FERPA Privacy & Data Protection Addendum
US Federal Family Educational Rights and Privacy Act (FERPA) Data Security Terms for inclusion in agreements with US schools only.
Protection of Confidential Data
Service Provider agrees to abide by the limitations on re-disclosure of personally identifiable information from education records set forth in the Family Educational Rights and Privacy Act (34 CFR § 99.33(a)(2)) and by the terms set forth below. 34 CFR § 99.33(a)(2) states that the officers, employees, and agents of a party that receive education record information from the Institution may use the information, but only for the purposes for which the disclosure was made.
Covered data and information (CDI) includes electronic student education record information supplied by Institution, as well as any data provided by Institution’s students to the Service Provider.
Acknowledgment of Access to CDI
Service Provider acknowledges that the Agreement allows the Service Provider access to CDI.
Prohibition on Unauthorized Use or Disclosure of CDI
Service Provider agrees to hold CDI in strict confidence. Service Provider shall not use or disclose CDI received from or on behalf of Institution (or its students) except as permitted or required by the Agreement, as required by law, or as otherwise authorized in writing by Institution. Service Provider agrees not to use CDI for any purpose other than the purpose for which the disclosure was made.
Return or Destruction of CDI
Upon termination, cancellation, expiration or other conclusion of the Agreement, Service Provider shall return all CDI to Institution or, if return is not feasible, destroy any and all CDI. If the Service Provider destroys the information, the Service Provider shall provide Institution with a certificate confirming the date of destruction of the data.
If Institution reasonably determines in good faith that Service Provider has materially breached any of its obligations under this contract, Institution, in its sole discretion, shall have the right to require Service Provider to submit to a plan of monitoring and reporting; provide Service Provider with a fifteen (15) day period to cure the breach; or terminate the Agreement immediately if cure is not possible. Before exercising any of these options, Institution shall provide written notice to Service Provider describing the violation and the action it intends to take. If the Family Policy Compliance Office of the U.S. Department of Education determines that the Service Provider improperly disclosed personally identifiable information obtained from Institution’s education records, Institution may not allow the Service Provider access to education records for at least five years.
Maintenance of the Security of Electronic Information
Service Provider shall develop, implement, maintain and use appropriate administrative, technical and physical security measures to preserve the confidentiality, integrity and availability of all electronically maintained or transmitted CDI received from, or on behalf of Institution or its students. These measures will be extended by contract to all subcontractors used by Service Provider.
Reporting of Unauthorized Disclosures or Misuse of Covered Data and Information
Service Provider shall, within one day of discovery, report to Institution any use or disclosure of CDI not authorized by this agreement or in writing by Institution. Service Provider’s report shall identify: (i) the nature of the unauthorized use or disclosure, (ii) the CDI used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what Service Provider has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action Service Provider has taken or shall take to prevent future similar unauthorized use or disclosure. Service Provider shall provide such other information, including a written report, as reasonably requested by Institution.
Service Provider shall defend and hold Institution harmless from all claims, liabilities, damages, or judgments involving a third party, including Institution’s costs and attorney fees, which arise as a result of Service Provider’s failure to meet any of its obligations under this agreement.