Stevensville School District
Montana Data Privacy Agreement For use with vendors providing student record management and online applications utilized to deliver services to students.
This is a sample agreement to assist Montana public school districts in complying with the Montana Pupil Online Personal Information Protection Act. The sample agreement, if executed, will constitute a legally binding contract between the district and the vendor. As with any legal contract, school districts should consult with legal counsel prior to execution to ensure the provisions of the draft agreement reflect the terms the district has agreed upon with the contract and that the specific sections of the agreement protect the school district’s interests. If the vendor or the school district have requested changes to this sample agreement, those amendments should be reviewed by legal counsel. Legal assistance is available from the Montana School Boards Association at 406-442-2180.
I. PARTIES:
The parties to this Agreement are the ________________________________________ School District (hereinafter “District”)
and ____________________________________ (hereinafter “Contractor” or “Contractor”).
II. PURPOSE:
District retains Contractor to provide the following services on behalf of the District: Provide technology services, including cloud-based services, for the digital storage, management, and retrieval of pupil records; provide digital educational software that authorizes a third-party provider of digital educational software to access, store, and use pupil records in accordance with the provisions of this contract. Contractor shall be free from control and direction over the performance of the services, both under this Agreement and in fact. Except as limited herein, Contractor shall have and exercise full professional discretion as to the details of performance.
III. TERM OF AGREEMENT, NO GUARANTEE OF WORK, NON-EXCLUSIVITY:
This Agreement shall begin on the date of signature and shall run for _____ years and shall expire on _____________ , 20___ , unless terminated earlier by mutual agreement of the parties. This Agreement shall not be construed as any guarantee of work or assignments to Contractor.
Contractor shall be contacted on an “as-needed” basis by District, with no obligation by District to use Contractor for any specified number of projects. Contractor shall have no expectation of renewal of this Agreement and shall not be entitled to continue to contract with or perform services for the District beyond the expiration of this Agreement. This Agreement is non-exclusive, meaning that both Contractor and District may contract with any other party for the procurement or provision of investigative services without interference.
IV. DEFINITIONS:
“Data” include all Personally Identifiable Information (“PII”) and other non- public information including protected information as defined by Montana law. Data include, but are not limited to, student data, metadata, and user content.
Protected information may be created or provided by a pupil, or the pupil’s parent or legal guardian, to an operator in the course of the pupil’s, parent’s, or legal guardian’s use of the operator’s K-12 online application or created or provided by an employee or agent of a school district to an operator in the course of the employee’s or agent’s use of the operator’s K-12 online application; or gathered by an operator through the operator’s K-12 online application. The term “protected information” includes but is not limited to:
(i) information in the pupil’s educational record or e-mail messages;
(ii) first and last name, home address, telephone number, e-mail address, or other information that allows physical or online contact;
(iii) discipline records, test results, special education data, juvenile dependency records, grades, or evaluations;
(iv) criminal, medical, or health records;
(v) social security number;
(vi) biometric information;
(vii) disability;
(viii) socioeconomic information;
(ix) food purchases;
(x) political affiliation;
(xi) religious information; or
(xii) text messages, documents, pupil identifiers, search activity, photos, voice recordings, or geolocation information.
“Confidential Information” means information, not generally known, and proprietary to the Contractor or the School District or to a third party for whom the Contractor or the School District is performing work, including, without limitation, information concerning any patents or trade secrets, confidential or secret designs, processes, formulae, source codes, plans, devices or material, research and development, proprietary software, analysis, techniques, materials or designs (whether or not patented or patentable), directly or indirectly useful in any aspect of the business of the Contractor or the School District. Confidential Information includes all information which Contractor or the School District acquires or becomes acquainted with during the period of this Agreement, whether developed by Contractor, the School District or others, which Contractor or the School District has a reasonable basis to believe to be Confidential, such as data that is personally identifiable to an individual student and information within the definition of “Education Record.” The parties agree that the following will be treated as “Confidential Information”: (i) all database information (“Data”) provided by or on behalf of the School District to Contractor; (ii) all information provided by Contractor to the School District pertaining to the Services; (iii) all information which is labeled as such in writing and prominently marked as “Confidential,” “Proprietary” or words of similar meaning by either party; or (iv) business information of a party which a reasonable person would understand under the circumstances to be confidential.
