Data Privacy Addendum

Pre-Scientist, Inc. Data Privacy Addendum

This Data Privacy Addendum (“DPA”) forms part of the agreement between a District (including Schools within the District) which has entered into a Memorandum of Understanding with Pre-Scientist, Inc. for a community partnership (collectively, the “Parties”).  The Parties agree to the terms as stated herein. Capitalized terms not defined herein shall have the meaning set forth in the MOU. 

RECITALS

WHEREAS, the Organization and the District have entered into a partnership to provide the Letters to a Pre-Scientist Program (the “Program”) pursuant to the terms of the Memorandum of Understanding (“MOU”). Part of the Program requires the Organization to collect certain personal information and data from the District’s students; and

WHEREAS, in order to implement the Program described in the MOU, the Organization may receive or create, and the District may provide student documents or data (“Student Data”) to Organization, that may be subject to certain federal laws relating to privacy, such as the Family Educational Rights and Privacy Act (“FERPA”) at 20 U.S.C. 1232g (34 CFR Part 99), Children’s Online Privacy Protection Act (“COPPA”) at 15 U.S.C. 6501-6506, Protection of Pupil Rights Amendment (“PPRA”) at 20 U.S.C. 1232h; and 

WHEREAS, the Student Data provided by the District to Organization may also be subject to certain state student privacy laws; and

WHEREAS, the Parties wish to enter into this DPA to ensure that the MOU conforms to the requirements of the privacy laws referred to above that are applicable to the Organization and to establish implementing procedures and duties.

NOW THEREFORE, for good and valuable consideration, the Parties agree as follows:

PURPOSE AND SCOPE

Purpose of DPA.  The purpose of this DPA is to describe the duties and responsibilities to protect Student Data transmitted to the Organization from the District pursuant to the MOU, including compliance with certain privacy laws, including FERPA, PPRA, COPPA, KOPIPA, and other student privacy laws of California and other states, each as they may be amended from time to time, and to the extent applicable to the District and to the Organization (“Applicable Privacy Laws”). 

Nature of Services Provided.  The Organization has agreed to launch the Program at one or more schools within the District (the “School”), whether in person or remotely, depending on the nature of the academic year, in order to expose students to future careers in STEM, higher education options, and real-world connections to STEM. The Program is an early exposure mentorship opportunity connecting STEM Professionals within the School through the exchange of snail mail letters to build self-efficacy, motivation, and a sense of belonging in STEM.

Student Data to Be Provided.  In order to successfully administer the Program, the Organization will collect the following information from students, whether in the classroom or electronically if the School is holding classes remotely, once their parent/guardian has approved participation in the Program through a signed permission slip: first and last name, language information (to know whether the student needs correspondence in a language other than English), student school enrollment, grade level, homeroom, parent/guardian first and last name, student survey responses (for program evaluation and to match students with an appropriate STEM Professional), student work (student letters, the Program’s lessons/activities), any other relevant academic information, and Student photos and videos for promotion of the Program (collectively, the “Student Data”). Student Data may also include gender identity, preferred pronouns, and race/ethnicity if Students choose to disclose such information on a student survey; Students are not required to do so.

AUTHORIZED ACCESS

Parental Access Request. If a parent or guardian wishes to review their child’s Student Data, they can email lucy.madden@prescientist.org. 

Third Party Request.  Should a Third Party, including law enforcement and government entities, contact the Organization with a request for data held by the Organization as part of the Program, the Organization shall notify the District in advance of a compelled disclosure to a Third Party where such advance notice is permitted under applicable law. 

Subprocessors.  The Organization shall enter into written agreements with all Third Party vendors used to process Student Data (“Subprocessors”), whereby the Subprocessors agree to protect Student Data in a manner consistent with the terms of this DPA.

DUTIES OF THE DISTRICT

Privacy Compliance.  The District shall provide Student Data to Organization for the purposes of the Program in compliance with Applicable Privacy Laws. By providing Student Data to Organization, the District warrants that such disclosure of Student Data is in conformance with such laws.

