Information Centers (RICs)?   

The Regional Information Centers (RICs) are a division of various NYS Boards of Cooperative Educational Services (BOCES).  The RICs provide educational and related information technology services to support BOCES and districts technology and data needs.  As technology and data services require specialized expertise, typically, RICs provide this specialized support to educational agencies in multiple BOCES regions.  The RICs also support non-public schools, charter schools, and big city school districts, as permitted by applicable laws and regulations.

What is RIC One? 

RIC One is a shared service concept and vision designed to foster collaboration and coordinate efforts between the twelve Regional Information Centers (RICs). The centers work collaboratively as one to provide efficient and unified statewide technology leadership and innovative solutions.

What is the RIC One Risk Operations Center (RIC One ROC)? 

The RIC One Risk Operations Center (ROC) is an extension of the RIC One that manages centralized and standardized vendor management functions to support needs related to technology products used by the NYS K-12 sector.  The RIC One team implements controls to support the protection of data, optimize products’ performance, and influence vendors’ product roadmaps.

One of the primary functions of the ROC is to streamline processes associated with the negotiation of data privacy agreements (DPAs).  Through the ROC, BOCES and districts will be able to piggyback on existing DPAs with vendors that include terms to address the Family Education Rights and Privacy Act (FERPA), New York Education Law Section 2-d (Ed Law 2-d), and other data privacy requirements.  Additionally, agencies can submit requests to the ROC to initiate the negotiation of new DPAs.

The ROC team will also address ongoing vendor management needs.  For example, the ROC will use survey structures to monitor and influence vendors’ data security controls.  RIC staff will review responses and engage with vendors to complete any necessary follow-up.

What is the Relationship of the RIC One ROC to the RIC’s Network Operations Center (NOC) and/or Security Operations Center (SOC)?     

NOCs, SOCs, and ROCs are complementary centers within a RIC as defined below.  Each RIC has a Network Operations Center (NOC).  NOCs are centralized locations used to manage and monitor regional technical services.  To ensure students and staff have access to high performing, reliable, and protected regional services, the RICs are continuously investing in maintaining, and modernizing, the NOCs.  In addition to maintaining the NOCs and building a shared RIC One ROC, the RICs are currently piloting a RIC One approach to maintaining a security operations center (SOC).  SOCs are centralized teams that monitor regional network infrastructure to detect and mitigate cybersecurity events.  Some RICs perform SOC functions using NOC teams. 

National and Multi-state Partners

What is Access for Learning (A4L) and the Student Data Privacy Consortium (SDPC)? 

The New York State Education Department (NYSED) has become a member of A4L on behalf of all of New York State’s educational agencies.  A4L SDPC is a national consortium of schools, state agencies and market place providers addressing data privacy concerns.  A4L has developed the SDPC Resource Registry which provides a model National Data Privacy Agreement (NDPA).  This national approach to DPAs streamlines data privacy related contracting processes for districts and vendors.   It is important to note, to use the agreement, state-specific exhibits are needed to ensure contractors are complying with state-specific laws such as Education Law § 2-d.

Why is the Department partnering with A4L’s SDPC?

The Department and RICs are working with multi-state and national data privacy and security alliances invested in the K-12 vendor ecosystem to support the negotiation of data privacy agreements (DPAs).  At the national level, NYSED maintains the state’s Access 4 Learning (A4L) Community membership.  The community manages a collaborative that focuses on initiatives to support student privacy called the Student Data Privacy Consortium (SDPC).  Through this membership, NYSED, school districts, and BOCES will be able to leverage A4L SDPC’s National Data Privacy Agreement (NDPA).  The new partnerships and the new optional approach to DPA negotiation have been developed in response to field feedback regarding the challenges associated with addressing Education Law 2-d requirements related to agreements with vendors.  Additionally, this approach will support the field and our NYSED CPO (Chief Privacy Officer) in addressing vendor accountability needs, as there will be common contractual obligations in place to protect student data.

What is The Education Cooperative (TEC) and the Student Data Privacy Alliance (TEC SDPA)?

