Post on 24-Feb-2022


DATA SHARING AND CONFIDENTIALITY AGREEMENT INCLUDING

Bill of Rights for Data Privacy and Security AND

American Reading Company’s Information Regarding Data Privacy and Security

This Data Sharing and Confidentiality Agreement (the “Agreement”) is made and entered into by and between American Reading Company_________ (the “Vendor”) and Cattaraugus Little Valley Central School. WHEREAS, Cattaraugus Little Valley Central School and American Reading Company are parties to a contract (the “Contract”) pursuant to which American Reading Company will receive student data and/or teacher or principal data (“Protected Data”) that is protected under New York Education Law Section 2-d and Part 121 of the Regulations of the Commissioner of Education (collectively referred to as “Section 2-d”) from CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL for purposes of providing certain products or services to CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL; and WHEREAS, both CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL and American Reading Company are desirous of fulfilling their respective obligations under New York Education Law Section 2-d; NOW THEREFORE, in consideration of the mutual promises and covenants contained in the Contract, as well as this Agreement, the parties hereto mutually agree as follows:

1. Confidentiality

a. American Reading Company, its employees, and/or agents agree that all information obtained in connection with the services provided for in the Agreement is deemed confidential information.

b. American Reading Company further agrees to maintain the confidentiality of the Protected Data it receives in accordance with federal and state law and that any information obtained will not be revealed to any persons, firms or organizations.

2. Data Protections and Internal Controls

a. American Reading Company acknowledges that it may receive and/or come into contact with personally identifiable information, as defined by New York Education Law Section 2-d, from records maintained by CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL that directly relate to a student(s) (hereinafter referred to as “education record”).

b. American Reading Company understands and acknowledges that it shall have in place sufficient protections and internal controls to ensure that information is safeguarded in accordance with applicable laws and regulations, and understands and agrees that it is responsible for complying with state data security and privacy standards for all personally identifiable information from education records, and it shall:

DocuSign Envelope ID: 21ECE61A-5FA4-4F8E-8BEE-405BC4F7474C


1. Limit internal access to education records to those individuals that are determined to have legitimate educational interests; and

2. Not use the education records for any other purpose than those explicitly authorized in the Contract and/or Agreement; and

3. Maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of education records in its custody; and

4. Use encryption technology to protect Protected Data in its custody while in motion or at rest, using a technology or methodology specified by the secretary of the United States Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5.

3. Data Security and Privacy Plan

a. American Reading Company agrees to have a Data Security and Privacy Plan in place to protect the confidentiality, privacy and security of the Protected Data it receives from CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL.

b. American Reading Company understands and agrees that it is responsible for submitting a Data Security and Privacy Plan to CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL prior to the start of the term of the Agreement, and it shall:

1. Outline how all state, federal and local data security and privacy contract requirements will be implemented over the life of the contract consistent with CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL’s policy on data security and privacy, as adopted.

2. Outline specific administrative, operational and technical safeguards and practices in place to protect Protected Data that it receives from CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL under the Contract.

3. Outline the training requirement established by American Reading Company for all employees who will receive personally identifiable information from student records (hereinafter referred to as “student data”).

4. Notice of Breach and Unauthorized Release

a. In the event of a breach of this Agreement and unauthorized release of student data, American Reading Company shall:

1. Immediately notify CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL in the most expedient way possible and without unreasonable delay, but no more than seven (7) calendar days after American Reading Company has discovered or been informed of the breach or unauthorized release.


2. Advise CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL as to the nature of the breach and steps American Reading Company has taken to minimize said breach.

b. In the case of required notification to a parent or eligible student, American Reading Company shall:

1. Promptly reimburse CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL for the full costs of such notification.

c. American Reading Company will cooperate with CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL and provide as much information as possible directly to CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL about the incident, including but not limited to:

1. The description of the incident;

2. The date of the incident;

3. The date American Reading Company discovered or was informed of the incident;

4. A description of the types of Protected Data involved;

5. An estimate of the number of records affected;

6. The schools within CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL affected;

7. What American Reading Company has done or plans to do to investigate the incident, stop the breach and mitigate any further unauthorized access or release of Protected Data; and

8. The contact information for American Reading Company representatives who can assist affected individuals that may have additional questions.

d. American Reading Company shall indemnify and hold CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL harmless from any claims arising from its breach of the confidentiality and data security and privacy standards provisions of this Data Sharing and Confidentiality Agreement.

e. American Reading Company acknowledges that upon initial notification from American Reading Company, CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL, as the educational agency with which American Reading Company contracts, has an obligation under Section 2-d to in turn notify the Chief Privacy Officer in the New York State Education Department (“CPO”). American Reading Company agrees not to provide this notification to the CPO directly unless requested by CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL or otherwise required by law. In the event the CPO contacts American Reading Company directly or requests more information from American Reading Company regarding the incident after having been initially informed of the incident by CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL, American Reading Company will promptly inform CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL of the same.

