Protections for student data privacy took an important step forward this summer when the Student Data Privacy Consortium (SDPC) released the first model National Data Privacy Agreement (NDPA) for school districts to use with their technology service providers. Ever since education technology (edtech) emerged as a key tool in classrooms, both schools and edtech companies have struggled to create data privacy agreements (DPAs) that adequately protect student data and meet both schools’ and providers’ needs. DPAs provide crucial protections for student data by limiting its use and sharing. A key challenge in that process is that US federal student privacy law and many state laws require specific contractual clauses or protections. The new NDPA addresses this challenge by streamlining the education contracting process and, in the SDPC’s words, establishing “common expectations between schools/districts and marketplace providers.”
In this blog, we outline some of the major contracting challenges, the SDPC’s creation of the model contract, and the ways in which education stakeholders can use the NDPA to reduce the burden of contracting.
Data Privacy Agreements: Challenges for Schools and Edtech Companies
Schools and districts typically use hundreds of companies to provide services every school year. Edtech companies perform widely varying tasks for schools and districts, such as data storage, educational games, learning management systems, attendance tracking, and many other school functions. The privacy protections that each company must implement can vary based on the type and sensitivity of student data they hold and how it is collected, used, or shared. In addition, as 43 states have passed more than 130 student privacy laws in the past five years , districts and edtech companies must incorporate significant legal obligations into their agreements or contracts. Districts also want to ensure that companies limit their student data collection and use.
However, contracting individually with each service provider to ensure this protection is often extremely difficult for both districts and companies. Each DPA might require different levels of sharing, control, and protections regarding student data. And few districts can hire teams of technologists and lawyers to understand and negotiate student data privacy with each of their service providers. As a result, districts across the country have sought ways to ensure trust and facilitate the DPA process.
Edtech companies face similar challenges as they bring important services to schools and districts. Because contracts involving student data must align with federal and state laws and address each district’s needs and concerns, edtech companies find it challenging and expensive to negotiate DPAs with school districts at scale. Often, schools and districts require DPAs that are unique to their institution but might contain requirements that are not appropriate for every edtech company; for example, a company that deletes data after it is no longer needed (to improve data security) would be unable to comply with a contractual requirement to return all student data after the company provides its service. Larger edtech companies might have teams of lawyers who can work with clients on these issues, but many smaller companies without legal departments may sign contracts they know they cannot observe because they lack the resources or leverage to incorporate language that fits the realities of their business.
These challenges have forced both school districts and companies to dedicate significant time and resources to DPAs each year. To alleviate schools’ contracting challenges and strengthen their knowledge and bargaining power with edtech companies, a group of Massachusetts school districts created the SDPC in 2015. The organization now has school district alliances in 29 states.
How the SDPC Developed the NDPA
SDPC’s alliances have created influential state-wide agreements in several states, such as California and Massachusetts. In recent years, other state alliances have increasingly adapted versions of the California and Massachusetts agreements in their own states to ease the burdens of contracting with their service providers. As a result of the growing popularity of the state-level DPAs and calls to establish baseline agreements for its alliances, SDPC formed a working group to create a national set of standards that align as much as possible with current laws, requirements, and edtech business practices.
For more than a year, the SDPC working group––made up of attorneys, district officials, company representatives, and nonprofit organizations, including FPF––met to create the NDPA. The goal was to improve the language from the state agreements and to create a balanced starting point for negotiations between schools and companies nationwide. The result is a contract that will likely save time and money for schools, districts, and edtech companies, ultimately benefiting students by allowing schools and districts to allocate more resources to learning and less to negotiating.
The working group attempted to balance substantive changes and create a structure that makes the contract easier to use than past state-level versions. The group addressed provisions regarding data breaches, sub-processor restrictions, advertising limits, de-identified data use, and other issues, reflecting multiple compromises between districts and companies. The working group also added sections that will allow districts and edtech companies to easily include information that was challenging in past DPAs, such as descriptions of companies’ services, terms that address state law, and changes to standard terms. Over the next year, SDPC’s state-level alliances will create state-specific clauses allowing them to incorporate unique requirements from their state laws into the NDPA.
Ongoing Revision and Stakeholder Participation
The SDPC’s NDPA contains terms that align with most US state and federal student privacy laws. Nonetheless, not every provision in the agreement will be perfect for every school, district, or company. Districts and companies concerned about specific provisions will still benefit from using the NDPA because it will set a common starting point for districts’ and companies’ discussions of data privacy.
While a significant step forward, the NDPA has room for improvement. No matter how well-vetted, a resource such as this can cause unintended consequences, and stakeholders should not hesitate to identify and communicate them. For example, transactional challenges remain regarding how the NDPA will fit within the structure of a service agreement between schools and companies, especially since the NDPA has some overlapping and, therefore, redundant definitions: “third party” “operator,” and “provider,” for instance, all refer to the company signing the contract.
There are also substantive provisions that may cause issues down the road: the audit clause, for example, could allow multiple districts to simultaneously audit one company. Although the NDPA improves prior language about breach notifications, it does not explicitly define a data breach, thus introducing potential ambiguity about when a notification is required. Furthermore, the NDPA might impact the national edtech market by creating a barrier to entry for smaller companies, which often have little opportunity to negotiate inapplicable or unnecessarily burdensome provisions. SDPC has said that it will continue to develop the NDPA, so feedback about the agreement’s challenges and strengths will be necessary and useful.
Adopting the NDPA will benefit schools, districts, and companies because it establishes a common baseline for these stakeholders to begin student data privacy negotiations. Even if it does not apply perfectly to everyone, the agreement will save contracting resources for all education stakeholders. This efficiency, in turn, will allow schools and districts to better protect student data as they provide important services and education for American students.