The Education Cooperative (TEC) is a Massachusetts based educational service agency and 501(c)(3) non-profit organization.  The Massachusetts Education Cooperatives are like New York’s BOCES.  TEC maintains a Student Data Privacy Alliance (called the TEC SDPA).  TEC SDPA is a multi-state data privacy alliance.  TEC SDPA supports K-12 agencies in New York, Maine, Massachusetts, Missouri, New Hampshire, Ohio, Rhode Island, and Vermont.  The RIC One ROC maintains a membership with the TEC SDPA.  Through this membership, and the membership with A4L/SDPC, your school district can access DPAs that include terms that address requirements associated with federal and state student data privacy laws (FERPA and Education Law § 2-d). 

Why are the RICs partnering with the TEC SDPA?

In partnership with NYSED, the RICs are working with multi-state and national data privacy and security alliances invested in the K-12 vendor ecosystem to support the negotiation of data privacy agreements (DPAs).  TEC SDPA is a multi-state data privacy alliance that negotiates agreements using the A4L SDPC NDPA.  To complement the standard national terms, state-specific terms have been developed by NYSED leaders/attorneys, TEC attorneys, BOCES attorneys, RIC cybersecurity specialists, and RIC leaders.  A centralized NYS structure was needed to ensure the new process was rolled out with fidelity.  Other states have rolled the national structure out without a comprehensive centralized support structure.  This has resulted in agreements with different quality levels.  In New York State, negotiation work will be managed by a contract manager through the multi-state alliance.  No changes are approved without the involvement of an attorney.  If changes are specific to New York State terms, the multi-state alliance consults members of the centralized NYS team, as necessary. This team includes Department of Education representatives, BOCES attorneys, RIC Directors, and RIC cybersecurity specialists. Prior to serving New York State, the TEC SDPA provided services to educational agencies in Maine, Massachusetts, Missouri, New Hampshire, Ohio, Rhode Island, and Vermont.  Working with this partner will support the state in leveraging the experience and negotiation power of this alliance.  The TEC SDPA started doing this work in 2017.  

New Standardized DPAs

What is a Data Privacy Agreement (DPA)? 

A data privacy agreement (DPA) is a document that outlines the agreed upon contract terms and conditions between two or more parties related to the protection of sensitive data.  In accordance with Ed Law 2-d, Education agencies in New York State enter into DPAs with vendors and third-party contractors to support the protection of student data and certain staff data (for example Annual Professional Performance Review (APPR) data).  DPAs are used to address federal (FERPA) and state (Ed Law 2-d) requirements. 

What is the National Data Privacy Agreement (NDPA)? 

The National Data Privacy Agreement (NDPA) is a data privacy agreement that includes standardized terms related to national data privacy laws.  It is designed to address common student data privacy concerns and streamline the educational application contracting processes for its member states and schools/districts. The NDPA includes standardized contract terms and conditions to address the Family Education Rights and Privacy Act (FERPA) and other common data privacy requirements.  The NDPA also includes an exhibit, Exhibit G, that states use to customize the agreement to address state laws and regulations.     

What is a TEC SDPA NYS National Data Privacy Agreement (TEC SDPA NYS NDPA)? 

TEC SDPA NY NDPAs are data privacy agreements negotiated through the RIC One ROC, in partnership with the TEC SDPA.  These agreements use the NDPA and incorporate NYS protective terms. To view a copy of the TEC SDPA NYS NDPA, click here.  Currently, the TEC SDPA NYS NDPA is based on NDPA Version 1.  In April 2024, a new version of the NDPA, Version 2, was released.  NYSED, the RICs, and TEC SDPA will work together to examine the new version, develop a new Exhibit G that addresses New York State’s requirements, and adapt existing structures.  Once plans are finalized, information will be communicated to support the transition to Version 2.  

What laws are addressed by the standard DPA (TEC SDPA NYS NDPA) terms?

