RIC ONE DATA PRIVACY AGREEMENT STRUCTURES
TERMS

Access for Learning’s Student Data Privacy Consortium (“A4L’s SDPC”): Is a national consortium of schools, state agencies and providers addressing data privacy concerns.  The Consortium provides a model National Data Privacy Agreement (NDPA) with terms agreed to by third-party contractors and educational agencies (see ‘DPA Collaboratives and Associated Deliverables Table’).

 

Auto Exhibit E Creator: The Auto Exhibit E Creator Resource Registry functionality supports the automatic creation of a local educational agency’s customized Exhibit E (see ‘Exhibit E’).

 

Boards of Cooperative Educational Services (“BOCES”): Are public organizations created by the New York State Legislature in 1948 as a way for local school districts to collaborate on educational offerings while reducing their individual expenses.

 

Data Privacy Agreement (“DPA”): Is a document that outlines the agreed-upon contract terms and conditions between two or more parties related to the protection of sensitive data.

 

Local Educational Agency (“LEA”) (also known as an educational agency (“EA”)):  In the NDPA, LEA shall include a board of cooperative educational services (“BOCES”) or school as that term is defined in Education Law Section 2-d. If the LEA is a BOCES, the LEA shall encompass participating school districts of the BOCES; each participating school district is a New York State school district that obtains access to the Services through an agreement with the BOCES.  In Education Law 2-d, educational agency means a school district, board of cooperative educational services, school, or the education department.

 

Exhibit E (also known as the General Offer of Privacy Terms): Is the section found in the National Data Privacy Agreement (“NDPA”) that is used by an LEA to create an agreement with the piggybacking LEA and the vendor after a DPA has already been signed by the originating LEA. *Not to be confused with piggybacking under General Municipal Law. 

 

Exhibit G (also known as the New York State Terms): Is the section found in the TEC SDPA National Data Privacy Agreement that addresses New York State data privacy and security laws and regulations. 

 

Exhibit J (also known as the LEA Documents): Is the section of the TEC SDPA National Data Privacy Agreement that is used to address Education Law 2-d requirements related to the local educational agency’s data security and privacy policies, and the Parents’ Bill of Rights.

 

Exhibit K (also known as the Provider Security Policy): Is the section found in the TEC SDPA National Data Privacy Agreement used to address Education Law 2-d requirements related to the provider’s data security and privacy plan. 

 

Exhibit L (also known as the Supplemental Information): Is the section found in the TEC SDPA National Data Privacy Agreement that is used to address Education Law 2-d requirements related to posting supplemental information about each Data Privacy Agreement. 

 

Meta Data: In the NDPA, meta data means information that provides meaning and context to other data being collected. In the SDPC resource registry, “meta data” is an area in the software that can be used to input information about DPAs.  If a user completes these optional fields, the information will appear on the public/forward-facing inventory.

 

National Data Privacy Agreement (“NDPA”): Is a data privacy agreement that includes standardized terms related to national data privacy laws.  It is designed to address common student data privacy concerns and streamline the educational application contracting processes for its member states and schools/districts (see ‘DPA Collaboratives and Associated Deliverables Table’).

 

Original Data Privacy Agreement (also known as an originating agreement): In the NDPA, original data privacy agreement is the Data Privacy Agreement with a provider and an originating local educational agency. 

 

Originating Local Educational Agency (“Originating LEA”): In the NDPA, originating LEA is defined as an LEA who originally executes the DPA in its entirety with the Provider. 

 

Parents Bill of Rights (“PBOR”): Education Law § 2-d and 8 NYCRR § 121.3 require educational agencies to adopt and publish a PBOR on their website and to include their PBOR with every contract entered into with a vendor who will be handling student PII or Teacher or Principal APPR data.

 

Participating Local Educational Agency (also known as a participating district): Is a school district or BOCES in New York State that obtains access to a provider's services through participation in a BOCES or RICs service/CoSer. In the SDPC Resource Registry, the term “participating district” is used to identify information about educational agencies using A4L’s services and the use of that term in the Resource Registry is not related to BOCES services.

 

Participating Local Educational Agency Tagging: Is the process used by BOCES and RICs to link local educational agencies to Data Privacy Agreements associated with BOCES/RIC services. 

 

Platform Notification: Is an email alert generated when a specific action is taken within the registry platform as a means of tracking the progress of Data Privacy Agreement negotiation work.

 

Provider (also known as a third party, a third party contractor, an operator, or a vendor): In the NDPA, provider means any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such local educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs.

