Data Privacy and Security Plan

Last Updated: May 2025

Teaching Lab may use data gathered to facilitate and/or improve professional learning services offered across its partners.

Any data storage on Teaching Lab’s system adheres to all laws protecting confidential information related to student and teacher information, if any. Prior to storing and/or transmitting any data related to the Project, all identifying information is removed from the data. The dissemination of any findings is conducted in aggregate form.

1. How Teaching Lab implements all state, federal, and local data security and privacy contract requirements over the life of the agreement, consistent with most school systems’ data security and privacy policy.

Teaching Lab follows these steps to be consistent with most school systems’ data security and privacy policy:

  1. Designate a data privacy and security officer: Teaching Lab has designated a data privacy and security officer who is responsible for overseeing the implementation of data privacy and security policies and procedures. Teaching Lab’s data privacy and security officer is Chief Operating Officer – HaMy Vu.
  2. Regularly conduct a data inventory: Under the direction of the data privacy and security officer and the Senior Director, Learning & Research, Dr. Shaye Worthman, Teaching Lab continuously conducts a data inventory to identify the types of data it collects, processes, and stores. This helps Teaching Lab to identify the potential risks to data security and privacy and develop appropriate policies and procedures to manage those risks.
  3. Develop data privacy and security policies and procedures for collecting and storing sensitive data as well as protocols for reporting data breaches and other incidents.  See more detailed responses below.
  4. Implement technical safeguards to protect sensitive data from unauthorized access, disclosure, or misuse. See more detailed responses below.
  5. Train staff on data privacy and security policies and procedures. See more detailed responses below.  
  6. Monitor compliance: Under the direction of the data privacy and security officer, Teaching Lab monitors compliance with data privacy and security policies and procedures and takes corrective action as needed to ensure ongoing compliance.
  7. Conduct regular risk assessments: Under the direction of the data privacy and security officer, Teaching Lab conducts regular risk assessments to identify potential security threats and vulnerabilities and takes appropriate measures to mitigate those risks.
  8. Review and update policies and procedures: Under the direction of the data privacy and security officer, Teaching Lab regularly reviews and updates data privacy and security policies and procedures to ensure they remain up-to-date and in compliance with most school systems’ data privacy and security policies.

2. Specify the administrative, operational, and technical safeguards and practices Teaching Lab has in place to protect the Protected Information that it will receive under the contract.

It is important to note that no personal identifiers of students are collected by Teaching Lab, and only non-identifiable data are transmitted to Teaching Lab. In addition, Teaching Lab employees follow technical safeguards and practices to protect the Protected Information that they receive:

  1. Collection: For student data collected directly from students or teachers (i.e., student surveys or student classroom tasks, etc.) via electronic surveys through the Qualtrics survey platform, IP addresses are initially linked to the data, but these are removed to create an analysis dataset. For data transmitted or shared directly from the school system (i.e., aggregate student assessment data, teacher evaluation data, or teacher-student linkage data), data is transmitted, at the guidance of the Learning & Research and Technology Teams, using an SFTP secure transfer protocol with the Google Cloud interface. Authorized users sign in with individual credentials and multi-factor authentication.
  2. Encryption: The data is encrypted in motion during transmission by SSL/TLS protocols. The data is also encrypted at rest using the Advanced Encryption Standard (AES) algorithm and adheres to all laws protecting confidential information.
  3. Storage of sensitive data: Physical data is exclusively housed on Google Cloud. Data is collected/transmitted via the survey platform Qualtrics if uploaded electronically and housed on Google Cloud and within the Secure Network Attached Storage system managed by Teaching Lab’s Learning & Research and Technology departments. This database is available only to those on the project who need access for data entry and analysis.
  4. Access controls to protect against unauthorized access or use of the Protected Information.
  5. Network security controls, such as firewalls, intrusion detection, and prevention systems.
  6. Regular data backups and disaster recovery procedures.
  7. Training employees and contractors to recognize and prevent unauthorized access to Protected Information. 
  8. Protocols for reporting data breaches and incidents (see: Teaching Lab Technology Security Incident Response Plan, bit.ly/incident_response_plan).

3. Demonstrate that Teaching Lab complies with the requirements of most school systems’ Parents’ Bill of Rights for Data Privacy and Security, if one exists.

