Tobii Dynavox, in its role as a vendor to educational agencies and institutions (EAs), receives disclosures from the EAs of personally identifiable information (PII) contained in student records. Only information that is needed for Tobii Dynavox to perform the requested services to the EA is disclosed to Tobii Dynavox. In the United States of America, these disclosures are authorized under the Family Educational Rights and Privacy Act (FERPA), a federal statute that regulates the privacy of student records by EAs that receive financial assistance from the U.S. Department of Education.
Tobii Dynavox, as a contractor to the EA, receives the disclosures on the same basis as school officials employed by the EA, consistent with FERPA regulations, 34 CFR §99.31(a)(1)(i)(B). Consistent with those regulations, Tobii Dynavox has a legitimate educational interest in the information to which it is given access because the information is needed to perform the outsourced service, and Tobii Dynavox uses and maintains the disclosed education records, consistent with the terms of its agreement with the EA.
Tobii Dynavox is subject to the same conditions on use and redisclosure of education records that govern all school officials, (in the USA 34 CFR §99.33). In particular, Tobii Dynavox must ensure that only individuals that it employs or that are employed by its contractor, with legitimate educational interests – consistent with the purposes for which Tobii Dynavox obtained the information -- obtain access to PII from education records it maintains on behalf of the district or institution.
Further, (in the USA 34 CFR §99.33(a) and (b)), Tobii Dynavox may not redisclose PII without consent of a parent or an eligible student (meaning a student who is 18 years old or above or is enrolled in postsecondary education) unless the agency or institution has authorized the redisclosure under an (FERPA) exception and the agency or institution records the subsequent disclosure. An example of such a disclosure is when Tobii Dynavox is requested by a school district to assist the district in the transfer of the student records from our system to another system.
Tobii Dynavox will not sell or otherwise use or redisclose education records for targeted advertising or marketing purposes. Tobii Dynavox does not allow advertising within its products, and therefore there is no behavioral or targeted advertising. Tobii Dynavox uses data within its products only to deliver the services contracted by the educational institution. Tobii Dynavox may use anonymized, non-PII data internally to improve the products and services it delivers to EAs. Tobii Dynavox employs extensive technological and operational measures to ensure data security and privacy, including advanced security systems technology, physical access controls, and annual privacy training for employees and partners, and criminal background checks of all relevant employees. Tobii Dynavox employs a dedicated, full-time Head of IT to implement and improve Tobii Dynavox’s security posture and practice. The organization undergoes periodic security audits. [All student data for the United States is housed within the United States.]
Details about company policies which support the Tobii Dynavox programs are available on the Tobii Dynavox website. Documents specific to EAs may require a non-disclosure agreement. All relevant employees of Tobii Dynavox are required to sign an Acknowledgement and Agreement of Policies that commits the employees to comply with Tobii Dynaovx's data privacy and security policies and receive required periodic privacy training.
Tobii Dynavox does not own any of the student data or district-created data within its products. The data within the products are property of, and under the control of the local educational agency. The collection, input, use, retention, disposal, and disclosure of any information in our software applications are controlled solely by the EAs which license Tobii Dynavox products. Tobii Dynaovx cannot delete, change, or disclose any information from software applications controlled by the EA.
Students who wish to retain possession and control of their own pupil-generated content should contact the EA. If the EA is unable to fulfil the request of the student, Tobii Dynavox may assist at the direction and expense of the EA. In the event any third party (including the eligible student or parent/guardian of the eligible student) seeks to access education records, Tobii Dynavox will immediately inform the EA of such request in writing. Tobii Dynavox will not provide access to such data or information or respond to such requests unless compelled to do so by court order or lawfully issued subpoena from any court of competent jurisdiction or directed to do so by the EA. Should Tobii Dynavox receive a court order or lawfully issued subpoena seeking the release of such data or information, Tobii Dynavox will provide notification, along with a copy thereof, to the EA prior to releasing the requested data or information, unless such notification is prohibited by law or judicial and/or administrative order or subpoena.
