Software & Information Industry Association (SIIA) expresses appreciation for the efforts of the North Carolina Department of Public Instruction (NCDPI) in safeguarding student data. However, SIIA raises several concerns regarding the recently updated “Data Confidentiality and Security Agreement for Online Service Providers and Public School Units.” The concerns include:

1. 1. The time-consuming requirement for advanced approval by public school units (PSUs) for subcontractor use and data sharing, suggesting an alternative of obligating subcontractors to follow privacy and security requirements.
   2. The definition of shared data extending beyond legal frameworks, recommending alignment with state and federal laws.
   3. Operational difficulties in meeting the 24-hour breach disclosure timeframe, proposing an extension to at least 72 hours after breach confirmation.
   4. Lack of a nondisclosure agreement between NCDPI and vendors, suggesting an inherent and written duty of confidentiality when confidential information is requested.
   5. Inconsistency between NCDPI’s statement on no changes to the Agreement and the Authorization to Operate Letter allowing PSU’s acceptance of vendor modifications, recommending more flexibility.
   6. Inadequate time for vendor compliance with third-party assessment standards, proposing a more lenient timeframe aligned with state education funding deadlines.
   7. Impracticality of third-party penetration tests, suggesting the use of non-confidential reports from recognized cybersecurity frameworks.
   8. Contradiction with NC’s student data privacy statute regarding ownership of de-identified, aggregated data and metadata, recommending compliance with applicable state law.
   9. Lack of clarity in the timeline for data destruction post-subscription termination, suggesting adherence to the vendor’s data retention policy or customer request.

The letter concludes with additional questions related to approved third-party assessments, protections under the Public Records Act, a grayed-out section in the “Process Overview Flow Chart,” and the adequacy of an ISO 27001 certificate for NCDPI’s requirements.