The student data privacy consortium and alliances that partner on these agreements are focused on the protection of student data.  As a result, the agreements support compliance related to state and federal laws that protect student data.  For New York State educational agencies, generally this means FERPA and Education Law 2-d.  In addition to the specific New York State terms, outlined in Exhibit G, the DPA states that providers must agree to comply with all applicable federal and state laws, rules, and regulations pertaining to student data privacy and security.

What kinds of DPAs are addressed through the RIC One ROC and TEC SDPA?  

The centralized and standardized DPA structures are primarily focused on compliance with data privacy requirements and standards as they relate to vendors that have access to student data used by the K-12 sector.  Generally, the contract terms are not the most appropriate for use with other vendors.  (Note:  Some CTE products/vendors may require more extensive DPA changes and guardian consent considerations, as these vendors and organizations traditionally serve professionals and support employment needs both during and beyond the k-12 program.)

Where is the protective language in the contract related to NYS laws and regulations?

The state terms are outlined in Exhibit G. TEC SDPA agreements include eight Exhibit Gs.  There is one associated with each state in the alliance. Additionally, Exhibit J, Exhibit K, and Exhibit L are related to Education Law 2-d. If a DPA is new (original DPA), Exhibit J is used to insert the originating NYS districts’ data security and privacy policy and Parents Bill of Rights.  Exhibit K includes a link to or a copy of the vendor’s security plan.  Exhibit L outlines the supplemental information.  Please note that some of this information will change, as the state implements Version 2 of the NDPA.  

How do I read a TEC SDPA NYS NDPA?

Districts should become familiar with the contract recitals, standard clauses, and exhibits. The state terms are outlined in Exhibit G. TEC SDPA agreements include eight Exhibit Gs.  There is one associated with each state in the alliance. Exhibit G amends and replaces many terms in the NDPA.   

In addition to NYS specific Exhibit G, Exhibit J, Exhibit K, and Exhibit L are also related to Education Law 2-d. If a DPA is new (original DPA), Exhibit J is used to insert the originating NYS districts’ data security and privacy policy and Parents Bill of Rights.  Exhibit K includes a link to or a copy of the vendor’s security plan.   Exhibit L outlines the supplemental information.  Please note that some of this information will change, as the state implements Version 2 of the NDPA.  

What version of the National Data Privacy Agreement does TEC SDPA use?

Currently, TEC SDPA agreements are negotiated using Version 1.0.  In April 2024, a new version of the NDPA, Version 2, was released.  NYSED, the RICs, and TEC SDPA will work together to examine the new version, develop a new Exhibit G that addresses New York State’s requirements, and adapt existing structures.  Once plans are finalized, information will be communicated to support the transition to Version 2.   

Implementing and Onboarding

How can I access a DPA through the RIC One ROC?

One of the primary ROC functions is to streamline processes associated with the negotiation of Data Privacy Agreements.  Via the ROC, BOCES and school districts will be able to piggyback on existing DPAs that address FERPA, Ed Law 2-d, and other data privacy requirements.  Additionally, educational agencies can submit requests to initiate the negotiation of new DPAs.  In 2024, your local RIC will provide training regarding this new structure.  Specifically, attendees will learn how to request new DPAs and piggyback on existing agreements.  Using this structure is optional, however it is expected to make DPA negotiations easier for all educational agencies.  If electing this option, the RIC will onboard your district to an A4L/SDPC national platform that manages the workflow associated with the DPAs.

Do I need to join a service and/or pay a fee to access these new RIC DPA structures?

The new centralized structures leverage NYSED, RIC, multi-state, and national expertise and resources.  The Department maintains a membership with A4L.  This enables educational agencies to use the National Data Privacy Agreement (NDPA).  The RICs maintain a membership with the TEC SDPA.  This membership supports the negotiation of NDPAs that include NYS terms.  Additionally, RICs are leveraging BOCES attorneys, RIC cybersecurity specialists, RIC data privacy and security specialists, and other staff to address needs associated with the implementation of these new structures.  RICs are building these expenses into data security and privacy operational budgets.  As school districts’ participation in services supports the development and maintenance of regional support structures, there may be an impact on regional budgets, service structures, and/or service costs. 