If the EA is unable to fulfill a request of an eligible student or parent/guardian to review the student’s records, Tobii Dynavox may assist at the direction and expense of the EA. In such an event where a parent, legal guardian, or eligible student seeks to make changes to the data within Tobii Dynavox products parents, legal guardians, or eligible students shall follow the procedures established by the EA (in the USA in accordance with FERPA). Generally, these procedures establish the right to request an amendment of the student’s education records that the parent or eligible student believes is inaccurate, misleading, or otherwise in violation of the student’s privacy rights (under FERPA). Parents or eligible students who wish to ask the EA to amend their child’s or their education record should write an EA official, clearly identify the part of the record they want changed, and specify why it should be changed. If the EA decides not to amend the record as requested by the parent or eligible student, the EA will notify the parent or eligible student of the decision and of their right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures would be provided to the parent or eligible student when notified of the right to a hearing.
In the event Tobii Dynavox becomes aware of a data breach or inadvertent disclosure of PII, Tobii Dynavox will take immediate steps to limit and mitigate such breach to the extent possible. A senior executive of Tobii Dynavox will notify a senior member of the affected EAs leadership team. This will occur within a reasonable time of confirmation of the event wherein PII was exposed and would include the known relevant details.
The EA and Tobii Dynavox will work cooperatively in determining an action plan, including any required notification of affected persons. In the event Tobii Dynavox is at fault for the breach, Tobii Dynavox carries cyber-liability insurance policy that provides for a number of potential remedies, such as credit monitoring for affected parties, fraud coverage, crisis management communications coverage, business interruption coverage, and data restoration coverage, among others.
In the event of termination of a license to use Tobii Dynavox products, Tobii Dynavox works with the EA, in accordance of the terms of the EAs contract, to destroy all student records contained in Tobii Dynavox systems and then will permanently delete all archival or backup copies of the agency’s or institution’s data. Tobii Dynavox will not knowingly retain copies of any data or information received from EA once EA has directed Tobii Dynavox as to how such information shall be returned and/or destroyed. Furthermore, Tobii Dynavox will ensure that it disposes of any and all data or information received from EA in a commercially reasonable manner that maintains the confidentiality of the contents of such records (e.g. shredding paper records, erasing and reformatting hard drives, erasing and/or physically destroying any portable electronic devices). At the request and expense of the EA, Tobii Dynavox will provide a written certification of destruction.
To the extent parents, guardians or students have questions regarding the content of, or privacy associated with, any applications used by the educational institution, they should contact that agency or institution directly.
Tobii Dynavox may, from time to time, update this policy to be in compliance with evolving (in the USA state and federal) laws and regulations. Tobii Dynavox will not materially change policies and practices to make them less protective of student privacy without the written consent of the EA and the EA may rely upon any and enforce any current or prior version of this policy unless otherwise agreed to in writing.
In the USA the Children’s Online Privacy Protection Act (COPPA) does not apply to Tobii Dynavox. Tobii Dynavox products do not collect personally identifiable information (PII) from children under the age of 13. PII collected and maintained within the Tobii Dynavox products is entered by adults; either the child’s parent, guardian, or caretaker during an enrollment process or subsequently by school officials that use Tobii Dynavox products. Access to the system is granted to all users by the educational agencies and institutions (EAs) which license Tobii Dynavox products. Please note that the collection, input, use, retention, disposal, and disclosure of any private information in Tobii Dynavox software applications are controlled solely by the EAs which license Tobii Dynavox products. Tobii Dynavox cannot delete, change, or disclose any information from our software applications controlled by the EA. To the extent parents, guardians or students have questions regarding the privacy associated with the applications provided by the EA, they must contact that agency or institution directly.
In the USA Student records that are disclosed to Tobii Dynavox by EAs and maintained within Tobii Dynavox products are by definition “education records” under FERPA and not “protected health information” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103. See, also, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records, USED and U.S. Department of Health and Human Services (November 2008).