MyScholar, in its role as a vendor to educational agencies and institutions, both public and private entities (“Educational Agencies”), receives disclosures from the Educational Agencies, which include the personal information and other data (“Student Data”) contained in student records as well as directly from students and parents of students. Only information that is needed for MyScholar to perform services, which are outsourced to MyScholar by the Educational Agencies, is disclosed to MyScholar. MyScholar considers Student Data to be strictly confidential and will not use Student Data for any purpose other than improving and providing our products and services to the Educational Agencies or on the Educational Agencies’ behalf. Our collection, use, and sharing of Student Data is governed by our contracts with the Educational Agencies, the provisions of FERPA, the Children’s Online Privacy Protection Act (COPPA), and other applicable state and federal laws and regulations that regulate/protect the collection and use of personal information of students. MyScholar, as a contractor to the Educational Agency, receives the disclosures on the same basis as school officials employed by the Educational Agency, consistent with FERPA regulations, 34 CFR §99.31(a)(1)(i)(B). Consistent with those regulations, MyScholar has a legitimate educational interest in the information to which it is given access to because the information is needed to perform the outsourced service. MyScholar is under the direct control of the Educational Agency in using and maintaining the disclosed education records, consistent with the terms of its contract.
MyScholar is subject to the same conditions on use and redisclosure of education records that govern all school officials, as provided in 34 CFR §99.33. In particular, MyScholar must ensure that only individuals that it employs or that are employed by its contractor, with legitimate educational interests – consistent with the purposes for which MyScholar obtained the information -obtain access to Personally Identifiable Information (PII) from education records it maintains on behalf of the district or institution.
MyScholars application is a tool to help high school students imagine, research, plan and fund their future, allows Pathway Providers to present relevant information to students within the application (“Pathway Providers”). Pathway Providers include Universities, Colleges, Trade Schools, Employers, Trades, Military and Public Services. Messaging is “blind” – Pathway Providers are not able to see any information on individual students. However Pathway Providers are able to target the messaging to students that match the Pathway Provider’s preferred student profile.
MyScholar receives from the Educational Agency the student’s parent or designated guardians. Parents or designated guardians of students under the age of 18 are able to view their children’s PII in the application. Parents or designated guardians of students 18 or over may only view their child’s PII with the approval of the student.
MyScholar will not sell or otherwise use or redisclose education records for targeted advertising or marketing purposes. MyScholar uses data within its products only to deliver the services contracted by the educational institution. MyScholar may use anonymized, non-PII data internally to improve the products and services it delivers to Educational Agencies.
In accordance with FERPA regulations 34 CFR §99.33(a) and (b), MyScholar may not disclose PII without consent of a parent or an eligible student (meaning a student who is 18 years old or above or is enrolled in postsecondary education) unless the agency or institution has authorized the redisclosure under a FERPA exception and the agency or institution records the subsequent disclosure. MyScholar can allow limited communications between students and Pathway providers within its application. If a student is interested in a Pathway Provider and a match with the Pathway Provider’s preferred student profile, only the student may initiate communications with the Pathway Provider. The student’s first name, last initial, grade, and school are displayed to the Pathway Provider. MyScholar only enables communications if the parent or designated guardian of the student has authorized the student to communicate with Pathway Providers.
MyScholar employs extensive technological and operational measures to ensure data security and privacy, including advanced security systems technology, physical access controls, and annual privacy training for employees and partners, and criminal background checks of all employees. The organization will undergo annual security audits including an external SOC 2 Type II audit demonstrating adherence with the security principle set forth in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality and Privacy (AICPA, Technical Practice Aids). All data is housed within the United States in Amazon FERPA- compliant servers. Details about audits and company policies which support the MyScholar security programs are available to Educational Agencies under a non-disclosure agreement and sunshine law.
All employees of MyScholar are required to sign an Acknowledgement and Agreement of Policies that commits the employees to comply with MyScholar's data privacy and security policies and receive required annual security and privacy training, including commitments and training regarding the prohibition on disclosure of student data.
MyScholar does not own any of the student data or Educational Agency-created data within its products. These data within the products are property of, and under the control of the Educational Agency. The collection, input, use, retention, disposal, and disclosure of any information in our software applications are controlled solely by the Educational Agency which license our products. MyScholar cannot delete, change, or disclose any information from our application controlled by the Educational Agency.
In the event MyScholar becomes aware of a data breach or inadvertent disclosure of PII, MyScholar shall take immediate steps to limit and mitigate such security breach to the extent possible. A senior executive of MyScholar will notify a senior member of the affected Educational Agency’s leadership team, ideally the Superintendent or similar chief executive. This typically will occur within 24 hours of confirmation of the event and would include the known relevant details. The Educational Agency and MyScholar will work cooperatively in determining an action plan, including any required notification of affected persons. In the event that MyScholar is at fault for the breach or disclosure, MyScholar carries a $1,000,000 cyber-liability insurance policy that provides for a number of potential remedies, such as credit monitoring for affected parties, fraud coverage, crisis management communications coverage, business interruption coverage, and data restoration coverage, among others.
In the event of termination of a license to use our products, MyScholar works with the Educational Agency, in accordance of the terms of the Educational Agencies contract, to destroy all student records contained in our systems and then will permanently delete all archival or backup copies of the agency’s or institution’s data. MyScholar shall not knowingly retain copies of any data or information received from Educational Agency once Educational Agency has directed MyScholar as to how such information shall be returned and/or destroyed. Furthermore, MyScholar shall ensure that it disposes of any and all data or information received from Educational Agency in a commercially reasonable manner that maintains the confidentiality of the contents of such records (e.g. shredding paper records, erasing and reformatting hard drives, erasing and/or physically destroying any portable electronic devices). At the request of the Educational Agency, MyScholar will provide a written certification of confirmation of destruction.
MyScholar may, from time to time, update this policy to be in compliance with evolving state and federal laws and regulations. We will not materially change our policies and practices to make them less protective of your privacy without the written consent of the Educational Agency and the Educational Agency may rely upon any and enforce any current or prior version of this policy unless otherwise agreed to in writing.