Global Grid for Learning (“GG4L”, “we”, “us”, “our”) provides access to our services (“platforms”, “products”, “services”) to school districts and others for the purposes of delivering education-related products. We operate our services and use data provided by a school district only to deliver the products, services and capabilities contracted by the district.
We are an approved signatory of the Student Data Privacy Pledge, a recipient of the IMS TrustEd Apps Seal and a member of the Student Data Privacy Consortium.
It is important to note that data ownership of district data at all times and in all circumstances remains exclusively with the school district. As a school district, you have complete control of and responsibility for your data. If you have questions about or need help with your data, just ask us.
- 1. Information we collect
- 2. Disclosure of data
- 3. Use of personal information for administrative accounts
- 4. Use of cookies
- 5. Student data privacy and protecting children online
- 6. Our handling of Student Data
- 7. Data security, retention and disposal
- 8. Business transfers
- 9. Limits of our policy
- 10. Changes to this policy
- 11. Contact Information
1. Information we collect
We collect and process information only where we have a legal basis for doing so and use information only where:
- it’s necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract,
- it satisfies a legitimate interest which is not overridden by your data protection interests such as improving our service,
- you give us consent to do so for a specific purpose, or
- we need to process your data to comply with a legal obligation.
When you consent to our collection and use of data for a specific purpose, you have the right to change your mind at any time and direct us to (1) stop collecting new data and (2) delete all data already collected. This may affect your ability to use our services and it may affect any processing that has already taken place.
We don’t keep data for longer than it is necessary. While we retain data, we will protect it to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or modification. If necessary, we may retain data for compliance with a legal obligation.
Student data
As a necessary part of our services, we ingest data about students. Student data refers to roster and other operational data associated with a student that is provided to GG4L by a school district for the purposes of providing our services. Student data may contain student personally identifiable information (PII). Student data is, and at all times remains, the property of the school district and is under the district’s full control.
Unless otherwise stated in your contract with us, the data we collect is defined by OneRoster V1.1 or the Ed Fi standard. Data can be loaded into the service in three possible ways: a) upload from the UI of Connect, b) SFTP upload of CSV files, or 3) an API pull from the SIS, Ed Fi or other system.
School district operational data
As a necessary part of our services, we may ingest a broader data set about the school district. Roster and other data provided to us by a school district may contain operational data about staff, guardians, facilities, finances, etc. District operational data may contain personally identifiable information (PII). District operational data is, and at all times remains, the property of the school district and is under the district’s full control.
Unless otherwise stated in your contract with us, the data we collect is defined by OneRoster V1.1 or the Ed Fi standard. Data can be loaded into the service in three possible ways: a) upload from the UI of Connect, b) SFTP upload of CSV files, or 3) an API pull from the SIS, Ed Fi or other system.
Log data
When an administrator visits our services, our servers may automatically log standard data provided by the web browser. It may include the computer’s Internet Protocol (IP) address, the browser type and version, the pages visited, the time and date of access, the time spent on each page, and other details.
Device data
We may also collect data about the device used to access our services. This data may include the device type, operating system, unique device identifiers, device settings, and geo-location data. What we collect can depend on the individual settings of your device and software. We recommend checking the policies of the device manufacturer or software provider to learn what information they make available to us.
Personal information for administrative users of the service
We may ask for personal information about administrators, such as:
- Name
- Date of birth
- Phone/mobile number
- Work address
- Website address
Business data
Business data refers to data that accumulates over the normal course of operation on our platforms. This may include transaction records, stored files, user profiles, analytics data and other metrics, as well as other types of information, created or generated, as users and systems interact with our services.
2. Disclosure of data
GG4L does not sell or disclose data to third parties for sales, marketing or similar commercial purposes. We may disclose data during the normal course of operating our business and services to
- third-parties authorized by the district to use their data such as edtech vendors and services,
- service providers for the purpose of enabling them to provide their services in support of School Passport, including (without limitation) IT service providers, analytics, error loggers, maintenance or problem-solving providers, and professional advisors,
- our employees, contractors and/or related entities, while supporting School Passport and
- courts, tribunals, regulatory authorities and law enforcement officers, as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights.
Amazon AWS is our cloud services provider and hosts our technology and data systems. Amazon does not have authorized access to our systems or data. We don’t intentionally disclose data to Amazon.
School district contract compliance
Employees, contractors, service providers and partners working with GG4L must comply with the terms of our agreements with the school district.