5. American Reading Company’s Information

American Reading Company understands that as part of CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL’s obligations under New York Education Law Section 2-d, American Reading Company is responsible for providing CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL with American Reading Company information (see American Reading Company’s Information for Data Privacy and Security) to include:

a. Exclusive purposes for which the student data will be used;

b. How American Reading Company will ensure that subcontractors, persons or entities that American Reading Company will share the student data with, if any, will abide by data protection and security requirements;

c. That student data will be returned or destroyed upon expiration of the Agreement;

d. If and how a parent, student, or eligible teacher may challenge the accuracy of the student/teacher data that is collected; and

e. Where the student data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.

6. Termination or Expiration of Contract and/or Agreement

a. Upon termination of the Agreement, American Reading Company shall return or destroy all confidential information obtained in connection with the services provided therein and/or student data. Destruction of the confidential information and/or student data shall be accomplished utilizing an approved method of confidential destruction, including shredding, burning or certified/witnessed destruction of physical materials and verified erasure of magnetic media using approved methods of electronic file destruction. The parties further agree that the terms and conditions set forth herein shall survive the expiration and/or termination of the Agreement.

b. If requested by CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL, American Reading Company will assist CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL in exporting all Protected Data previously received back to CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL for its own use, prior to deletion, in such formats as may be requested by CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL.

c. In the event the Contract is assigned to a successor Vendor (to the extent authorized by the Contract), American Reading Company will cooperate with CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL as necessary to transition Protected Data to the successor Vendor prior to deletion.


d. Neither American Reading Company nor any of its subcontractors or other authorized persons or entities to whom it has disclosed Protected Data will retain any Protected Data, copies, summaries or extracts of the Protected Data, or any de-identified Protected Data, on any storage medium whatsoever. Upon request, American Reading Company and/or its subcontractors or other authorized persons or entities to whom it has disclosed Protected Data, as applicable, will provide CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL with a certification from an appropriate officer that these requirements have been satisfied in full.


PARENTS’ BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY

CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL is committed to protecting the privacy and security of student data and teacher and principal data. In accordance with New York Education Law Section 2-d and its implementing regulations, CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL informs the school community of the following:

1. A student's personally identifiable information cannot be sold or released for any commercial purposes.

2. Parents have the right to inspect and review the complete contents of their child's education record.

3. State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when data is stored or transferred.

4. A complete list of all student data elements collected by New York State is available for public review at the following website http://www.nysed.gov/data-privacy-security/student-data-inventory or by writing to the Office of Information and Reporting Services, New York State Education Department, Room 865 EBA, 89 Washington Avenue, Albany, New York 12234.

5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed in writing to CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL Data Privacy Officer, 25 North Franklin Street, Cattaraugus, New York 14719 or by using the form available at the following website: https://caboces.org/resources/new-york-state-education-law-2d/report-an-improper-disclosure/. Complaints may also be directed in writing to Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, New York 12234 or by using the form available at the following website: http://www.nysed.gov/data-privacy-security/report-improper-disclosure

IN WITNESS WHEREOF, the parties hereto have executed this agreement as of the day and year first written above.

Authorized American Reading Company Signature

Date 7/1/2020

Authorized CATTARAUGUS LITTLE VALLEY CENTRAL SCHOOL Signature

Date 4/9/2021

AMERICAN READING COMPANY INFORMATION REGARDING DATA PRIVACY AND SECURITY

American Reading Company:

Product: SchoolPace Connect (includes ARC Adventures)

Collects: ☒ Student Data ☐ Teacher or Principal Data ☐ Does not collect either

Educational agencies including Cattaraugus-Allegany-Erie-Wyoming BOCES are required to post information about third-party contracts on the agency’s website with the Parents Bill of Rights. To that end, please complete the table below with information relevant to NYS Education Law 2-d and Part 121.3 of the Commissioner’s Regulations. Note that this applies to all software applications and to mobile applications (“apps”).