How and when can I start using the new DPA structures?

Your local RIC will be discussing regional rollout plans in Spring/Summer 2024.  

DPA Negotiation and DPA Execution

As NYS school districts have policies related to contracting with vendors, do these new processes require Board of Education action?   

The RICs recommend data protection officers (DPOs) and/or technology coordinators consult with their district administrators to discuss this new opportunity and the potential impact on existing policies and/or procedures.  Districts may consider having their Boards approve new procedures associated with these DPA structures.  This could be addressed through a policy or resolution.    

Which parties are named in the new Data Privacy Agreements (DPAs)? 

Whether your educational agency enters into a DPA as an originating district or a subscribing/piggybacking district, the agreement is between your educational agency and the vendor/provider named in the agreement. If the district is a subscribing or piggybacking district, Exhibit E will reference the parties that entered into the original agreement.   

By piggybacking on an existing agreement using Exhibit E, the same privacy protections found in the existing DPA between the provider and the originating local educational agency (LEA) are available to the subscribing local educational agency.  

BOCES and RICs will continue to maintain Master Service Agreements (MSAs) and Data Privacy Agreements (DPAs) associated with products incorporated into their services.  In these situations, when a school district participates in a BOCES service that utilizes these MSAs and DPAs, school districts should not piggyback on existing agreements using the new structures (see ‘BOCES and RIC Services’). 

What does it mean to piggyback on a DPA?  

The National Data Privacy Agreement (NDPA) includes a General Offer of Privacy Terms exhibit.  This exhibit is often referred to as the piggybacking exhibit and/or Exhibit E. The piggybacking exhibit helps streamline the process for BOCES and school districts to enter into a DPA with a vendor.  If a BOCES or school district locates an existing NYS agreement on the SDPC platform, they can use (piggyback on) Exhibit E to enter into an agreement with that vendor.  Exhibit E is the mechanism used to create an agreement with the piggybacking BOCES or school district and the vendor.  By piggybacking on the existing agreement, the same privacy protections found in the original agreement, between the vendor and the local educational agency (LEA) (the originating BOCES or school district) can also be made available to the subscribing local educational agency (the BOCES or school district seeking to piggyback on the agreement). 

How will the District’s data security and privacy policy and Parents’ Bill of Rights be incorporated into the agreement when Exhibit E is used (i.e. piggybacking)? 

Exhibit E outlines the General Offer of Privacy Terms and is used to support piggybacking.  When school districts set up their instance in the platform, a link to the district’s policy and bill of rights will be included to support the Education Law 2-d data privacy agreement requirements related to these two obligations. Upon signing Exhibit E, the included local parents bill of rights and policy are incorporated in the DPA. 

If there is no existing NY TEC DPA to piggyback on, how long does it take to negotiate a new agreement? 

The amount of time it takes to finalize an agreement will vary based on several factors.  Generally, the negotiations are short if a vendor has prior experience with A4L, TEC, and NYS data privacy laws.  It is important to note that there will be vendors that are unable to agree to national and/or New York State terms required by law.  In these situations, school districts will be notified that negotiations were unsuccessful.  Those involved in the New York State pilots have expressed positive feedback about the turnaround time for a new DPA. 

How many contracts are available for piggybacking?  

The number of TEC SDPA DPAs with NYS terms grows weekly.  Through a pilot relationship, the RICs and TEC started to negotiate agreements for 3 NYS school districts in late September 2023.  During that pilot window, about 25 NYS agreements were negotiated per month.  TEC maintains over 1,000 multi-state agreements.  As the partnership is new, TEC is in the process of adding New York State to many of these agreements.  The number of agreements available for Districts to piggyback on will grow quickly as we onboard more New York State educational agencies.

Will the new DPA structures support needs related to free applications?

