Wisconsin Student Data Privacy Agreement Lake Mills Area ..., Study notes of Law

Typology: Study notes

2022/2023

Uploaded on 02/28/2023

geek45
WISCONSIN STUDENT DATA PRIVACY AGREEMENT

Lake Mills Area School District
AND
Desmos, Inc.

January 25, 2021

This Wisconsin Student Data Privacy Agreement (“DPA”) is entered into by and between the Lake Mills Area School District (hereinafter referred to as “LEA”) and Desmos, Inc. (hereinafter referred to as “Provider”) on January 25, 2021. The Parties agree to the terms as stated herein.

RECITALS

WHEREAS, the Provider has agreed to provide the Local Education Agency (“LEA”) with certain digital educational services (“Services”) pursuant to a contract dated January 25, 2021 (“Service Agreement”); and

WHEREAS, in order to provide the Services described in the Service Agreement, the Provider may receive or create, and the LEA may provide documents or data that are covered by several federal statutes, among them, the Family Educational Rights and Privacy Act (“FERPA”) at 20 U.S.C. 1232g and 34 CFR Part 99, Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. 6501-6506; Protection of Pupil Rights Amendment (“PPRA”) 20 U.S.C. 1232h; and

WHEREAS, the documents and data transferred from LEAs and created by the Provider’s Services are also subject to Wisconsin state student privacy laws, including pupil records law under Wis. Stat. § 118.125 and notice requirements for the unauthorized acquisition of personal information under Wis. Stat. § 134.98; and

WHEREAS, for the purposes of this DPA, Provider is a school district official with legitimate educational interests in accessing educational records pursuant to the Service Agreement; and

WHEREAS, the Parties wish to enter into this DPA to ensure that the Service Agreement conforms to the requirements of the privacy laws referred to above and to establish implementing procedures and duties; and

WHEREAS, the Provider may, by signing the “General Offer of Privacy Terms” (Exhibit “E”), agree to allow other LEAs in Wisconsin the opportunity to accept and enjoy the benefits of this DPA for the Services described herein, without the need to negotiate terms in a separate DPA.

NOW THEREFORE, for good and valuable consideration, the parties agree as follows:

ARTICLE I: PURPOSE AND SCOPE

1. Purpose of DPA. The purpose of this DPA is to describe the duties and responsibilities to protect student data transmitted to Provider from LEA pursuant to the Service Agreement, including compliance with all applicable statutes, including the FERPA, PPRA, COPPA, and applicable Wisconsin law, all as may be amended from time to time. In performing these services, the Provider shall be considered a School District Official with a legitimate educational interest, and performing services otherwise provided by the LEA. With respect to the use and maintenance of Student Data, Provider shall be under the direct control and supervision of the LEA.

5. Disposition of Data. Upon written request and in accordance with the applicable terms in subsection a or b, below, Provider shall dispose or delete all Student Data obtained under the Service Agreement when it is no longer needed for the purpose for which it was obtained. Disposition shall include (1) the shredding of any hard copies of any student data; (2) erasing; or (3) otherwise modifying the personal information in those records to make it unreadable or indecipherable by human or digital means. Nothing in the Service Agreement authorizes Provider to maintain Student Data obtained under the Service Agreement beyond the time period reasonably needed to complete the disposition. Provider shall provide written notification to LEA when the Student Data has been disposed. The duty to dispose of Student Data shall not extend to data that has been de-identified or placed in a separate Student account, pursuant to the other terms of the DPA. The LEA may employ a “Request for Return or Deletion of Student Data” form, a copy of which is attached hereto as Exhibit “D”. Upon receipt of a request from the LEA and where possible, the Provider will immediately provide the LEA with any specified portion of the Student Data within ten (10) calendar days of receipt of said request.

a. Partial Disposal During Term of Service Agreement. Throughout the Term of the Service Agreement, LEA may request partial disposal of Student Data obtained under the Service Agreement that is no longer needed. Partial disposal of data shall be subject to LEA’s request to transfer data to a separate account, pursuant to Article II, section 3, above.

b. Complete Disposal Upon Termination of Service Agreement. Upon Termination of the Service Agreement Provider shall dispose or delete all Student Data obtained under the Service Agreement. Prior to disposition of the data, Provider shall notify LEA in writing of its option to transfer data to a separate account, pursuant to Article II, section 3, above. In no event shall Provider dispose of data pursuant to this provision unless and until Provider has received affirmative written confirmation from LEA that data will not be transferred to a separate account.

