The district must ensure proper safeguards and procedures exist to use third-party vendors as a resource to further educational functions. The following procedures shall be used to investigate and contract only with qualifying third-party vendors for the performance of necessary educational functions of the district; and to ensure that third-party vendors meet the required standards to be designated under the Family Educational Rights and Privacy Act (FERPA) as a school official to handle personally identifiable information (PII) within the district.
Third-party vendors may be designated by the district as a school official when the vendor:
- Performs an institutional service or function for which the school or district would otherwise use its own employees;
- Has met the criteria set forth in the district’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records;
- Is under the direct control of the district regarding the use and maintenance of education records; and
- Uses education records only for authorized purposes and may not re-disclose PII from education records to other parties (unless the provider has specific authorization from the district to do so and is otherwise permitted by FERPA).
Third-party vendor data use requirements shall include, but not be limited to the following:
- The vendor implements and maintains security procedures and practices consistent with current industry standards; and
- The vendor be prohibited from collecting and using PII for:
- Targeted advertising;
- Amassing a profile about a student or students except in furtherance of educational purposes;
- Selling or renting PII for any purpose other than those expressly permitted by law; and
- Disclosing PII for any purposes other than those expressly permitted by law.
- The vendor is responsible to provide proof that PII information and records have been returned to the district and permanently removed from the vendor.
Related Policy (Code#): 703.1