Issues with Predictive Analytics Vendor Contracts

As with any vendor, colleges need to be sure that a contract with a predictive analytics company protects their students’ privacy and maintains the college’s ownership of that data. This is particularly critical when working with vendors that use cloud-based computing. All vendors must, at a minimum, meet the legal requirements of FERPA but there are other things to consider above and beyond that legal standard.¹ Although colleges’ legal and IT departments probably know what contracts with vendors should look like, here are a few things administrators should keep in mind. This list is not exhaustive but it highlights important components to consider.

• Ownership of the cleaned source data, the repurposed data, and the byproduct data
• Switching vendors
• Vendor bankruptcy, closure, or acquisition
• Vendor outsourcing
• Disaster mitigation, recovery, and breach plan
• Service level agreements
• Security

In some cases, the vendor will not agree to return the cleaned source data to the college, instead destroying it at the end of the contract. The contract should clearly lay out who owns what data and under what terms.² Of course, it should also prohibit the vendor or any partner of the vendor from selling student data.

Return to Top

To prevent vendor lock in, colleges need to have a plan for how they will switch vendors, if they need to, with the minimum amount of pain. To facilitate any transition, the contract should spell out the college’s right to access the data and lay out the process by which the vendor will return the data to the college at the end of the contract. The agreement should include the time frame for the data’s return as well as the format in which the data should be returned. The contract should also obligate the vendor to destroy and verify the destruction of any personally identifiable information when the contract ends.³ Colleges should consider including transition assistance in the contract to ensure a smooth transition to a new solution.⁴ The contract also needs to address the end of the relationship, laying out timelines and each parties’ obligations beyond the ones listed above.⁵

Return to Top

In the relatively new space of predictive analytics, there are bound to be acquisitions and closures. The contract needs to address that possibility. Colleges can find model language in the mergers and acquisitions section in this article: If It's in the Cloud, Get It on Paper.⁶

Return to Top

Many vendors work with subcontractors or other partners. The contract should require them to disclose those partners and their roles in providing services. It should also clarify that the vendor remains responsible for executing all aspects of the contract with the college.⁷

Return to Top

The contract should also outline how the contractor would respond to a disaster and outline a recovery plan, including how the vendor would respond if data are lost or corrupted. The section should detail how the vendor would notify the college, how it would correct the problem, and how it would continue to provide service. The contract should also outline the vendor’s plan of action if there is a data breach. And it should lay out who is responsible for what action and where the liability sits for the breach.

Return to Top

Service level agreements (SLAs) lay out the acceptable levels of service for each element of the service provided.⁸ For example, if a product has an unacceptable outage, the penalty would be addressed in this section. The SLAs should also outline what the vendor will do if the expected level of service is not met.⁹ Examples of SLAs for the University of California system can be found in this University of California Cloud Computing Service Agreement Template (starting on page 11).¹⁰

Return to Top

The contract should clarify the level of security expected by the college. See the next section for more detail.

Return to Top