Use of Personal Information for Administrative Accounts
Student Data Privacy and Protecting Children Online
Data Security, Retention and Disposal
Global Grid for Learning (“GG4L”, “we”, “us”, “our”) provides access to the School Passport Connect platform (“Connect”, “service”) to a School (school, school district, community college, university, or other educational organization) for the purposes of sharing data between the School and data consumers which are typically cloud-based applications.
Data privacy is important to us. GG4L protects the privacy of any information we may collect through School Passport Connect ( https://connect.gg4l.com) and other services and websites we own and operate.
School Passport Connect, is a software-as-a-service data integration hub that transmits roster and other operational data between a School and consumers of that data on behalf of the School. Only data that is explicitly authorized by the School is made available to data consumers.
It is important to note that data ownership of School data, at all times and in all circumstances, remains exclusively with the School. As a School, you have complete control of and responsibility for your data. If you have questions about or need help with your data, just ask us.
Information We Collect
We collect and process information only where we have a legal basis for doing so and use the information only where:
- it’s necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract,
- it satisfies a legitimate interest that is not overridden by your data protection interests such as improving our service,
- you give us consent to do so for a specific purpose, or
- we need to process your data to comply with a legal obligation.
When you consent to our collection and use of data for a specific purpose, you have the right to change your mind at any time and direct us (1) to stop collecting new data and (2) to delete all data already collected. This may affect your ability to use the service and it may not affect any processing that has already taken place.
We don’t keep data for longer than is necessary. While we retain data, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use, or modification. If necessary, we may retain data for compliance with a legal obligation.
Student data
As a necessary part of our service, we ingest data about students. Student data refers to the roster and other operational data associated with a student that is provided to GG4L by a School for the purposes of transmitting that data to third-party data consumers according to access rules defined by the School. Student data may contain student personally identifiable information (PII). Student data is, and at all times remains, the property of the School and is under the School’s full control.
Unless otherwise stated in your contract with us, the data set we collect is defined by OneRoster V1.1. Data can be loaded into the service in 3 possible ways: a) upload from the UI of Connect, b) SFTP upload of CSV files, or 3) an API pull from the SIS, LMS, or LDAP.
School operational data
As a necessary part of our service, we may ingest a broader data set about the School. Roster and other data provided to us by a School may contain operational data about staff, guardians, facilities, finances, etc. School operational data may contain personally identifiable information (PII). School operational data is, and at all times remains, the property of the School and is under the School’s full control.
Unless otherwise stated in your contract with us, the set data we collect is defined by OneRoster V1.1. Data can be loaded into the service in 3 possible ways: a) upload from the UI of Connect, b) SFTP upload of CSV files, or 3) an API pull from the SIS, LMS, or LDAP.
Log data
When an administrator visits our service, our servers may automatically log standard data provided by the web browser. It may include the computer’s Internet Protocol (IP) address, the browser type, browser version, pages visited, time and date of access, time spent on each page, and other details.
Device data
We may also collect data about the device used to access our service. This data may include the device type, operating system, unique device identifiers, device settings, and geo-location data. What we collect can depend on the individual settings of your device and software. We recommend checking the policies of the device manufacturer or software provider to learn what information they make available to us.
Personal information for administrative users of the service
We may ask for personal information about administrators, such as:
- Name
- Date of birth
- Phone/mobile number
- Work address
- Website address
Business data
Business data refers to data that accumulates over the normal course of operation of our platform. This may include transaction records, stored files, user profiles, analytics data, and other metrics, as well as other types of information, created or generated, as users and systems interact with our service.
Disclosure of Data
GG4L does not sell or disclose data to third parties for sales, marketing, or similar commercial purposes. We may disclose data during the normal course of operating our business and services to
- third-parties authorized by the School to consume data, such as ed-tech vendors and services,
- service providers for the purpose of enabling them to provide their services in support of School Passport Connect, including (without limitation) IT service providers, analytics, error loggers, maintenance or problem-solving providers, professional advisors,
- our employees, contractors and/or related entities, while supporting School Passport Connect and
- courts, tribunals, regulatory authorities, and law enforcement officers, as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise, or defend our legal rights.
