712.R1 - Technology and Data Security - Security Requirements of Status: Third-Party Vendors Regulation

The District must ensure proper safeguards and procedures exist to use third-party vendors as a resource to further educational functions.  The following procedures shall be used to investigate and contract only with qualifying third-party vendors for the performance of necessary educational functions of the district; and to ensure that third-party vendors meet the required standards to be designated under the Family Educational Rights and Privacy Act (FERPA) as a School Official to handle personally identifiable information (PII) within the district.  

Third-party vendors may be designated by the district as a School Official when the vendor:  

  1. Performs an institutional service or function for which the school or district would otherwise use its own employees;
  2. Has met the criteria set forth in the district’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records; 
  3. Is under the direct control of the district regarding the use and maintenance of education records; and  
  4. Uses education records only for authorized purposes and may not re-disclose PII from education records to other parties (unless the provider has specific authorization from the district to do so and is otherwise permitted by FERPA).  

Third party vendor data use requirements shall include, but not be limited to the following:

  1. The vendor implements and maintains security procedures and practices consistent with current industry standards; and
  2. The vendor be prohibited from collecting and using PII for:
    1. Targeted advertising;
    2. Amassing a profile about a student or students except in furtherance of educational purposes;
    3. Selling or renting PII for any purpose other than those expressly permitted by law; and
    4. Disclosing PII for any purposes other than those expressly permitted by law.  

 

 

 

Legal Reference:           20 U.S.C. §1232g
47 U.S.C. §254
Iowa Code §§ 715C

 

Cross Reference:          401.13              Staff Technology Use/Social Networking
                                               401.13.R1        Staff Technology Use/Social Networking – Regulation
                                               506.1               Education Records Access
                                               506.1.R1          Education Records Access – Regulation
                                               506.1.E1          Education Records Access – Request of Nonparent for Examination or Copies of Education Records
                                               506.2.E2          Education Records Access – Authorization for Release of Education Records
                                               506.2E3           Education Records Access – Request for Hearing on Correction of Education Records
                                               506.2E4           Education Records Access – Request for Examination of Education Records
                                               506.2E5           Education Records Access – Notification of Transfer of Education Records
                                               506.2E6           Education Records Access – Letter to Parent Regarding Receipt of a Subpoena
                                               506.2E7           Education Records Access – Juvenile Justice Agency Information Sharing Agreement
                                               506.2E8           Education Records Access – Annual Notice
                                               605.4               Technology and Instruction Materials