Districts will find NDPA TEC NYS Agreements associated with free applications.  By using Exhibit E and signing a separate Service Agreement (also known as a Master Service Agreement), the subscribing LEA can accept the General Offer of Privacy Terms.  Also, districts can submit requests for a DPA to be negotiated for a free product.  Some vendors offering free tools may not be able to enter into an agreement, as their practices may not comply with FERPA and/or Education Law 2-d requirements.  When New York State launches the program, the agreements negotiated by Erie 1 BOCES related to free products will be loaded into the environment to support current needs. Generally, free product DPA needs will be addressed through TEC DPA structures moving forward.  Educational agencies should be attentive to the Service Agreement.  The new structures do not support the negotiation of Service Agreements. 

How does the new DPA process work for products that are purchased from a reseller?

Education Law 2-d requires data privacy and security terms to be negotiated into agreements when a provider receives data protected by the law.  As a result, generally a data privacy agreement must be negotiated directly with the vendor that produces the product. As reseller relationships are complex, educational agencies should discuss the topic of resellers with their attorney.   

As there are 30 states using the (SDPC Resource Registry) platform, will NYS educational agencies be able to leverage the agreements associated with other states (outside of the TEC SDPA)?  

No. The National Data Privacy Agreement (NDPA) is primarily focused on FERPA.  In order to address the needs of Education Law 2-d, New York State specific terms need to be added to the NDPA.  Districts are encouraged to look for the TEC designation and to use the centralized processes developed by the RICs and the Department.  Not all agreements in the SDPC Resource Registry have been negotiated with attorneys representing educational agencies.  In New York State, via the RICs’ TEC membership, all negotiation work will be managed by an attorney through the multi-state alliance.  No changes are approved without the involvement of an attorney.  If changes are specific to New York State terms, the multi-state alliance consults members of the centralized NYS team, as necessary.  This team includes Department of Education representatives, BOCES attorneys, RIC Directors, and RIC cybersecurity specialists.  It is important to note that some vendors may not be able to agree to NYS terms, as our state’s law includes more robust requirements than other states.

Will NYS be added to all TEC SDPA agreements?

No. Some vendors may not be able to agree to NYS terms, as our state’s law includes more robust requirements than other states in the alliance.  

Who makes the decisions during the contract negotiation process?   

Negotiation work is managed by an attorney through the TEC multi-state alliance.  No changes are approved without the involvement of the attorney.  If changes are specific to New York State terms, the multi-state alliance consults members of the centralized NYS team, as necessary.  The centralized team includes Department of Education representatives, BOCES attorneys, RIC Directors, and RIC cybersecurity specialists.

What should I do if I am notified that TEC SDPA NYS NDPA negotiations were unsuccessful, and my district still uses or desires to use the product?

In general, negotiations are unsuccessful because of one of the following reasons:

• The vendor is unwilling to engage in the process.  In these situations, the vendor may not have and/or be willing to allocate legal resources to negotiate.  

• The vendor is unable to agree to comply with terms in the standard DPA that are required by law.  In these situations, the vendor may not be able to and/or willing to agree to implement controls required by federal and/or state law. 

• The vendor is unable to agree to comply with terms in the standard DPA that are required based on Department and BOCES assessment of risk.  In these situations, the vendor may not be able to and/or willing to agree to implement required controls established by state leaders and data privacy specialists.  

If negotiations are unsuccessful, then the district should not use the product until it can negotiate a DPA with appropriate protections.  The agency can use local legal resources to pursue an agreement using traditional contract negotiation processes.

DPA Duration, Expiration, and Termination 

What is the process for managing an expiring TEC SDPA NYS NDPA?

TEC NY Version 1 NDPAs are effective for three years.  An Exhibit E expires 3 years from the date the original DPA was signed.  Educational agencies will receive training regarding processes and Resource Registry workflow functionality used to support agencies in entering into new agreements as they near the end of the contract duration.  Version 2 agreements are effective for as long as the provider retains the student data.  In the event that either party seeks to terminate a DPA, they may do so by written notice if the service agreement has lapsed or has been terminated.

