The new service agreement for the Learning Analytics Service is available above and we would like to invite you to review the agreement and provide feedback. This agreement will replace the existing Data Processing Agreement from August 2017 currently in place with institutions implementing the learning analytics service.
The period of consultation is outlined below to gather any feedback, explain some of the trickier aspects and how we will be working with third party vendors. We will be updating this page during the consultation period with further information to address any feedback.
– 27 June service agreement released for institutions to review and email invitation issued
– 27 June to 11 July. Consultation period where institutions are invited to submit comments or feedback via comments on the blog post or via email to email@example.com
– 11 July at 13:00 – 14:00 service agreement webinar to discuss comments and feedback. The address for the webinar is https://zoom.us/j/400663886
– 11 July onwards the service agreement will be available for institutions to sign
Overview of the new agreement
The service agreement:
– Is simplified and easier to understand and issue
– Has been written to meet the requirements of GDPR
– Addresses feedback from the pilot institutions
– Includes an order form to specify which products you require when you sign up for the service,
Notes and explanation
There are some points worth noting relating to changes and also work on progress
- Security Requirements: Clauses 8.2.2 and 9.1.3. We are also in the process of extending Jisc’s ISO 27001 Certification (See https://www.jisc.ac.uk/network/iso-certification) to include the learning analytics service and this will be complete in early 2018.
- Charges for the service: The order form and service agreement mention charges for the service being available on the Jisc website, however these are still being finalised and will be accessible soon. Institutions who have been part of the initial pilot project (pathfinder sites) will not be charged until 1 August 2018. All new customers will get a six month pilot implementation period free of charge, after which charges will apply.
- Notification of a personal data breach: Clause 9.1.5. Under Recital 85 of the General Data Protection Regulation (GDPR) a Controller has up to 72hrs to report a personal data breach to the regulator (see http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN )
If the Institution is not aware of the breach itself, then the 72hrs reporting deadline for the Institution as a Controller begins after it has received the breach notification from Jisc.
- Liability: Clause 15. Note that the maximum liability stated in 15.1 ‘as the greater of charges paid in a year and £10,000’ is also subject to clauses 15.2 & 15.3 which address larger liabilities under for example GDPR
- Termination and deletion of data: Clause 9.1.10 describes the process and timescales for the return or deletion of data and any back-ups upon termination of the agreement, the time period covers the deletion of data in backups.
Summary of Consultation Feedback and Responses (updated 10 July 2017)
|Agreement, Section or Clause||Query||Jisc response / significant changes to the documentation|
|Service Agreement||How will you ensure compliance with the new EU General Data Protection Regulation (GDPR)?||A new Service Agreement has been produced to replace the Data Processing Agreement that pathfinder sites signed with Jisc during the R&D Learning Analytics Project. The new Service Agreement has been updated with clauses to ensure compliance with GDPR.
We have also ensured that our contracts with sub-contractors (eg HT2 Ltd, which provides the Learning Records Warehouse) are GDPR compliant.
|Service Agreement – Order Form||What’s included in the Jisc service?||The key components of the Jisc service are:
– Learning Records Warehouse Core
– Study Goal Core
– Data Explorer Core
– Student Success Plan
– Tribal Student Insight (existing pathfinder sites only)Additional information about the service will be available on the Jisc website.
An Order Form has been added to the front of the Service Agreement so that Institutions can easily see the Terms & Conditions and costs associated with the service.
Pathfinder sites have the option to continue with the components they are currently using, or they can sign up for new ones.
|Service Agreement – Order Form||What will I pay for the Jisc service?||Existing pathfinder sites (including those using Tribal Student Insight) will not pay for the service during AY2017-18.
All new customers will be able to pilot a selection of Jisc products for 6 months at no charge.
Charges after the free pilot period and 100% discount period for pathfinder sites are currently being finalised. In the coming months we’ll discuss service charges with each Institution.
|Service Agreement – Order Form and Clause 2||What is my financial commitment during the Initial Term and what termination options do I have?||The Initial Term of the Service Agreement covers one year (1 August 2017 to 31 July 2018).
Within the Initial Term there are two points at which a customer can terminate their service, the first is at any point during the 6-month Pilot Implementation Period. The second is during the remainder of the Initial Term when a customer can terminate their contract with 3 months notice.
In practice, this means:
|Service Agreement -Clause 9.1.3.||What safeguards are in place to protect personal data?||The new Service Agreement identifies the obligations on Jisc and the sub-contractors it uses to ensure personal data is safely stored and processed.
To ensure we meet these obligations we are extending the scope of Jisc’s ‘ISO 27001 – Information Security Management’ certificate to include the Learning Analytics Service. This work will be completed in early 2018.
Details on the scope of Jisc’s current ISO 27001 certificate are available on the Jisc website, see https://www.jisc.ac.uk/network/iso-certification.
|Clause 9.1.5||How does the timescale for Jisc notification of a data breach to the Institution fit with the deadline an Institution has for reporting a breach to the regulator?||Under Recital 85 of GDPR a Controller (Institution) has up to 72hrs to report a personal data breach to the regulator (see http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN )
If the Institution is not aware of the breach itself, then the 72hrs reporting deadline for the Institution begins after it has received the breach notification from Jisc.
|Clause 9.1.8||Under GDPR can an Institution rely on consent being sufficient to cover the transfer of data outside the EEA?||This query arose in relation to the transfer of personal data outside the EEA via a terminal services session.
Although all Institutional Data is stored in the EEA, Jisc and Institutions may use sub-contractors that are based, for example, in the USA. Data (including personal data ) will not be physically moved outside the EEA, but staff from the sub-contractor may view it on their screens (eg via a terminal services session). Access to data via a terminal services session involves a data transfer.
Under GDPR an institution may not be able to rely on consent for a data transfer. Jisc is currently seeking clarification on this point. In our initial discussions with Pinsent Masons their advice was that Jisc and Institutions should replace consent with a commitment to ensure that data is transferred under a compliant mechanism that safeguards personal data, such as Privacy Shield or through the adoption of EU Model Clauses.
|Clause 9.1.10||What are the arrangement for the return/deletion of data at termination?||The process is described in Clause 9.1.10.
The time allowed for the return and deletion of data and any back-ups upon termination is now 60 days.
|Service Agreement -Clause 11.3||Why has Amazon Web Services been singled out for a unique sub-clause in Clause 11.3?||Response to be updated later.|
|Service Agreement – Clauses 15.2 and 15.3||Does the liability position in the agreement allow an Institution to recover from Jisc the cost of any regulatory fines that it may receive for a data protection breach?||Response to be updated later.|
|Responses to other feedback received will be added later.|
|Sub-contract Agreement||Will there be a pro-forma agreement that Institutions can use for Add-On Services they procure under the DPS?||If an Institution opts to buy Add-On Services via a mini-competition in the Jisc Dynamic Purchasing System (DPS) for Learning Analytics, then the contract for those services will be directly between the Institution and supplier.
In a static procurement framework suppliers generally sign up to use a standard pro-forma contract with their customers. The DPS operates slightly differently. Under the DPS an Institution can use its own contract wording or the supplier’s.
In a bid to ensure that all suppliers adopt a consistent approach to data protection/GDPR-compliance, Jisc has provided a standard set of data protection clauses and mandated that suppliers use these in their contracts with Institutions.
Jisc is also in the process of reviewing some final changes to our sub-contract agreement. Once finalised, we can make this available as a starting point for contracts Institutions may enter into with suppliers under the DPS.
Please email any further questions or comments to firstname.lastname@example.org