 

Regional Information Center (“RIC”):  Is a division of 12 NYS Boards of Cooperative Educational Services (BOCES).  The RICs provide educational and related information technology services to support BOCES and school districts’ technology and data needs.  The 12 RICs provide regional field training and support related to the new data privacy agreement structures.  

 

Resource: In the Resource Registry, resource means the software, application, add-on, extension, or other product provided by the vendor. 

 

Resource Registry (also known as the A4L SDPC Resource Registry): Is the platform used to manage workflow and management needs related to Data Privacy Agreements (see ‘DPA Collaboratives and Associated Deliverables Table’).

 

RIC One: RIC One is a shared service concept and vision designed to foster collaboration and coordinate efforts between the twelve Regional Information Centers (RICs). The centers work collaboratively as one to provide efficient and unified statewide technology leadership and innovative solutions.

 

RIC One Vendor Management Risk Operations Center (“RIC One ROC”) (also known as the Risk Operations Center (“ROC”)): Is an intermunicipal agreement with a goal of centralizing and standardizing vendor management functions to support needs related to technology products used by New York’s educational agencies.  The team implements controls to support the protection of data, optimize products’ performance, and influence vendors’ product roadmaps. One of the primary functions is to streamline processes associated with contractual needs to support the protection of student data by negotiating DPAs using the NDPA.

 

Service Agreement (“SA”) (also known as a master service agreement (“MSA”), a software as a service agreement (“SAAS”), or a memorandum of agreement (“MOA”)): Service agreement means the contract, purchase order or terms of service or terms of use. It is a document that outlines the contract terms and conditions between two or more parties.  The ROC, in partnership with the TEC SDPA, negotiates DPAs.  Service Agreements are not negotiated by the ROC.  Important terms are defined in Service Agreements. The NDPA contains language that states in the event there is conflict between the terms of the DPA and the Service Agreement, Terms of Service, Privacy Policies, or with any other bid/RFP, license agreement, or writing, the terms of the NDPA apply and take precedence. It is important to check the SA for a possible conflicting clause. Educational agencies should consult with their legal counsel regarding contract needs. 

 

Signer/Signatory: Is an individual designated by the Board and authorized to sign on behalf of a local educational agency.  


Subscribing Local Educational Agency (also known as a piggybacking local educational agency): Is a BOCES or district that was not a party to the original agreement and accepts the Provider’s General Offer of Privacy Terms.  A subscribing local educational agency leverages Exhibit E to enter into a DPA with a vendor (see Exhibit E). 

 

Supplemental Information: Education Law § 2-d and 8 NYCRR § 121.3 require each educational agency to include supplemental information for each contract a local educational agency enters into with a vendor.  This information must be published on the educational agency’s website. The supplemental information must include (see Exhibit L):

·      the exclusive purposes for which the student or teacher/principal data will be used by the vendor;

·      how the vendor will ensure subcontractors abide by the legal requirements for data privacy and protection;

·      the duration of the contract and what will happen to the data upon expiration;

·      if and how parents and eligible students may challenge the accuracy of data;

·      where data will be stored and the security protections in place; and

·      how data will be protected by encryption at rest and in transit.

 

The Education Cooperative (“TEC”): Is a Massachusetts educational service agency and 501(c)(3) non-profit organization.  The Massachusetts Education Cooperatives are similar to the BOCES (see ‘DPA Collaboratives and Associated Deliverables Table’).

 

The Education Cooperative Student Data Privacy Alliance (“TEC SDPA”):  Is a multi-state data privacy alliance.  TEC SDPA supports K-12 agencies in New York, Maine, Massachusetts, Missouri, New Hampshire, Ohio, Rhode Island, and Vermont.  Through the TEC SDPA and RIC One ROC partnership, NDPAs are negotiated that include NYS specific terms (see ‘DPA Collaboratives and Associated Deliverables Table’).


The Education Cooperative Student Data Privacy Alliance New York State Data Privacy Agreement (“TEC SDPA NYS NDPA”): Are data privacy agreements negotiated through the RIC One ROC, in partnership with the TEC SDPA.  These agreements use the NDPA and incorporate NYS protective terms.   

Traditional Data Privacy Agreement (also referred to as a legacy data privacy agreement): Is an agreement that is negotiated outside of the new structures and Resource Registry using local negotiation practices and resources.

PRINTABLE RESOURCES

DPA Structures Terms.pdf

DPA Collaboratives and Associated Deliverables.pdf