Any student data collected by Teaching Lab is only done so because it is necessary to achieve educational purposes in accordance with state and federal law.

Except in extremely rare circumstances initiated by the school system partners, Teaching Lab does not accept data containing personally identifiable information related to students. Per Teaching Lab’s Service Agreement with school system partners, the school system partner shall not transfer any Record to Teaching Lab or any Vendor Device unless, prior to the transfer, school system partner has de-identified the Record, or made a reasonable determination that no Student’s identity is personally identifiable from the Record, in the manner contemplated by federal regulation 34 CFR 99.31(b). Any transfer of any Record by the school system partner to Teaching Lab or a Vendor Device constitutes a representation and warranty by school system partner that such Record does not contain Student Protected Information, unless prior to the transfer, school system partner has (i) notified Teaching Lab that the record or records includes or constitutes Student Protected Information; (ii) notified Teaching Lab which aspects of the information or data constitute Student Protected Information; (iii) provided Teaching Lab a reasonable opportunity to request that the Student Protected Information be de-identified such that it no longer constitutes Student Protected Information; and (iv) obtained Teaching Lab’s prior written consent to the transfer.

Further, all data received from school system partners is subjected to the following technical safeguards to protect sensitive data from unauthorized access or disclosure:

  1. Encryption: The data is encrypted in motion during transmission by SSL/TLS protocols. The data is also encrypted at rest using the Advanced Encryption Standard (AES) algorithm and adheres to all laws protecting confidential information.
  2. Access controls to protect against unauthorized access or use of the Protected Information.
  3. Network security controls, such as firewalls, intrusion detection, and prevention systems.

All Teaching Lab employees and specified contractors with access to data collected from school system partners are required to complete annual training on data privacy and security policies and procedures, including the importance of protecting sensitive data, how to recognize potential security threats, and how to respond to data breaches.

Finally, if any data collected or transferred from a school system partner contains PII, it is permanently and securely deleted no later than when the contract ends.

4. Specify how Teaching Lab officers or employees of the third-party contractor and its assignees who have access to Protected Information receive or will receive training on the federal and state laws governing confidentiality of such data prior to receiving access.

First, Teaching Lab does not accept data containing personally identifiable information related to students except in extremely rare circumstances initiated by the school system partners.

Teaching Lab’s Senior Director, Learning & Research and Data Analyst have completed training on human subject research through the Collaborative Institutional Training Initiative (CITI Program), which includes human subject protections, ethical issues, and current regulatory and guidance information. 

Finally, all Teaching Lab employees and specified contractors with access to data collected from school system partners complete annual training on data privacy and security policies and procedures, including the importance of protecting sensitive data, how to recognize potential security threats, and how to respond to data breaches. A curated series of courses is identified for Teaching Lab employees. Specific contractors need to submit proof of completion of such training within the last 12 months to be approved by the data privacy and security officer.

5. Specify how Teaching Lab utilizes subcontractors and how it manages those relationships and contracts to ensure Protected Information is protected.

Teaching Lab does not share data containing protected information with other individuals outside of the project team unless authorization is specified in the provider-school system partner agreement. If data were to be shared with subcontractors, they would be required to implement and adhere to the same data security and privacy measures as outlined in this plan. In addition, such subcontractors are also subjected to equivalent and no less protective data privacy and security obligations as those set forth in any MOU, NDA, or other agreements between Teaching Lab and a school system partner.

6. Specify how Teaching Lab manages data security and privacy incidents that implicate Protected Information, including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify the impacted school system.

If a data security or privacy incident involving Protected Information is detected, Teaching Lab follows all phases of its Technology Security Incident Response Plan (bit.ly/incident_response_plan): containment, investigation, remediation, and recovery. The impacted school system is promptly notified.

7. Describe whether, how, and when data is returned to the school system, transitioned to a successor contractor, at the school system’s option and direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires.

Teaching Lab returns data to the school system, transitions to a successor contractor at the school system’s option and direction, and deletes or destroys the data when the contract is terminated or expires. Teaching Lab provides the school system with a written certification of the destruction or deletion of the data. Teaching Lab acknowledges the significance of safeguarding the privacy and security of Protected Information and is dedicated to implementing the required measures and practices outlined in this plan. In case of any uncertainty, the school system partner agreement or terms has priority.