Common use of Data Confidentiality and Data Security Clause in Contracts

Data Confidentiality and Data Security. Services Provider agrees to the following confidentiality and data security statements: 1. Services Provider acknowledges that the data is confidential data and proprietary to JCPS, and agrees to protect the data from unauthorized disclosures and to comply with all applicable Local, State and Federal confidentiality laws and regulations including but not limited to FERPA; the Kentucky Family Educational Rights and Privacy Act, KRS 160.700 et seq.; the Xxxxxxx X. Xxxxxxx National School Lunch Act, 42 U.S.C. 1751 et seq.; the Child Nutrition Act of 1966, 42 U.S.C. 1771 et seq.; 7 C.F.R. 245.6 et seq.; the Personal Information Security and Breach Investigation Procedures and Practices Act, KRS 61.931 et seq.; and the Kentucky Open Records Act, KRS 61.820 et seq. 2. If the performance of this Agreement involves the transfer by JCPS to Services Provider of any data regarding any JCPS student that is subject to FERPA, Services Provider agrees to: a. In all respects comply with the provisions of FERPA. b. Use any such data for no purpose other than to fulfill the purposes of the services contract described in Paragraph B.1 above, and not share any such data with any person or entity other than Services Provider and its employees, contractors and agents, without the prior written approval of JCPS. c. Require all employees, contractors and agents of Services Provider to comply with all applicable provisions of FERPA with respect to any such data. d. Maintain any such data in a secure computer environment, and not copy, reproduce or transmit any such data expect as necessary to fulfill the purposes of the services contract described in Paragraph B.1 above. e. Provide the services under the services contract described in Paragraph B.1 above in a manner that does not permit the identification of an individual student by anyone other than employees, contractors or agents of Services Provider having a legitimate interest in knowing such personal identification. f. Destroy or return to JCPS any such data obtained under this Agreement within thirty days (30) after the date within it is no longer needed by Services Provider for the purposes of the services contract described in Paragraph B.1 above. 3. Services Provider shall not release or otherwise reveal, directly or indirectly, the data to any individual, agency, entity, or third party not included in this Agreement, unless such disclosure is required by law or court order. If Services Provider becomes legally compelled to disclose any confidential and otherwise personally identifiable data (whether by judicial or administrative order, applicable law, rule or regulation, or otherwise), then Services Provider shall use all reasonable efforts to provide JCPS with prior notice before disclosure so that JCPS may seek a protective order or other appropriate remedy to prevent the disclosure or to ensure JCPS's compliance with the confidentiality requirements of federal or state law; provided, however, that Services Provider will use all reasonable efforts to maintain the confidentiality of confidential and otherwise personally identifiable data. If a protective order or other remedy is not obtained prior to the deadline by which any legally compelled disclosure is required, Services Provider will only disclose that portion of confidential and otherwise personally identifiable data that Services Provider is legally required to disclose. 4. Services Provider shall not distribute, reprint, alter, sell, assign, edit, modify or create derivative works or any ancillary materials from or with the data. 5. Services Provider shall not use data shared under this Agreement for any purpose other than the services contract described in Paragraph B.1 above. Nothing in this Agreement shall be construed to authorize Services Provider to have access to additional data from JCPS that is not included in the scope of this Agreement (or addenda). Services Provider understands that this Agreement does not convey ownership of the data to Services Provider. 6. Services Provider shall take reasonable security precautions and protections to ensure that persons not authorized to view the data do not gain access to the data. Reasonable security precautions and protections include, but are not limited to: a. Creating, distributing, and implementing data governance policies and procedures which protect data through appropriate administrative, technical and physical security safeguards, and outline staff responsibilities for maintaining data security; b. Encrypting all data carried on mobile computers/devices; c. Encrypting data before it is transmitted electronically; d. Requiring that users be uniquely identified and authenticated before accessing data;