6. Advertising Prohibition. Provider is prohibited from using or selling Student Data to (a) market or advertise to students or families/guardians; (b) inform, influence, or enable marketing, advertising, or other commercial efforts by a Provider; (c) develop a profile of a student, family member/guardian or group, for any commercial purpose other than providing the Service to LEA; or (d) use the Student Data for the development of commercial products or services, other than as necessary to provide the Service to LEA. This section does not prohibit Provider from using Student Data for adaptive learning or customized student learning purposes.

ARTICLE V: DATA PROVISIONS

1. Data Security. The Provider agrees to abide by and maintain adequate data security measures, consistent with industry standards and technology best practices, to protect Student Data from unauthorized disclosure or acquisition by an unauthorized person. The general security duties of Provider are set forth below. Provider may further detail its security programs and measures in Exhibit “F” hereto. These measures shall include, but are not limited to:

a. Passwords and Employee Access. Provider shall secure usernames, passwords, and any other means of gaining access to the Services or to Student Data, at a level suggested by the applicable standards, as set forth in Article 4.3 of NIST 800-63-3. Provider shall only provide access to Student Data to employees or contractors that are performing the Services. Employees with access to Student Data shall have signed confidentiality agreements regarding said Student Data. All employees with access to Student Records shall be subject to criminal background checks in compliance with state and local ordinances.

b. Destruction of Data. Provider shall destroy or delete all Student Data obtained under the Service Agreement in accordance with Article IV, section 5, above. Nothing in the Service Agreement authorizes Provider to maintain Student Data beyond the time period reasonably needed to complete the disposition.

c. Security Protocols. Both parties agree to maintain security protocols that meet industry standards in the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so. Provider shall maintain all data obtained or generated pursuant to the Service Agreement in a secure digital environment and not copy, reproduce, or transmit data obtained pursuant to the Service Agreement, except as necessary to fulfill the purpose of data requests by LEA.

d. Employee Training. The Provider shall provide periodic security training to those of its employees who operate or have access to the system. Further, Provider shall provide LEA with contact information of an employee who LEA may contact if there are any security concerns or questions.

e. Security Technology. When the service is accessed using a supported web browser, Provider shall employ industry standard measures to protect data from unauthorized access. The service security measures shall include server authentication and data encryption. Provider shall host data pursuant to the Service Agreement in an environment using a firewall that is updated according to industry standards.

f. Security Coordinator. If different from the designated representative identified in Article VII, section 5, Provider shall provide the name and contact information of Provider’s Security Coordinator for the Student Data received pursuant to the Service Agreement.

g. Subprocessors Bound. Provider shall enter into written agreements, including, but not limited to, terms of service, whereby Subprocessors agree to secure and protect Student Data in a manner consistent with the terms of this Article V. Provider shall periodically conduct or review compliance monitoring and assessments of Subprocessors to determine their compliance with this Article.

h. Periodic Risk Assessment. Provider further acknowledges and agrees to conduct digital and physical periodic risk assessments and remediate any identified security and privacy vulnerabilities in a timely manner.