V. WORK PRODUCT – OWNERSHIP:
Unless otherwise noted in this agreement, all work product completed in whole or in part under this Agreement, including but not limited to records, reports, documents, pleadings, exhibits and other materials related to this Agreement and/or obtained or prepared by, or supplied to Contractor in connection with the performance of the services contracted for herein shall be confidential, shall not be discussed or otherwise disseminated by Contractor without the authorization of District, and shall remain the exclusive property of District. Contractor shall return all such work product to District upon termination or expiration of this Agreement. Contractor further agrees to supply a copy of all documents prepared or maintained in an electronic format to District in such electronic format.
Nothing contained in this Agreement or inferable from this Agreement shall be deemed or construed to: 1) make Contractor the agent, servant or employee of the School District; or 2) create any partnership, joint venture, or other association between the School District and Contractor. Any direction or instruction by the School District or any of its authorized representatives in respect of the work shall relate to the results the School District desires to obtain from the work, and shall in no way affect Contractor’s or OPERATOR’s independent status.
Contractor shall not use the image or likeness of the School District’s buildings or the School District’s official logo or emblem and any other trademark, service mark, or copyrighted or otherwise protected information of the School District, without the School District’s prior written consent. Contractor shall not have any authority to advertise or claim that the School District endorses Contractor’s or OPERATOR’s services, without the School District’s prior written consent.
VI. MONTANA PUPIL ONLINE PERSONAL INFORMATION PROTECTION ACT
In accordance with the Montana Pupil Online Personal Information Protection Act, pupil records continue to be the property of and under the control of the school district. Contractor is prohibited from using any information in pupil records for any purpose other than those required or specifically permitted by this Agreement. Contactor is specifically prohibited from using personally identifiable information in pupil records to engage in targeted advertising.
By executing this Agreement, Contractor certifies that pupil records will not be retained or available upon completion of the terms of the Agreement. Upon completion of this Agreement, Contractor will provide written certification to the School District pupil records are no longer held, possessed or otherwise available to Contractor or its employees, agents, or subcontractors. This requirement does not apply to pupil-generated content if a pupil chooses to establish or maintain an account with the third party for the purpose of storing that content.
Parents, guardians and eligible pupils have the right to inspect the personal information held by the Contractor. Parents, guardians, or pupils should submit to the school principal written request identifying the information they wish to inspect. The principal will make arrangements for access and notify the requesting party of the time and place the information may be inspected. Contractor will cooperate with the School District to accommodate any inspection request. The rights contained in this section are denied to any person against whom an order of protection has been entered concerning a student.
Parents/guardians or eligible pupils may ask the School District to amend a personal information held by the Contractor they believe is inaccurate, misleading, irrelevant, or improper. They should write the school principal clearly identifying the part of the record they want changed and specify the reason. Contractor will cooperate with the School District to accommodate any amendment request.
If the District decides not to amend the record as requested by the parent(s)/guardian(s) or eligible student, the District will notify the parent(s)/guardian(s) or eligible pupil of the decision and advise him or her of their right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures will be provided to the parent(s)/guardian(s) or eligible student when notified of the right to a hearing.
Parents/guardians or eligible pupils may ask the School District to transfer possession of personal information held by the Contractor to the pupil. Parents, guardians, or pupils should submit to the school principal written request identifying the information they wish to transfer. Contractor will cooperate with the School District to accommodate any transfer request including providing options by which a pupil may transfer pupil-generated content to a pupil’s personal account.
Contractor designates ______________________________ , as the primary employees responsible to ensure the security and confidentiality of pupil records. By signing this agreement, Contractor certifies that designated employees have completed training in pupil information security and confidentiality. Documentation of this training including its scope, duration, and date of completion will be provided to the School District upon request. Compliance with this requirement does not, in itself, absolve the third party of liability in the event of an unauthorized disclosure of pupil records.
Contractor will immediately provide written notification to the School District of any unauthorized disclosure of pupil information. Contract will coordinate with the School District to notify the parent, legal guardian, or pupil affected by an unauthorized disclosure of the pupil’s records.
VII. CONFIDENTIALITY SAFEGUARDS:
Contractor will collect and use the School District’s Data only for the purpose of fulfilling its duties and providing services under this Agreement, and for improving services under this Agreement.