Amazon AWS is our cloud services provider and hosts our technology and data systems. Amazon does not have authorized access to our systems or data. We don’t intentionally disclose data to Amazon.
School contract compliance
Employees, contractors, service providers, and partners working with GG4L must comply with the terms of our agreements with the School.
Disclosure of data to third parties under School control
Operating as the agent of a School, School Passport Connect will share data with third-party applications and services at the request of, and under the control of, the School.
The list of possible and currently active, third-party data consumers is available to the School administrator through the School Passport Connect administration console. This is where the specifics of third-party data sharing configurations and agreements can be reviewed and managed. The School administrator has full, granular control of which data elements are shared and with whom they are shared.
GG4L never shares data with third parties without direction from the School.
A School can terminate any third-party data sharing agreement at any time. This may affect or terminate the School's ability to use the associated application or service.
Notification of changes to disclosure terms or conditions
This policy document will be changed, and the policy change notification procedure will be followed, if the terms of data disclosure or third-party access change.
Use of Personal Information for Administrative Accounts
We may collect, hold, use and disclose information about a School Passport Connect administrator for the following purposes.
- to provide you with our platform's core features,
- to enable you to access and use our service, associated applications, and associated platforms,
- to contact and communicate with you,
- for internal record keeping and administrative purposes, and
- to comply with our legal obligations and resolve any disputes that we may have.
Choice and consent: We expect that anyone administering the service is an adult, authorized by the School to do so, and is over 18 years of age. GG4L does not knowingly provide administrative access to the service to users under 18 years of age without the appropriate consent of a guardian or authorized authority. If you are under 18 years of age, you must have and warrant to the extent permitted by law to us, that you have your parent or legal guardian’s permission to access and use the service and they (your parents or guardian) have consented to you providing us with your personal information. By providing personal information to us, you consent to us collecting, holding, using, and disclosing your personal information in accordance with this privacy policy. You do not have to provide personal information to us, however, if you do not, it may affect your use of this service or the products and/or services offered on or through it.
Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this privacy policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such a person’s consent to provide the personal information to us.
Restrict: You may choose to restrict the collection or use of your personal information. If you have previously agreed to us using your personal information, you may change your mind at any time by contacting us. If you ask us to restrict or limit how we process your personal information, this may affect your use of our products and services.
Access and data portability: You may request details of the personal information that we hold about you. Where possible, we will provide this information in CSV format or other easily readable machine formats. You may request that we erase the personal information we hold about you at any time. You may also request that we transfer this personal information to another third party.
Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact us using the details below. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading, or out of date.
Notification of data breaches: We will comply with laws applicable to us in respect of any data breach.
Complaints: If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to contact a regulatory body or data protection authority in relation to your complaint.
Unsubscribe: To unsubscribe or opt-out of communications, please contact us using the details below or opt-out using the opt-out facilities provided in the communication. Unsubscribing to certain communications may affect your use of the service or the products and/or services offered on or through it.
Use of Cookies
Typically, “cookies” exist to collect information about you and your activity across a service. A cookie is a small piece of data that a service stores on your computer and accesses each time you visit.
School Passport Connect does not use cookies.
Student Data Privacy and Protecting Children Online
FERPA
School Passport Connect operates as a contractor to and agent of the School for the purposes of sharing roster and other operational data between a School and a data consumer.
- GG4L makes data available to data consumers solely at the direction of and under the control of the School.
- The School is responsible for the appropriate use of GG4L services and must establish internal policies to ensure FERPA compliance.
- GG4L employees and contractors do not typically see the contents of individual student (or other) records unless this is required for troubleshooting or assisting the School. GG4L personnel is trained in protecting data in a FERPA-compliant manner.
GG4L complies with Title 34, Chapter 99 of the Code of Federal Regulations. The responsibilities of GG4L can be reviewed here https://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf and here https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=34:1.1.1.1.33.
COPPA
GG4L does not knowingly collect information from children under the age of 13 without the legal consent of a parent or guardian.