Part 1: Exclusive Purposes for Data Use

The exclusive purposes for which the student data (or teacher or principal data) will be used by the third-party contractor: Please see American Reading Company’s New York State Ed Law 2-D compliance doc attached.

Part 2: Subcontractor Oversight Details – Select the appropriate option below.

☐ This contract has no subcontractors.

☒ This contract has subcontractors. As such, the third-party contractor will take the following steps to ensure that any subcontractors, assignees, or other agents who see, or receive, this protected data are contractually required to obey the same data protection and security requirements that the third-party contractor is required to obey under state and federal law: Please see American Reading Company’s New York State Ed Law 2-D compliance doc attached.

Part 3: Contract Lifecycle Practices

The contract expires on _______________________ unless renewed or automatically extended for a term pursuant to the agreement. When the contract expires, protected data will be deleted by the contractor, via shredding, returning of data, mass deletion, and upon request, may be exported for use by Sa before deletion.

Part 4: Student Educational Records / Improper Disclosure

A. For information on FERPA (Family Educational Rights and Privacy Act), which is the federal law that protects the privacy of student education records, visit the U.S. Department of Education FERPA website.

B. A complaint or report of improper disclosure may be completed by submitting the Improper Disclosure Report form.

Part 5: Security Practices

A. Protected data provided to the contractor will be stored: (include where and how) Please see American Reading Company’s New York State Ed Law 2-D compliance doc attached.

B. The security protections taken to ensure data will be protected that align with the NIST Cybersecurity Framework and industry best practices include: Please see American Reading Company’s New York State Ed Law 2-D compliance doc attached.

Part 6: Encryption Practices

☒ By checking this box, contractor certifies that data encryption is applied in accordance with NYS Education Law Section 2-d 5(f)(5).


American Reading Company Compliance with Supplemental Information Regarding Third-Party Contractors

New York State Ed Law 2-D

For purposes of further ensuring confidentiality and security of student data, as an appendix to the Parents’ Bill of Rights each contract an educational agency enters into with a third party contractor shall include the following supplemental information:

American Reading Company's digital products, including SchoolPace, SchoolPace Connect, ARC Bookshelf, and ARC Adventures, comply with New York State Ed Law 2-d.

1. The exclusive purposes for which the student data, or teacher or principal data, will be used;

a. SchoolPace

i. Teachers use SchoolPace to assess student progress. While conferencing with students, teachers record observations about student learning. Teachers have access to charts, graphs, and other reports that aggregate student progress data for the students in their classrooms.

ii. School administrators use SchoolPace to monitor the progress of students, classrooms, and student groups within their school.

iii. District administrators use SchoolPace to monitor the progress of students, classrooms, student groups, and schools within their district.

iv. American Reading Company’s team of professional developers use SchoolPace to generate reports for the schools they service, in accordance with district contracts and data sharing agreements.

v. American Reading Company’s technical support team uses SchoolPace to configure rosters, settings, and reports for the districts they service. In addition, the technical support team may access data to troubleshoot customer concerns.

vi. Students use SchoolPace to view their own progress and view coaching tips tailored to their current progress. No personally identifiable information (PII) is collected from students directly.

vii. Family members use SchoolPace to view the progress of their student(s) and view coaching tips tailored to the current progress of their student(s). No personally identifiable information (PII) is collected from family members directly.

b. SchoolPace Connect

i. Teachers, administrators, students, and families use SchoolPace Connect to access digital resources, lessons, and videos from American Reading Company. Rostering data is used to provide the correct content to each teacher and student. Analytics data tracks which users have accessed each resource, and how long each resource was used.

c. ARC Bookshelf

i. Teachers and students use ARC Bookshelf to access digital books. Rostering data is used to provision the correct books to each teacher and student. Analytics data tracks which users have accessed each digital book, how much time was spent on each page, and other data.

d. ARC Adventures


i. Students play the ARC Adventures game to practice foundational reading skills. Rostering and SchoolPace performance data is used to determine the appropriate level and area of practice for each student. Analytics data tracks which students have accessed the game, and tracks progress throughout each play session.