If Contractor will have access to “education records” as defined under the Family Educational Rights and Privacy Act (FERPA) (34 CFR Part 99), the Contractor acknowledges that for the purpose of this Agreement it will be designated as a ‘school official’ with ‘legitimate educational interests’ and will use the data only for the purpose of fulfilling its duties under this Agreement. Contractor agrees to indemnify and hold harmless the Board of Trustees of the School District for any damages or costs, including reasonable attorney’s fees, which arise out of any gross negligence or willful misconduct by Contractor, its agents and employees concerning its FERPA obligations under this section.
In performing services under this Agreement, Contractor and the School District may be exposed to and will be required to use certain “Confidential Information”, as defined below. Contractor and the School District along with their employees, agents or representatives will not, use, directly or indirectly, such Confidential Information for purposes other than the purposes outlined in this Agreement.
Any Confidential Information acquired or received by either party (the “Recipient”) in the course of this Agreement will not be disclosed or transferred to any person or entity other than to employees of a party and, as to Contractor, for the purpose of performing its obligations under this Agreement. Confidential Information received under this Agreement will be treated with the same degree of care and security as each party uses with respect to its own Confidential Information, but not less than a reasonable degree of care. The parties agree to use Confidential Information only for the purpose of performance of this Agreement and to make no copies except as necessary for performance of this Agreement. Any such confidential information and copies thereof made by a party, or any representative of a party, shall be completely and promptly destroyed at the conclusion of contract performance subject to this Agreement
Upon termination or completion of the Services hereunder, upon request of the School District, Contractor will delete the School District’s Confidential Information as housed in the Contractor production database(s), provided that Contractor may maintain archival copies for audit purposes and dispute resolution purposes and Contractor may retain copies of Confidential Information on back-up media in which such Data is co-resident with other employment and income data. Contractor shall remain under its contractual obligation of confidentiality and security to the School District and such obligations shall survive termination of the Agreement. This Section shall survive the termination of this Agreement.
Contractor may use de-identified Data for product development, research, or other internal purposes. De-identified Data will have all direct and indirect personal identifiers removed. This includes, but is not limited to, name, ID numbers, date of birth, demographic information, location information, and school ID. Furthermore, Contractor agrees not to attempt to re-identify de- identified Data.
Contractor is prohibited from mining the School District’s Data for any purposes other than those agreed to by the parties. Data mining or scanning of user content for the purpose of advertising or marketing to students or their parents is prohibited. Any and all forms of advertisement, directed towards children, parents, guardians, or District Employees will be strictly prohibited unless allowed with express written consent of the District. Contractor shall not use information to amass a profile about a pupil, except in furtherance of K-12 school purposes. Operators shall not sell a pupil’s information to unauthorized third parties.
Contractor will not change how School District Data are collected, used, or shared under the terms of this Agreement in any way without advance notice to the School District. This Agreement is the entire agreement between the School District (including all District end users) and the Contractor. All other agreements or understandings, whether electronic, click-through, verbal or in writing, with District Employees or other End Users shall be null and void.
Contractor will not share School District data, with or disclose it to any third party, except to affiliated subcontractors, agents, or third-party service providers of the Contractor, without prior specific and informed written consent of the School District, except as required by law. Contractor will not post School District or specific student data to any searchable or publicly viewable website. Contractor shall not disclose protected information unless the disclosure is made in accordance with School District policy, state or federal law, or with parent consent. Contractor shall implement and maintain reasonable security procedures and practices appropriate to the nature of the protected information and safeguard that information from unauthorized access, destruction, use, modification, or disclosure in accordance with School District policy and this Agreement.
School District Data will not be stored outside of the United States without prior, specific and informed written consent from the School District.
All goods, products, materials, documents, reports, writings, video images, photographs, papers and intellectual property of any nature including software or computer images prepared by the Contractor (or subcontractors) for the School District or from School District-provided material will not be disclosed to any other person or entity and remains the property of the school system. All student-produced work remains the property of the school system or that eligible student. The Contractor has a limited, nonexclusive license to the data described herein solely for the purpose of performing its obligations as outlined in the Agreement. This Agreement does not give Contractor any rights, implied or otherwise, to Data, content, or intellectual property, except as expressly stated in the Agreement, including any right to sell or trade Data.