Annual Notification of Rights.  If the District has a policy of disclosing education records under FERPA (4 CFR § 99.31 (a) (1)), the District shall include a specification of criteria for determining who constitutes a school official and what constitutes a legitimate educational interest in its Annual notification of rights.

Unauthorized Access Notification.  The District shall notify the Organization promptly of any known or suspected unauthorized access to, or disclosure of, Student Data collected or created in connection with the Program. The District will assist the Organization in any efforts by the Organization to investigate and respond to any such unauthorized access.

DUTIES OF THE ORGANIZATION

Privacy Compliance.  The Organization shall comply with Applicable Privacy Laws applicable to the Organization and its activities under the MOU.

Authorized Use.  The Student Data shared under the MOU shall be used for no purpose other than to implement, maintain, evaluate and further develop the Program and in accordance with the Organization’s Privacy Policy (“Permitted Purposes”). 

Employee Obligation. The Organization shall require all employees and agents who have access to Student Data to comply with all applicable provisions of this DPA with respect to the Student Data shared under the MOU. 

No Disclosure. The Organization shall not copy, reproduce or transmit any Student Data obtained and/or any portion thereof, except to the extent necessary for the Permitted Purposes. De-identified Student Data may be used by the Organization for the purposes of development, research, and improvement of educational sites, services, or applications, as any other member of the public or party would be able to use de-identified student data pursuant to 34 CFR 99.31(b). The Organization agrees not to attempt to re-identify de-identified Student Data and not to transfer de-identified Student Data to any party unless (a) that party agrees in writing not to attempt re-identification, and (b) prior written notice has been given to the District and the District has provided prior written consent for such transfer. 

Disposition of Data.  Upon written request and in accordance with the applicable terms of this DPA, the Organization shall dispose of or delete all Student Data obtained (except for any De-identified Student Data) when it is no longer needed for the Permitted Purposes.  

DATA PROVISIONS

Data Security.  The Parties agree to abide by and maintain data security measures, consistent with industry standards and technology best practices, to protect Student Data from unauthorized disclosure or acquisition by an unauthorized person. The general security duties are set forth below. 

a. Passwords and Employee Access.  The Organization shall use reasonable efforts to secure usernames, passwords, and any other means of gaining access to Student Data under its possession or control. The Organization shall only provide access to Student Data to employees, contractors and approved teachers for the Permitted Purposes.  

b. Security Protocols.  Both Parties agree to maintain security protocols consistent with industry standards and applicable laws in the transfer or transmission of any data, including protocols designed to ensure that data may only be viewed or accessed by parties legally allowed to do so.  

Data Breach.  In the event that Student Data is accessed or obtained by an unauthorized individual (“Data Breach”), the Party experiencing the Data Breach shall provide notification to the other Party within a reasonable amount of time of confirming that a Data Breach has occurred. 

The Data Breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described herein under the following headings:  “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.

The Parties agree to adhere to all requirements under applicable state and federal law with respect to a Data Breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such Data Breach. 

Except as required under applicable law, the Organization shall not directly contact any parents, legal guardians or students regarding a Data Breach without first consulting with the District. Based upon such consultation, the Parties shall determine which Party shall notify the affected parents, legal guardians or students of the Data Breach, and if Organization is to provide relevant notifications, District shall provide to Organization all necessary contact information. The Parties shall fully cooperate with each other as needed to ensure any risks to Student Data relating to the Data Breach are mitigated and that all other actions are taken as needed to secure Student Data and comply with applicable law.

MISCELLANEOUS

Term.  The terms of this DPA shall survive termination of the MOU to the extent that either Party continues to store or process Student Data collected in connection with the Program.

Severability. Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions of this DPA, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction.

Authority. Each Party represents that it is authorized to enter the terms of this DPA. 

Waiver.  No delay or omission of either Party to exercise any right hereunder shall be construed as a waiver of any such right and such Party reserves the right to exercise any such right from time to time, as often as may be deemed expedient.

Successors Bound. This DPA is and shall be binding upon the respective successors in interest to each Party in the event of a merger, acquisition, consolidation or other business reorganization or sale of all or substantially all of the assets of such business or organization.