Data Processing Agreement
Date of Last Revision: May 22, 2018.
Definitions
Controller - means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
Data Protection Law - means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time. The terms “process”, “processes” and “processed” will be construed accordingly.
Data Subject - means an identified or identifiable natural person (users of CN)
GDPR - means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Personal Data - means any information relating to a Data Subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Processor - means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Third Party - means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
Details of Data Processing
Data Subject Categories - The Controller's data subjects are end users, both public users and institutional users. Within the institutional user group there are several roles, such as student, instructor, and administrator. Administrators have complete access to all channel members' data.
Personal Data Types - Information entered by the user or imported from the Customer's SIS (Student Information System), the extent of which is determined and controlled by the Data Subject or Controller in its sole discretion, including name, email, photo, and other Personal Data such as website usage information, communication data, badging data, course data, application integration data, and other electronic data submitted, stored, sent, or received by end users via CourseNetworking.
Nature of Data Processing - Personal Data is Processed only for the purposes outlined in the Terms of Service. Personal Data is not sold, used for advertising, or otherwise Processed for purposes outside the Terms of Service.
Data Processing Purpose - Personal Data is Processed for purposes of providing services outlined and agreed to in the Terms of Service and Privacy Policy.
Duration of the Processing - The duration of Personal Data Processing is outlined in the Security Document and can be altered at the request of the user.
Customer Responsibility
The Customer, as Controller, shall:
- provide instructions to CourseNetworking and determine the purposes and general means of CN's processing of Customer (Data Subject) Personal Data in accordance with the Agreement; and
- comply with the protection, security and other obligations with respect to Personal Data that Data Protection Law prescribes for data controllers by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed on behalf of the Customer; (b) processing only data that has been lawfully and validly collected and ensuring that such data is relevant and proportionate to its respective uses; and (c) ensuring compliance with the provisions of this Agreement by its personnel and by any third party accessing or using Personal Data on its behalf.
CN supports LTI integration: any instructor can add LTI tools to their courses, and a CN Channel Admin can add tools to their institution channel at their own discretion. CN does not monitor these tools or the data shared with them through LTI launches; that responsibility rests with the individual instructor or the institution's administrators.
Obligations of Processor
- use Personal Data only for the purposes outlined here: improving the service, the site, and users' ability to use them. These purposes include notifying users about new services and service-related announcements, making a user's profile discoverable in search results across the Site and in browsers (if the user so chooses), keeping user content accessible and editable, and showing profiles to other users who have permission to see them;
- notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and work with the Customer and end users to notify affected parties promptly. Under the GDPR the Processor's duty is to notify the Controller without undue delay; the Controller must then notify the competent supervisory authority within 72 hours of becoming aware of the breach (Article 33) and, where the breach is likely to result in a high risk to individuals, inform the affected Data Subjects "without undue delay" (Article 34). CN will assist the Customer with these notifications;
- ensure that its employees and authorized agents are bound to respect the confidentiality of Customer Personal Data, including after the end of their respective employment, contract or assignment;
- maintain appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Customer Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Personal Data;
- be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all CourseNetworking personnel with respect to Customer Personal Data and liable for any failure by such CourseNetworking personnel to meet the terms of this DPA.
Scenarios
CN as a Data Processor
- The Customer operating the SIS is the Controller
- User information and enrollment data are imported from the SIS for account creation
- Data includes: first name, last name, email or student ID, courses enrolled and role in course
CN as a Data Controller / Third Party Data Processors
- The LTI tool or other third-party tool inside CN is the Processor
- Per the LTI standard, email, first name, last name, course name and enrollment role are shared with the Processor at launch
- Integration is through API and LTI. LTI is an open interface: instructors, admins or the Customer can add their own tools, so responsibility for those tools lies with the Customer
- CN is responsible for the tools built into the LMS: Turnitin and Zoom
Audit
CN conducts internal audits regularly. At the Customer's request, CN will also undergo one additional audit per year and will provide all necessary audit reports. This audit may be performed by the CN security team or by a third-party auditor; if a third party is preferred, the cost of the audit is borne by the requesting party.
Data Transfers
CourseNetworking sites and services are primarily operated on Amazon servers located in the United States. To provide our service and site to users, we may transfer your personally identifiable information from the EEA to the U.S. During these transfers we apply the same level of protection as for data residing in the EEA. As noted above, we use Amazon servers, and through Amazon we adhere to the EU-U.S. Privacy Shield Framework when transferring data from the EEA to the United States. Please see the Amazon Privacy Shield Policy certification for more information. (Note: the EU-U.S. Privacy Shield Framework was invalidated by the Court of Justice of the European Union in July 2020, after the date of this revision; transfers made since then require a different transfer mechanism, such as Standard Contractual Clauses.)
Data Return and Deletion
When Customers post content to the site, they authorize and direct CourseNetworking to make such copies of it as we deem necessary to facilitate the posting and storage of the user content on the site and the delivery of the service. Customers may remove Customer Personal Data from the site at any time. If a Customer chooses to remove Customer Personal Data, however, they acknowledge that the company may retain archived copies of content and Customer Personal Data for up to 6 months, with deletion carried out in monthly batches. Reasonable requests for data retrieval or return during this period may be granted. Similarly, if a Customer wants files completely removed from the CN servers ahead of the scheduled deletion, they must request this in writing by email to help@thecn.com. For more information on user data, please see our Privacy Policy.