Data Privacy Addendum

Pre-Scientist, Inc Data Privacy Addendum

This Data Privacy Addendum (“DPA”) forms part of the agreement between a District (including Schools within the District) which has entered into a Memorandum of Understanding with Pre-Scientist, Inc. for a community partnership (collectively, the “Parties”).  The Parties agree to the terms as stated herein. Capitalized terms not defined herein shall have the meaning set forth in the MOU. 

RECITALS

WHEREAS, the Provider and the District have entered into a partnership to provide the Letters to a Pre-Scientist Program (the “Program”) pursuant to the terms of the Memorandum of Understanding (“MOU”). Part of the Program requires the Provider to collect certain personal information and data from the District’s students; and

WHEREAS, in order to implement the Program described in the MOU, the Provider may receive or create, and the District may provide student documents or data (“Student Data”) to Provider, that may be covered by federal law, such as the Family Educational Rights and Privacy Act (“FERPA”) at 20 U.S.C. 1232g (34 CFR Part 99), Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. 6501-6506; Protection of Pupil Rights Amendment (“PPRA”) 20 U.S.C. 1232h; and

WHEREAS, the Student Data transferred from the District to Provider may also be subject to state student privacy laws; and

WHEREAS, the Parties wish to enter into this DPA to ensure that the MOU conforms to the requirements of the privacy laws referred to above that are applicable to the Provider and to establish implementing procedures and duties.

NOW THEREFORE, for good and valuable consideration, the Parties agree as follows:

PURPOSE AND SCOPE

Purpose of DPA.  The purpose of this DPA is to describe the duties and responsibilities to protect student Data transmitted to the Provider from the District pursuant to the MOU, including compliance with FERPA, PPRA, COPPA, SOPIPA, AB 1584, and other applicable California and other state laws, all as may be amended from time to time to the extent applicable to the District and to the Provider (“Applicable Privacy Laws”). 

Nature of Services Provided.  The Provider has agreed to launch the Program at one or more schools within the District (the “School”), whether in person or remotely depending on the nature of the academic year in order to expose students to future careers in STEM, higher education options, and real-world connections to STEM. The Program is an early exposure mentorship opportunity connecting STEM Professionals within the School through the exchange of snail mail letters to build self-efficacy, motivation, and a sense of belonging in STEM.

 

Student Data to Be Provided.  In order to successfully administer the Program, the Provider will collect the following information from students, whether in the classroom or electronically if the School is holding classes remotely, once their parent has approved participation in the Program through a signed permission slip: First and last name, language information (to know whether the student needs correspondence in a language other than English), student school enrollment, grade level, homeroom, parent/guardian first and last name, student survey responses (for program evaluation and to match students with an appropriate STEM Professional), student work (student letters, the Program’s lessons/activities), and any other relevant academic information. Students can also indicate their gender identity, preferred pronouns, and race/ethnicity if they choose to on a student survey, but it is not required (collectively, the “Student Data”).

AUTHORIZED ACCESS

Parental Access Request. If a parent or guardian wishes to review their child’s Student Data, they can email lucy.madden@prescientist.org. 

Third Party Request.  Should a Third Party, including law enforcement and government entities, contact the Provider with a request for data held by the Provider as part of the Program, the Provider shall notify the District in advance of a compelled disclosure to a Third Party where such advance notice is permitted under applicable law. 

Subprocessors.  The Provider shall enter into written agreements with all Third Party vendors used to process Student Data (“Subprocessors”), whereby the Subprocessors agree to protect Student Data in a manner consistent with the terms of this DPA.

DUTIES OF THE DISTRICT

Privacy Compliance.  The District shall provide student Data to Provider for the purposes of the Program in compliance with all Applicable Privacy Laws. By providing student Data to Provider, the District warrants that such disclosure of Data is in conformance with all such laws.

Annual Notification of Rights.  If the District has a policy of disclosing education records under FERPA (4 CFR § 99.31 (a) (1)), the District shall include a specification of criteria for determining who constitutes a school official and what constitutes a legitimate educational interest in its Annual notification of rights.

Unauthorized Access Notification.  The District shall notify the Provider promptly of any known or suspected unauthorized access to, or disclosure of, student Data collected or created in connection with the Program. The District will assist the Provider in any efforts by the Provider to investigate and respond to any such unauthorized access.

DUTIES OF THE PROVIDER

Privacy Compliance.  The Provider shall comply with all Applicable Privacy Laws.

Authorized Use.  The Student Data shared under the MOU shall be used for no purpose other than to implement, evaluate and further develop the Program and in accordance with Provider’s Privacy Policy (“Permitted Purposes”). 

Employee Obligation. The Provider shall require all employees and agents who have access to Student Data to comply with all applicable provisions of this DPA with respect to the Student Data shared under the MOU. 

No Disclosure.  De-identified information may be used by the Provider for the purposes of development, research, and improvement of educational sites, services, or applications, as any other member of the public or party would be able to use de-identified data pursuant to 34 CFR 99.31(b).  The Provider agrees not to attempt to re-identify de-identified Student Data and not to transfer de-identified Student Data to any party unless (a) that party agrees in writing not to attempt re-identification, and (b) prior written notice has been given to the District and the District has provided prior written consent for such transfer.  The Provider shall not copy, reproduce or transmit any data obtained and/or any portion thereof, except to the extent necessary to fulfill the terms of the Program.

Disposition of Data.  Upon written request and in accordance with the applicable terms of this DPA, the Provider shall dispose of or delete all Student Data obtained when it is no longer needed for the Permitted Purposes.  

DATA PROVISIONS

Data Security.  The Parties agree to abide by and maintain data security measures, consistent with industry standards and technology best practices, to protect Student Data from unauthorized disclosure or acquisition by an unauthorized person.  The general security duties are set forth below. 

  • Passwords and Employee Access.  The Provider shall secure usernames, passwords, and any other means of gaining access to Student Data. The Provider shall only provide access to Student Data to employees, contractors and approved teachers that are performing the services associated with the Program.  

 

  • Security Protocols.  Both Parties agree to maintain security protocols that meet industry standards and applicable laws in the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so.  

Data Breach.  In the event that Student Data is accessed or obtained by an unauthorized individual (“Data Breach”), the Party experiencing the Data Breach shall provide notification to the other Party within a reasonable amount of time of confirming that an Incident has occurred. 

The Data Breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described herein under the following headings:  “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.

The Parties agree to adhere to all requirements in applicable state and federal law with respect to a Data Breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such Data Breach. 

Except as required under applicable law, the Provider shall not directly contact any parents, legal guardians or students regarding a Data Breach without first consulting with the District. Based upon such consultation, the Parties shall determine which Party shall notify the affected parents, legal guardians or students of the Data Breach, and if Provider is to provide relevant notifications, District shall provide to Provider all necessary contact information.  The Parties shall fully cooperate with each other as needed to ensure any risks to Student Data relating to the Data Breach are mitigated and that all other actions are taken as needed to secure Student Data and comply with applicable law.

MISCELLANEOUS

Term.  The terms of this DPA shall survive termination of the MOU to the extent that either Party continues to store or process Student Data.

Severability.  Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions of this DPA, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction.

Authority.  The Provider represents that it is authorized to enter the terms of this DPA. 

Waiver.  No delay or omission of the District to exercise any right hereunder shall be construed as a waiver of any such right and the District reserves the right to exercise any such right from time to time, as often as may be deemed expedient.

Successors Bound.  This DPA is and shall be binding upon the respective successors in interest to the Provider in the event of a merger, acquisition, consolidation or other business reorganization or sale of all or substantially all of the assets of such business.