Data Privacy Policy

Sourcewell Technology

Please read carefully.

ARTICLE 1 – INTRODUCTION

1. Purpose and Scope.

The purpose of this Data Privacy Policy (“Privacy Policy”) is to describe the manner in which Sourcewell Technology (“SWT”) protects the confidentiality and safety of educational data transmitted or shared with SWT by its customers, generally, state, local and education (SLED) government agencies (“Customers”), in connection with SWT’s provision of software products and, support and technical services that would otherwise be performed by its Customers. This Privacy Policy is available at www.sourcewelltech.org/privacy-policy.

2. Additional Data Policies.

In addition to this Privacy Policy, SWT has implemented separate data policies which include additional details applicable to specific laws and regulations. Such separate policies include: (1) the SWT Minnesota Government Data Practices Act Policy (“MGDPA Policy”) available at www.sourcewelltech.org/data-policy); and, (2) SWT’s Information Security Policy which includes technical information about the security measures used in the operation of SWT systems including references to individual policies and procedures included in the PCI DSS (Payment Card Industry Data Security Standard). This policy is available upon request.

For clarification, this Privacy Policy should not be confused with SWT’S separate Terms of Use for its Website available at www.sourcewelltech.org/terms-of-use. While the focus of the Privacy Policy is to inform Customers how SWT conforms with applicable privacy laws, the Terms of Use for its Website are limited to describing the terms and conditions to which visitors of the site must agree in order to use the website.

3. Changes to Privacy Policy.

SWT reserves the right to update this Privacy Policy from time to time in the course of ordinary business. SWT will not make material changes to the Privacy Policy related to Student Data that are inconsistent with any Customer Agreements then in effect. If SWT makes material changes to the Privacy Policy - before the changes are effective, SWT will send an email to its Customers including the following information: the effective date of such material changes; a link to the revised policy; a summary of the material changes; and, notice that Customers consent to the material changes by continuing to purchase products and/or services under Customer Agreements.

ARTICLE 2 – CUSTOMER DATA OWNERSHIP; UNAUTHORIZED ACCESS

1. Customer Data.

For purposes of this Privacy Policy, “Customer Data” shall mean all data provided by Customers to SWT in connection with products and/or services purchased by Customer under a separate agreement (“Customer Agreement”). Customer Data transferred by Customer or created by SWT in connection with such agreements is subject to the Minnesota Government Data Practices Act (“MGDPA”), Minnesota Statutes Chapter 13. As used in this Privacy Policy, the term, Customer Data, includes any “Student Data” provided to SWT from Customers as defined below in Section 2.

2. Student Data.

In connection with Customer Agreements for products and/or services, Customers may provide SWT with data that is subject to federal statutes, including, the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. 1232g (34 CFR Part 99); the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. 6501-6506; and, Protection of Pupil Rights Amendment (“PPRA), 20 U.S.C. 1232h. Such data shall be referred to as “Student Data,” which shall mean any data, whether gathered by SWT or provided by Customer or its users, students, or students’ parents/guardians, that is descriptive of the student including, but not limited to, information in the student’s educational record or email, first and last name, home address, telephone number, email address, or other information allowing online contact, discipline records, videos, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security numbers, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings or geolocation information. Student Data includes PII (personally identifiable information) as defined in FERPA. Excluded from the term, Student Data, is “De-identified Data” as defined below in ARTICLE 3, Section 8.

3. Ownership.

SWT acknowledges and agrees that Customer Data is owned solely by Customer. SWT will not share, sell or disclose Customer Data to any third party without prior written consent of Customer. Customer has the right to request the prompt return of any portion of Customer Data and/or all data files at any time for any reason whatsoever, subject to payment for time and materials at reasonable rates by Customer to SWT.

4. Third Party Data Request.

SWT will promptly report to Customer about any requests from third parties for Customer Data. Customer will respond to such data requests. If SWT is subject to compelled disclosure to a third party (e.g., lawfully issued subpoena or court order), SWT will provide notification to Customer in advance of such compelled disclosure, provided that SWT is not prohibited from doing under terms in a subpoena or court order.

5. Subcontractor.

In the event that SWT retains a subcontractor to perform data collection, analytics, storage or similar services who has access to Customer Data, SWT will ensure that the Subcontractor agrees in writing to protect Customer Data in a manner consistent with the terms of this Privacy Policy.

ARTICLE 3 – DATA PRACTICES

1. Legal Requirements.

SWT will comply with all applicable state and federal laws and regulations pertaining to data privacy and security, including FERPA, COPPA, PPRA, MGDPA and similar state laws as applicable to SWT. SWT agrees that any information it creates, collects, receives, stores, uses, or disseminates during the course of its performance under a Customer Agreement which concerns the personal, financial, or other affairs of Customer, its students, employees, officers, or Board shall be kept private and in conformance with all state and federal laws relating to data privacy as applicable to SWT, including without limitation, the MGDPA.

