703.1-R Administrative Regulations Regarding Technology and Data Security Requirements of Third-Party Vendors

The district must ensure proper safeguards and procedures exist to use third-party vendors as a resource to further educational functions. The following procedures will be used to investigate and contract only with qualifying third-party vendors for the performance of necessary educational functions of the district, and to ensure that third-party vendors meet the required standards to be designated under the Family Educational Rights and Privacy Act (FERPA) as a school official to handle personally identifiable information (PII) within the district.

Third-party vendors may be designated by the district as a school official when the vendor: 

  1. Performs an institutional service or function for which the school or district would otherwise use its own employees;
  2. Has met the criteria set forth in the district’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records;
  3. Is under the direct control of the district regarding the use and maintenance of education records; and 
  4. Uses education records only for authorized purposes and may not re-disclose PII from education records to other parties (unless the provider has specific authorization from the district to do so and is otherwise permitted by FERPA). 

Third-party vendor data use requirements will include, but not be limited to, the following:

  1. The vendor implements and maintains security procedures and practices consistent with current industry standards;
  2. The vendor is prohibited from collecting and using PII for:
    1. Targeted advertising;
    2. Amassing a profile about a student or students except in furtherance of educational purposes;
    3. Selling or renting PII for any purpose other than those expressly permitted by law; and
    4. Disclosing PII for any purposes other than those expressly permitted by law; and
  3. The vendor is responsible for providing proof that PII and records have been returned to the district and permanently removed from the vendor.

Adopted: 12/18
Reviewed: 9/21; 2/24
Related Policy: 703.1
IASB Reference: 712-R(1)