FERPA Addendum
FERPA Addendum
THESE ADDITIONAL TERMS PERTAIN TO EDUCATIONAL INSTITUTIONS SUBJECT TO THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT ("FERPA ADDENDUM"). YOUR EXECUTION OF A CUSTOMER ORDER FOR SERVICES CONSTITUTES YOUR AGREEMENT TO BE BOUND BY THESE ADDITIONAL TERMS. YOU ACKNOWLEDGE AND AGREE THAT CENTRALREACH HAS THE RIGHT TO ESTABLISH TERMS FOR THE CONTINUED USE OF OUR SERVICES. ACCORDINGLY, CENTRALREACH RESERVES THE RIGHT TO MODIFY THESE TERMS FROM TIME TO TIME WITH OR WITHOUT NOTICE TO YOU. YOU AGREE THAT YOUR USE OF THE SERVICES CONSTITUTES YOUR AGREEMENT TO ANY SUCH MODIFICATION. TERMS NOT DEFINED HEREIN SHALL HAVE THE MEANING SET FORTH IN THE TERMS OF SERVICE AND ADDITIONAL AGREEMENTS AS APPLICABLE. IN THE EVENT OF ANY CONFLICT BETWEEN THE TERMS OF SERVICE AND OTHER ADDITIONAL AGREEMENTS AND THIS FERPA SERVICE ADDENDUM, THE TERMS OF THIS FERPA ADDENDUM SHALL CONTROL.
- Control of Data
CentralReach, in its role as a vendor to educational and behavior agencies and institutions (“Customers”), receives disclosures from the Customers of personally identifiable information (PII) and protected health information (PHI) contained in student records. Only information that is needed for CentralReach to perform services outsourced to it by the Customer are disclosed to CentralReach. These disclosures are authorized under the Family Educational Rights and Privacy Act (FERPA), a federal statute that regulates the privacy of student records by educational agencies that receive financial assistance from the U.S. Department of Education. CentralReach, as a contractor to the Customer, receives the disclosures on the same basis as school or employee officials employed by the Customer, consistent with FERPA regulations. Consistent with those regulations, CentralReach has a legitimate educational interest in the information to which it is given access because the information is needed to perform the outsourced service, and CentralReach is under the direct control of the Customer in using and maintaining the disclosed education records, consistent with the terms of its contract.
CentralReach is subject to the same conditions on use and re-disclosure of education records that govern all school officials, as provided in 34 CFR §99.33. In particular, CentralReach will ensure that only individuals that it employs or that are employed by its contractor or vendors, with legitimate educational interests - consistent with the purposes for which CentralReach obtained the information -- obtain access to PII and PHI from education records it maintains on behalf of the Customer. Further, CentralReach will not re-disclose PII or PHI without consent of a parent or an eligible student (meaning a student who is 18 years old or above or is enrolled in postsecondary education) unless the Customer has authorized the re-disclosure under a FERPA exception, and the Customer records the subsequent disclosure. An example of such a disclosure is when CentralReach is requested by a Customer to assist the Customer in the transfer of the student records from our system to another system.
CentralReach will not sell or otherwise use or re-disclose education records for targeted advertising or marketing purposes. CentralReach uses data within its products only to deliver the services contracted by Customers. Notwithstanding anything to the contrary contained in these terms or the Service Agreement, CentralReach may use protected health information and personally identifiable information to create de-identified data retaining any and all ownership claims related to the de-identified data it creates from protected health information and personally identifiable information. CentralReach may use, during and after the termination of the Service Agreement, all aggregated de-identified information, and de-identified data for purposes of enhancing the Services, technical support, analytics, reporting, and research and development, all in compliance with FERPA, including without limitation the limited data set and de-identification of information regulations. For more information on how CentralReach utilizes Customer data, please review our Product Privacy Policy.
