NYS Education Law 2-D
The Board of Regents adopted Part 121 of the Regulations of the Commissioner of Education on January 13, 2020. These rules implement Education Law Section 2-d and provide guidance to educational agencies and their third-party contractors on ways to strengthen data privacy and security to protect student data and annual professional performance review data. The regulation went through multiple sets of revisions and three rounds of public comments and went into effect on January 29, 2020. It applies to both charter and traditional public schools.
NYS Legislation SECTION 2-D Unauthorized release of personally identifiable information
Federal Laws That Protect Students
Family Educational Rights and Privacy Act (FERPA):
The foundational federal law on the privacy of students’ educational records, FERPA safeguards student privacy by limiting who may access student records, specifying for what purpose they may access those records, and detailing what rules they have to follow when accessing the data.
Protection of Pupil Rights Amendment (PPRA):
PPRA defines the rules states and school districts must follow when administering tools like surveys, analysis, and evaluations funded by the US Department of Education to students. It requires parental approval to administer many such tools and ensures that school districts have policies in place regarding how the data collected through these tools can be used.
Children's Online Privacy Protection Rule (COPPA):
COPPA imposes certain requirements on operators of websites, games, mobile apps or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
Annual FERPA Notification
Under FERPA, the district has the option of designating certain categories of student information as “directory information”. The Board directs that “directory information” include a student’s:
- Name of student and parent(s)/guardians
- ID number, user ID, or other unique personal identifier used by a student for purposes of accessing or communicating in electronic systems (only if the ID cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student’s identity)
- Address (except information about a homeless student’s living situation, as described below)
- Telephone number
- Date and place of birth
- Major course of study/grade level
- Dates of attendance
- Degrees and awards received
- Most recent school attended
- Grade level
- Photograph
- E-mail address
- Enrollment status
- Participation in recognized school activities/extracurricular activities/sports programs
- Academic honors, achievements, awards, scholarships
Information about a homeless student’s living situation will be treated as a student educational record and will not be deemed directory information. A parent/guardian or eligible student may elect, but cannot be compelled, to consent to release of a student’s address information in the same way they would for other student education records. The district’s McKinney-Vento liaison will take reasonable measures to provide homeless students with information on educational, employment, or other postsecondary opportunities and other beneficial activities.
Social security numbers or other personally identifiable information will not be considered directory information.
Students who opt out of having directory information shared are still required to display their student ID cards.
Once the proper FERPA notification is given by the district, a parent/guardian or student will have 14 days to notify the district of any objections they have to any of the “directory information” designations. If no objection is received, the district may release this information without prior approval of the parent/guardian or student for the release. Once the student or parent/guardian provides the “opt-out,” it will remain in effect after the student is no longer enrolled in the school district.
Parents' Bill of Rights
A Parents' Bill of Rights for Data Privacy and Security must be published on the website of each educational agency and must be included with every contract an educational agency enters into with a third-party contractor that receives PII.
Required Elements
- Data will not be Sold: A student's PII cannot be sold or released for any commercial purposes.
- The Right to Review Child's Record: Parents have the right to inspect and review the complete contents of their child's education record.
- Data is Protected: State and federal laws protect the confidentiality of PII and safeguards associated with industry standards and best practices must be in place when data is stored or transferred.
- NYSED Collected Data: A complete list of all student data elements collected by the state is available for public review. Districts must include an appropriate NYSED link and NYSED mailing address for parents.
- Breach Complaint Contact: Parents have the right to have complaints about possible breaches of student data addressed. Districts must include appropriate complaint submission contact information.
- Supplemental Information: Supplemental information for each contract an educational agency enters into with a third-party contractor where the third-party contractor receives student, teacher or principal data.
Supplemental Information
Educational agencies are required to post information about third-party contracts on the agency's website with the Bill of Rights. Supplemental information may be redacted to the extent necessary to safeguard the data.
Required Elements
- Exclusive Purpose for Data Use: The exclusive purpose for which the student, teacher or principal data will be used by the third-party contractor, as defined in the contract.
- Subcontractors Management: How the contractor will ensure that the subcontractor will abide by all applicable data protection requirements, including but not limited to, those outlined in applicable state and federal laws and regulations.
- Contract Duration and Data Destruction: The duration of the contract, including the expiration date and a description of what will happen to the data upon expiration of the contract or other written agreement.
- Data Accuracy: If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student, teacher or principal data that is collected.