2. Data Breach. In the event that Student Data is accessed or obtained by an unauthorized individual, Provider shall provide notification to LEA within a reasonable amount of time upon discovery of the incident, and not exceeding forty-eight (48) hours. Provider shall follow the following process:

a. The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described herein under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.

b. The security breach notification described above in section 2(a) shall include, at a minimum, the following information:
i. The name and contact information of the reporting LEA subject to this section.
ii. A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
iii. If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice.
iv. Whether the notification was delayed because of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
v. A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

c. At LEA’s discretion, the security breach notification may also include any of the following:
i. Information about what the agency has done to protect individuals whose information has been breached.
ii. Advice on steps that the person whose information has been breached may take to protect himself or herself.

d. Provider agrees to adhere to all requirements in applicable state and federal law with respect to a data breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach.

e. Provider further acknowledges and agrees to have a written incident response plan that reflects best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide LEA, upon request, with a copy of said written incident response plan.

f. Provider is prohibited from directly contacting parent, legal guardian or eligible pupil unless expressly requested by LEA. If LEA requests Provider’s assistance providing notice

CONSTRUED IN ACCORDANCE WITH THE LAWS OF THE STATE OF WISCONSIN, WITHOUT REGARD TO CONFLICTS OF LAW PRINCIPLES. EACH PARTY CONSENTS AND SUBMITS TO THE SOLE AND EXCLUSIVE JURISDICTION TO THE STATE AND FEDERAL COURTS FOR THE COUNTY IN WHICH THIS AGREEMENT IS FORMED FOR ANY DISPUTE ARISING OUT OF OR RELATING TO THIS SERVICE AGREEMENT OR THE TRANSACTIONS CONTEMPLATED HEREBY. NOTWITHSTANDING THE FOREGOING, ANY CLAIM IN CONNECTION WITH THIS DPA MUST FIRST, AND BEFORE TAKING ANY OTHER LEGAL ACTION, BE SUBMITTED TO THE PROVIDER IN THE FORM OF A COMPLAINT (EMAIL TO: PRIVACY@DESMOS.COM), AND LEA MUST GIVE DESMOS REASONABLE TIME TO RESOLVE THE CLAIM.

9. Authority. Provider represents that it is authorized to bind to the terms of this Agreement, including confidentiality and destruction of Student Data and any portion thereof contained therein, all related or associated institutions, individuals, employees or contractors who may have access to the Student Data and/or any portion thereof, or may own, lease or control equipment or facilities of any kind where the Student Data and portion thereof stored, maintained or used in any way. Provider agrees that any purchaser of the Provider shall also be bound to the Agreement.

10. Waiver. No delay or omission of the LEA to exercise any right hereunder shall be construed as a waiver of any such right and the LEA reserves the right to exercise any such right from time to time, as often as may be deemed expedient.

11. Successors Bound. This DPA is and shall be binding upon the respective successors in interest to Provider in the event of a merger, acquisition, consolidation or other business reorganization or sale of all or substantially all of the assets of such business.

[Signature Page Follows]

IN WITNESS WHEREOF, the parties have executed this Wisconsin Student Data Privacy Agreement as of the last day noted below.

Provider:
BY:
Date:
Printed Name: Kathleen Hammill
Title/Position: Chief of Staff

Local Education Agency:
BY:
Date:
Printed Name: Chris Czerniak
Title/Position: Technology Director

Note: Electronic signature not permitted.

1/25/2021 2/25/2022

EXHIBIT “A”
DESCRIPTION OF SERVICES

Desmos provides digital math tools -- including, but not limited to, a graphing calculator, scientific calculator, four function calculator, geometry tool, and matrix calculator -- through its website and mobile applications. In addition, Desmos has classroom activities that teachers can use to lead a class through mathematical topics in a way that is social and creative. Teachers can use activities created by Desmos, can build their own, and can modify activities created by Desmos or other teachers.

Desmos licenses its core technology to textbook publishers, assessment companies, and other organizations that can benefit from our products. Desmos never licenses any data on users to these customers. Desmos also does not work with any 3rd party ad networks, targeted or otherwise, on any of its sites, apps, or services.

