Student Data Privacy Consortium (SDPC) Privacy Contract Framework Getting Started Toolkit Track 1 Summer 2016
About the Consortium There is a bevy of great organizations providing guidance to schools and states regarding student data privacy. The Student Data Privacy Consortium (SDPC) will leverage this work and focus on issues being faced by on-theground practitioners. The SDPC is a non-profit collaborative of schools, districts, regional and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns. This Consortium is developing common leverage activities, artifacts, templates, tools and effective practices, all through the most unique collaborative: end users and marketplace providers working together! The Student Data Privacy Consortium (SDPC) is a collaborative of schools, districts, regional and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns. Consortium Goals Establish a community of stakeholders who have various needs addressed through policy, technology and/or effective practice sharing around effective privacy management, Identify projects that have on-the-ground and real-world impact on student privacy enabling schools, districts, state and vendors find resources, adapt them to their unique context and implement protections, Development of tools and resources to address operational issues not currently being addressed, Leverage partnership organizations working in the privacy space to have their good work utilized and no reinvention of existing work, Development of a clearinghouse of student data privacy operational issues and resources to support schools, districts, states and vendors in managing those issues no matter where the resources originate. About This Project Privacy Contract Framework The first project of the group was to leverage the great work done by the Massachusetts Student Privacy Alliance (MSPA) and their work around a "common contract" for usage across 40 districts. The clear expectation by establishing the contract and the partnership has benefited districts and even the vendors working with them. This project looks to exponentially leverage and expand upon this work. The Privacy Contract Framework resources and tools can all be found in the SDPC App. Track one is designed for schools, districts or regional organizations/associations or state agencies that do not yet have a model/template contract designed specifically for their jurisdiction. Organizations entering into the project via tack one will utilize SDPC products and resources to assist with the development of a model/template contract. These resources will include model contract clauses, appropriate federal and state laws, examples of other jurisdiction's model contracts as well as interaction with the community members to develop a new model contract. Track two is designed for schools, districts or regional organizations/associations or state agencies that do have a model/template contract designed specifically for their jurisdiction and are ready to create a jurisdictional specific alliance for the purpose of utilizing shared model contracts. Organizations entering into the project via track two will utilize SDPC products and services to create and implement a specific jurisdictional alliance. These resources will include an on line tool for the management of the contracting process by all alliance members, including inventorying applications, tracking contract status, posting contracts, and creating transparency with all stakeholders
Contract Tool Tutorial! PTAC Clauses! States/Districts Clauses! Model Consolidated Clauses! Create Your Own Track 1 Tool Kit Components Checklists! Project Benefits Matrix Communication Tools! Generic Awareness! Staff/Administration! Parent Letter! Press Release Vendor Engagement Strategies! Engagement Letter! Talking Points Resources! Sample Contracts! Data Usage Policies! SEA Guidance
Contract Tool Tutorial Step 1: Visit the Tool https://secure2.cpsd.us/a4l/build_a_contract.php?jurisdiction=select+a+jurisdiction&submit.x=90&su bmit.y=26 Larry Fruth 6/28/16 6:30 AM Comment: Add screenshots for a tutorial here again just track 1 Step 2: Review PTAC Clauses http://ptac.ed.gov/sites/default/files/tos_guidance_mar2016.pdf Step 3: Review States/Districts Clauses o Do you have a required minimal set for state/local needs Step 4: Review Model Consolidated Clauses Step 5: Create Your Own
Checklists Project Benefits Matrix Contract Issues Expectation Setting Clear Communications Reduced Legal Dependence SDPC Contract Framework Benefits The framework will set common expectations between IT staff and marketplace providers in what agreement items are expected by all products The framework tools will allow for transparency in what applications have signed agreements, access to the actual agreements, what data that application is using and for what grade and content area. This information is open to all. Organizations do not have the bandwidth or dollars to address the legal requirements needed for the hundreds of applications in place in the school ecosystem. By partnering and leveraging the same vetted tools, these organizations can allocate resources elsewhere.
