Below is a sample of the agreement we adhere to ensure your student data is protected when you enroll in LifePlan Labs. There’s more to this agreement since we customize it to your school’s needs and policies. Contact us to learn more.
EDUCATIONAL SERVICES COMPANY
DATA SHARING AGREEMENT
LIFEPLAN LABS, LLC.
This Data Sharing Agreement (“DSA”) is entered into between Sample School, a school in SampleCity, State (“School”) and LifePlan Labs, LLC. (“Requestor”), an educational services company that provides SEL and career-focused curriculum content to School students. This contract has the following overriding goals:
- Preserving the anonymity of student identities, including assurance that identifiable student data is not released to third parties;
- Enhancing the ability of the School and the Requestor to improve academic achievement for School students by allowing access to individual student records consistent with the requirements of the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. § 1232g; and
- Accurately measuring the School and the Requestor’s progress toward improving student outcomes and indicators, and meeting set targets and other goals.
NOW, THEREFORE, THE SCHOOL AND REQUESTOR AGREE AS FOLLOWS:
OBLIGATIONS OF REQUESTOR
The Requestor, representing all members of the organization, shall ensure the confidentiality of student data through the following methods.
- The Requestor shall update the list of enrolled students on the first day of every month to remove students who cease participating in the program.
- The Requestor shall strictly comply with all state and federal laws that apply to the use and release of the data, including but not limited to FERPA and its regulations, set forth at 34 C.F.R. § pt. 99. In accordance with FERPA, the Requestor shall procure the consent of parents or eligible students to the release and use of the data, and shall maintain and make written proof of parent or student consent available to the School.
- The Requestor shall comply with the redisclosure limitations set forth in FERPA, including 34 C.F.R. § pt. 99.33.
- The Requestor shall restrict access to the data only to (i) the person or persons who provide direct services to School students; or (ii) the person or persons within the Requestor’s organization who have been tasked with analyzing the data; and make those persons aware of, and agree to abide by, the terms set forth in this Agreement.
- The Requestor shall not release or otherwise reveal, directly or indirectly, the data to any individual, agency, entity, or third party not included in this Agreement, unless such disclosure is required by law or court order.
- The Requestor shall not distribute, reprint, alter, sell, assign, edit, modify or create derivative works or any ancillary materials from or with the data, other than publications permitted under Sections II(l) and II(m).
- The Requestor shall not use data shared under this Agreement for any purpose other than the goals outlined in this Agreement. Nothing in the Agreement shall be construed to authorize Requestor to have access to additional data from the School that is not included in the scope of the Agreement (or addenda). Requestor understands that the Agreement does not convey ownership of the data to Requestor.
- The Requestor shall take reasonable security precautions and protections to ensure that persons not authorized to view the data do not gain access to the data. Reasonable security precautions and protections include, but are not limited to:
- Creating, distributing, and implementing data governance policies and procedures which protect School data through appropriate administrative, technical, and physical security safeguards, and outline staff responsibilities for maintaining data security;
- Encrypting all School data carried on mobile computers/devices;
- Encrypting School data before it is transmitted electronically;
- Requiring that users be uniquely identified and authenticated before accessing School data;
- Establish and enforce well-defined data privilege rights which restrict users’ access to the data necessary for them to perform their job functions;
- Ensuring that all staff accessing School data sign an affidavit of nondisclosure, attached as Exhibit A, and maintain copies of signed affidavits; Securing access to any physical areas/electronic devices where sensitive data are stored;
- Installing a firewall to permit or deny network transmissions based upon a set of rules;
- Installing anti-virus software to protect the network;
- The Requestor shall report all known or suspected breaches of School data, in any format, to the School’s designated electronic data reporting custodian at firstname.lastname@example.org within one hour. The report shall include (1) the name, job title, and contact information of the person reporting the incident; (2) the name, job title, and contact information of the person who discovered the incident; (3) date and time the incident was discovered; (4) nature of the incident (e.g., system level electronic breach, an electronic breach of one computer or device, or a breach of hard copies of records; (5) a description of the information lost or compromised; (6) name of electronic system and possible interconnectivity with other systems; (7) storage medium from which information was lost or compromised; (8) controls in place to prevent unauthorized use of the lost or compromised information; (9) number of individuals potentially affected; and (10) whether law enforcement was contacted.
- The Requestor shall securely and permanently destroy the data, and any and all hard and soft (electronic) copies thereof, upon the termination of this agreement. Requestor agrees to require all employees, contractors, or agents of any kind using the School data to comply with this provision. Requestor agrees to document the methods used to destroy the data, and upon request, provide certification to the School that the data has been destroyed.
- For purposes of this agreement and ensuring Requestor’s compliance with the terms of this Agreement and all application of state and Federal laws, Requestor designates Requestor specific staff member,(or an alternative designee specified in writing) the temporary custodian of the data that the School shares with the Requestor. The School will release all data and information under this Agreement to said named temporary custodian. Requestor specific staff member, shall be responsible for transmitting all data requests and maintaining a log or other record of all data requested and received pursuant to the Agreement, including confirmation of the return or destruction of data as described below. The School or its agents may, upon request, review the records the Requestor is required to keep under this Agreement. The School designates its Dean of Engagement (or an alternative designee specified in writing) as its liaison for all communications with the Requestor regarding this Agreement;
- The Requestor has the right to present, publish, or use student results it has gained in the course of its analysis, but only if the publication, presentation, or use does not include personally identifiable information of parents, students, or teachers.
- Should the Requestor present, publish, or use student results it has gained in the course of its analysis under Section I(m), Requestor shall adhere to the following terms:
- Publications and reports of data and information shared, including preliminary descriptions and draft reports, shall involve only aggregate data and no personally identifiable information or other information that could lead to the identification of any student, parent, or teacher.
- No less than 7 business days prior to public disclosure of its data analysis, Requestor will provide the School a manuscript or other draft of the proposed public disclosure. Within 7 business days following receipt thereof, the School will notify Requestor in writing if the proposed disclosure contains any confidential information and specify the portions of the proposed disclosure requiring redaction.
- The Requestor shall provide the School, free of charge and within thirty (30) days, a copy of any report that is generated using the data.
- Reports or articles based on data obtained from the School under this agreement must include the following acknowledgment: This report/article was made possible, in part, by the support of Sample School. Opinions contained in this report/article reflect those of the author and do not necessarily reflect those of Sample School. The School must be cited as the source of the data in all tables, reports, presentations, and papers.
- The Requestor acknowledges that any violation of this Agreement and/or the provisions of FERPA or accompanying regulations related to the non disclosure of protected student information constitutes just cause for the School to immediately terminate this Agreement without penalty.