BOCES and RIC Services

Should I use this new structure to enter into a DPA with a vendor, if I access a product through participation in a BOCES or RIC service?

No. BOCES and RICs will continue to maintain Master Service Agreements (MSAs) and Data Privacy Agreements (DPAs) associated with products that are incorporated into services.  In these situations, school districts should not piggyback on existing agreements.  Importantly, districts need to make sure information about these BOCES DPAs is included on their district’s website to support effective communication with the community and to comply with the Education Law 2-d supplemental information requirements.  The RICs and BOCES will provide information and/or training regarding how to access supplemental information related to products you access through a BOCES service.

How does our school district enter information about BOCES and RIC contracts on our districts’ environment in the new platform? 

Generally, if your district participates in a BOCES/RIC service, that service agency will populate information about the DPAs associated with your services into your district's instance.  BOCES are able to link “participating school districts” to BOCES DPAs.  Your district will then be able to make that information available to parents on a public facing website associated with the platform.  Initially, many BOCES DPAs in the platform will be DPAs negotiated locally.  Overtime, BOCES will begin using the new DPA structures.  

I purchase applications through services offered by BOCES and/or RICs outside of my geographic region. Will they be adding the DPAs associated with these products to my educational agency’s SDPC Resource Registry? 

Generally, if your district participates in a BOCES/RIC service, that service agency will populate information about the DPAs associated with your services into your district's instance, even if purchased outside of your geographic region.  BOCES are able to link “participating school districts” to BOCES DPAs.  Your district will then be able to make that information available to parents on a public facing website associated with the platform.  Initially, many BOCES DPAs in the platform will be negotiated locally.  Over time, as contracts are renewed and renegotiated, BOCES will begin using the new DPA structures. 

Resource Registry 

Where is the SDPC Resource Registry?  

The SDPC Resource Registry is available at https://sdpc.a4l.org/.  In Spring/Summer 2024, your local Regional Information Center will support your district in accessing your district’s environment and provide the Data Protection Officer (DPO) with credentials to use the platform.  

What can the DPA platform, also called the SDPC Registry, be used for?

When the DPA platform is rolled out, the number of district accounts and the scope of training will initially be limited.  Specifically, the platform will be used to support educational agencies in entering into new agreements, as originating districts and/or through piggybacking.  Additionally, the platform will be used to support the field in addressing Education Law 2-d supplemental information requirements. Finally, RICs will train districts regarding how to upload locally developed DPAs.  Over time, the RICs will provide training regarding other functionality available on the platform.  The purpose of initially limiting the scope is to support the state in efficiently and effectively onboarding New York’s more than 700 school districts to the platform as efficiently and effectively as possible.  The RICs have been expediting implementation plans, in response to districts’ feedback regarding the value of having access to these structures as soon as possible.  

Education Law 2-d requires educational agencies to post supplemental information related to contracts with vendors.  Can districts use the SDPC Resource Registry to address this requirement?  

Yes.   In the TEC SDPA NYS NDPA, supplemental information about each DPA is outlined in Exhibit L. To complement the information in Exhibit L, educational agencies should also enter information into the Resource Registry about when the service agreement expires.  Please note this is important as the DPA and service agreement duration information may be different.  Agencies can also post supplemental information related to DPAs negotiated using local practices.  It should be noted that, while the system supports the management and public display of new DPAs, Education Law 2-d does not require educational agencies to post the DPA on districts’ websites.  Previously, many educational agencies incorporated the DPA into the MSA.  Educational agencies using this approach may find it difficult to extract the DPA from the MSA and may prefer to only post the supplemental information on the platform.  Finally, please keep in mind that the supplemental information will no longer be found in Exhibit L when the state transitions to Version 2.0.  More information will be available to support districts in locating the supplemental information when the new TEC SDPA NYS NDPA is available. 

Can supplemental information and/or DPAs be uploaded into the Resource Registry that are with vendors that are not IT vendors?  

