@John Dimaria agree with your thoughts regarding a vendor DPA. All vendors should have a DPA agreement or statement. However, the vendor IMHO from what I have experienced is not necessarily advocating for a school but their legal is advocating for themselves. It is everyone's responsibility (vendor and school) to protect data. The school is accountable to their school community. A school having their own DPA and expecting the vendor to sign it is my recommendation.
Using the NDPA from SDPC does allow in Exhibit G and Exhibit H for additional state and district language to be added, thus providing flexibility for school and vendor terms, as you stated regarding international (GDPR, etc). Using the NDPA allows for schools to piggyback on each other's DPAs with vendors and saves vendors the cost of having to negotiate with each individual school. In return, schools are collaborating and discussing what vendors are good partners for privacy.
As for the NDPA, it was developed by schools, vendors and legal. We have a number of international vendors who use the NDPA.
-Bill
------------------------------
William D. Fritz | Founder, Chief Executive Officer, Learn21 | 2017-19 Chair, Ohio CoSN
CETL 2019, CoSN Volunteer Hall of Fame, NSBA "20 to Watch"
wfritz@learn21.org
www.learn21.org
------------------------------
Original Message:
Sent: 04-19-2024 11:50 AM
From: John Dimaria
Subject: Do you require vendors to sign a Data Privacy Agreement (DPA)?
Thanks for your insight, @Bill Fritz!
It's interesting that you recommend schools coming with their own DPA. This is certainly a good strategy that shows the vendor you are serious and definitely gives you some discussion points, but, again, I would hope that a vendor actually has a DPA that they are willing to show you to get the ball rolling in terms of a discussion. The real benefit with seeing and talking about a vendor's DPA early on is that you can discuss internally in the first stages of procurement to avoid wasting your time with unserious providers and also to have the time to either propose that you use your own or accept or modify the vendor's existing DPA.
If you can get the vendor to play ball and either accept your own or modify theirs then you've definitely succeeded in making sure you are protecting staff, student and other organizational information. What might be tricky with your own DPA is if you are working with companies that are international that might have different policies and regulations (either much looser, or much tighter). Be aware that they might come with some requirements that could mean modifications to your existing DPA.
Awesome that this conversation is talking strategy! Thanks Bill!
------------------------------
John Dimaria
Customer Success Manager (North America)
Digiexam
Stockholm
Original Message:
Sent: 04-19-2024 09:19 AM
From: Bill Fritz
Subject: Do you require vendors to sign a Data Privacy Agreement (DPA)?
Hi Jim-all,
I recommend you provide a DPA to the vendor with the requirements you want rather than rely on the vendor providing a DPA. I've worked in a district for 25 years as CTO in Ohio and along the way founded Learn21, a non-profit serving K12. We are the Ohio SDPC, Student Data Privacy Consortium, affiliate. I've had the honor of working with over 200 plus schools in Ohio and across the US that are using the SDPC DPA template as Elaine referenced. It is a game changer and puts you in control of the conversation from data points collected, disposal of data, security frameworks and special language that you can add on for your culture.
I'd be willing to provide an overview of the DPA and answer questions folks might have about how to be involved in SDPC. We do pro bono workshops all the time to help schools understand the components of a DPA and develop a culture of privacy. I'm thankful for the work of https://sdpc.a4l.org/
In addition to the advocacy and thought leadership work we do, Learn21 does sell software - Asset Manager and Helpdesk, and we always lead with how we manage your data. I agree with the comments that vendors need to be discussing and defining how they intend to protect your student and staff data. Those are the real partners that are advocating for you.
If anyone would like to learn more about DPAs or have us provide a webinar my contact is below,
-Bill
wfritz@learn21.org
------------------------------
Bill Fritz
CEO
Learn21
Cincinnati OH
5134022121
Original Message:
Sent: 04-02-2024 03:46 PM
From: Jim Anderson
Subject: Do you require vendors to sign a Data Privacy Agreement (DPA)?
Hi folks,
I'm curious to know how many schools currently require vendors to sign a DPA before a contract is signed and access to school data is provided.
I'm looking at the NYS Model DPA and wondering if using an agreement based on that (or similar) would be worthwhile.
Please share your school's practice and/or your thoughts on the topic. Thanks.
#CybersafetyandDataSecurity
------------------------------
Jim Anderson
The Packer Collegiate Institute
Brooklyn NY
------------------------------