Information Technology Governance

Local Government Management Guide

Area #4 – Contracts and Service Level Agreements for IT Services

Local governments and schools often rely on third parties to provide a variety of IT-related services. For your protection and to avoid potential misunderstandings, there should be a written agreement between your local government or school and the IT service provider that specifies the level of service to be provided by the vendor and clearly states your needs and expectations, including those relating to the confidentiality and protection of personal, private and sensitive information.

In addition, it is very important for local governments and schools to know who (any vendor or subcontractor) has access to their personal, private and sensitive information, and to convey the security expectations to vendor(s) and subcontractor(s) through the written contract(s). Any legal requirements relating to the protection of specific type(s) of data (for example, PII or electronic health records) should also be considered, discussed with the vendor and included in the contract, as appropriate.

State Education Law and Regulations require educational agencies to include the following in any contract that involves sharing student, teacher or principal (shared) PII with the third-party contractor: [11]

  • A requirement to maintain the confidentiality of shared PII.
  • A bill of rights supplement that specifies (among other things):
    • The exclusive purposes for which shared PII will be used.
    • The contract’s duration and a description of what will happen to shared PII upon the contract’s expiration (e.g., whether, when and in what format it will be returned and/or whether, when and how it will be destroyed).
    • How shared PII will be protected using encryption while in motion and at rest.
  • The contractor’s data security and privacy plan that includes (among other things):
    • The administrative, operational and technical safeguards and practices to protect shared PII.
    • How officers and employees with shared PII access receive, or will receive, training on the laws governing confidentiality of that information.
    • Any use of subcontractors and how those relationships and contracts will be managed to ensure shared PII is protected.
    • How data security and privacy incidents that implicate shared PII will be managed, including any plans to identify breaches and unauthorized disclosures and to promptly notify the educational agency.

While contract terms begin to establish expectations, a service level agreement (SLA) should be used to further clarify those expectations and how performance will be measured. An SLA differs from a traditional written contract in that it should establish comprehensive, measurable performance targets and remedies for failing to meet them, so that there is a mutual understanding of the nature and required level of services to be provided. SLAs are a critical component of any IT system outsourcing or support contract. For example, if you contract with an IT vendor to administer patch management with the goal of ensuring that patches and updates released throughout the year are installed timely, the SLA should indicate exactly which operating system(s) and application(s) are covered and what “timely” means (e.g., is the expectation that patches be applied as soon as they are available, weekly or quarterly?). An SLA with a cloud service provider could, for example, state that an application will be available 99.95 percent of the time and allow the local government or school to reduce its payment by a given percentage if that availability is not achieved.

In our experience, many of the SLAs that local governments and schools enter into are vague in terms of the services contracted for and the expected quality of those services. Such vaguely worded agreements can, among other things, contribute to confusion over who has responsibility for various aspects of the IT environment (i.e., the local government/school or service provider), which ultimately puts the local government’s or school’s data and computer resources at greater risk for unauthorized access, misuse or loss. Generally speaking, the more specific the SLA, the better. There should be no uncertainty about what the service provider will deliver, when it will be delivered and how much it’s going to cost. A vague agreement can lead to additional or increasing costs you were not expecting.

Many IT service providers have standard SLAs – reflecting various levels of service at different prices – that can be a good starting point for negotiation. SLAs should be reviewed by the local government’s or school’s legal counsel and IT staff, as appropriate. They should also be periodically reexamined, especially if your IT environment or needs change significantly. Developing a good SLA takes some effort but can help avoid potentially costly misunderstandings and establish an efficient and secure computing environment.

Finally, local governments and schools should consult New York State Archives [12] guidance prior to entering into contracts, especially those relating to data storage services.


[11] Education Law Section 2-d(3)(c); 8 NYCRR 121.2(c), 121.3(c), 121.6(a)

[12] http://www.archives.nysed.gov/


The Information Technology Governance LGMG can be downloaded at https://www.osc.ny.gov/files/local-government/publications/pdf/information-technology-governance.pdf