Yes.  Educational agencies may have agreements with local businesses, partner agencies, and other entities that have access to student data. Educational agencies can use the Resource Registry as a repository to store all DPAs and/or to post supplemental information about all vendors.  As these agreements are negotiated using local practices, agencies will not be able to piggyback on these agreements.  

Our educational agency has been using our existing data privacy and security inventory tool to track all applications, including those that are not subject to Education Law 2-d requirements. Can I use the new SDPC Resource Registry tool to continue this practice?

Yes.  It is possible to enter information about these resources into the SDPC Resource Registry.  

Can a user download a DPA from the SDPC Resource Registry?

Yes.  Users can download DPAs, Exhibit Es, and Exhibit Ls from the SDPC Resource Registry.  

Does my educational agency have to use the new platform associated with the DPA approach?
Educational agencies planning to use the new structure will need to use the platform.  The platform supports the piggybacking process and includes other functionality essential to managing the workflow associated with this standardized and centralized approach to DPA negotiation.

Traditional/Legacy DPAs

What should I do if I have a current DPA that was negotiated outside of the new DPA system?
Districts can continue to use traditional local DPA practices.  Additionally, districts and BOCES can upload existing DPAs, negotiated before New York became a member of A4L and TEC, to the platform used to manage the workflow associated with the new DPA structure.  Other entities will not be able to piggyback on these agreements, as the agreements weren’t built for this piggybacking model and don’t include the standardized national and state terms. Districts should consider uploading information about agreements negotiated prior to the implementation of this new system to support parents in accessing information about all the district’s DPAs in one location. As these DPAs approach the renewal dates, districts should consider using the new process to address ongoing DPA needs. As New York State educational agencies have been negotiating DPAs that address Education Law 2-d requirements for 10 years, there will be many DPAs loaded into the platform that do not include piggybacking capabilities.  

Sourcing, Procurement, and Master Service Agreements

Traditionally, the Data Privacy Agreement (DPA) is negotiated with the Master Service Agreement (MSA).  How is the MSA negotiated?

The RIC One ROC is partnering with TEC, NYSED, and A4L to address data privacy contractual needs.  These partners are not addressing the needs associated with Master Service Agreements.  Districts should continue to use traditional processes to address legal requirements and local policy requirements associated with product sourcing, product procurement, and the negotiation of Master Service Agreements (MSAs).  BOCES and BOCES consortiums (including Erie 1 BOCES/WNYRIC and Capital Region BOCES), will continue to negotiate MSAs associated with BOCES and RIC services. Districts should discuss the new DPA structure with the educational agency’s attorney.  Attorneys may recommend incorporating terms about the district's use of the A4L NDPA into MSAs. 

What terms are included in a Master Service Agreement (MSA)? 

Districts should continue to use traditional processes to address legal requirements and local policy requirements associated with product sourcing, product procurement, and the negotiation of Master Service Agreements (MSAs).  Below is a list of sample categories of terms commonly addressed in MSAs. This list is not intended to be exclusive/exhaustive. Districts should discuss the new DPA structure with the educational agency’s attorney.  Attorneys may recommend incorporating terms about the district's use of the A4L NDPA into MSAs.

• Amendments (Conditions by which amendments can be made)

• Audits (Vendor’s ability to conduct a usage audit)

• Compliance (Either or both parties’ compliance with laws)

• Confidentiality (Responsibilities related to confidential information)

• Fee and Payment (Sometimes in the form of a pricing exhibit)

• Governing Laws (Could be where the vendor resides)

• Indemnification (Compensation for harm or loss)

• Jurisdiction and/or Venue (Physical location of any legal action)

• License or Grant (Customers’ ability to use the software)

• Non-solicitation (Prevent hiring the other party’s employees)

• Pricing Increases (Future pricing of the software)

• Problems (Support and response/resolution time)

• Maintenance (Upgrades, updates, and technical assistance)

• Termination (Acceptable agreement termination circumstances)

• Warranties (Customer protections against software defects)

What impact do these new structures have on traditional sourcing, procurement, and contract management practices?  