- Acting as an agent of the School, the School Passport Connect service transfers data from a School to a data consumer authorized by the School. Data transfers may contain data about children under age 13.
- Before authorizing the use of the service or sharing data with a data consumer, it is the responsibility of the School to issue any required notifications and gain any required consent from parents or guardians of children protected under COPPA.
- The School is responsible for the appropriate use of GG4L services and must establish internal policies to ensure COPPA compliance.
- GG4L personnel is trained in protecting data in a COPPA-compliant manner.
Authorized use of student data
The School owns and is responsible for the data contained within the service. GG4L uses data only to provide the service as authorized by the School. GG4L specifically does not
- sell student personal information individually or in aggregate for any reason,
- disclose student personal information, in any form, for targeted advertising,
- profile a student other than as authorized by the School for providing authorized services by the School, or
- retain student data longer than authorized by the School.
Authorized Sharing of Data Between the School and Application Vendors
The general purpose of GG4L is to enable the School to share data with application vendors.
Authorized system administrators for the School are in full control, down to the individual data element level, of the data sharing process. At any time an authorized administrator can establish, modify or cancel data sharing between the School and an application vendor. In addition, an authorized administrator can view current data sharing activity and audit the history of data sharing between the School and application vendors down to individual data elements.
GG4L employees and contractors have no day-to-day access to the data shared between Schools and applications vendors. We do occasionally have access when we access the service on behalf of the School for operational or troubleshooting purposes.
Data Security, Retention and Disposal
GG4L maintains a comprehensive data security program designed to protect the security, privacy, confidentiality, and integrity of School and personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information.
Unless otherwise stated in your contract with us, data is stored and processed in the United States and managed from the United States and Ukraine on Amazon’s AWS environment. The AWS environment provided by Amazon conforms to a range of security standards including SOC 1/SSAE 16/ISAE 3402, SOC 2, PCI DSS Level 1, ISO 27001, and FISMA. Additional information about Amazon’s AWS compliance practices can be found at https://aws.amazon.com/compliance/.
Access to data is limited to authorized users. Confidential and other sensitive data is encrypted while it is at rest and in transit. Administrative and audit controls are in place to enforce authorized data access and prevent unauthorized access. Strong password policies are enforced (OWASP guidelines). GG4L employees and contractors access School data only as and when authorized by the School.
GG4L retains data only for the length of time necessary to provide the service. GG4L securely and permanently deletes student, School, and personal user data when a contract is terminated, when the data is no longer needed to operate the service or when advised to do so by the School or other authorized agency or individual.
In response to an authorized request, GG4L will remove data from the system. Personal user data for an administrator can be permanently deleted upon an authorized request from the School or the individual. This may affect the ability to use the service. Student data and other School-owned data can be permanently deleted upon authorized request from the School.
Data breach response and notification
GG4L complies with laws applicable to us in respect of any data breach. We promptly notify the School and/or other affected organizations of a data breach, conduct an investigation, retain evidence, work with law enforcement when necessary, and restore the data integrity of the service as soon as possible.
Business Transfers
If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur and that any parties who acquire us may continue to use your personal information according to this policy.
Limits of our Policy
Our service may link or connect to external websites and services that are not operated by us. Please be aware that we have no direct control over the content and policies of those sites and cannot accept responsibility or liability for their respective practices.
Changes to this Policy
At our discretion, we may change our privacy policy to reflect current acceptable practices. We will take reasonable steps to let users know about changes via our service. Your continued use of this service after any changes to this policy will be regarded as acceptance of our practices around privacy and personal information.
If we make a significant change to this privacy policy, for example changing a lawful basis on which we process your data, we will ask you to re-consent the amended privacy policy.
Contact Information
To contact the Global Grid for Learning Data Controller or Data Protection Officer:
Email: dataprivacy@gg4l.com
Mail: Global Grid for Learning, A Public Benefit Corporation Attn: Data Privacy
1101 Marina Village Parkway, Suite 201, Alameda, CA 94501 USA