Disclosure of data to third parties is always under school district control
Operating as the agent of a school district, our services may share data with third-party applications and services at the request of, and under the control of, the school district.
The list of possible and currently active, third-party data consumers is available to the district administrator through our platform’s administration console. This is where the specifics of third-party data sharing configurations and agreements can be reviewed and managed. The district administrator has full, granular control of which data elements are shared and with whom they are shared.
GG4L only shares data with third parties who adhere to our security and privacy policies.
GG4L never shares data with third-parties without direction from the school district.
A school district can terminate any third party data sharing agreement at any time. This may affect or terminate the district’s ability to use the associated application or service.
Notification of changes to disclosure terms or conditions
This policy document will be changed, and the policy change notification procedure will be followed, if the terms of data disclosure or third-party access change.
3. Use of personal information for administrative accounts
We may collect, hold, use and disclose information about a platform administrator for the following purposes.
- to provide you with our platform’s core features,
- to enable you to access and use our service, associated applications and associated platforms,
- to contact and communicate with you,
- for internal record keeping and administrative purposes, and
- to comply with our legal obligations and resolve any disputes that we may have.
Choice and consent: We expect that anyone administering our services is an adult, authorized by the school district to do so and is over 18 years of age. GG4L does not knowingly provide administrative access to the service to users under 18 years of age without the appropriate consent of a guardian or authorized authority. If you are under 18 years of age, you must have, and warrant to the extent permitted by law to us, that you have your parent or legal guardian’s permission to access and use the service and they (your parents or guardian) have consented to you providing us with your personal information. By providing personal information to us, you consent to us collecting, holding, using and disclosing your personal information in accordance with this privacy policy. You do not have to provide personal information to us, however, if you do not, it may affect your use of this service or the products and/or services offered on or through it.
Information from third parties: If we receive personal information about you from a third party, we will protect it as outlined in this privacy policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person’s consent to provide the personal information to us.
Restrict: You may choose to restrict the collection or use of your personal information. If you have previously agreed to us using your personal information, you may change your mind at any time by contacting us. If you ask us to restrict or limit how we process your personal information, this may affect your use of our products and services.
Access and data portability: You may request details of the personal information that we hold about you. Where possible, we will provide this information in CSV format or other easily readable machine format. You may request that we erase the personal information we hold about you at any time. You may also request that we transfer this personal information to another third party.
Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading or out of date.
Notification of data breaches: We will comply with laws applicable to us in respect of any data breach.
Complaints: If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to contact a regulatory body or data protection authority in relation to your complaint.
Unsubscribe: To unsubscribe or opt-out of communications, please contact us using the details below or opt-out using the opt-out facilities provided in the communication. Unsubscribing to certain communications may affect your use of the service or the products and/or services offered on or through it.
4. Use of cookies
Typically, “cookies” collect information about you and your activity across a service. A cookie is a small piece of data that a service stores on your computer and accesses each time you visit.
Types of cookies our services may use
Essential cookies
Essential cookies are crucial to your experience of our services, enabling core features like user logins and account management. We may use essential cookies to enable certain functions.
Performance cookies
Performance cookies are used in the tracking of how you use our services without collecting personal information about you. Typically, this information is anonymous and aggregated with information tracked across all service users, to help us understand usage patterns, identify and diagnose problems or errors users may encounter, and make better strategic decisions in improving overall user experience.
Functionality cookies
Functionality cookies are used in collecting information about your device and any settings you may configure, like language and time zone settings. With this information, we can provide you with customized, enhanced or optimized content and services.
If you do not wish to accept cookies from us, you can instruct your browser to refuse cookies. Most browsers are configured to accept cookies by default, but you can update these settings to either refuse cookies altogether, or to notify you when a website is trying to set or update a cookie.
If you browse websites from multiple devices, you may need to update your settings on each individual device.
Blocking cookies may mean you are unable to use certain features and content.
5. Student data privacy and protecting children online
FERPA
GG4L uses and shares data only under the direction of, and on behalf of, the school district. We make no other use of, or disclosure of, the district’s data.
- GG4L makes data available to third parties solely at the direction of and under the control of the school district.
- The school district is responsible for appropriate use of GG4L services and must establish internal policies to ensure FERPA compliance.
- GG4L employees and contractors of GG4L do not typically see the contents of individual student (or other) records unless this is required for troubleshooting or assisting the school district. GG4L personnel are trained in protecting data in a FERPA compliant manner.
