North Carolina Implements Stringent Data Security Standards for Third-Party Vendors Handling Student Information

For much of the past decade, states have been implementing new laws and policies to protect the privacy and safety of student data. Most recently, the state of North Carolina’s Department of Public Instruction (NCDPI) launched new data security standards for any technology or system that receives student information from a state system. Going into effect on August 1, 2023, this statewide policy is designed and intended to ensure that public school units (PSU) have the resources they need to adequately evaluate the security readiness of vendor partners. In an effort to prevent cybersecurity threats in ed tech platforms and tools, NCDPI implemented a new process that impacts third-party vendors at a PSU. In short, third-party vendors will be required to do the following:

  • Sign the DPI Data Confidentiality and Security Agreement, with no modifications.
  • Articulate which statewide systems they will connect to, the data fields requested and the rationale for collection, and how that data will be restricted to users who have a legitimate business need, and provide a description of any data written back to a statewide system.
  • Submit security documentation including a vendor readiness assessment report, a third-party conducted assessment report (FedRAMP authorization, ISO 27001 certification, or others) no less than 12 months old, and alignment against the NC DIT Statewide Information Security Manual.
  • Provide additional documentation if not in compliance with the Statewide Information Security Manual. 

Third-party vendors that are contracted or renewed after August 1, 2023 will have to be evaluated using the aforementioned steps before they can be integrated in the PSU. Vendors that do not comply with the security requirements for integration will not be allowed to receive student data from the PSU.

SIIA raised concerns with the new policy and requested additional guidance via a letter on June 20, 2023. We received a response on July 12, 2023 with direct answers to our questions, to which SIIA responded via another letter on July 25, 2023. We are posting these answers for the broader public in case they are of assistance. Further, SIIA participated in a public meeting/call with NCDPI on June 22, 2023; however, there is no recording of that call. There is still much confusion on this, and we look forward to working with our members and the state of North Carolina to make sure student data is protected.

If you have any additional questions, please contact our education policy team at education@siia.net.