2. How the third party contractor will ensure that the subcontractors, persons or entities that the third party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements;

a. All American Reading Company employees who have access to student, teacher, or principal data are trained on data safe-handling and privacy protection during semi-annual conferences.

b. All American Reading Company employees are required to sign an acceptable use policy for data-handling and information technology usage.

c. American Reading Company uses the following sub-contractors for hosting and cloud services. Through the use of encryption and restricted access to physical devices, neither of the following sub-contractors has access to district data in any form at any time.

i. TrueNet (Data Center): 24 Hagerty Blvd #10, West Chester, PA, 19382, (610) 429-8300

ii. Microsoft Azure (Cloud Platform): One Microsoft Way, Redmond, WA, 98052, (800) 426-9400

3. When the agreement with the third party contractor expires and what happens to the student data or teacher or principal data upon expiration of the agreement;

a. American Reading Company's digital product licenses end on June 30 unless renewed.

b. SchoolPace data may be exported to CSV or Excel format at the end of the agreement and provided to district IT staff.

c. Data stored in American Reading Company's digital products will be available throughout the licensing period. If a district chooses not to renew their subscription(s), data will remain available in backup form for no more than 30 days after the licensing period ends. Deletion of district data is triggered automatically 30 days after the expiration date of the district's digital product subscription(s).

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected;

a. Reviewing Student Records: SchoolPace includes several printable reports, including the IRLA Home Update, Student History Report, and Status of the Class, that may be printed by district personnel for review by a parent, legal guardian, or eligible pupil. In addition, parents, legal guardians, and eligible pupils may contact their school directly to request a review of student records.

b. Correcting Student Records: If erroneous information is found in student records, parents, legal guardians, and eligible pupils may contact the district to request a modification of the erroneous records. For districts using an automated rostering solution, the incorrect student records will need to be modified in the root SIS system. Changes will be synchronized to SchoolPace within 24 hours. For districts not using an automated rostering solution, district personnel may make corrections to student records directly in the SchoolPace interface.

5. Where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.


a. American Reading Company's digital products adhere to the following security and disaster recovery practices:

i. All web-based services and RESTful API calls use TLS 1.2 security.

ii. All personally identifiable information stored in MySQL is encrypted at rest using InnoDB tablespace encryption.

iii. ARC digital products offer access for teachers, school administrators, and district administrators as identified by the district. Users in each of those security groups have access to only those student records in their scope of responsibility.

iv. For districts using Clever Instant Login or Classlink OneClick Single Sign-On, the district maintains real-time control of all user credentials. For districts not using one of our supported single sign-on solutions, districts may assign usernames and passwords up to 128 characters. All passwords are stored using BCrypt encryption.

v. The TrueNet data center includes biometric door locks coupled with NFC cards. All server cabinets are locked.

vi. Servers at the TrueNet data center have dual power supplies connected to separate power circuits with battery backup.

vii. All data at the TrueNet data center is stored on striped and mirrored hard drives for redundancy.

viii. All digital product data is replicated to multiple database servers behind our firewalls.

ix. All data is backed up daily using Dell RapidRecovery, encrypted, and transferred securely to ARC’s headquarters.

x. All employees who might require access to secure data are provided training on safe-handling procedures.


ARC Digital Products Security and Privacy

Security and Disaster Recovery

ARC digital products adhere to the following security and disaster recovery practices:

• All web-based services and RESTful API calls use TLS 1.2 security.

• All personally identifiable information stored in MySQL is encrypted at rest using InnoDB tablespace encryption.

• ARC digital products offer access for teachers, school administrators, and district administrators as identified by the district. Users in each of those security groups have access to only those student records in their scope of responsibility.

• For districts using Clever Instant Login or Classlink OneClick Single Sign-On, the district maintains real-time control of all user credentials. For districts not using one of our supported single sign-on solutions, districts may assign usernames and passwords up to 128 characters. All passwords are stored using BCrypt encryption.

• The TrueNet data center includes biometric door locks coupled with NFC cards. All server cabinets are locked.

• Servers at the TrueNet data center have dual power supplies connected to separate power circuits with battery backup.

• All data at the TrueNet data center is stored on striped and mirrored hard drives for redundancy.

• All digital product data is replicated to multiple database servers behind our firewalls.

• All data is backed up daily using Dell RapidRecovery, encrypted, and transferred securely to ARC’s headquarters.

• All employees who might require access to secure data are provided training on safe-handling procedures.


Privacy

The complete privacy policy for ARC digital products can be found online at https://www.schoolpace.com/privacy.html.