Communication Tools Generic Awareness We are proud to announce that INSERT LEA/SEA is joining in the work of the Student Data Privacy Consortium (SDPC) formed under the Access 4 Learning (A4L) Community. The SDPC is a collaborative of schools, districts, regional and state agencies, policy makers, trade organizations and marketplace providers addressing realworld, adaptable, and implementable solutions to growing data privacy concerns. There is a bevy of great organizations providing guidance to schools and states regarding student data privacy. The Student Data Privacy Consortium (SDPC) will leverage this work and focus on issues being faced by on-theground practitioners. The SDPC is a non-profit collaborative of schools, districts, regional and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns. This Consortium is developing common leverage activities, artifacts, templates, tools and effective practices, all through the most unique collaborative: end users and marketplace providers working together! Consortium Goals Establish a community of stakeholders who have various needs addressed through policy, technology and/or effective practice sharing around effective privacy management, Identify projects that have on-the-ground and real-world impact on student privacy enabling schools, districts, state and vendors find resources, adapt them to their unique context and implement protections, Development of tools and resources to address operational issues not currently being addressed, Leverage partnership organizations working in the privacy space to have their good work utilized and no reinvention of existing work, Development of a clearinghouse of student data privacy operational issues and resources to support schools, districts, states and vendors in managing those issues no matter where the resources originate. The first project of the group identified, the Privacy Contract Framework, leverages the great work done by the Massachusetts Student Privacy Alliance (MSPA) and their work around a "common contract" for usage across 40 districts. The clear expectation by establishing the contract and the partnership has benefited districts and even the vendors working with them. The Privacy Contract Framework resources and tools can all be found in the SDPC App. We will be focusing on Track one designed for schools, districts or regional organizations/associations or state agencies that do not yet have a model/template contract designed specifically for their jurisdiction. We will utilize SDPC products and resources to assist with the development of a model/template contract. These resources will include model contract clauses, appropriate federal and state laws, examples of other jurisdiction's model contracts as well as interaction with the community members to develop a new model contract. Track two is designed for alliances to be built across states that have a model/template contract designed specifically for their jurisdiction and are ready to create a jurisdictional specific alliance for the purpose of utilizing shared model contracts. We are excited about this new project to help us streamline our learning application identification, implementation and usage for our students. Much more to come - please feel free to contact us at any time with questions, concerns, etc. Thanks,
Assistant Director, Educational Technology YOUR SCHOOL ------------------------------------------------------------------------------------------------------------------------------ Staff/Administration We are proud to announce that INSERT LEA/SEA is joining in the work of the Student Data Privacy Consortium (SDPC) formed under the Access 4 Learning (A4L) Community. The SDPC is a collaborative of schools, districts, regional and state agencies, policy makers, trade organizations and marketplace providers addressing realworld, adaptable, and implementable solutions to growing data privacy concerns. There is a bevy of great organizations providing guidance to schools and states regarding student data privacy. The Student Data Privacy Consortium (SDPC) will leverage this work and focus on issues being faced by on-theground practitioners. The SDPC is a non-profit collaborative of schools, districts, regional and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns. This Consortium is developing common leverage activities, artifacts, templates, tools and effective practices, all through the most unique collaborative: end users and marketplace providers working together! The first project of the group identified, the Privacy Contract Framework, leverages the great work done by the Massachusetts Student Privacy Alliance (MSPA) and their work around a "common contract" for usage across 40 districts. The clear expectation by establishing the contract and the partnership has benefited districts and even the vendors working with them. The Privacy Contract Framework resources and tools can all be found in the SDPC App. We will be focusing on Track one designed for schools, districts or regional organizations/associations or state agencies that do not yet have a model/template contract designed specifically for their jurisdiction. We will utilize SDPC products and resources to assist with the development of a model/template contract. Track two is designed for alliances to be built across states that have a model/template contract designed specifically for their jurisdiction and are ready to create a jurisdictional specific alliance for the purpose of utilizing shared model contracts. We are excited about this new project to help us streamline our learning application identification, implementation and usage for our students. Much more to come that will impact our work such as applications you want vetting, processes for maintenance and even public communication models. Please feel free to contact us at any time with questions, concerns, etc. Thanks, Assistant Director, Educational Technology YOUR SCHOOL ------------------------------------------------------------------------------------------------------------------------------ Parent Letter We are proud to announce that INSERT LEA/SEA is joining in the work of the Student Data Privacy Consortium (SDPC) formed under the Access 4 Learning (A4L) Community. The SDPC is a collaborative of schools, districts, regional and state agencies, policy makers, trade organizations and marketplace providers addressing realworld, adaptable, and implementable solutions to growing data privacy concerns.