Data Confidentiality and Data Security. Services Provider agrees to the following confidentiality and data security statements: 1. Services Provider acknowledges that the data is confidential data and proprietary to JCPS, and agrees to protect the data from unauthorized disclosures and to comply with all applicable Local, State and Federal confidentiality laws and regulations including but not limited to FERPA; the Kentucky Family Educational Rights and Privacy Act, KRS 160.700 et seq.; the Xxxxxxx X. Xxxxxxx National School Lunch Act, 42 U.S.C. 1751 et seq.; the Child Nutrition Act of 1966, 42 U.S.C. 1771 et seq.; 7 C.F.R. 245.6 et seq.; the Personal Information Security and Breach Investigation Procedures and Practices Act, KRS 61.931 et seq.; and the Kentucky Open Records Act, KRS 61.820 et seq. 2. If the performance of this Agreement involves the transfer by JCPS to Services Provider of any data regarding any JCPS student that is subject to FERPA, Services Provider agrees to: a. In all respects comply with the provisions of FERPA. b. Use any such data for no purpose other than to fulfill the purposes of the services contract described in Paragraph B.1 above, and not share any such data with any person or entity other than Services Provider and its employees, contractors and agents, without the prior written approval of JCPS. c. Require all employees, contractors and agents of Services Provider to comply with all applicable provisions of FERPA with respect to any such data. d. Maintain any such data in a secure computer environment, and not copy, reproduce or transmit any such data expect as necessary to fulfill the purposes of the services contract described in Paragraph B.1 above. e. Provide the services under the services contract described in Paragraph B.1 above in a manner that does not permit the identification of an individual student by anyone other than employees, contractors or agents of Services Provider having a legitimate interest in knowing such personal identification. f. Destroy or return to JCPS any such data obtained under this Agreement within thirty days (30) after the date within it is no longer needed by Services Provider for the purposes of the services contract described in Paragraph B.1 above. 3. Services Provider shall not release or otherwise reveal, directly or indirectly, the student data to any individual, agency, entity, or third party not included in this Agreement, unless such disclosure is required by law or court order. If Services Provider becomes legally compelled to disclose any confidential and otherwise personally identifiable data (whether by judicial or administrative order, applicable law, rule or regulation, or otherwise), then Services Provider shall use all reasonable efforts to provide JCPS with prior notice before disclosure so that JCPS may seek a protective order or other appropriate remedy to prevent the disclosure or to ensure JCPS's compliance with the confidentiality requirements of federal or state law; provided, however, that Services Provider will use all reasonable efforts to maintain the confidentiality of confidential and otherwise personally identifiable data. If a protective order or other remedy is not obtained prior to the deadline by which any legally compelled disclosure is required, Services Provider will only disclose that portion of confidential and otherwise personally identifiable data that Services Provider is legally required to disclose. 4. Services Provider shall not distribute, reprint, alter, sell, assign, edit, modify or create derivative works or any ancillary materials from or with the student data. 5. Services Provider shall not use student data shared under this Agreement for any purpose other than the services contract described in Paragraph B.1 above. Nothing in this Agreement shall be construed to authorize Services Provider to have access to additional data from JCPS that is not included in the scope of this Agreement (or addenda). Nothing in this Agreement shall restrict Services Provider from retaining, using and disclosing de-identified or aggregate information for the purposes of improving the products and services, to demonstrate the effectiveness of the products and services, and for research or other purposes related to developing and improving the products and services. Services Provider understands that this Agreement does not convey ownership of the confidential data to Services Provider. 6. Services Provider shall take reasonable security precautions and protections to ensure that persons not authorized to view the student data do not gain access to the data. Reasonable security precautions and protections include, but are not limited to: a. Creating, distributing, and implementing data governance policies and procedures which protect data through appropriate administrative, technical and physical security safeguards, and outline staff responsibilities for maintaining data security; b. Encrypting all data carried on mobile computers/devices; c. Encrypting data before it is transmitted electronically; d. Requiring that users be uniquely identified and authenticated before accessing data;

Data Confidentiality and Data Security. Services Provider agrees to the following confidentiality and data security statements: 1. Services Provider acknowledges that the data is confidential data of a student and proprietary to JCPS, and agrees to protect the data from unauthorized disclosures and to comply with all applicable Local, State and Federal confidentiality laws and regulations including but not limited to FERPA; the Kentucky Family Educational Rights and Privacy Act, KRS 160.700 et seq.; the Xxxxxxx X. Xxxxxxx National School Lunch Act, 42 U.S.C. 1751 et seq.; the Child Nutrition Act of 1966, 42 U.S.C. 1771 et seq.; 7 C.F.R. 245.6 et seq.; the Personal Information Security and Breach Investigation Procedures and Practices Act, KRS 61.931 et seq.; and the Kentucky Open Records Act, KRS 61.820 et seq. 2. If the performance of this Agreement involves the transfer by JCPS to Services Provider of any data regarding any JCPS student that is subject to FERPA, Services Provider agrees to: a. In all respects comply with the applicable provisions of FERPA. b. Use any such data for no purpose other than to fulfill the purposes of the services contract Services Contract described in Paragraph B.1 above, and not share any such data with any person or entity other than Services Provider and its employees, contractors and agents, without the prior written approval of JCPS. c. Require all employees, contractors and agents of Services Provider to comply with all applicable provisions of FERPA with respect to any such data. d. Maintain any such data in a secure computer environment, and not copy, reproduce or transmit any such data expect as necessary to fulfill the purposes of the services contract Services Contract described in Paragraph B.1 above. e. Provide the services under the services contract Services Contract described in Paragraph B.1 above in a manner that does not permit the identification of an individual student by anyone other than employees, contractors or agents of Services Provider having a legitimate interest in knowing such personal identification. f. Destroy or return to JCPS any such data obtained under this Agreement within thirty ninety days (3090) after the date within it is no longer needed by Services Provider for the purposes of the services contract Services Contract described in Paragraph B.1 above. 3. Services Provider shall not release or otherwise reveal, directly or indirectly, the data to any individual, agency, entity, or third party not included in this Agreement, unless such disclosure is required by law or court order. If Services Provider becomes legally compelled to disclose any confidential and otherwise personally identifiable data (whether by judicial or administrative order, applicable law, rule or regulation, or otherwise), then Services Provider shall use all reasonable efforts to provide JCPS with prior notice before disclosure so that JCPS may seek a protective order or other appropriate remedy to prevent the disclosure or to ensure JCPS's compliance with the confidentiality requirements of federal or state law; provided, however, that Services Provider will use all reasonable efforts to maintain the confidentiality of confidential and otherwise personally identifiable data. If a protective order or other remedy is not obtained prior to the deadline by which any legally compelled disclosure is required, Services Provider will only disclose that portion of confidential and otherwise personally identifiable data that Services Provider is legally required to disclose. 4. Services Provider shall not distribute, reprint, alter, sell, assign, edit, modify or create derivative works or any ancillary materials from or with the data. 5. Services Provider shall not use data shared under this Agreement for any purpose other than the services contract Services Contract described in Paragraph B.1 above. Nothing in this Agreement shall be construed to authorize Services Provider to have access to additional data from JCPS that is not included in the scope of this Agreement (or addenda). Services Provider understands that this Agreement does not convey ownership of the data to Services Provider. 6. Services Provider shall take commercially reasonable security precautions and protections to ensure that persons not authorized to view the data do not gain access to the data. Reasonable Commercially reasonable security precautions and protections include, but are not limited to: a. Creating, distributing, and implementing data governance policies and procedures which protect data through appropriate industry standard administrative, technical and physical security safeguards, and outline staff responsibilities for maintaining data security; b. Encrypting all data carried across public networks in motion and at rest on mobile computers/devices; c. Encrypting data before it is transmitted electronically; d. Requiring that users be uniquely identified and authenticated before accessing data;

Data Confidentiality and Data Security. Services Provider agrees to the following confidentiality and data security statements: 1. Services Provider acknowledges that the data is confidential data and proprietary to JCPS, and agrees to protect the data from unauthorized disclosures and to comply with all applicable Local, State and Federal confidentiality laws and regulations including but not limited to FERPA; the Kentucky Family Educational Rights and Privacy Act, KRS 160.700 et seq.; the Xxxxxxx X. Xxxxxxx National School Lunch Act, 42 U.S.C. 1751 et seq.; the Child Nutrition Act of 1966, 42 U.S.C. 1771 et seq.; 7 C.F.R. 245.6 et seq.; the Personal Information Security and Breach Investigation Procedures and Practices Act, KRS 61.931 et seq.; and the Kentucky Open Records Act, KRS 61.820 et seq. 2. If the performance of this Agreement involves the transfer by JCPS to Services Provider of any data regarding any JCPS student that is subject to FERPA, Services Provider agrees to: a. In all respects comply with the provisions of FERPA. b. Use any such data for no purpose other than to fulfill the purposes of the services contract described in Paragraph B.1 aboveServices Agreement, and not share any such data with any person or entity other than Services Provider and its employees, contractors and agents, without the prior written approval of JCPS. c. Require all employees, contractors and agents of Services Provider to comply with all applicable provisions of FERPA with respect to any such data. d. Maintain any such data in a secure computer environment, and not copy, reproduce or transmit any such data expect as necessary to fulfill the purposes of the services contract described in Paragraph B.1 aboveServices Agreement. e. Provide the services under the services contract described in Paragraph B.1 above Services Agreement in a manner that does not permit the identification of an individual student by anyone other than employees, contractors or agents of Services Provider having a legitimate interest in knowing such personal identification. f. Destroy or return to JCPS any such data obtained under this Agreement within thirty days (30) after the date within it is no longer needed by Services Provider for the purposes of the services contract described in Paragraph B.1 aboveServices Agreement. 3. Services Provider shall not release or otherwise reveal, directly or indirectly, the data to any individual, agency, entity, or third party not included in this Agreement, unless such disclosure is required by law or court order. If Services Provider becomes legally compelled to disclose any confidential and otherwise personally identifiable data (whether by judicial or administrative order, applicable law, rule or regulation, or otherwise), then Services Provider shall use all reasonable efforts to provide JCPS with prior notice before disclosure so that JCPS may seek a protective order or other appropriate remedy to prevent the disclosure or to ensure JCPS's compliance with the confidentiality requirements of federal or state law; provided, however, that Services Provider will use all reasonable efforts to maintain the confidentiality of confidential and otherwise personally identifiable data. If a protective order or other remedy is not obtained prior to the deadline by which any legally compelled disclosure is required, Services Provider will only disclose that portion of confidential and otherwise personally identifiable data that Services Provider is legally required to disclose. 4. Services Provider shall not distribute, reprint, alter, sell, assign, edit, modify or create derivative works or any ancillary materials from or with the datadata except as permitted by the Services Agreement with respect to data that has been de-identified, anonymized and aggregated. 5. Services Provider shall not use data shared under this Agreement for any purpose other than the services contract described in Paragraph B.1 aboveServices Agreement. Nothing in this Agreement shall be construed to authorize Services Provider to have access to additional data from JCPS that is not included in the scope of this Agreement (or addenda). Services Provider understands that this Agreement does not convey ownership of the data to Services Provider. 6. Services Provider shall take reasonable security precautions and protections to ensure that persons not authorized to view the data do not gain access to the data. Reasonable security precautions and protections includeinclude those included in the Information Security Schedule attached as Attachment C. 7. If Services Provider receives Personal Information as defined by and in accordance with the Kentucky Personal Information Security and Breach Investigation Procedures and Practices Act, KRS 61.931, et seq. (the "Act"), Services Provider shall secure, protect and maintain the confidentiality of the Personal Information by, without limitation, complying with all requirements applicable to "non-affiliated third parties" set forth in the Act, including but are not limited toto the following: a. Creating, distributing, and implementing data governance policies and procedures which protect data through appropriate administrative, technical and physical security safeguards, and outline staff responsibilities for maintaining data security; b. Encrypting all data carried on mobile computers/devices; c. Encrypting data before it is transmitted electronically; d. Requiring that users be uniquely identified and authenticated before accessing data;

Data Confidentiality and Data Security. Services Provider agrees to the following confidentiality and data security statements: 1. Services Provider acknowledges that the data is confidential data and proprietary to JCPS, and agrees to protect the data from unauthorized disclosures and to comply with all applicable Local, State and Federal confidentiality laws and regulations including but not limited to FERPA; the Kentucky Family Educational Rights and Privacy Act, KRS 160.700 et seq.; the Xxxxxxx X. Xxxxxxx National School Lunch Act, 42 U.S.C. 1751 et seq.; the Child Nutrition Act of 1966, 42 U.S.C. 1771 et seq.; 7 C.F.R. 245.6 et seq.; the Personal Information Security and Breach Investigation Procedures and Practices Act, KRS 61.931 et seq.; and the Kentucky Open Records Act, KRS 61.820 et seq. 2. If the performance of this Agreement involves the transfer by JCPS to Services Provider of any data regarding any JCPS student that is subject to FERPA, Services Provider agrees to: a. In all respects comply with the provisions of FERPA. b. Use any such data for no purpose other than to fulfill the purposes of the services contract described in Paragraph B.1 above, and not share any such data with any person or entity other than Services Provider and its employees, contractors and agents, without the prior written approval of JCPS. c. Require all employees, contractors and agents of Services Provider to comply with all applicable provisions of FERPA with respect to any such data. d. Maintain any such data in a secure computer environment, and not copy, reproduce or transmit any such data expect as necessary to fulfill the purposes of the services contract described in Paragraph B.1 above. e. Provide the services under the services contract described in Paragraph B.1 above in a manner that does not permit the identification of an individual student by anyone other than employees, contractors or agents of Services Provider having a legitimate interest in knowing such personal identification. f. Destroy or return to JCPS any such data obtained under this Agreement within thirty days (30) after the date within it is no longer needed by Services Provider for the purposes of the services contract described in Paragraph B.1 above, except backup files made in the normal course of business which are retained per Service Provider’s data retention policy, for regulatory compliance. 3. Services Provider shall not release or otherwise reveal, directly or indirectly, the data to any individual, agency, entity, or third party not included in this Agreement, unless such disclosure is required by law or court order. If Services Provider becomes legally compelled to disclose any confidential and otherwise personally identifiable data (whether by judicial or administrative order, applicable law, rule or regulation, or otherwise), then Services Provider shall use all reasonable efforts to provide JCPS with prior notice before disclosure so that JCPS may seek a protective order or other appropriate remedy to prevent the disclosure or to ensure JCPS's compliance with the confidentiality requirements of federal or state law; provided, however, that Services Provider will use all reasonable efforts to maintain the confidentiality of confidential and otherwise personally identifiable data. If a protective order or other remedy is not obtained prior to the deadline by which any legally compelled disclosure is required, Services Provider will only disclose that portion of confidential and otherwise personally identifiable data that Services Provider is legally required to disclose. 4. Services Provider shall not distribute, reprint, alter, sell, assign, edit, modify or create derivative works or any ancillary materials from or with the data. 5. Services Provider shall not use data shared under this Agreement for any purpose other than the services contract described in Paragraph B.1 above. Nothing in this Agreement shall be construed to authorize Services Provider to have access to additional data from JCPS that is not included in the scope of this Agreement (or addenda). Services Provider understands that this Agreement does not convey ownership of the data to Services Provider. 6. Services Provider shall take reasonable security precautions and protections to ensure that persons not authorized to view the data do not gain access to the data. Reasonable security precautions and protections include, but are not limited to: a. Creating, distributing, and implementing data governance policies and procedures which protect data through appropriate administrative, technical and physical security safeguards, and outline staff responsibilities for maintaining data security; b. Encrypting all data carried on mobile computers/devices; c. Encrypting data before it is transmitted electronically; d. Requiring that users be uniquely identified and authenticated before accessing data;