
Do you require vendors to sign a Data Privacy Agreement (DPA)?

  • 1.  Do you require vendors to sign a Data Privacy Agreement (DPA)?

    Posted 26 days ago

    Hi folks,

    I'm curious to know how many schools currently require vendors to sign a DPA before a contract is signed and access to school data is provided. 

    I'm looking at the NYS Model DPA and wondering if using an agreement based on that (or similar) would be worthwhile.

    Please share your school's practice and/or your thoughts on the topic.  Thanks.


    #CybersafetyandDataSecurity

    ------------------------------
    Jim Anderson
    The Packer Collegiate Institute
    Brooklyn NY
    ------------------------------


  • 2.  RE: Do you require vendors to sign a Data Privacy Agreement (DPA)?

    Posted 26 days ago

    Watching! We thought about doing something like this and are still sort of interested but haven't actively pursued it. Would be interested as well in what others are doing since I think it could be helpful.



    ------------------------------
    Nick Marchese
    Emma Willard School
    Troy NY
    ------------------------------



  • 3.  RE: Do you require vendors to sign a Data Privacy Agreement (DPA)?

    Posted 25 days ago

    Hi Jim and Nick!

    During my time as an IT director, educational tech specialist and school leader this was always an important element to think about during procurement (and even after). I was working in a Scandinavian school system at the time, but I suspect the reason you are asking about data protection agreements is very similar in that the data of staff and students is easily spread when a tech provider suddenly has a multitude of 3rd parties that are now going to have access to and process your data without it ever really being truly transparent. You're definitely right to investigate existing DPAs - it's a simple way to protect your staff and students.

    Something I think you can definitely require of an EdTech or tech vendor is a DPA. They should really have one prepped and ready if they are serious about what they are doing. They work with data processing each and every day. They likely understand data processing regulations quite well. It's in their interest to know where the data they use is stored, transferred and processed - not to mention that they would definitely benefit from knowing how you want your data to be handled. A DPA is just that - an agreement. It's the element between your school and the vendor that helps you in those (hopefully few) moments where you need to make sure that data is erased, or just want to know what is being shared. It's about accountability and security for both parties, and a way for your school to ensure that communication about the thing you are buying is transparent. I've since moved on to working with the development of academic technologies, and every time a contract is signed with a school it's always nice to see that they've reviewed how we will be storing and processing their data.

    Maybe I am out on a limb here, but serious vendors should actually be presenting you with an existing DPA that you can review together with your legal and/or tech team and hopefully modify together with the vendor to a certain extent. It means less work for you, and, again, they are likely way more "in" on what current regulations are like. If you have specific questions or modifications it's a great way to build a dialogue between the vendor and your tech and legal teams.

    In short, a DPA should certainly be one of those elements in your procurement checklist and plan when investigating what tech you'll introduce into or keep working with in your school.



    ------------------------------
    John Dimaria
    Customer Success Manager (North America)
    Digiexam
    Stockholm
    ------------------------------



  • 4.  RE: Do you require vendors to sign a Data Privacy Agreement (DPA)?

    Posted 24 days ago

    We use the California version of the National Data Privacy Agreement:

    https://sdpc.a4l.org/agreement_info.php?state=CA

    https://privacy.a4l.org/national-dpa/

    - Elaine



    ------------------------------
    Elaine Wrenn
    St. Matthew's Parish School
    Lakewood CA
    ------------------------------



  • 5.  RE: Do you require vendors to sign a Data Privacy Agreement (DPA)?

    Posted 11 days ago

    I strongly recommend ensuring you have a DPA covering any vendor who will have access to school data. We developed ours with school counsel since our process includes legal review of all terms, privacy policies and contracts before vendor onboarding. If a vendor does not provide a sufficient DPA or contract language we provide ours and ask them to include it. I have yet to find a vendor who was unwilling but do wish this was more of a standard.



    ------------------------------
    Kevin Warenda, MBA, CISM
    The Hotchkiss School
    Lakeville CT
    ------------------------------



  • 6.  RE: Do you require vendors to sign a Data Privacy Agreement (DPA)?

    Posted 11 days ago

    @Elaine Wrenn & @Kevin Warenda

    Awesome contributions! I'll again stress that serious vendors should always bring their DPA up in procurement discussions.

    Something that kept me up at night when I took over a director of tech position was that I didn't have a clear view of the subprocessors that certain vendors were using (as I was also wrestling with non-uniformity of existing DPAs / no "real" DPAs existing during that time). Include in your discussion with a vendor the importance of also understanding who subprocessors are.

    The DPA should definitely include a section about how to define a subprocessor and their role and duties, but it's often the case that these are not listed in the DPA itself and might actually be listed somewhere else. Make sure you get ahold of that list from the vendor to better understand where your data is off to once the vendor is working with it - and that the vendor (processor) is taking full responsibility for how the subprocessors are working with your data.

    Another key piece here is that a vendor / processor might also include a statement that they are allowed to change subprocessors if needed / required. Nothing weird as this is usually to make sure their platform or service continues to improve, but make sure that a section exists describing what happens when they do hire new subprocessors or replace existing ones. A simple sentence in the DPA that you want that information in writing when changes in subprocessors occur establishes another solid contact point between you and the vendor for a transparent dialogue.

    Again, it's a partnership and this is their responsibility.



    ------------------------------
    John Dimaria
    Customer Success Manager (North America)
    Digiexam
    Stockholm
    ------------------------------



  • 7.  RE: Do you require vendors to sign a Data Privacy Agreement (DPA)?