Please note that because many features of Desmos are available for free to any user, Desmos can only delete or return data on behalf of an LEA if Desmos knows that the user is under the jurisdiction of the LEA. Only accounts associated with a student’s or teacher’s official LEA-issued email address are covered by this DPA.

Additionally, please note that because many instances of Student Data require Desmos’s technology to be rendered and interpreted, in many cases it will not be possible for Desmos to return the data at the request of the LEA. In such cases, we will notify the LEA that the data cannot be returned and instead delete the data if the LEA requests such deletion in response to our notification.

| Category of Data | Elements | Check if used by your system |
|---|---|---|
| Student Name | First and/or Last | X |
| Student In App Performance | Program/application performance (typing program-student types 60 wpm, reading program-student reads below grade level) | X |
| Student Program Membership | Academic or extracurricular activities a student may belong to or participate in | |
| Student Survey Responses | Student responses to surveys or questionnaires | X |
| Student work | Student generated content; writing, pictures etc. | X |
| | Other student work data - Please specify: | |
| Transcript | Student course grades | |
| | Student course data | |
| | Student course grades/performance scores | |
| | Other transcript data -Please specify: | |
| Transportation | Student bus assignment | |
| | Student pick up and/or drop off location | |
| | Student bus card ID number | |
| | Other transportation data -Please specify: | |
| Other | Please list each additional data element used, stored or collected by your application | |

No Student Data Collected at this time ______. *Provider shall immediately notify LEA if this designation is no longer applicable.

OTHER: Use this box, if more space needed

EXHIBIT “C”
DEFINITIONS

De-Identifiable Information (DII): De-Identification refers to the process by which the Provider removes or obscures any Personally Identifiable Information (“PII”) from student records in a way that removes or minimizes the risk of disclosure of the identity of the individual and information about them.

Educational Records: Educational Records are official records, files and data directly related to a student and maintained by the school or local education agency, including but not limited to, records encompassing all the material kept in the student’s cumulative folder, such as general identifying data, records of attendance and of academic work completed, records of achievement, and results of evaluative tests, health data, disciplinary status, test protocols and individualized education programs. For purposes of this DPA, Educational Records are referred to as Student Data.

NIST: Draft National Institute of Standards and Technology (“NIST”) Special Publication Digital Authentication Guideline.

Operator: The term “Operator” means the operator of an Internet Website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes. For the purpose of the Service Agreement, the term “Operator” is replaced by the term “Provider.” This term shall encompass the term “Third Party,” as it is found in applicable state statutes.

Personally Identifiable Information (PII): The terms “Personally Identifiable Information” or “PII” shall include, but are not limited to, student data, metadata, and user or pupil-generated content obtained by reason of the use of Provider’s software, website, service, or app, including mobile apps, whether gathered by Provider or provided by LEA or its users, students, or students’ parents/guardians. PII includes Indirect Identifiers, which is any information that, either alone or in aggregate, would allow a reasonable person to be able to identify a student to a reasonable certainty. For purposes of this DPA, Personally Identifiable Information shall include the categories of information listed in the definition of Student Data.

Provider: For purposes of the Service Agreement, the term “Provider” means provider of digital educational software or services, including cloud-based services, for the digital storage, management, and retrieval of pupil records. Within the DPA the term “Provider” includes the term “Third Party” and the term “Operator” as used in applicable state statutes.

Pupil Generated Content: The term “pupil-generated content” means materials or content created by a pupil during and for the purpose of education including, but not limited to, essays, research reports, portfolios, creative writing, music or other audio files, photographs, videos, and account information that enables ongoing ownership of pupil content.

Pupil Records: Means all of the following: (1) Any information that directly relates to a pupil that is maintained by LEA; (2) any information acquired directly from the pupil through the use of instructional software or applications assigned to the pupil by a teacher or other LEA employee; and any information that meets the definition of a “pupil record” under Wis. Stat. § 118.125(1)(d). For the purposes of this Agreement, Pupil Records shall be the same as Educational Records, Student Personal Information and Covered Information, all of which are deemed Student Data for the purposes of this Agreement.

