Sample Contract





Bethel Public Schools

CONTRACT

In compliance with P.A. 16-189, An Act Concerning Student Data Privacy



AGREEMENT

                                                                                                                       Contractor

And

Bethel Public Schools


This Agreement (“Agreement”) is entered into on this __th day of ____, 201__, between the _Bethel_Board of Education (the “Board”) and [INSERT NAME OF CONTRACTOR] (“Contractor”) (Operator) (Consultant) (collectively, the “Parties”) for the purpose of identifying the obligations of the Parties relative to the confidentiality of student data.


Article I. Definitions.  For purposes of this Agreement, “directory information,” “de-identified student information,” “personally-identifiable information,” “school purposes,” “student information,” “student records,” “student-generated content,” and “targeted advertising,” shall be as defined by Public Act 16-189.  “Education records” shall be defined by the Family Educational Rights and Privacy Act of 1974 (“FERPA”), codified at 20 U.S.C § 1232g (as amended); and its implementing regulations, 34 CFR 99.1 - 99.67 (as amended).


Article II.  Purpose of Agreement: The Parties agree that the purpose of this Agreement is to detail the obligations of both Parties relative to the safety and confidentiality of student information, student records and student-generated content (collectively, “student data”), which student data may be provided to the Contractor in connection with Contractor’s provision of one or more of the following professional and non-instructional services (check those applicable):

  • Medical consultation
  • Special education consultation or audit
  • Academic program consultation or audit (non-special education)
  • Behavior intervention/Positive behavior intervention supports consultation or audit
  • Information technology consultation or audit
  • Student data storage, maintenance, collection and/or analysis
  • Student access to Contractor/Operator online content and/or services
  • Other (explain):_______________________________________________

Article III.  General Provisions


  1. All student data provided or accessed pursuant to this Agreement is and remains under the control of the Board.  All student data are not the property of, or under the control of, the Contractor.   


  1. The Board may request that the Contractor delete student data in the Contractor’s possession by sending such request to the Contractor by electronic mail.  The Contractor will delete the requested student data within two (2) business days of receiving such a request.


  1. The Contractor shall not use student data for any purposes other than those authorized in this Agreement, and may not use student data for any targeted advertising.


  1. If the Contractor receives a request to review student data in the Contractor’s possession directly from a student, parent, or guardian, the Contractor agrees to refer that individual to the Board and to notify the Board within two (2) business days of receiving such a request.   The Contractor agrees to work cooperatively with the Board to permit a student, parent, or guardian to review personally identifiable information in student data that has been shared with the Contractor, and correct any erroneous information therein, by following the amendment procedures outlined in the Board’s Confidentiality and Access to Education  Records Policy, [INSERT POLICY NUMBER].  


  1. FERPA – The contractor/Operator/Consultant and the Board will ensure compliance with the Federal Family Educational Rights to Privacy Act of 1974.



Article IV.  Security and Confidentiality of Student Data.  The Contractor/Operator/Consultant and the Board shall ensure that they each comply with the FERPA.  Further, the Contractor shall take actions designed to ensure the security and confidentiality of student data, including but not limited to:


  1. Using technologies and methodologies consistent with the guidance issued in the American Recovery and Reinvestment Act of 2009, Public Law 111-5, § 13402(h)(2), 42 U.S.C. § 17932;


  1. Maintaining technical safeguards relating to the possession of education records in a manner consistent with 45 C.F.R. 164.312;


  1. Otherwise meeting or exceeding industry standards relating to the safeguarding of confidential information.


  1. Consultants will disclose file storage including paper and electronic file storage on local devices and or online file storage services.


  1. Consultants will disclose security strategies for protecting all student personally identifiable information in active or stored files. Local devices will have password security and be stored on dedicated servers or industry security compliant online storage systems.



