Check out the CA Student Privacy Alliance and CA Student Data Privacy Agreement
Effective January 1, 2015, here are the nine requirements that a contract must include:
1. A statement that pupil records continue to be the property of and under the control of the local educational agency.
2. A description of the means by which pupils may retain possession and control of their own pupil-generated content, if applicable, including options by which a pupil may transfer pupil-generated content to a personal account.
3. A prohibition against the third party using any information in the pupil record for any purpose other than those required or specifically permitted by the contract.
4. A description of the procedures by which a parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil’s records and correct erroneous information.
5. A description of the actions the third party will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records. Compliance with this requirement shall not, in itself, absolve the third party of liability in the event of an unauthorized disclosure of pupil records.
6. A description of the procedures for notifying the affected parent, legal guardian, or eligible pupil in the event of an unauthorized disclosure of the pupil’s records.
7. A. A certification that a pupil’s records shall not be retained or available to the third party upon completion of the terms of the contract and a description of how that certification will be enforced; and
B. The requirements provided in subparagraph (A) shall not apply to pupil-generated content if the pupil chooses to establish or maintain an account with the third party for the purpose of storing that content pursuant to paragraph (2).
8. A description of how the local educational agency and the third party will jointly ensure compliance with the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g).
9. A prohibition against the third party using personally identifiable information in pupil records to engage in targeted advertising.