- Changes to Customer Data
CentralReach does not own any of the student data or district-created data within its products. The data within the products are property of, and under the control of the Customer. The collection, input, use, retention, disposal, and disclosure of any information in our software applications are controlled solely by the Customer who license our products. CentralReach does not delete, change, or disclose any information from our software applications controlled by the Customer unless CentralReach receives a written and signed statement of work requesting such action, or upon termination of the Service Agreement. Students who wish to retain possession and control of their own pupil-generated content should contact the Customer. If the Customer is unable to fulfil the request of the student, CentralReach can assist at the direction and expense of the Customer. Any requests sent directly to CentralReach will be disclosed to the Customer to respond to as the Customer determines is appropriate.In the event any third party (including the eligible student or parent/guardian of the eligible student) seeks to access education records, CentralReach will inform the Customer of such request in writing. CentralReach shall not provide access to such data or information or respond to such requests unless compelled to do so by court order or lawfully issued subpoena from any court of competent jurisdiction or directed in writing to do so by the Customer. Should CentralReach receive a court order or lawfully issued subpoena seeking the release of such data or information, CentralReach shall provide notification, along with a copy thereof, to the Customer prior to releasing the requested data or information, unless such notification is prohibited by law or judicial and/or administrative order or subpoena.
If the Customer is unable to fulfil a request of an eligible student or parent/guardian to review the student's records, CentralReach can assist at the direction and expense of the Customer. In such an event where a parent, legal guardian, or eligible student seeks to make changes to the data within our products parents, legal guardians, or eligible students shall follow the procedures established by the Customer in accordance with FERPA. Generally these procedures establish the right to request an amendment of the student's education records that the parent or eligible student believes is inaccurate, misleading, or otherwise in violation of the student's privacy rights under FERPA. Parents or eligible students who wish to ask the Customer to amend their child's or their education record should write a Customer official (often a Principal or Superintendent), clearly identify the part of the record they want changed, and specify why it should be changed. If the Customer decides not to amend the record as requested by the parent or eligible student, the Customer will notify the parent or eligible student of the decision and of their right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures would be provided to the parent or eligible student when notified of the right to a hearing. CentralReach will not make determinations of whether records should be edited or otherwise changed, and will defer any decision on such changes to Customer.
- Security at CentralReach
CentralReach employs extensive technological and operational measures to ensure data security and privacy, including advanced security systems technology, physical access controls, and annual privacy training for employees and partners, and criminal background checks of all employees. Any information subject to this FERPA Addendum shall be safeguarded in accordance with the Service Agreement and CentralReach’s Privacy Policy. More information on CentralReach’s Security policies is available here.
- Termination of Service Agreement
In the event of termination of the Service Agreement, Customer is solely responsible for exporting all Customer Content prior to the termination of the Service Agreement (or last billing cycle). Customer can export data in an Excel (.XLS), Microsoft Word (.DOC), or Comma Separated Values File (.CSV) format depending on the module. Customer can seek support for data export prior to termination from CentralReach support staff, subject to any support costs. CentralReach will retain all Customer Content for a minimum of sixty (60) days after the termination of the Service Agreement, including those accounts terminated due to non-payment or inactivity, as a safeguard in case the Customer requires more time to export all Customer Content. This sixty (60) days is referred to herein as the "Data Retention Period". Customers will be responsible during this Data Retention Period to make any requests for additional data exports in writing to CentralReach at contracting@centralreach.com, as account access may be restricted during the Data Retention Period due to termination of the Services. After the Data Retention Period expires, CentralReach may remove or delete any Customer Content, including Customer Content that contains PHI or PII, and CentralReach shall not be responsible for any damage caused by said removal. It is the Customer's responsibility to comply with all privacy, data retention and other laws in its use of the Services, including FERPA and any other healthcare or other regulations relating to medical records or educational records, including without limitation any required time period relating to the retaining records. Notwithstanding the foregoing, CentralReach will not retain Customer Content longer than needed to provide the Services and satisfy other reasonable business purposes and limitations, such as: (i) complying with record retention obligations imposed on CentralReach under applicable law or our other; (ii) resolving disputes or enforcing our agreements; or (iii) for the purposes of backup, recovery, contingency planning or business continuity planning provided that such Customer Content, to the extent not permanently deleted or overwritten in the ordinary course of business, is not accessed except as required for backup, recovery, contingency planning or business continuity purposes.
- Other Terms
CentralReach may, from time to time, update this FERPA Addendum to be in compliance with evolving laws and regulations.
In the event of any conflict or ambiguity between any of the documents that form the Service Agreement, said conflict or ambiguity shall be resolved by giving precedence to the documents in the order outlined in the Terms of Service.
CentralReach and Customer agree that the Service Agreement is governed by the internal laws of the State wherein Customer is located (without regard to conflicts of law principles), and expressly agree that the state and federal courts sitting in that State shall have exclusive jurisdiction in any action arising out of or connected in any way to the Service Agreement or use of or access to the Services, and each party consents to personal jurisdiction of and venue in such matter.