- Location of the Data & Security Practices: Where the data will be stored, described in such a manner as to protect data security, and the security protections taken to ensure such data will be protected and data security and privacy risks are mitigated.
- Encryption: Address how the data will be protected using encryption while in motion and at rest.
Port Washington UFSD - Parents Bill of Rights
Personally Identifiable Information (PII)
Protected Student Data
- The term "student" refers to any person attending or seeking to enroll in an educational agency.
- The term "personally identifiable information" ("PII") uses the definition in FERPA. The term PII includes, but is not limited to:
- Student Name
- Parent Names
- Student ID Number
- Student Email
- Student Address
- Student Photos
- Video of Students
- Student Birthday
- Student Medical Information
- Special Education Information
- Other indirect identifiers
- Information that, alone or in combination would allow a reasonable person to identify the student
Teacher & Principal Data
Personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of Education Law 3012-c and 3012-d is subject to Education Law 2-d.
NYS Ed Law 2-d and Directory Information
- Third-Party Contractors: All FERPA "directory information" continues to be PII under Education Law 2-d. All third-party contractors must sign an agreement before directory information can be transmitted to them.
- Newsletters:
- If a newsletter is composed in-house or by BOCES, and there is no sharing with a third-party contractor, Ed Law 2-d would not apply. However, FERPA will still apply. Some PII might be allowed based on "directory information" or "school official" analysis.
- If a newsletter is composed by a third-party contractor and/or is distributed over the Internet in such a manner that the third-party contractor receives PII, Ed Law 2-d applies and an agreement will be needed.
New York State Law:
Education Law 2-d and Part 121 of the Commissioner's Regulations outline requirements for school districts and BOCES related to the protection of the personally identifiable information (PII) of students, as well as some teacher and principal information. The law and the regulations require schools to undertake a multi-pronged approach to information governance.
NYS Education Law Section 2-d
Data Elements Inventory
Children's Internet Protection Act (CIPA)
The Children's Internet Protection Act (CIPA) was enacted by Congress in 2000 to address concerns about children's access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program – a program that makes certain communications services and products more affordable for eligible schools and libraries. In early 2001, the FCC issued rules implementing CIPA and provided updates to those rules in 2011.
Annual Employee Training
Educational agencies are responsible for providing data privacy and security awareness training annually to their officers and employees who have access to personally identifiable information. Training should cover the applicable state and federal laws and how employees can comply with them. Each agency must also provide notice of the agency's data security and privacy policy to all its officers and employees.
Best Practices
- New York State Education Law 2-d:
- Protected Data: Employees need to know what types of information are protected.
- Parents' Rights: Employees should be aware of the Bill of Rights. For example, parents have the right to inspect their child's education record.
- District Policy: Each agency must provide notice of the agency's data security and privacy policy to all its officers and employees.
- Security Awareness Topics: The NIST CSF includes controls related to personnel being provided cybersecurity awareness education and trained to perform duties consistent with policies and agreements.
- Requirements related to Third-Party Contractor: Employees must be informed that contracts created through clicking an "accept" agreement are subject to Ed Law 2-d if, as a result of using that contractor's product, the contractor receives protected PII from the agency.
- Incident Procedures: Employees must be informed of incident complaints, response, and notification requirements.
Data Protection Officer
Port Washington UFSD Data Protection Officer:
Christine Wise
90 Avenue C
Port Washington, NY 11050
(516)767-5470
Parents have the right to file complaints about possible breaches of student data. Parents may submit a complaint regarding a potential breach to the District Data Privacy Officer listed above. The School District shall promptly acknowledge any complaints received and commence an investigation into the complaint, while taking the necessary precautions to protect personally identifiable information. The School District shall provide a response detailing its findings from the investigation no more than sixty (60) days after receipt of the complaint.
Report an Improper Disclosure through NYSED Data Privacy and Security
Complaints pertaining to the State Education Department or one of its third-party vendors should be directed in writing to the Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234, or email to [email protected] or by telephone at 518-474-0937.
You can also complete the form below, thoroughly, including sufficient detail that will allow the complaint to be investigated. Please do NOT include any information in this form that would constitute student personally identifiable information (PII). SED will contact you if additional information is needed. By filing this form, you are filing a complaint with the Chief Privacy Officer alleging that PII has been disclosed to or accessed by an unauthorized person.
