Third Party Data Integration
Important Updates!
The effective date for full implementation has been shifted from August 1, 2023 to January 1, 2024. This extension will enable vendors and PSUs some additional flexibility with initial implementation.
The following changes to this process are live as of November 1, 2023:
An updated version of the Data Sharing Agreement is now available (11/16/2023)
Direct integrations with state systems that share student data via API/Plugin must adhere to the requirements below.
The deadline for Canvas LTI integrations to follow this process has been extended to August 1st, 2024. More guidance on how to evaluate Canvas LTI Integrations is coming soon.Canvas integrations are recommended to use version LTI v1.3. LTI v1.1 will be deprecated at a later date.
DPI does not require this process for any third-party integration through other methods but it is highly recommended to follow the same process. PSUs maintain the discretion to implement this process prior to January 1, to require the process be completed for additional applications, and to impose additional requirements.
Protecting the privacy and security of our student data is a challenging, yet critical task. The Department of Public Instruction (DPI) and Public-School Units (PSUs) are required, under Article 29 of NC General Statute 115C, to protect student data. Over the last two years, the number of digital resources provided to students has increased dramatically. The vendors of these digital resources are requesting PSUs to receive data on students or directly integrate their data with statewide applications, such as the Student Information System. These integrations may be implemented both through an Application Programming Interface (API) or data exported flat files provided to the vendors.
While these integrations are necessary for many of these tools to be useful in the classroom, a significant increase in cybersecurity threats against education technology vendors, schools, and student data is occurring nationally. To strengthen security and privacy protections, DPI will implement a new process for PSU third-party vendor integration. The new process aligns with the NC Department of Information Technology (DIT) data security standards for third-party integrations with state systems. This new process is designed to ensure that PSUs have the resources they need to adequately evaluate the security readiness of vendor partners, provide alignment with the State of North Carolina Information Security Manual and the NIST 800-53 framework, as well as provide a more streamlined process that allows PSUs to implement a third-party application more quickly.
Requirements
- The Vendor and PSU must both sign the DPI (Department of Public Instruction) Data Confidentiality and Security Agreement, in whole with no modifications.
- The vendor must clearly articulate the following items in the Third Party Data Collection Reporting Worksheet:
- The statewide systems they will be connecting to (PowerSchool SIS, ECATS, Amplify mClass, or any state system containing student information);
- The method of integration (API, AutoComm, SFTP, etc.);
- Specific data fields requested and the rationale for their inclusion in the request, including how the data will be used in the target system;
- A description of how data will be restricted to the users who have a legitimate business need to see the data;
- A description of any data written back to the statewide system.
- The Vendor must submit the following security documentation:
- An approved Vendor Self-Assessment Tool:
- Educause Higher Education Community Vendor Assessment Toolkit (HECVAT) Lite
- CoSN K-12 Community Vendor Assessment Toolkit (K-12CVAT)
- 1EdTech Security Assessment Rubric (when released for public use)
- The NCDIT Vendor Readiness Assessment Report
- A third-party conducted assessment report:
- A Public Assessment report no older than twelve months of the vendor's third-party conducted assessment report that includes the product, such as:
- SOC3 (Security Operations Center) or SOC2 Type 2 Executive Summary
- FedRAMP (Federal Risk and Authorization Management Program) authorization
- ISO 27001 certification
- HITRUST certification.
- An Engagement letter that states the vendor is actively in the process to obtain their third party assessment. This report must be no more than 12 months old.
- A Public Assessment report no older than twelve months of the vendor's third-party conducted assessment report that includes the product, such as:
- An approved Vendor Self-Assessment Tool:
If the vendor is unable to complete the required documentation then the PSU can complete an Authorization to Operate (ATO) Letter (template below). This document is an acceptance of risk by the PSU for the vendor to use student data without meeting the requirements listed above. This option is only available for applications not directly integrating with NCDPI systems.
Once all the required documentation has been obtained, the PSU shall review to ensure that the documentation meets all applicable security standards. The PSU shall upload a copy of the signed Data Confidentiality and Security Agreement and Third Party Data Collection Reporting Worksheet into the PSU Third Party Data Integration Reporting form. Once complete, PSUs may begin exchanging data. In the event a vendor is unable or unwilling to provide the requested information at any time during the contract period, the integration is unauthorized and may not proceed. If the PSU or DPI becomes aware of a data breach involving the vendor, authorization of the integration is suspended pending investigation.
Questions?
- Review the Frequently Asked Questions
- Submit a question