For more than a year, the SDPC working group, composed of lawyers, district officials, business representatives and non-profit organizations, including the FPF, met to form the NDPA. The aim was to improve the language of state agreements and create a balanced starting point for negotiations between schools and businesses at the national level. The result is a contract that is likely to save time and money for schools, counties and education technology companies, which will ultimately benefit students by allowing schools and districts to devote more resources to learning and less to negotiation. Edtech companies face similar challenges as they provide essential services to schools and districts. Because student data contracts comply with federal and state laws and must meet the needs and concerns of each district, education technology companies find it difficult and expensive to negotiate APDs with school districts on a large scale. Often, schools and districts require DPAs that are unique to their institution, but may include requirements that are not suitable for all education technology companies. For example, a company that deletes data after it is no longer needed (to improve data security) would not be able to comply with a contractual obligation to return all student data after the company has provided the service. Large information technology companies may have teams of lawyers who can work with clients on these issues, but many small businesses without legal services may sign contracts that they know they cannot meet because they do not have the resources or leverage to incorporate language that matches the realities of their business. Protecting student privacy took a big step forward this summer when the Student Data Privacy Consortium (SDPC) released the first model of the National Data Privacy Agreement (NDPA) that school districts can use with their technology service providers. Since educational technology (edtech) has become a key tool in the classroom, schools and education technology companies have struggled to create confidentiality agreements (DSAs) that adequately protect student data and meet the needs of schools and providers. DPAs provide essential protection for student data by limiting its use and disclosure. One of the main challenges in this process is that U.S. federal student privacy law and many state laws require specific contractual clauses or safeguards.

The new NDPA addresses this challenge by streamlining the education contracting process and, in the words of the SDPC, by establishing “common expectations between schools/districts and procurement providers.” The SDPC NDPA contains terms that comply with most U.S. federal and state student privacy laws. Nevertheless, not all provisions of the agreement will be perfect for every school, district or business. Districts and businesses concerned about specific regulations will continue to benefit from the use of the NDPA, as it will provide a common starting point for districts and businesses to discuss privacy. The adoption of the NDPA will benefit schools, counties and businesses by creating common ground for these stakeholders to enter into negotiations on student privacy. While not perfect for everyone, the agreement will save resources for all education stakeholders. This efficiency, in turn, will allow schools and districts to better protect student data by providing essential services and education to U.S. students. Increase interoperability without including data protection requirements = increased RISK. Data exchange and data protection parameters must be identified and communicated. Five years and 28 alliances of U.S.

states later, the individual alliances asked, “Why don`t we have a national data protection agreement (ODA)?” After two community reviews and unanimous approval from THE SPSP leadership – it`s here! Alliance leaders noted in 2019 that there was enough commonality among their DPAs, that a national ODA project team had been formed, and that the feasibility of developing a design that could be used by any school/district in the United States had been explored. Two years later, the community is proud to release the first version of the NDPA. However, to ensure this protection, it is often extremely difficult for districts and businesses to enter into contracts with each service provider individually. Each data protection authority may require different levels of sharing, control and protection with regard to student data. And few districts can hire teams of technologists and lawyers to understand and negotiate student privacy with each of their service providers. As a result, districts across the country have sought ways to build confidence and facilitate the ODA process. SDPC alliances have created influential statewide agreements in several states such as California and Massachusetts. In recent years, other state alliances have increasingly adapted versions of the agreements between California and Massachusetts in their own states to reduce the burden of contracting with their service providers. Due to the growing popularity of DPAs at the state level and the demand to conclude basic agreements for their alliances, SDPC has formed a working group to create a national set of standards as close as possible to the applicable edtech laws, requirements and business practices.

Which providers and service providers work together to ensure privacy AND interoperability? Schools and districts typically use hundreds of businesses to provide services each school year. Edtech companies perform very different tasks for schools and districts, such as data storage. B, educational games, learning management systems, attendance tracking and many other school functions. The privacy that each company must implement may vary depending on the nature and sensitivity of the student data it stores and how it is collected, used, or shared. With 43 states having passed more than 130 student privacy laws in the past five years, districts and education technology companies must include important legal obligations in their agreements or contracts. Districts also want to ensure that companies restrict the collection and use of student data. While this is an important step forward, the NDPA can be improved. No matter how well controlled it is, a resource like this can have unintended consequences, and stakeholders should not hesitate to identify and communicate it.

For example, transactional challenges remain with respect to how NDPA fits into the structure of a service contract between schools and businesses, especially since NDPA has overlapping and therefore redundant definitions: “third party,” “operator,” and “provider,” for example, all refer to the company signing the contract. The NDPA was developed based on extensive reviews and input from schools, counties, government organizations, procurement providers and their legal representatives. It is designed to address common concerns about student privacy and streamline contracting processes for education requests for schools/districts that do not have the legal or tax resources, and providers who previously had to sign “unique” contracts with each of the more than 13,000 U.S. school districts. While the NPDA allows all country-specific legal requirements, the majority of privacy expectations are standardized and can be used by any company as part of its terms of use. The working group sought to compensate for the substantive changes and create a structure that would make the treaty easier to use than previous versions at the State level. The group discussed regulations around data breaches, restrictions on sub-processors, advertising restrictions, the use of anonymized data, and other issues that reflect several trade-offs between districts and businesses. The working group also added sections that allow districts and information technology companies to share information that was difficult in previous DPAs, such as.B.

Descriptions of business services, state law requirements, and changes to standard terms that are easy to include. Over the next year, SDPC alliances at the state level will create state-specific clauses that will allow them to incorporate unique requirements from their state laws into the NDPA. There are also substantive provisions that can lead to problems later: the audit clause, for example, could allow several districts to audit a company at the same time. While the NDPA improves the previous wording on breach notification, it does not explicitly define a data breach, creating potential uncertainty as to when notification is required. In addition, the NDPA could have an impact on the domestic information technology market by creating a barrier to entry for small businesses, which often have few opportunities to negotiate unenforceable or unnecessarily onerous provisions. The SDPC said it would further develop the NDPA so that feedback on the challenges and strengths of the agreement is necessary and useful. .