Third-Party Vendor Purchasing Contracts when requiring PII from Lexington City Schools
Lexington City Schools (LCS) is mandated to safeguard student data in accordance with North Carolina's General Statute 115C, Article 29. Given the exponential increases in the use of online classroom tools coupled with the heightened cybersecurity threats, the North Carolina Department of Public Instruction is setting new standards starting January 1, 2024, aimed at preventing unauthorized student PII (Personal Identifiable Information) breaches.
Third-party entities seeking student PII from LCS must undergo a detailed vetting procedure. This procedure is extensive, demanding significant time and resources from the third-party company. The findings from this procedure will help assess the robustness of a third-party's IT infrastructure, which directly affects their capability to secure LCS student data. Both LCS and NC DPI's strict measures underscore the critical importance they place on student data protection.
The guidelines to follow are primarily rooted in the state's IT protocols as stipulated by the North Carolina Division of Information Technology (NC DIT), which in turn are based on the NIST 800-53 framework.
To comply, third-party companies should adhere to the detailed steps provided. After all documentation is submitted, LCS will evaluate and provide feedback. Once approved, the documents will be sent to DPI for a final decision.
It's important to note: Contracts signed before January 1, 2024, get a grace period of one year to meet these standards. Contracts signed from January 1, 2024, onwards must ensure full compliance before LCS can share student data.