Data Access Agreement

Abstract data image
Contact Us
For questions regarding this agreement, please reach out to your American Councils’ point of contact.


Proprietary Information (“PI”), Personally Identifiable Information (“PII”), and Controlled Unclassified Information (“CUI”), collectively hereinafter referred to as (PI/PII/CUI), may be provided by or collected on behalf of American Councils for International Education: ACTR/ACCELS (“American Councils”), located at 1828 L Street, Northwest, Suite 1200, Washington, District of Columbia, 20036, U.S.A, to or by its funders, volunteers, consultants, contractors, and other third parties, collectively hereinafter referred to as “Partner” or “Partners.” Partners are expected to exercise the highest level of care in maintaining the security and privacy of such PI/PII/CUI.

By accepting, collecting, and/or processing such PI/PII/CUI, Partners affirm that they will comply in perpetuity with the “Terms of Use” outlined below. These Terms of Use are based jointly upon and in consideration of Title 2 of the U.S. Code of Federal Regulations (“CFR Title 2”), Special Publication 800-171 of the U.S. National Institute of Standards and Technology (“NIST 800-171”), and the EU General Data Protection Regulation (“GDPR”).

Please contact your American Councils representative if you have concerns or questions about the Terms of Use below.

Terms of Use

All PI/PII/CUI provided by or collected on behalf of American Councils is considered proprietary and confidential and may not be shared by Partners with other parties without the express written consent of American Councils. Partners will not use or process such PI/PII/CUI for any purpose other than that for which it was provided or collected or for the benefit of American Councils in fulfilling obligations to its funders, government authorities, or other applicable parties.

Upon the request of American Councils, Partners agree to provide a copy to American Councils of or purge such PI/PII/CUI.

1. Security

Partners will take personal and/or organizational measures to protect such PI/PII/CUI from loss or access by unauthorized parties. At a minimum, individuals should protect themselves from basic cybersecurity risks and be familiar with Section 3.8 Media Protection of NIST 800-171.

2. Security Incidents

In the event of a “Security Incident,” as defined by the U.S. National Institute of Standards and Technology, Partners will take immediate action to eliminate or minimize the impact of the Security Incident. Partners will inform American Councils without delay but not to exceed 24 hours of learning of the Security Incident. Partners should provide such information as:

  • The nature of the Security Incident.
  • The number of such PI/PII/CUI records suspected to have been disclosed.
  • The categories of such PI/PII/CUI disclosed (e.g., medical, financial, identification).
  • The measures taken to mitigate the Security Incident.

In the event of a Security Incident that results in an obligation to report to law enforcement, funders, or regulatory bodies, hereinafter referred to as “Authorities,” American Councils will make such reports. Partners are not authorized to represent American Councils but must cooperate with American Councils in its compliance with Authorities.

3. Requests by Data Subjects

If Partners receive a request or complaint from a “Data Subject,” as defined under Article 4.1 of GDPR, pertaining to their personal data, such as a “request to be forgotten,” Partners will notify American Councils without delay but not to exceed 72 hours by sending that request to privacy@americancouncils.org.

For questions regarding this agreement, please reach out to your American Councils’ point of contact.