• Data stored in ARC digital products remains the property of the district, and is protected by several policies to ensure privacy.

• American Reading Company does not share district data with any third parties unless requested by district administration.

• FERPA Compliance: American Reading Company's software products meet the requirements of FERPA. Acting as a school official with legitimate educational interests, American Reading Company receives basic directory information from the district in order to populate ARC digital products with student rosters. To facilitate information review by parents, legal guardians, and eligible pupils, ARC digital products include several printable reports, including the Student History Report and Status of the Class, that may be printed by district staff. If erroneous information is found in student records, parents, legal guardians, and eligible pupils may contact the district to request a modification of the erroneous records. For districts using an automated rostering solution, the incorrect student records will need to be modified in the root SIS system. Changes will be synchronized to American Reading Company's software platform within 24 hours. For districts not using an automated rostering solution, district personnel may make corrections to student records directly in American Reading Company's software platforms.

• COPPA Compliance: American Reading Company's software products meet the requirements of COPPA. All of American Reading Company's software products are marketed and sold to schools and districts, not directly to students. No personal data is collected from students, and students are never prompted to enter any personal information. Any rostering and demographic data used to populate class lists and other constructs is entered by authorized district or school personnel.

• CIPA Compliance: American Reading Company's software products meet the requirements of CIPA. At the time of this writing, American Reading Company offers three software products, SchoolPace Connect, ARC Bookshelf and ARC Adventures, that are used directly by students. These products do not offer open or unfiltered access to Internet resources. Rather, they are curated collections of curricular resources, digital books and foundational skills practice activities, respectively. This content has been vetted for age appropriateness.

• ARC’s support and development teams may access student records for support and troubleshooting purposes. Members of American Reading Company's professional development team, who are assigned to the district, may access student data for review with district leadership, and for training purposes. Only those American Reading Company employees, defined above, who require access to the district's student data in order to fulfill the terms of the contract are granted access.

• All American Reading Company employees who are granted access to student data are trained in the safe-handling of student records. Among other provisions, employees are trained to never send or request student information via email or other insecure messaging solutions, never share access, and never store exported student records on laptops, desktops, or mobile devices at any time.


Handling of Breaches, Data Privacy Incidents, and Security Incidents

• Cyber Security Insurance: American Reading Company is protected by a cyber security policy provided by CNA. The individual event and aggregate coverage limits for this policy are both $5,000,000.

• Audit Logs: ARC digital products collect a variety of audit logs of user activity. Logs are retained until the end of the agreement term with each customer. These logs include, but are not limited to, the following activities:

o For every user log in, the user identifier, IP address, and timestamp are recorded.

o Each insert, update, and deletion of data is logged with a user identifier and timestamp.

o The viewing of documents, digital books, and videos is logged with a user identifier and timestamp.

o The exporting of artifacts including PDF files, CSV files, and Excel files is logged with a user identifier and timestamp.

• Error Logs and Access Logs: All system logs, including error logs and server access logs, are captured and aggregated on a third-party log aggregator, NewRelic.

• Intrusion Detection and Prevention: ARC digital products are hosted behind redundant SonicWall network security appliances. These appliances apply the following intrusion detection and prevention safeguards:

o Firewall with Deep Packet Inspection (DPI)

o SonicWall Intrusion Prevention Service (IPS)

• Notification: Upon detection of a data breach, American Reading Company will send an email and place a phone call to the designated security contact for the affected school district within 24 hours. If no security contact is specified, American Reading Company will notify the district's IT department. Notifications will include:

o The nature of the breach.

o The number of PII records affected.

o A description of how the breach was identified.


Data Sharing

American Reading Company receives basic directory information from the district in order to populate our digital products with student rosters. This rostering data is used to create schools, classrooms, and student records in our databases. This basic rostering data is necessary to allow teachers and administrators to collect reading performance data, view reports based on this data, and provide access to appropriate resources and content. The following data is collected:

Students:

• Student Identification Number

• Prefix *

• First Name

• Middle Name *

• Last Name

• Suffix *

• Gender *

• Ethnicity *

• Date of Birth *

• Grade

• Classroom Assignments

Teachers and Administrators:

• Prefix *

• First Name

• Middle Name *

• Last Name

• Suffix *

• Email Address *

• Security Level (Teacher, School Administrator, District Administrator)

• Classroom Assignments

Items marked with an asterisk ( * ) are optional.
