Appendix I: Additional Requirements for Third Parties/Vendors

This appendix serves as an addendum to the data privacy and security requirements and sets specific requirements for third parties (organizations, vendors, etc.) that may utilize, store or transmit District data as either an intermediary or contracted entity or individual.

Any third party entities or individuals that collect, store or transmit District data and any associated computer systems, storage devices/media and networks.

In addition to the terms specified in the District’s Data Privacy and Security Policy, third party entities/individuals are expected to:

• Identify and assess information security risks regularly and develop/maintain a risk treatment plan to reduce the risk to the confidentiality, integrity and availability of the information it holds or processes.
• Work to reduce or eliminate security incidents
• Minimize the impact of any such incidents
• Continually improve the company’s ability to assess, detect, reduce, avoid and ameliorate information security risks and/or incidents
• Work to avoid a negative impact to the District’s reputation and brand as a result of any security breach.
• Protect the information of all interested parties including the personal information of its customers.
• Comply with any applicable legal, regulatory or contractual requirements in respect of the data it holds about individuals (i.e., FERPA, COPPA, PPRA, HIPAA).
• Follow best practices for data collection and security.
• Seek to continually improve the company’s Information Security Management System(s)
• Maintain a Data Security Policy outlining/governing:
  • Types of data collected along with rationale for collection
  • Data collection, storage and usage practices/procedures
  • Data security standards
  • Employee access to data
  • Disclosure/Sharing of District data with any other parties not directly contracted by the District.
  • Policy review
  • Statement regarding how/when changes are made to the policy and how they will be communicated
• Designate a Data Protection Officer that at a minimum is tasked with:
  • Reviewing Data Protection and related policies
  • Advising other staff on Data Protection issues
  • Ensuring that Data Protection induction and training takes place
  • Notification
  • Handling subject access requests
  • Approving unusual or controversial disclosures of personal data
  • Approving contracts with Data Processors

• District Data must be encrypted at rest.
• District Data must be encrypted in transit using SSL Encryption.
• All access to District data must be logged and logs maintained for a minimum period of 90 days.
• Access by employees or third parties (excluding District users) to District Data must be protected by multi-factor authentication.
• Remote desktop access to systems that store or handle District data is disabled by default and only enabled on an as-needed basis.
• All data must be stored in an ISO 27001 or NIST compliant or equally secure facility in the United States or its territories.
• All data must be backed up regularly and securely and in multiple locations.
• Any relevant data security contracts that have been entered into between the vendor/organization/individual and another party must be disclosed to the District.
• In order to comply with relevant legislation:
  • Any data relating to or created by a Student should be deleted if a request to do so is made by a parent of the student. However, the vendor must verify the validity and confirm the authority of the person or persons making the request by contacting the School or District.
• Operate a Business Continuity Plan to deliver continuity of service in the event of a disaster. This plan should cover situations such as:
  • Fire
  • Flash flood
  • Pandemic
  • Power Outage
  • Theft
• All staff who have access to any kind of District data will have their responsibilities outlined during their induction procedures.
• Data Protection will be included in foundation training for all staff.
• Staff are required to sign an electronic form signifying that they have read, understood and accept the Data Security Policy.
• Data security incidents should be classified according to severity:
  • Level 1: Incidents such as unsuccessful exploit attempts that do not involve data loss should be classified as Level 1 - Non Critical Incidents. Level 1 incidents do not require customer notification since there has been no impact to privacy.
  • Level 2: Incidents that do involve data loss (even suspected data loss) will be classified as Level 2 - Critical Incidents and require notification to the District if the District’s data may have been impacted.
• Data/Security Policies must be audited at a minimum once per year.
• Penetration and vulnerability testing of all in-scope systems and networks must be conducted at a minimum annually and any identified gaps must be communicated to the District along with a remediation plan outlining steps, responsible parties and a target date for resolution.