Sec. 121.6. Data security and privacy plan  


  • (a) Each educational agency that enters into a contract with a third-party contractor shall ensure that the contract includes the third-party contractor’s data security and privacy plan that is accepted by the educational agency. The data security and privacy plan shall, at a minimum:
    (1) outline how the third-party contractor will implement all State, Federal, and local data security and privacy contract requirements over the life of the contract, consistent with the educational agency's data security and privacy policy;
    (2) specify the administrative, operational and technical safeguards and practices it has in place to protect personally identifiable information that it will receive under the contract;
    (3) demonstrate that it complies with the requirements of section 121.3(c) of this Part;
    (4) specify how officers or employees of the third-party contractor and its assignees who have access to student data, or teacher or principal data receive or will receive training on the Federal and State laws governing confidentiality of such data prior to receiving access;
    (5) specify if the third-party contractor will utilize sub-contractors and how it will manage those relationships and contracts to ensure personally identifiable information is protected;
    (6) specify how the third-party contractor will manage data security and privacy incidents that implicate personally identifiable information including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify the educational agency;
    (7) describe whether, how and when data will be returned to the educational agency, transitioned to a successor contractor, at the educational agency’s option and direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires.