Every employee at Kokomo has signed upon agreement to ensure the understanding of the data handling. This is a sample copy.
DATA USE AGREEMENT BETWEEN KOKOMO SOLUTIONS AND EMPLOYEES FOR
THE DISCLOSURE OF EDUCATION RECORDS
1.1 Kokomo Solutions (“Kokomo”) is a delarware incorporated C-corp organized and existing under and pursuant to the constitution and laws of the State of Illinois, California, and Delaware and with a primary business address at 2700 Patriot Blvd. Ste 250 Glenview, IL 60026.
1.2 [ ] (Contractor) provides service as a contractor or an employee with a primary place of business at 2700 PATRIOT BLVD. STE 250 GLENVIEW, IL 60026.
2.1 The purpose of this Data Use Agreement (“Agreement”) is to allow for the Kokomo to provide Contractor with personally identifiable information (“PII”) from student education records (“student data”) without consent so that the Contractor may perform the following institutional service or function for which the Kokomo would otherwise use employees:
BUILD AND MAINTAIN INCIDENT MANAGEMENT SOLUTION IN THE CLOUD
2.2 This Agreement is meant to ensure that Contractor adheres to the requirements concerning the use of student information protected under the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. §1232g, 34 Code of Federal Regulations Part 99, and California Education Code sections 49060-49085. This agreement applies to all interactions between Contractor and Kokomo.
2.3 34 C.F.R. §99.30 and Education Code §49076(a) require the consent of the education rights holder prior to the release of PII from the education record of a student. An exception to the consent requirement is provided for in 34 CFR §99.31(a)(1)(i) and Education Code §49076(a)(2)(G)(i) for contractors “performing institutional services or functions otherwise performed by school employees.” These contractors are considered “Kokomo officials” under FERPA and the California Education Code.
2.4 Under this Agreement, the Kokomo considers Contractor to be a school official with legitimate educational interests performing an institutional service or function for which the Kokomo would otherwise use employees within the meaning of 34 C.F.R. §99.31(a)(1)(i) and Education Code §49076(a)(2)(G)(i) and this allows the Kokomo to disclose PII from education records of students without the consent required by 34 C.F.R. § 99.30 and Education Code §49076(a).
2.5 This Agreement does not necessarily describe the complete nature of all interactions between the Contractor and the Kokomo. Rather, this Agreement pertains to the disclosure of personally identifiable information from education records only. It is likely that the Contractor has some other form of written agreement with the Kokomo (possibly including, but not limited to a separate contract or MOU, a license agreement, a subscription agreement, etc.). However, in so far as it pertains to the subject matter of this Agreement, this Agreement takes precedence over any inconsistencies with any other agreements.
- PROCESS FOR DATA TRANSFER
The Kokomo entered into a five-year Contract on August 1, 2015 with Clever, Inc., (Clever) and EduTone Corporation (EduTone) under which Clever or EduTone receives electronic data from the Kokomo containing student-, teacher-, and other information. Clever or EduTone then provides the data to various Kokomo vendors, such as Contractor. This alleviates work on the Disrict’s part, which formerly required the creating of separate record layouts for each vendor. By entering into this Agreement, the Kokomo authorizes Clever or EduTone to send data to Contractor in accordance with the Kokomo’s Contract with Clever and EduTone.
- KOKOMO DUTIES
4.1 The Kokomo will provide student data in compliance with the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. section 1232g and 34 C.F.R. 99, and California Education Code sections 49060-49085.
4.2 The following student data will be provided:
NAME, STUDENT ID, ADDRESS, GEOLOCATION, INCIDENT, CONTACT INFORMATION
- CONTRACTOR DUTIES
5.1 The Contractor will perform the following duties in regard to any student data it obtains:
5.1.1 Not disclose the information to any other party without the consent of the parent or eligible student;
5.1.2 Use the data for no purpose other than the work stated in this Agreement;
5.1.3 Allow the Kokomo access to any relevant records for purposes of completing authorized audits;
5.1.4 Require all employees, contractors and agents of any kind to comply with all applicable provisions of FERPA and other federal and California laws with respect to the data shared under this Agreement;
5.1.5 Designate in writing a single authorized representative able to request data under this Agreement. The authorized representative shall be responsible for transmitting all data requests and maintaining a log or other record of all data requested and received pursuant to this Agreement, including confirmation of the completion of any projects and the return or destruction of data as required by this Agreement. Kokomo or its agents may, upon request, review the records required to be kept under this section;
5.1.6 Maintain all data obtained pursuant to this Agreement in a secure computer environment and not copy, reproduce or transmit data obtained pursuant to this Agreement except as necessary to fulfill the purpose of this Agreement. All copies of data of any type, including any modifications or additions to data from any source that contains information regarding students, are subject to the provisions of this Agreement in the same manner as the original data. The ability to access or maintain data under this Agreement shall not under any circumstances transfer from Contractor to any other institution or entity;
5.1.7 Destroy or return all personally identifiable information obtained under this Agreement when it is no longer needed for the purpose for which it was obtained no later than 60 days after it is no longer needed. In the event Contractor destroys the PII, Contractor shall provide the Kokomo with certification of such destruction. Failure to return or destroy the PII will preclude Contractor from accessing personally identifiable student information for at least five years as provided for in 34 C.F.R. section 99.31(a)(6)(iv).
5.2 If Contractor is an operator of an Internet website, online service, online application, or mobile application, Contractor shall comply with the requirements of California Business and Professions Code section 22584 and Kokomo policy as follows:
5.2.1 Contractor shall not (i) knowingly engage in targeted advertising on the Contractor’s site, service or application to Kokomo students or their parents or legal guardians; (ii) use PII to amass a profile about a Kokomo student; (iii) sell information, including PII; or (iv) disclose PII without the Kokomo’s written permission.
5.2.2 Contractor will store and process Kokomo Data in accordance with commercial best practices, including appropriate administrative, physical, and technical safeguards, to secure such data from unauthorized access, disclosure, alteration, and use. Such measures will be no less protective than those used to secure Contractor’s own data of a similar type, and in no event less than reasonable in view of the type and nature of the data involved. Without limiting the foregoing, Contractor warrants that all electronic Kokomo Data will be encrypted in transmission using SSL [(Secure Sockets Layer)] [or insert other encrypting mechanism] (including via web interface) [and stored at no less than 128-bit level encryption]. “Encryption” means a technology or methodology that utilizes an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, and such confidential process or key that might enable decryption has not been breached, and shall have the meaning given to such term under HIPAA and HIPAA Regulations, including 45 CFR §164.304.
5.2.3 Contractor shall delete a student’s covered information upon request of the Kokomo.
5.2.4 Kokomo Data will not be stored outside the United States without prior written consent from the Kokomo.
5.3 Contractor shall comply with the Kokomo’s information security specifications prior to receiving any electronic transfers of pupil record information from any Kokomo-approved third party contractor, such as Clever or EduTone. Kokomo may require Contractor to provide documentation of compliance prior to any transmittal.
5.4 If Contractor will (1) provide cloud-based services which will involve digital storage of pupil records or (2) provide digital educational software that authorizes a third-party provider of digital educational software to access, store, and use pupil records, then, the following requirements in compliance with California Education Code section 49073.1 pertain:
5.4.1 The pupil records continue to be the property of and under the control of the Kokomo;
5.4.2 Contractor will not use any information in the pupil record for any purpose other than those required or specifically permitted by this Agreement.
5.4.3 In order for a parent, legal guardian or eligible pupil to review personally identifiable information in the pupil’s records and correct erroneous information, Contractor shall:
UPDATE ITS DATA ACCORDINGLY BASED ON FEEDS FROM THE SOURCES SUCH AS STUDENT MANAGEMENT SYSTEM AND OTHER LUASD SYSTEMS
5.4.4 Contractor shall take the following actions, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records: REGULAR TRAINING, INTERNAL AUDITS, REVIEW OF PRACTICE
5.4.5 Contractor shall use the following procedure for notifying the affected parent, legal guardian, or eligible pupil in the event of an unauthorized disclosure of the pupil’s records:
NOTIFY LAUSD ITD
5.4.6 Contractor certifies that it will not retain the pupil records upon completion of the services. Contractor will take the following actions to enforce this certification: RAW DATA IS STORED AND ONLY FEW AUTHORIZED PERSONNEL WILL GAIN ACCESS TO IT.
5.4.7 Contractor shall not use personally identifiable information in pupil records to engage in targeted advertising.
5.4.8 The following shall be considered a part of and required under this Agreement:
- The Kokomo’s Contractor Code of Conduct (http://achieve.lausd.net/cms/lib08/CA01000043/Centricity/Domain/218/5.%20%20CODE%20OF%20CONDUCT%20irfp.pdf)
- SB 1177 Student Online Personal Information Protection Act (SOPIPA)
5.5 Additional Contractor Duties Pertaining to Protected Information
5.5.1 In addition to any Contractor obligations stated elsewhere in this Agreement, Contractor shall notify the Kokomo in writing as soon as possible, but in no event more than two (2) business days, after Contractor becomes aware of any breach of or security Incident involving the Kokomo's PROTECTED INFORMATION (see Section 2.2). Contractor shall be deemed to be aware of any breach or security incident as of the first day on which such breach or security incident is known or reasonably should have been known to its officers, employees, agents or subcontractors. Contractor shall identify as soon as practicable each individual whose unsecured PROTECTED INFORMATION has been, or is reasonably believed by Contractor to have been, accessed, acquired, or disclosed during such breach or security incident. Contractor shall cooperate in good faith with the Kokomo in the investigation of any breach or security incident.
5.5.2 Contractor shall take prompt corrective action to remedy any breach or security incident, mitigate, to the extent practicable, any harmful effect of a use or disclosure of PROTECTED INFORMATION, and take any other action required by applicable federal and state laws and regulations pertaining to such breach or security incident.
5.5.3 Contractor will provide written notice to the Kokomo as soon as possible but no later than twenty (20) calendar days after discovery of the breach or security incident of the actions taken by Contractor to mitigate any harmful effect of such breach or security incident and the corrective action Contractor has taken or shall take to prevent future similar breaches or security incidents. Upon the Kokomo's request, Contractor will also provide to the Kokomo a copy of Contractor’s policies and procedures that pertain to the breach or security incident involving the Kokomo's PROTECTED INFORMATION, including procedures for curing any material breach of this Agreement.
5.5.4 Contractor shall make reasonable efforts to trace lost or translate indecipherable transmissions. Contractor shall bear all costs associated with the recreation of incomplete, lost or indecipherable transmissions if such loss is the result of an act or omission of Contractor.
5.5.5 Contractor shall take appropriate security measures to protect the confidentiality, integrity and availability of the Kokomo's PROTECTED INFORMATION that it creates receives, maintains, or transmits on behalf of the Kokomo and to prevent any use or disclosure of the Kokomo's INFORMATION other than as provided by the Agreement. Appropriate security measures include the implementation of the best practices as specified by the the ISO 27001/2, NIST, or similar security industry guidelines.
AUTHORIZATION FOR TRANSFER OF DATA.
6.1 The Kokomo hereby authorizes Contractor to receive the student data listed in Section 4.2.
6.2 Contractor agrees that Kokomo makes no warranty concerning the accuracy of the student data provided.
7.1 This Agreement shall be effective on the date the last party signs and shall be for an indefinite term to match any Contractor interactions with the Kokomo under which the Contractor receives student data.
7.2 Either party may terminate this Agreement for any reason at any time upon reasonable notice to the other party.
8.1 All notices required or permitted by this Agreement shall be in writing and shall be either personally delivered or sent by nationally-recognized overnight courier, facsimile or by registered or certified U.S. mail, postage prepaid, addressed as set forth below (except that a party may from time to time give notice changing the address for this purpose). A notice shall be effective on the date personally delivered, on the date delivered by a nationally-recognized overnight courier, on the date set forth on the receipt of a telecopy or facsimile, or upon the earlier of the date set forth on the receipt of registered or certified mail or on the fifth day after mailing.
8.2 Notices shall be delivered to the following:
Attention: Daniel Lee, CEO
2700 Patriot Blvd. Ste 250
Glenview, IL 60026
__________, ____ __________
TEL: (877) 565-6668
FAX: (877) 565-6668
IN WITNESS WHEREOF, the parties have executed this Agreement as of the last day noted below.
By: ______________________________________ Date: ________________
Title/Position: Daniel Lee, CEO