Except as otherwise expressly prohibited by law, the Contractor will immediately notify the School District of any subpoenas, warrants, or other legal orders, demands or requests, including Audits, and governmental requests and demands, received by the Contractor seeking School District Data. If the School District receives a similar request, the Contractor will promptly supply the School District with copies of records or information required by the School District to respond.
Contractor will store and process School District Data in accordance with industry best practices. This includes appropriate administrative, physical, and technical safeguards to: 1) ensure the security and confidentiality of PII and Confidential Information; 2) protect against any anticipated threats or hazards to the security or integrity of Confidential Information; 3) protect against unauthorized access to or use of Confidential Information that could result in substantial harm or inconvenience to any customer or to any School District employee and/or student; and 4) dispose of PII and Confidential Information in a secure manner.
VIII. DATA BREACHES:
Contractor shall notify the School District in writing as soon as commercially practicable, however no later than forty-eight (48) hours, after Contractor has either actual or constructive knowledge of a breach which affects the School District’s Data (an “Incident”) unless it is determined by law enforcement that such notification would impede or delay their investigation. Contractor shall have actual or constructive knowledge of an Incident if Contractor actually knows there has been an Incident or if Contractor has reasonable basis in facts or circumstances, whether acts or omissions, for its belief that an Incident has occurred. The notification required by this section shall be made as soon as commercially practicable after the law enforcement agency determines that notification will not impede or compromise the investigation. Contractor shall cooperate with law enforcement in accordance with applicable law provided however, that such cooperation shall not result in or cause an undue delay to remediation of the Incident. Contractor shall promptly take appropriate action to mitigate such risk or potential problem at Contractor’s or OPERATOR’s expense. In the event of an Incident, Contractor shall, at its sole cost and expense, restore the Confidential Information, to as close its original state as practical, including, without limitation any and all Data, and institute appropriate measures to prevent any recurrence of the problem as soon as is commercially practicable.
Contractor will conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Contractor will also have a written incident response plan, to include prompt notification of BSD7 in the event of a security or privacy incident, as well as best practices for responding to a breach of PII.
IX. LEGAL COMPLIANCE AND NON-DISCRIMINATION:
All services provided by Contractor under this Agreement will be completed in accordance with state and federal law and School District Policy. Copies of School District Policies are available upon request. The parties specifically agree to collaborate in the enforcement and compliance with the Family Educational Rights and Privacy Act.
All employees hired by Contractor to perform services under this Agreement shall be hired by Contractor on the basis of merit and qualifications to perform the duties necessitated by the requirements of this Agreement. Such qualifications are those abilities of an applicant for employment genuinely related to competent and satisfactory performance of Contractor’s obligations under this Agreement. Contractor agrees and warrants that Contractor’s hiring practices related to employees performing services under this Agreement, as well as Contractor’s practices related to promotion, retention, compensation, and other terms, conditions or privileges of employment, shall be nondiscriminatory, and such hiring, promotion, retention, and general employment practices shall not be based upon race, color, religion, creed, political ideas, sex, age, marital status, physical or mental disability, or national origin.
X. EMPLOYEE REQUIREMENTS:
All employees of Contractor performing labor under this Agreement that have unsupervised access to students, including Contractor in the event that Contractor personally performs labor under this Agreement, shall be subjected to a name-based and fingerprint criminal background investigation conducted by an appropriate law enforcement agency. Contractor shall provide to the District the results of such investigation for each employee (including Contractor) prior to any such employee performing any services under this Agreement. The District shall have the authority, in the discretion of the District Superintendent, to prohibit Contractor from permitting any such employee to perform services under this Agreement on the basis of information set forth in the results of a criminal background investigation.
XI. EMPLOYEE MISCONDUCT:
All employees of Contractor (including Contractor) shall perform services under this Agreement in a professional manner, and shall, at all times while present on District property, behave in a manner appropriate to a school setting. Contractor shall discipline or terminate the employment of any of Contractor’s employees performing services under this Agreement for engaging in any conduct inappropriate to a school setting, including, but not limited to, being under the influence or in possession of alcohol or any controlled substance while on District property; use of foul language; bullying or harassment of District students or staff; or such other conduct deemed inappropriate by the District. The District shall have the authority, in the discretion of the District Superintendent, to prohibit Contractor from permitting any employee to perform services under this Agreement based upon one or more instances of employee misconduct as described herein.