Article V.  Prohibited Uses of Student Data


  1. The Contractor shall not use student data for any purposes other than those authorized pursuant to this Agreement.


  1. The Contractor shall not retain, and the Board shall not otherwise make available, any student data upon completion of the contracted services unless a student, or parent or legal guardian of a student chooses to establish or maintain an electronic account with the Contractor for the purpose of storing student-generated content.


  1. During the entire effective period of this Agreement, the Board shall have control of any and all student data provided to or accessed by the Contractor. If a student, parent or guardian requests deletion of student data, the Contractor agrees to notify the Board immediately, but no later than two (2) business days after receiving such a request, and agrees to not delete such student data because it is controlled by the Board.  The contractor shall destroy any and all student data within a reasonable period of time if the Board requests the deletion of such student data.  


  1. The Contractor shall not collect, store, or use student data or persistent unique identifiers for purposes other than the furtherance of school purposes, as determined by the Board.


  1. The Contractor shall not sell, rent or trade student data. In the event the Contractor merges or is purchased by another entity, the Contractor must notify the Board in writing and receive written approval from the Board prior to providing for any purpose any student data covered under this Agreement to its successor.


Article VI. Data Breaches


  1. Upon the discovery by the Contractor of a breach of security that results in the unauthorized release, disclosure, or acquisition of student data, or the suspicion that such a breach may have occurred, the Contractor shall provide initial notice to the Board as soon as possible, but not more than forty-eight (48) hours after such discovery (“Initial Notice”).  The Initial Notice shall be delivered to the Board by electronic mail to [INSERT CONTACT NAME AND E-MAIL] and shall include the following information, to the extent known at the time of notification:

  1. Date and time of the breach;

  2. Names of student(s) whose student data was released, disclosed or acquired;

  3. The nature and extent of the breach;

4.   The Contractor’s proposed plan to investigate and remediate the breach.


  1. Upon discovery by the Contractor of a breach, the Contractor shall conduct an investigation and restore the integrity of its data systems and, without unreasonable delay, but not later than thirty (15) days after discovery of the breach, shall provide the Board with a more detailed notice of the breach, including but not limited to the date and time of the breach; name(s) of the student(s) whose student data was released, disclosed or acquired; nature and extent of the breach; and measures taken to ensure that such a breach does not occur in the future.


  1. The Contractor agrees to cooperate with the Board with respect to investigation of the breach and to reimburse the Board for costs associated with responding to the breach, including but not limited to the costs relating to notifications as required by Public Act 16-189.


  1. Notwithstanding the breach notifications required in this Article, the Contractor shall provide the Board with a copy of the notification that it provides to a student or the parents or guardians of such student pursuant to Public Act 16-189.  The copy of such notice shall be provided to the Board by electronic mail on the same date that it is provided to the student or parents or guardians of such student. The Parties agree that the following information shall be included in the Contractor’s notice of breach to a student or parent or guardian of a student:

  1. Name of the student being notified whose student data was released, disclosed or acquired, which shall not include the names of other students;

  2. Date and time of the breach.





Article VIII. Choice of Law, Choice of Forum, Merger, Severability


A. Choice of Law.  The parties agree that this agreement and any disputes arising from or relating to this Agreement, including its formation and validity, shall be governed by the laws of the State of Connecticut.


B. Choice of Forum.  The parties agree that any and all disputes arising from or relating to this Agreement, including its formation and validity, shall be settled in the State of Connecticut.


C. Amendment.  This Agreement may be changed, amended, or superseded, only upon an agreement in writing executed by both parties hereto.


D. Severability.  A court finding of invalidity for any provision of this Agreement does not invalidate other provisions or applications that are not affected by the finding.


This Agreement is effective upon execution by both parties and shall continue until [INSERT ENDING DATE OR PERIOD].


INSERT NAME

Superintendent of Schools

INSERT BOARD OF EDUCATION



__________________________________ __________

Date

INSERT NAME

COMPANY/ORGANIZATION NAME


__________________________________ __________

Date



Comments