Media Library (4)

North Carolina Implements Stringent Data Security Standards for Third-Party Vendors Handling Student Information

For much of the past decade, states have been implementing new laws and policies to protect the privacy and safety of student data.  Most recently, the state of North Carolina’s Department of Public Instruction (NCDPI) launched new data security standards for any technology or system that receives student information from a state system.  Going into effect on August 1, 2023, this statewide policy design and intent is to ensure that public school units (PSU) have the resources they need to adequately evaluate the security readiness of vendor partners. In an effort to prevent cybersecurity threats in ed tech platforms and tools, NCDPI implemented a new process that impacts third-party vendors at a PSU.  In short, third-party vendors will be required do the following: 

  • Sign the DPI Data Confidentiality and Security Agreement, with no modifications.
  • Articulate which statewide systems they will connect to, data fields requested and rational for collection, and how that data will be restricted to users who have a legitimate business need, and a description of any data written back to a statewide system.
  • Submit security documentation including a vendor readiness assessment report, a third-party conducted assessment report (FedRAMP authorization, ISO 27001 certification, or others) no less than 12 months old, and alignment against the NC DIT Statewide Information Security Manual.
  • Provide additional documentation if not in compliance with the Statewide Information Security Manual. 

Third-party vendors that are contracted or renewed after August 1, 2023 will have to be evaluated with the aforementioned steps, before it can be integrated in the PSU. Vendors that do not comply with the security requirements for integration will not be allowed to receive student data from the PSU.  

SIIA raised concerns with the new policy and requested additional guidance via a letter on  June 20, 2023. We received a response on July 12, 2023 with direct answers to our questions, to which SIIA responded via another letter on July 25, 2023. We are posting these answers for the broader public in case they are of assistance. Further, SIIA participated in a public meeting/call with NCDPI on June 22, 2023, however, there is no recording of that call.  There is still much confusion on this and we look forward to working with our members and the state of North Carolina to make sure student data is protected.  

If you have any additional questions, please contact our education policy team at education@siia.net.

NCDPI Response
SIIA's Letter
StatementBlog Media (5)

SIIA’s Comments Regarding Proposed Regulations Under the Department of Education’s (ED) Negotiated Rulemaking Process

Software & Information Industry Association (SIIA) writes to comment on the proposed regulations under the Department of Education’s (ED) negotiated rulemaking process (“neg reg”).

The Department has recently sought feedback related to Third-Party Servicers (TPS), and what constitutes a TPS at an institute of higher education. As noted in SIIA’s comments, ed tech companies should not be considered a TPS when not directly carrying out functions under Title IV. The original functions of a TPS, as provided by statute, are more specific to the focus being related to Title IV of the HEA.

The statute provides clear guidance to what functions and responsibilities are needed to be considered a TPS. Many of SIIA’s member companies provide services that are non-Title IV functions, such as providing software, digital services, processing systems, and computer software equipment. SIIA recommends ED continue to abide by the original definition of TPS when going through the neg reg process.

Read Full Letter Here
Media Library (26)

TECH& with Carlton Vreen, SIIA member and Make it Home Safe Founder

Traffic stops are one of the most dangerous functions in police work and can affect the motorist and officer. Make it Home Safe mobile application can decrease the potential for a negative or tragic outcome by using real-time remote identity to increase safety and transparency.

Carlton Vreen, SIIA member and Make it Home Safe Founder, chats with Danny Bounds, SIIA Education Technology Policy Manager, about the mobile app to help create a safer environment for police officers and motorists.

Download the app now. With the help of Make it Home Safe, we can get more people home safe.

Learn More about Make it Home Safe

Watch the full conversation here