Service Agreement: Refers to the Contract or Purchase Order to which this DPA supplements and modifies.

School District Official: For the purposes of this Agreement and pursuant to 34 CFR 99.31 (B) and Wis. Stat. § 118.125(2)(d), a School District Official is a contractor that: (1) Performs an institutional service or function for which the agency or institution would otherwise use employees; (2) Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and (3) Is subject to 34 CFR 99.33(a) and Wis. Stat. § 118.125(2) governing the use and re-disclosure of personally identifiable information from student records.

Student Data: Student Data includes any data, whether gathered by Provider or provided by LEA or its users, students, or students’ parents/guardians, that is descriptive of the student including, but not limited to, information in the student’s educational record or email, first and last name, home address, telephone number, email address, or other information allowing online contact, discipline records, videos, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security numbers, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information text messages, documents, student identifies, search activity, photos, voice recordings or geolocation information. Student Data shall constitute Pupil Records for the purposes of this Agreement, and for the purposes of Wisconsin and federal laws and regulations. Student Data as specified in Exhibit “B” is confirmed to be collected or processed by the Provider pursuant to the Services. Student Data shall not constitute that information that has been anonymized or de-identified, or anonymous usage data regarding a student’s use of Provider’s services.

SDPC (The Student Data Privacy Consortium): Refers to the national collaborative of schools, districts, regional, territories and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns.

Student Personal Information: “Student Personal Information” means information collected through a school service that personally identifies an individual student or other information collected and maintained about an individual student that is linked to information that identifies an individual student, as identified by Washington Compact Provision 28A.604.010. For purposes of this DPA, Student Personal Information is referred to as Student Data.

Subscribing LEA: An LEA that was not party to the original Services Agreement and who accepts the Provider’s General Offer of Privacy Terms.

Subprocessor: For the purposes of this Agreement, the term “Subprocessor” (sometimes referred to as the “Subcontractor”) means a party other than LEA or Provider, who Provider uses for data

EXHIBIT “E”
GENERAL OFFER OF PRIVACY TERMS
Lake Mills Area School District

1. Offer of Terms

Provider offers the same privacy protections found in this DPA between it and [Name of LEA] and which is dated to any other LEA (“Subscribing LEA”) who accepts this General Offer though its signature below. This General Offer shall extend only to privacy protections and Provider’s signature shall not necessarily bind Provider to other terms, such as price, term, or schedule of services, or to any other provision not addressed in this DPA. The Provider and the other LEA may also agree to change the data provided by LEA to the Provider in Exhibit “B” to suit the unique needs of the LEA. The Provider may withdraw the General Offer in the event of: (1) a material change in the applicable privacy statutes; (2) a material change in the services and products subject listed in the Originating Service Agreement; or three (3) years after the date of Provider’s signature to this Form.

Provider:
BY:_______________________________
Printed Name:_______________________
Date:________________________________
Title/Position:_________________________

2. Subscribing LEA

A Subscribing LEA, by signing a separate Service Agreement with Provider, and by its signature below, accepts the General Offer of Privacy Terms. The Subscribing LEA and the Provider shall therefore be bound by the same terms of this DPA.

Subscribing LEA:
BY:_______________________________
Date:_______________________________
Printed Name:______________________
Title/Position: _______________________

TO ACCEPT THE GENERAL OFFER, THE SUBSCRIBING LEA MUST DELIVER THIS SIGNED EXHIBIT TO THE PERSON AND EMAIL ADDRESS LISTED BELOW

Name: Eli Luberoff
Title: Chief Executive Officer
Email Address: privacy@desmos.com

Kathleen Hammill Chief of Staff 1/25/2021

EXHIBIT “F”
DATA SECURITY REQUIREMENTS

[INSERT ADDITIONAL DATA SECURITY REQUIREMENTS HERE]