2. Collection of Customer Data.

SWT only collects, maintains, uses and shares Customer Data to the extent it is needed for “Educational/School Purposes” authorized by its Customers, or authorized by parents or students. Educational/School Purposes include services or functions that take place at the direction of an authorized representative of a Customer, typically, pursuant to a Customer Agreement, that would otherwise be performed by the Customer’s employees, and that aids in the administration or improvement of education and school activities.

3. Use of Customer Data.

SWT will ensure that any and all Customer Data shall be used expressly and solely for the purposes enumerated Customer Agreements. Customer Data shall not be distributed, repurposed, sold or shared across other applications or environments of SWT. Prior to any such distribution by SWT, it shall first obtain prior written permission from Customer.

4. Advertising Prohibition.

SWT shall not use or sell Customer Data to (a) market or advertise to students or families/guardians; (b) inform, influence, or enable marketing, advertising, or other commercial efforts by SWT; (c) develop a profile of a student, family member/guardian or group, for any commercial purpose other than providing products or services to Customer; or (d) use the Student Data for the development of commercial products or services, other than as necessary to provide services to Customer. This section does not prohibit SWT from using Student Data for adaptive learning or customized student learning purposes.

5. Student Profiles.

SWT will not use any Customer Data (in particular, Student Data) to create or maintain student profiles other than as strictly needed to provide products and/or services under Customer Agreements. SWT will not create or maintain student profiles for any non-educational purpose.

6. Employee Obligations.

SWT will restrict access of all employees and consultants to Customer Data strictly on a need-to-know basis in order to perform their job responsibilities. SWT will ensure that any such employees and consultants comply with all applicable provisions of this Privacy Policy with respect to Customer Data to which they have appropriate access.

7. Successor Entities.

SWT will ensure that any successor entity, in the case of a merger or acquisition or similar transaction, is obligated to maintain all Customer Data transferred by SWT to the successor entity in accordance with the terms and provisions in this Privacy Policy. In the event a successor entity does not agree to such terms and conditions, Customer shall have the option to withdraw its authorizations to share Customer Data with such successor entity.

8. De-identified Customer Data.

Customer understands and agrees that it hereby authorizes SWT to use Customer Data, including electronic Student Data, in a de-identified format as defined in FERPA, 34 C.F.R. §99.31(b)(1) (“De-identified Data”) for the following purposes and that SWT has no obligation to destroy or return such De-identified Data upon termination: (1) to test De-identified Data for performance and compatibility with new software releases and upgrades; (2) to test De-identified Data in a new release against the existing environment; (3) to test for conversion; (4) to provide software support services to Customer in connection with Customer Agreements; and (5) for presentations or demonstrations to current and potential Customers. SWT will not attempt to re-identify De-identified Data and will not transfer any such data to any party unless that party agrees in writing not to attempt re-identification.

9. Pupil Generated Content.

If “Pupil Generated Content” (which shall mean any materials or content created by a student for the purposes of education) is stored or maintained by SWT as part of the provided products/services, upon Customer’s request, SWT will transfer such content to a separate student account upon termination of the Customer Agreement, provided, however, such transfer shall only apply to pupil generated content that is severable from the product or services. Customer understands and agrees to pay SWT a fee for the account set-up and transfer, subject to pre-approval of the fee amount by Customer.

10. Retention of Customer Data.

SWT will only retain Customer Data for as long it is necessary for SWT to provide products and/or services to Customer under Customer Agreements or as otherwise authorized by Customer. SWT will dispose of Customer Data pursuant to Section 11 below when it is no longer needed for the purpose for which it was obtained.

11. Disposal of Customer Data.

Upon written request and in accordance with the applicable terms in subsection (a) or (b) below, SWT shall dispose or delete all Customer Data obtained under a Customer Agreement when it is no longer needed for the purpose for which it was obtained. Disposition shall include (1) the shredding of any hard copies of any Customer Data; (2) Erasing; or (3) Otherwise modifying the personal information in those records to make it unreadable or indecipherable by human or digital means. SWT will not maintain Customer Data obtained under a Customer Agreement beyond the time period reasonably needed to complete the disposition. SWT shall provide written notification to Customer when the Customer Data has been disposed. The duty to dispose of Customer Data shall not extend to De-identified Data as defined above in Section 8 or to Pupil Generated Data placed in a separate user account per Section 9 above. Upon receipt of a request from the Customer, the SWT will use best efforts to provide the Customer with any specified portion of the Customer Data within thirty (30) business days of receipt of said request. Customer understands and agrees to pay SWT a fee for the provisions of requested data, subject to pre-approval by Customer.

a. Partial Disposal During Term of Customer Agreement. Throughout the term of a Customer Agreement, Customer may request partial disposal of Customer Data obtained under the Customer Agreement that is no longer needed for products/services.

b. Complete Disposal Upon Termination of Customer Agreements. Upon termination of all Customer Agreements between the parties, SWT shall dispose or delete all Customer Data obtained under such agreements, but only upon receipt of affirmative written confirmation from Customer that such data will not be transferred to a separate account.

