Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:
(a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement.
(b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached.
(c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless:
(i) the parent or eligible student has provided prior written consent; or
(ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order.
(iii) Vendor may use de-identified information (which refers to personally identifiable information that has been removed or obscured from student records in a way that minimizes the risk of disclosure of the identity of the individual and information about them) for evaluation, research and development of educational products and services.
(d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody.
(e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5.
(f) To adopt technologies, safeguards and practices that align with industry standards.
(g) To comply with the District’s policy on data security and privacy, attached to this Master Agreement, Section 2-d and Part 121.
(h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.
(i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any confirmed data breach resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy which are attached to this Master Agreement, or other binding obligations relating to data privacy and security contained in the Master Agreement.
(j) To reasonably cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data.
(k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor’s or its subcontractors’ or assignees’ negligence or omission.
Appears in 1 contract
Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:
(a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement.
(b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached.
(c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless:
(i) the parent or eligible student has provided prior written consent; or
(ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order.
(iii) Vendor may use de-identified information (which refers to personally identifiable information that has been removed or obscured from student records in a way that minimizes the risk of disclosure of the identity of the individual and information about them) for evaluation, research and development of educational products and services.
(d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody.
(e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5.
(f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework.
(g) To comply with the District’s policy on data security and privacy, attached to this Master Agreement, Section 2-d and Part 121.
(h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.
(i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any confirmed data breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy which are attached to this Master Agreement, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit.
(j) To reasonably cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data.
(k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor’s or its subcontractors’ or assignees’ negligence or omission.
The District, in compliance with Education Law §2-d, provides the following: As used in this policy, the following terms are defined: Student Data means personally identifiable information from the student records of a District student.
Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:
(a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement.
(b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached.
(c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless:
(i) the parent or eligible student has provided prior written consent; or
(ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order.
(iii) Vendor may use de-identified information (which refers to personally identifiable information that has been removed or obscured from student records in a way that minimizes the risk of disclosure of the identity of the individual and information about them) for evaluation, research and development of educational products and services.
(d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody.
(e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5.
(f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework.
(g) To comply with the District’s policy on data security and privacy, attached to this Master Agreement, Section 2-d and Part 121.
(h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.
(i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any confirmed data breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy which are attached to this Master Agreement, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit.
(j) To reasonably cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data.
(k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor’s or its subcontractors’ or assignees’ negligence or omission.
Samples: ny50000104.schoolwires.net
Additional Statutory and Regulatory Obligations. Vendor acknowledges that it has the following additional obligations under Section 2-d with respect to any Protected Data received from the District, and that any failure to fulfill one or more of these statutory or regulatory obligations will be deemed a breach of the Master Agreement and the terms of this Data Sharing and Confidentiality Agreement:1
(a) To limit internal access to Protected Data to only those employees or subcontractors that are determined to have legitimate educational interests within the meaning of Section 2-d and the Family Educational Rights and Privacy Act (FERPA); i.e., they need access in order to assist Vendor in fulfilling one or more of its obligations to the District under the Master Agreement.
(b) To not use Protected Data for any purposes other than those explicitly authorized in this Data Sharing and Confidentiality Agreement and the Master Agreement to which this Exhibit is attached.
(c) To not disclose any Protected Data to any other party, except for authorized representatives of Vendor using the information to carry out Vendor’s obligations to the District and in compliance with state and federal law, regulations and the terms of the Master Agreement, unless:
(i) the parent or eligible student has provided prior written consent; or
(ii) the disclosure is required by statute or court order and notice of the disclosure is provided to the District no later than the time of disclosure, unless such notice is expressly prohibited by the statute or court order.
(iii) Vendor may use de-identified information (which refers to personally identifiable information that has been removed or obscured from student records in a way that minimizes the risk of disclosure of the identity of the individual and information about them) for evaluation, research and development of educational products and services.
1 Nothing in Education Law Section 2-d or Part 121 specifically requires an educational agency to include within its contracts with third-party contractors this list of obligations that are imposed on third-party contractors by the statute and/or its implementing regulations. However, many school districts and other educational agencies have considered it a best practice to include these statutory and regulatory obligations within their third-party contracts.
(d) To maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Protected Data in its custody.
(e) To use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the Secretary of the U.S. Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5.
(f) To adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework.
(g) To comply with the District’s policy on data security and privacy, attached to this Master Agreement, Section 2-d and Part 121.
(h) To not sell Protected Data nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.
(i) To notify the District, in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement, of any confirmed data breach of security resulting in an unauthorized release of Protected Data by Vendor or its assignees or subcontractors in violation of applicable state or federal law, the District’s Bill of Rights for Data Security and Privacy, the District’s policies on data security and privacy which are attached to this Master Agreement, or other binding obligations relating to data privacy and security contained in the Master Agreement and this Exhibit.
(j) To reasonably cooperate with the District and law enforcement to protect the integrity of investigations into the breach or unauthorized release of Protected Data.
(k) To pay for or promptly reimburse the District for the full cost of notification, in the event the District is required under Section 2-d to notify affected parents, students, teachers or principals of a breach or unauthorized release of Protected Data attributed to Vendor’s or its subcontractors’ or assignees’ negligence or omission.
The District, in compliance with Education Law §2-d, provides the following: DEFINITIONS: As used in this policy, the following terms are defined: Student Data means personally identifiable information from the student records of a District student. Teacher or Principal Data means personally identifiable information from District records relating to the annual professional performance reviews of classroom teachers or Principals that is confidential and not subject to release under the provisions of Education Law §§3012-c and 3012-d.