There is a bevy of great organizations providing guidance to schools and states regarding student data privacy. The Student Data Privacy Consortium (SDPC) will leverage this work and focus on issues being faced by on-theground practitioners. The SDPC is a non-profit collaborative of schools, districts, regional and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns. This Consortium is developing common leverage activities, artifacts, templates, tools and effective practices, all through the most unique collaborative: end users and marketplace providers working together! Consortium Goals Establish a community of stakeholders who have various needs addressed through policy, technology and/or effective practice sharing around effective privacy management, Identify projects that have on-the-ground and real-world impact on student privacy enabling schools, districts, state and vendors find resources, adapt them to their unique context and implement protections, Development of tools and resources to address operational issues not currently being addressed, Leverage partnership organizations working in the privacy space to have their good work utilized and no reinvention of existing work, Development of a clearinghouse of student data privacy operational issues and resources to support schools, districts, states and vendors in managing those issues no matter where the resources originate. The first project of the group identified, the Privacy Contract Framework, leverages the great work done by the Massachusetts Student Privacy Alliance (MSPA) and their work around a "common contract" for usage across 40 districts. The clear expectation by establishing the contract and the partnership has benefited districts and even the vendors working with them. The Privacy Contract Framework resources and tools can all be found in the SDPC App. We will be focusing on Track one designed for schools, districts or regional organizations/associations or state agencies that do not yet have a model/template contract designed specifically for their jurisdiction. We will utilize SDPC products and resources to assist with the development of a model/template contract. Track two is designed for alliances to be built across states that have a model/template contract designed specifically for their jurisdiction and are ready to create a jurisdictional specific alliance for the purpose of utilizing shared model contracts. We are excited about this new project to help us streamline our learning application identification, implementation and usage for our students. You as a parent will be able to access a listings of all of the application use din our schools, the actual physical signed contract, and what student data that application is using and for what content area. Much more to come - please feel free to contact us at any time with questions, concerns, etc. Thanks, Assistant Director, Educational Technology YOUR SCHOOL ------------------------------------------------------------------------------------------------------------------------------ Press Release
The Student Data Privacy Consortium Launches the Development of the Privacy Contract Framework for End Users and Vendor Washington, DC, 29 June 2016---The LEA/SEA Entity has joined the Student Data Privacy Consortium (SDPC), formed under the Access 4 Learning (A4L) Community, and it s first project the Privacy Contract Framework. There is a bevy of great organizations providing guidance to schools and states regarding student data privacy. The Student Data Privacy Consortium (SDPC) will leverage this work and focus on issues being faced by on-theground practitioners. The SDPC is a non-profit collaborative of schools, districts, regional and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns. This Consortium is developing common leverage activities, artifacts, templates, tools and effective practices, all through the most unique collaborative: end users and marketplace providers working together! ADD YOUR ORGANIZATION S QUOTE: The first project of the group was to leverage the great work done by the Massachusetts Student Privacy Alliance (MSPA) and their work around a "common contract" for usage across 40 districts. The clear expectation by establishing the contract and the partnership has benefited districts and even the vendors working with them. Project Track One is designed for schools, districts or regional organizations/associations or state agencies that do not yet have a model/template contract designed specifically for their jurisdiction. Project Track Two is designed for schools, districts or regional organizations/associations or state agencies that do have a model/template contract designed specifically for their jurisdiction and are ready to create a jurisdictional specific alliance for the purpose of utilizing shared model contracts. Both tracks will utilize SDPC products and services to create and implement common contracts and specific jurisdictional alliance. The California Educational Technology Professionals Association (CETPA), representing over 1,000 districts, has joined the Student Data Privacy Consortium based on the great work demonstrated by Massachusetts. The consortium has a mature process for establishing a state-wide contract and a database for posting vetted applications and provides transparency to staff and community, states Steve Carr Chief Technology Officer Ventura County Office of Education and CETPA President-Elect. In California, AB 1584 and SOPIPA legislation has created an overwhelming burden to review every contract and Term of Service, which in some cases has been an impediment to web curriculum in the classroom. Collaboratively working with our partners, we expect to build clear steps that will streamline the process in protecting our student s data by having a statewide contract that demonstrates compliance with California legislation. Currently work is underway in several large districts as well as statewide collaborative groups in CA, VA, MA, WI, RI, and ME committed to the project. The powerful core of end uses and marketplace providers involved in this work will streamline the successful implementation of any education application ecosystem. ### About the Access 4 Learning Community The Access 4 Learning (A4L) Community, previously the SIF Association, is a unique, non-profit collaboration composed of schools, districts, local authorities, states, US and International Ministries of Education, software vendors and consultants who collectively address all aspects of learning information management and access to support learning. The A4L Community is Powered by SIF Specifications as its major technical tool to allow for
