Target was targeted. [image credit: ask.com]
The first place I looked is at our school information system, Veracross. Here’s a copy of the privacy agreement (a section of our contract with them)
6. Intellectual Property
B&C shall retain all right, title and interest in and to the B&C Technology and the System, and Client shall retain all right, title and interest in and to the Client Data.
7. Confidential Information
(a) Each party acknowledges that it will have access to certain confidential information of the other par- ty concerning the other party’s business, plans, Clients, resellers, technology, and products, and other information held in confidence by the other party (“Confidential Information”). Confidential Information will include all information in tangible or intangible form that is marked or designated as confidential or that, under the circumstances of its disclosure, should be considered confidential. Confidential Information will also include the Database, Client Data, and the B&C Technology. Each party agrees that it will not use in any way, for its own account or the account of any third party, except as expressly permitted by, or required to achieve the purposes of, this Agreement, nor disclose to any third party (except as required by law or to that party’s attorneys, accountants and other advisers as reasonably necessary), any of the other party’s Confidential Information and will take reasonable precautions to protect the confidentiality of such information that are at least as stringent as it takes to protect its own Confidential Information. Within 30 days after termination of this Agreement, each party shall return to the other party (or, at that party’s option, destroy) all Confidential Information of the other party then remaining in its possession.
(b) Information will not be deemed Confidential Information hereunder if such information: (i) is known to the receiving party prior to receipt from the disclosing party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (ii) becomes known (independently of disclosure by the disclosing party) to the receiving party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (iii) becomes publicly known or otherwise ceases to be secret or confidential, except through a breach of this Agreement by the receiving party; or (iv) is independently developed by the receiving party. The receiving party may dis- close Confidential Information pursuant to the requirements of a governmental agency or by operation of law, provided that it gives the disclosing party reasonable prior written notice sufficient to permit the disclosing party to contest such disclosure.
Do you like the fine print? 🙂 It basically states that we agree to keep what we know about Veracross’s software and processes private and they agree to keep our data private. The main issue for me is, what happens if they don’t keep our data private? History shows that even major companies cannot keep their data private, right? I think the only thing going for Veracross and AES is that overall there is not a high demand for our data. Credit card information from Target is simply worth more on the black market.
Honestly data security is not something that I thought much about before signing a contract with Veracross. Yes, I did read the contract, but I never once asked them about the real world practices of their company that are in place to protect our students’ data. It’s something that I need to do for all of our systems, but it takes time. Once you start digging into these issues, you feel like you are going to need a personal data security specialist (and a lawyer) to complete the process! We cannot afford to ignore it however. As a school, we are, in the end, responsible for the data we maintain. So I suggest we need to expand the discussion beyond just personal privacy for students and teachers to the privacy of the data housed in our systems at school. This of course hits home to me as the Director of Technology at AES. Now that I have opened this can of worms I will have to deal with it. Looks like I have some work to do!
David,
I think you are very brave! Can of worms for sure. Some times I do start to read the fine print and before long – I decide I can’t understand the legal vocabulary and I give up before getting to the bottom and I click, “Agree” or “Accept” with crossed fingers!
And I think you are right that we should be grateful that most people are not interested in the kind of data our admin offices hold…. still…. I very much hope that you are able to persevere with your voyage of discovery as I am keen to hear what you find out!
Lindy
Hi David,
Some might disagree about the value of the data that Veracross holds. Many international schools have some fairly affluent and/or influential families attending. It’s not unimaginable that either a) the family is very security conscious, or b) there are third parties who think their personal data might be valuable.
I, for one, agree with you about the relative worth of school data but it’s good to raise the discussion at a larger institutional level as well as at a personal level.