To submit a complaint or report, please access the form from the following link:
Port Washington UFSD Disclosure or Breach Reporting Form
Data Security & Privacy Policy
Part 121 of the Commissioner's Regulations requires agencies to adopt a policy on data security and privacy. Additionally, the law requires agencies to publish the policy on the district's website.
Port Washington UFSD Data Security & Privacy Policy
Required Elements
- NIST Cybersecurity Framework Alignment: Policy must align with the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF).
- Data Governance: Every use and disclosure of PII by the district must benefit students and the district.
- Disclosure Avoidance: PII will not be included in public reports or other documents.
- Protections Afforded to Parents: This includes all protections afforded to parents or eligible students, where applicable, under FERPA and IDEA, and the federal regulations implementing such statutes.
- Consistent with State and Federal Laws: Consistent with applicable state and federal laws.
NIST Cybersecurity Framework
Education Law 2-d requires educational agencies to adopt a policy on data security and privacy that aligns with the NIST Cybersecurity Framework, or NIST CSF. At the center of the NIST CSF is the Framework Core, a set of activities and desired outcomes that help organizations manage data security and privacy risk. Districts will use a Target Profile, Current Profile, and Action Plan to apply these activities.
NIST CSF Version 1.1 Overview
- Framework Core: A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.
- Framework Core Functions: The Core consists of five concurrent and continuous functions:
- Identify
- Protect
- Detect
- Respond
- Recover
- These functions provide a high-level, strategic view of the organization's management of cybersecurity risk.
- Framework Implementation Tiers: Tiers characterize an organization's practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.
- Framework Profile: The Profile represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories.
- Current Profile and Target Profile: Profiles are used to identify opportunities for improving the cybersecurity posture by comparing a "Current" Profile (the "as is" state) with a "Target" Profile (the "to be" state).
- Action Plan: The organization compares the Current Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to address those gaps, reflecting mission drivers, costs and benefits, and risks.
Third-Party Contracts
A third-party contractor is any person or entity, other than an educational agency, that receives student, teacher or principal data from an educational agency pursuant to a contract or other agreement for purposes of providing services to such agency, including but not limited to data management, conducting studies, or evaluation of publicly funded programs.
Required Contract Elements
- Confidentiality Maintained: Contracts must require the confidentiality of shared protected data be maintained in accordance with law and the educational agency's policy.
- Data Security and Privacy Plan: Contracts must include the third-party contractor's data security and privacy plan that is accepted by the educational agency.
- Implementation of all Requirements: Outline how the contractor will implement all state, federal, and local contract requirements, consistent with the agency's policy.
- Security Protections: Specify the administrative, operational and technical safeguards and practices it has in place.
- Supplemental Information Compliance: Demonstrate that it complies with the supplemental information requirements.
- Contractor and Subcontractor Training: Specify how employees and assignees receive or will receive training on the laws governing data prior to receiving access.
- Subcontractors Management: Specify how the contractor will utilize sub-contractors and how it will manage subcontractor relationships and contracts.
- Cyber Incident Plan: Specify how the contractor will manage incidents including specifying any plans to identify incidents, and to notify the agency.
- Data Transfer and Disposal: Describe whether, how and when data will be returned or destroyed when the contract is terminated.
- Signed Copy of the Bill of Rights: Include a signed copy of the parents' bill of rights for data privacy and security.
Family Engagement Resources for Internet Safety
Common Sense Media- Digital Citizenship Resources for Family Engagement
Boost your family engagement program with articles, videos, and ready-made presentations about online safety and privacy.
FTC: Protecting Kids Online
How to talk to your kids about being online, and how to help them make good decisions and stay safe.
Google Safety Center
Children today are growing up with technology, not growing into it like previous generations. So we’re working directly with experts and educators to help you set boundaries and use technology in a way that’s right for your family.
Optimum Online Security
Identity Protection: Protect your identity. Phishing scams are a common way people are tricked into providing personal information via email. Commonly, the email appears to come from a trusted source, like a large, known organization, and asks recipients to click on a link in order to verify or update contact details or credit card information.
Verizon Parental Controls
Your Verizon router comes with parental controls designed to allow control of Internet access on all devices connected to your home network. Prevent your children from attempting to access inappropriate websites with the steps below.
TIPS FOR PARENTS ON RAISING PRIVACY-SAVVY KIDS
Below is an article from the National Cybersecurity Alliance that contains tips for parents on raising privacy-savvy kids.
TIPS FOR PARENTS ON RAISING PRIVACY-SAVVY KIDS