this management and access simply, securely and in a scalable, standard way regardless of the platform hosting those applications. The Access 4 Learning Community has united these education technology end users and providers in an unprecedented effort to give teachers more time to do what they do best: teach. For further information, visit http://www.a4l.org ADD YOUR ABOUT LEA/SEA INFO HERE XXXXXXX Resources Excel in Ed Communications Toolkit: http://www.excelined.org/wp-content/uploads/student-data-privacy-comms-toolkit.pdf
Vendor Engagement Strategies Vendor Engagement Letter VENDOR CONTACT, Attached is the YOUR SCHOOL s Student Data Privacy Agreement. With any online application hosting student data, we require the execution of this agreement. APPLICATION NAME serves as the district PURPOSE, which WHAT TYPE OF STUDENT DATA such as student work. Therefore we feel this agreement is appropriate for this application. Larry Fruth 6/28/16 10:34 AM Comment: Do we need two? One for current and one for future application providers? INSERT LEA/SEA is working with the Student Data Privacy Consortium (SDPC) formed under the Access 4 Learning (A4L) Community. The SDPC is a collaborative of schools, districts, regional and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns. It is also worth noting that the attached YOUR SCHOOL s Student Data Privacy Agreement is the same model contract template supported by numerous members of the SDPC a larger national framework for common student data privacy contracting clauses and conditions. In Massachusetts alone, the MA SDPC Alliance is an alliance of 50, and growing MA school districts that have agreed to implement standard contract terms in an effort to streamline this contracting process for both districts and vendors. Currently there are seven other states with districts leveraging the SDPC s work. By agreeing to this contract, as written, you are in essence agreeing to similar terms with other SDPC schools, although separate contracts would need to be executed. YOUR CONTACT, THEIR TITLE, is leading our Student Data Privacy Consortium work and is happy to answer any questions you may have on these efforts. Let us know if you have any questions or concerns about the attached agreement. Thanks, Assistant Director Educational Technology YOUR SCHOOL ------------------------------------------------------------------------------------------------------------------------------ Vendor Talking Points Why?: As a LEA/SEA we are charged as custodians of the student data and mandated to take certain precautions. We have chosen to engage with your organization to provide a service that is we had the capacity we would provide internally to our community. Since we are contracting this service out to you and designating you as a school official for the specific purpose of providing this service we expect you to take all the same precautions to ensure the privacy of our students data just as if we were providing this service internally. PII or Not?: Vendors will often push back that their application does not collect PII. The definition of PII is loose enough that this is up to local interpretation. According to PTAC PII is any data that can be used to identify an individual student or when used in combination with other data may identify a student. This leaves the door wide open to
various interpretations. Some districts take the position if a student interacts with an application rather than simply consume information, then the potential is there for the collection of PII and thus require the agreement. Anonymous login IDs: Some vendors will insist on students using fictitious login IDs that are maintained by a staff member/teacher to avoid collecting PII. Again, depending on the interpretation of PII, this does not alleviate the fact that when combined with other data the PII still exists. Not all clauses apply: Since the contract templates are intentionally broad in scope to address all possible scenarios, there may be clauses that do not apply to a particular application or service. For example, if a vendor, by their own policies never have client data on mobile devices a clause addressing mobile device security may not apply. There are usually written with language such as If/when any data is loaded onto mobile devices.. but often vendors will want this removed. There are other such instances. If they still won t sign: Inquire as to exactly why. What particular clause are they uncomfortable with? There may be some underlying architectural issue with their application preventing them from signing. Common Clause language: While engaging in a conversation with the vendor informing them of the larger SDPC project goals is beneficial. While dealing with the actual contract negotiation process is the best time to attempt to engage the vendor in becoming active in the SDPC to assist with creating common contracts for their product across both your jurisdiction as well as other locales. Would the vendor be interested in the negotiated contract, if different from the template, being promoted as a template on the SDPC site? Vendor Resource: Building a Trusted Environment for Ed Tech Products - Excel http://excelined.org/may2016studentdataprivacypaper/?utm_source=excelined&utm_campaign=cb1a4a2847- c3_fromdesk_neilcampbell_edtechpaper_dat6_6_2016&utm_medium=email&utm_term=0_0473a80b81- cb1a4a2847-115589585 Student Privacy and Data Security Toolkit for School Service Providers - SIIA http://www.siia.net/divisions/etin-education-technology-industry-network/resources/student- Privacy-Data-Security-Toolkit-for-School-Service-Providers
Resources Sample Contracts https://secure2.cpsd.us/mspa/mspa-student-data-agreement-template-v3.pdf Larry Fruth 6/28/16 6:31 AM Comment: Need to keep adding SEA Guidance http://www.ccsso.org/documents/2016/privacy%20discussion%20tool%20for%20chiefs_june2016.pd f Data Usage Policies http://ptac.ed.gov/sites/default/files/policies%20for%20users%20of%20student%20data%20checklist.pdf Privacy Course Excel in Ed https://www.canvas.net/browse/excelined/courses/data-privacy-getschooled?utm_source=excelined&utm_medium=link&utm_campaign=student%20data%20privacy Protecting Student Privacy Excel in Ed http://www.excelined.org/2015dataprivacywhitepaper/ Educators Guide to Student Data Privacy FERPA/SHERPA https://ferpasherpa.org/school-officials/educators-guide-to-student-privacy/ Educators Guide to Student Data Privacy Connect Safely http://www.connectsafely.org/wp-content/uploads/educators-guide-data-.pdf Parent Guide to Student Data Privacy FERPA/SHERPA https://ferpasherpa.org/parents/a-parents-guide-to-student-data-privacy/