The RIC One ROC is partnering with TEC, NYSED, and A4L to develop new centralized structures to address Data Privacy Agreement (DPA) needs.  These partners are not addressing sourcing, procurement, and Master Service Agreement (MSA) needs.  Educational agencies will continue to use traditional processes to address legal requirements and local policy requirements associated with product sourcing, product procurement, and the negotiation of Master Service Agreements (MSAs).   

Districts should discuss the new DPA structures and incorporating terms and language into RFPs and MSAs to include the NDPA by reference with the educational agency’s procurement specialists and their attorneys. 

BOCES and BOCES consortiums (including Erie 1 BOCES/WNYRIC and Capital Region BOCES DREAM), will continue to negotiate MSAs associated with BOCES and RIC services.   

Generally, when educational agencies use the new DPA structures, the MSA and DPA dates will not align.  What should I do to mitigate associated risks?

Districts should discuss the new DPA structure with the educational agency’s procurement specialists and attorneys.  Many educational agencies will be incorporating terms and language about these new structures into RFPs and MSAs.  The DPA requires local educational agencies to enter into a Service Agreement with a vendor before entering into a DPA.  Local educational agencies should enter into a DPA prior to importing protected data into a system.  The Resource Registry includes fields that can be used to track information about the duration of the MSA and DPA.  As agencies are required to post this information in the supplemental information, entering this information supports DPA management and communication needs.  Educational agencies will receive training regarding processes and Resource Registry workflow functionality used to support agencies in entering into new DPAs as agreements near the end of the contract duration.  

At times, the products included in a MSA and a NDPA may be different.  What should I do to mitigate associated risks? 

Districts should discuss the new DPA structure with the educational agency’s procurement specialists and attorneys.  Educational agencies should review the MSA and DPA to determine product alignment. DPAs are needed to address needs related to all products/services that involve the sharing of protected data.     

Regional Support Structures

Who do I contact for support with the new Data Privacy Agreement (DPA) structures and related platform/registry?

Each RIC has support structures in place to assist educational agencies in using the new platform and centralized DPA structures.  Your local RIC will onboard districts, train users, and provide ongoing support.  The list below identifies the primary support contact at each RIC.  

CNYRIC

Josh Becker

jbecker@cnyric.org

EduTech

Sue Marcano

sue.marcano@edutech.org

GST RIC

Robert McKenzie

rmckenzie@gstboces.org

LHRIC

Madalyn Romano

mromano@lhric.org

MHRIC

Alan Monsanto

amonsanto@mhric.org

MORIC

Brittany Rizzo

brizzo@moric.org

Monroe

Dan Fullerton

daniel_fullerton@boces.monroe.edu

Nassau RIC

Laura Pollak

LPollak@nasboces.org

NERIC

Monica Statile

monica.statile@neric.org   

SCRIC

Ashleen Speen

aspeen@btboces.org

Suffolk RIC

Janet Mahon

jmahon@esboces.org

WNYRIC

Dave Scalzo

dscalzo@e1b.org

Do I contact TEC SDPA if I need assistance and/or have a request?  

No.  Field support related to the new DPA structures is available from your local Regional Information Center (RIC).  As necessary, your local RIC will interface with the centralized vendor management team (the ROC) to escalate issues, request enhancements, and/or address other needs.  

Are there optional services available related to these new structures?

Please contact your RIC for more information about optional services. 

Data Breaches

What is the notification process for a data breach or unauthorized disclosure involving a TEC SDPA NYS NDPA product/vendor?

The terms in the NDPA require providers to notify local educational agencies within 72 hours of confirmation of the incident, unless notification within this time limit would disrupt investigation of the incident by law enforcement.  As a reminder, educational agencies must report every discovery or report of a breach or unauthorized release of protected student, teacher or principal data to the Chief Privacy Officer no more than 10 calendar days after a discovery.  Additionally, the agency must notify affected parents, eligible students, teachers and/or principals no more than 60 calendar days after the receipt of a notification of a breach or unauthorized release from a vendor.  Specific information must be included in these communications.