    Posted 10 days ago

    Hi Jim-all,

    I recommend you provide a DPA to the vendor with the requirements you want rather than rely on the vendor providing a DPA. I've worked in a district for 25 years as CTO in Ohio and along the way founded Learn21, a non-profit serving K12. We are the Ohio SDPC, Student Data Privacy Consortium, affiliate. I've had the honor of working with over 200 plus schools in Ohio and across the US that are using the SDPC DPA template as Elaine referenced. It is a game changer and puts you in control of the conversation from data points collected, disposal of data, security frameworks and special language that you can add on for your culture.

    I'd be willing to provide an overview of the DPA and answer questions folks might have about how to be involved in SDPC. We do pro bono workshops all the time to help schools understand the components of a DPA and develop a culture of privacy. I'm thankful for the work of https://sdpc.a4l.org/

    In addition to the advocacy and thought leadership work we do, Learn21 does sell software - Asset Manager and Helpdesk, and we always lead with how we manage your data. I agree with the comments that vendors need to be discussing and defining how they intend to protect your student and staff data. Those are the real partners that are advocating for you.

    If anyone would like to learn more about DPAs or have us provide a webinar my contact is below,

    -Bill
    wfritz@learn21.org



    ------------------------------
    Bill Fritz
    CEO
    Learn21
    Cincinnati OH
    5134022121
    ------------------------------



  • 8.  RE: Do you require vendors to sign a Data Privacy Agreement (DPA)?

    Posted 10 days ago

    Thanks for your insight, @Bill Fritz!

    It's interesting that you recommend schools coming with their own DPA. This is certainly a good strategy that shows the vendor you are serious and definitely gives you some discussion points, but, again, I would hope that a vendor actually has a DPA that they are willing to show you to get the ball rolling in terms of a discussion. The real benefit with seeing and talking about a vendor's DPA early on is that you can discuss internally in the first stages of procurement to avoid wasting your time with unserious providers and also to have the time to either propose that you use your own or accept or modify the vendor's existing DPA.

    If you can get the vendor to play ball and either accept your own or modify theirs then you've definitely succeeded in making sure you are protecting staff, student and other organizational information. What might be tricky with your own DPA is if you are working with companies that are international that might have different policies and regulations (either much looser, or much tighter). Be aware that they might come with some requirements that could mean modifications to your existing DPA.

    Awesome that this conversation is talking strategy! Thanks Bill!



    ------------------------------
    John Dimaria
    Customer Success Manager (North America)
    Digiexam
    Stockholm
    ------------------------------



  • 9.  RE: Do you require vendors to sign a Data Privacy Agreement (DPA)?

    Posted 10 days ago

    @John Dimaria agree with your thoughts regarding a vendor DPA. All vendors should have a DPA agreement or statement. However, the vendor IMHO from what I have experienced is not necessarily advocating for a school but their legal is advocating for themselves. It is everyone's responsibility (vendor and school) to protect data. The school is accountable to their school community. A school having their own DPA and expecting the vendor to sign it is my recommendation.

    Using the NDPA from SDPC does allow in Exhibit G and Exhibit H for additional state and district language to be added, thus providing flexibility for school and vendor terms as you stated regarding international (GDPR, etc). Using the NDPA allows for schools to piggyback on each other's DPAs with vendors and saves vendors the cost of having to negotiate with each individual school. In return, schools are collaborating and discussing what vendors are good partners for privacy.

    As for the NDPA, it was developed by schools, vendors and legal. We have a number of international vendors who use the NDPA.

    -Bill



    ------------------------------
    William D. Fritz | Founder, Chief Executive Officer, Learn21 | 2017-19 Chair, Ohio CoSN
    CETL 2019, CoSN Volunteer Hall of Fame, NSBA "20 to Watch"
    wfritz@learn21.org
    www.learn21.org
    ------------------------------



  • 10.  RE: Do you require vendors to sign a Data Privacy Agreement (DPA)?

    Posted 10 days ago

    Hi Folks,

    I am grateful for all the responses thus far. So far, they've only confirmed my views on DPAs.

    As it happens, just this week I discovered that we are eligible to join the SDPC, now that NY State has joined the alliance. :)  We will be signing up via The Education Cooperative, which runs a six-state alliance that now includes New York. I am looking forward to leveraging all the work that A4L.org has done, as well as the growing list of DPAs that vendors have already signed with NY State. 

    Hopefully, other folks will continue to chime in on this important topic. 

    Have a great weekend.
    Jim
     



    Jim Anderson

    Chief Technology Officer

    he | him | his

    ____________________________

    The Packer Collegiate Institute

    170 Joralemon Street | Brooklyn, NY 11201

    www.packer.edu


  • 11.  RE: Do you require vendors to sign a Data Privacy Agreement (DPA)?

    Posted 7 days ago

    @Jim Anderson - excellent! Glad that there are cooperatives that are working towards this, and glad that you found this! Definitely worth spreading to other schools. The SDPC site is an amazing resource for anyone looking to find out more about this topic and it also provides a good entry point if you are just starting to work with (or looking to update your knowledge about) data privacy in your organization.

    @Bill Fritz - I can definitely imagine that some vendors might be advocating solely for themselves. I hope that this isn't the case for the majority of them, and a vendor providing their DPA is definitely a good way to get them to be upfront. As a school leader or director of tech vetting these providers it's an additional element in the process and an additional method to see if this is going to be a partnership between you and the vendor. It's great that there are organizations out there working to help schools with the protection of their data. Also really excited that you're in the discussion!

    All the best,

    John



    ------------------------------
    John Dimaria
    Customer Success Manager (North America)
    Digiexam
    Stockholm
    ------------------------------