XII. TERMINATION PRIOR TO EXPIRATION OF CONTRACT TERM:
This Agreement may be terminated at any time prior to expiration of the contract term by mutual agreement of the parties in writing. This Agreement may be terminated unilaterally by either party for cause or noncompliance with the terms, conditions, and requirements set forth herein, provided, however, that the noncompliant party shall first be entitled to a written demand for compliance and a reasonable opportunity to cure any noncompliance therein identified. Failure to cure any identified noncompliance within 20 days of receipt of written demand shall constitute a material breach of this Agreement, and shall entitle the non-breaching party to immediately terminate this Agreement. All parties subject to a contract voided under this subdivision shall return all pupil records in their possession to the school district
XIII. ENTIRE AGREEMENT, MODIFICATION, AND WAIVER:
This Agreement embodies the complete agreement of the parties hereto, superseding all oral and written previous and contemporary agreements between the parties. No alteration or modification of this Agreement shall be valid unless evidenced by a writing signed by the parties to this Agreement. A waiver of any term or condition of this Agreement or breach of this agreement shall not be deemed a waiver of any other term or condition of this Agreement or any part hereof or of any later breach of this Agreement. Any waiver must be in writing each time a waiver occurs.
XIV. SAVINGS CLAUSE:
In the event any one or more of the provisions contained in this Agreement shall, for any reason, be held invalid, illegal, or unenforceable, such invalidity, illegality, or unenforceability shall not affect any other provision thereof, and this Agreement shall be construed as if such invalid, illegal, or unenforceable provision had never been contained herein.
XV. NOTICES:
All notices, consents, request, instructions approvals or other communications provided for herein shall be in writing and delivered by both email and personal delivery or regular U.S. mail, return receipt requested, to the last known address of the party being provided such notice.
XVI. ENFORCEMENT AND INTERPRETATION:
This Agreement shall be enforced and interpreted pursuant to the laws of the State of Montana. Jurisdiction over any claim or action for interpretation or enforcement of, or otherwise arising from the terms and conditions of this Agreement, shall be with the appropriate Montana District Court.
This agreement is subject to the laws of Montana and School District policy. Contractor is expressly notified that the agreement is subject to the Montana Pupil Online Personal Information Protection Act and violation of the act may be considered a crime a conviction of such may result in a fine not less than $200 or more than $500.
Any civil claim arising out of or related to the Agreement, or services provided under the Agreement, may be subject to mediation at the request of either party. School District and Contractor expressly agree that mediation shall not be a condition precedent to the initiation of any litigation arising out of such Claims. Claims for injunctive relief shall not be subject to this Section. Any claim not resolved in mediation shall be subject to litigation in accordance with the laws of the State of Montana. Any litigation shall be conducted in Montana district court. Mandatory and exclusive venue for any disputes shall be in the county in which the School District is located.
Notwithstanding anything to the contrary in the Agreement or in any document forming a part hereof, there shall be no mandatory arbitration for any dispute arising hereunder. The parties may mutually agree in writing to submit a dispute to arbitration but the default dispute resolution shall be litigation. Contractor stipulates that the School District is a political subdivision of the State of Montana, and, as such, enjoys immunities from suit and liability provided by the Constitution and laws of the State of Montana. By entering into this Agreement, the School District does not waive any of its immunities from suit and/or liability, except as otherwise specifically provided herein and as specifically authorized by law. In any adjudication under this Agreement, reasonable and necessary attorneys’ fees may be awarded to the prevailing party. The parties acknowledge that, as a public entity in the State of Montana, the School District and entities contracting with the School District must comply with the open records laws of the State.
I have read this Agreement, understand its terms, and agree to be bound hereby.
DATED this __________ day of __________ , _____ .
_________________________________________ Date: ___________________________
_________________________________________, Contractor
Title/Position: ________________________________________
Company Name: _______________________________________
Company Address: ______________________________________
Company Phone Number: _________________________________
Company Website: ______________________________________
__________________________________________ Date: __________________________
___________________________________, Board Chair __________________ School District
ATTEST:
__________________________________________ Date: ___________________________
___________________________________, District Clerk _________________ School District
Print Friendly