12. Customer Audit Request.

Upon receipt of a written request from Customer, and proposed Statement of Work, SWT will allow Customer to audit or review the security and privacy measures that are in place to ensure protection of Customer Data within a reasonable timeframe after the request, subject to the provisions in Minn. Stat. § 13.02, subd. 13 or Minn. Stat. § 13.37, subd. 1 (a).

13. Litigation Hold Request.

Upon receipt of a written litigation hold request from Customer, SWT will assist the Customer to preserve all documents and data identified by Customer within the scope of the litigation hold. Such efforts will include the suspension of deletion, overwriting or similar destruction of the documentation and data identified by Customer.

ARTICLE 4 – DATA SECURITY

1. Industry Standards.

For purposes of this Privacy Policy, the term, “Industry Standards” includes but is not limited to, the current standards and benchmarks set forth and maintained by the following entities:

2. Customer Data Security.

SWT will preserve the confidentiality, integrity and accessibility of Customer Data with administrative, technical and physical measures that conform to the Industry Standards and best practices that SWT then applies to its own processing environment. Maintenance of a secure processing environment includes, but is not limited to, the timely application of patches, fixes and updates to operating systems and applications as provided by SWT or open source support.

3. Network Security.

SWT will maintain network security that includes: network firewall provisioning, intrusion detection, and regular third-party vulnerability assessments. SWT will maintain network security that conforms to Industry Standards and best practices that SWT applies to its own network.

4. Application Security.

SWT will provide, maintain and support software licensed to Customers and subsequent updates, upgrades, and bug fixes as made available for the software so that such software is and remains secure from those vulnerabilities as described in Industry Standards.

5. Customer Data Storage.

SWT will ensure that any and all Customer Data will be stored, processed, and maintained solely on designated target servers and that no Customer Data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium, unless that device or storage medium is in use as part of the SWT designated backup and recovery processes and encrypted in accordance with the provisions set forth below in Section 7.

6. Customer Data Transfer or Remote Access by Customer.

SWT will ensure that any and all electronic transmission, exchange or transfer of system and application Customer Data with Customer and/or any other parties expressly authorized in writing by Customer, e.g., vendors, shall take place via secure means (using HTTPS or SFTP or equivalent) and in accordance with the provisions set forth above in ARTICLE 3, Section 4. SWT will provide Customer with a Data Transfer Agreement (or similar document) to sign before any such transfer occurs. In the event Customer requests remote access to Customer Data via ODBC (open database connectivity), SWT will provide Customer with a Remote Access Agreement (or similar document) for signature by Customer and a similar agreement for signature by each individual using such access before remote access is available.

7. Customer Data Encryption.

SWT will store all backup Customer Data as part of its designated backup and recovery processes in encrypted form, using a commercially supported encryption solution. Additionally, all Student Data, or “private data” under the MGDPA stored on any portable or laptop computing device or any portable storage medium will be likewise encrypted. Encryption solutions will be deployed with no less than a 256-bit key for symmetric encryption and a 2048 (or larger) bit key length for asymmetric encryption.

8. Security Breach Notification.

If SWT becomes aware of a privacy incident or a security incident (each of which is defined below in this Section 8) regarding any Customer Data, SWT will report the event to the Customer and the Customer's Chief Technology Officer (or employee with similar title and responsibility) within two (2) business days, or within a time frame specified under applicable state law, subject to any restrictions imposed by law enforcement authorities. In addition, Customer shall notify SWT of suspected security events, system or network compromises, or other events related to Customer’s system that could impact the confidentiality, integrity or availability of the SWT managed applications or systems; of any defects in software licensed to Customer, reproducing the suspected defects in the unaltered software; and, upon SWT's request and to the extent provided by law, providing additional data in machine‑readable or interpreted form deemed necessary or desirable by SWT to reproduce the environment in which the defect occurred and to install defect correction and maintenance releases. The decision to notify and the actual notifications to the Customer's data subjects affected by the security or privacy incident is the responsibility of the Customer. To the extent within the insurance coverage and limits of SWT's current insurance policy, subject to the provisions in Minn. Stat. §466.06, if applicable, SWT shall indemnify, hold harmless and defend the Customer and its officers, and employees for and against any claims, damages, costs and expenses related to any privacy or security incident involving any Customer Data except to the extent caused by the Customer or a third party. SWT and the Customer each have a duty to reasonably mitigate any harmful effects resulting from any privacy or security incident involving any Customer Data.

For purposes of this Section 8, "security incident" means the successful unauthorized access, use, disclosure, modification or destruction of data or interference with system operations in an information system. For purposes of this Section 8, "privacy incident" means violation of the MGDPA and/or federal privacy requirements in federal laws, rules and regulations. This includes, but is not limited to, improper or unauthorized use or disclosure of Not public data, improper or unauthorized access to or alteration of public data, and incidents in which the confidentiality of the Customer Data maintained by SWT has been breached. “Not public data” has the meaning set forth in the MGDPA, Minn. Stat. § 13.02, subdivision 8 (a).

 

Vers.2020-01