- GG4L complies with Title 34, Chapter 99 of the Code of Federal Regulations. The responsibilities of GG4L can be reviewed here https://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf and here https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=34:1.1.1.1.33.
COPPA
GG4L does not knowingly collect information from children under the age of 13 without the legal consent of a parent or guardian.
- Acting as an agent of the school district, the GG4L services may transfer data from a school district to an application or service authorized by the district. Data transfers may contain data about children under age 13.
- Before authorizing use of our services or sharing data with a third party through our services, it is the responsibility of the school district to issue any required notifications and gain any required consent from parents or guardians of children protected under COPPA.
- The school district is responsible for appropriate use of GG4L services and must establish internal policies to ensure COPPA compliance.
- GG4L personnel are trained in protecting data in a COPPA compliant manner.
6. Our handling of Student Data
GG4L makes every effort to be a good steward of Student Data, protect data privacy and provide comprehensive data security.
At all times, Student Data remains the property of the school district and is under the district’s full control.
We believe in full transparency. If you have a question, just ask us.
GG4L employees and contractors have no day-to-day access to the data shared between districts and applications vendors. We do occasionally have access when we access the service on behalf of the district for operational or troubleshooting purposes.
GG4L does not sell student personal information individually or in aggregate for any reason.
We don’t disclose student personal information, in any form, for targeted advertising or other marketing or similar commercial purposes.
We do not profile, identify or otherwise analyze data related to a particular student or group of students other than as authorized by the school district for providing authorized services to the school district.
GG4L does not retain student data longer than authorized by the school district.
7. Data security, retention and disposal
GG4L maintains a comprehensive data security program designed to protect the security, privacy, confidentiality, and integrity of district and personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information.
Data is stored in accordance with jurisdictional and customer requirements. For our US customers, unless it is otherwise stated in your contract, your data is stored in the United States on Amazon’s AWS environment. The AWS environment provided by Amazon conforms to a range of security standards including SOC 1/SSAE 16/ISAE 3402, SOC 2, PCI DSS Level 1, ISO 27001, and FISMA. Additional information about Amazon’s AWS compliance practices can be found at https://aws.amazon.com/compliance/.
Access to data is limited to authorized use. Confidential and other sensitive data is encrypted while it is at rest and in transit. Administrative and audit controls are in place to enforce authorized data access and prevent unauthorized access. Strong password policies are enforced (OWASP guidelines). GG4L employees and contractors access district data only as and when authorized by the district. GG4L on-boarding and support are provided by our personnel in various global GG4L offices including those in Australia, Ireland, Ukraine and the United States of America.
GG4L retains data only for the length of time necessary to provide the service. GG4L securely and permanently deletes student, district and personal user data when a contract is terminated, when the data is no longer needed to operate the service or when advised to do so by the school district or other authorized agency or individual.
In response to an authorized request, GG4L will remove data from the system. Personal user data for an administrator can be permanently deleted upon an authorized request from the district or the individual. This may affect the ability to use the service. Student data and other district-owned data can be permanently deleted upon authorized request from the school district.
Data breach response and notification
GG4L complies with laws applicable to us in respect of any data breach. We promptly notify the school district and/or other affected organizations of a data breach, conduct an investigation, retain evidence, work with law enforcement when necessary and restore the data integrity of the service as soon as possible.
8. Business transfers
If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur, and that any parties who acquire us may continue to use your data according to the terms of this policy.
9. Limits of our policy
Our services may link or connect to external websites and services that are not operated by us. Please be aware that we have no direct control over the content and policies of those sites and cannot accept responsibility or liability for their respective practices.
10. Changes to this policy
We may occasionally change our privacy policy. In that event, we will always take industry-standard steps to contact users and let them know about changes to our services and privacy policy. In all cases, continued use of our services after changes to this policy is regarded as acceptance of our practices around privacy and personal information. Therefore we will require the user to acknowledge and re-consent to the amended privacy policy prior to continued use.
11. Contact Information
To contact the Global Grid for Learning Data Controller or Data Protection Officer:
Email: dataprivacy@gg4l.com
Mail: Global Grid for Learning, A Public Benefit Corporation Attn: Data Privacy
1101 Marina Village Parkway, Suite 201, Alameda, CA 94501 USA
This document was last modified on July 2, 2019, 10:26:45 AM