New York State Education Law 2-d: Data Privacy and Security for Educational Agencies and Contractors
EDUCATION LAW 2-d RIDER
Purpose and Enactment: New York State Education Law 2-d was enacted in 2014 to secure the personally identifiable information (PII) of students, and of teachers and principals, held by educational agencies and their contractors.
Applicability: Applies to educational agencies and third-party contractors working with them.
Compliance Requirements:
Enact and comply with a Parents' "Bill of Rights" regarding protected data.
Ensure each third-party contractor has a detailed data privacy plan.
Require each third-party contractor to sign the educational agency's Parents' Bill of Rights, signifying compliance.
Contractor Obligations for Protected Data:
Treat "Protected Data" as confidential.
Protect Protected Data with at least a reasonable degree of care, and with no less care than the contractor applies to its own confidential data.
Prevent unauthorized dissemination or publication to third parties.
Disclose Protected Data only to employees or agents with a "need to know" under the agreement.
Use Protected Data exclusively for purposes explicitly provided in the agreement.
Protected Data remains the property of the disclosing party.
Maintain sufficient internal controls to safeguard District's Protected Data in accordance with applicable laws and regulations.
Applicable Laws and Regulations:
Children's Internet Protection Act ("CIPA")
Family Educational Rights and Privacy Act ("FERPA")
Health Insurance Portability and Accountability Act of 1996 ("HIPAA")
Part 121 of the Regulations of the Commissioner of Education (as amended)
Definition of Protected Data
Includes any information rendered confidential by State or federal law.
Examples of Student Data: Student demographics, scheduling, attendance, grades, health and discipline tracking, and any other data reasonably considered sensitive or confidential by the District.
Information protected under Education Law 2-d includes:
"Personally identifiable information" from student records, as defined in the FERPA regulations at 34 CFR § 99.3.
Personally identifiable information from District records related to annual professional performance reviews (APPRs) of classroom teachers or principals, which is confidential and not subject to release under Education Law §§ 3012-c and 3012-d.
Contractor and Subcontractor Responsibilities
Compliance: Contractor and any subcontractors, affiliates, or entities receiving, collecting, storing, recording, or displaying Protected Data must comply with New York State Education Law § 2-d.
District Policy: Contractor agrees to comply with applicable District policies on data security and privacy.
Reimbursement for Breaches: Contractor must promptly reimburse the District for the full cost of notifying a parent, eligible student, teacher, or principal of an unauthorized release of Protected Data caused by the Contractor, its subcontractors, and/or assignees.
Data Handling upon Agreement Expiration/Termination: Contractor must return all District data, including Protected Data, by secure transmission, unless otherwise specified.
Data Security and Privacy Plan Requirements
Contractor (and any subcontractors, affiliates, or entities handling Protected Data) must maintain a Data Security and Privacy Plan with the following elements:
Safeguards: Specifies administrative, operational, and technical safeguards and practices for PII received under the contract.
Compliance with Part 121: Demonstrates compliance with the requirements of Section 121.3 of Part 121.
Training: Specifies how officers or employees of the Contractor and its assignees accessing student, teacher, or principal data receive training on federal and state confidentiality laws before receiving access.
Subcontractor Management: Specifies how the Contractor will utilize subcontractors and manage those relationships and contracts to protect PII.
Incident Management: Specifies how data security and privacy incidents involving PII will be managed, including plans to identify breaches, unauthorized disclosures, and promptly notify the educational agency.
Data Disposition: Specifies whether Protected Data will be returned to the District, transitioned to a successor contractor (at District's option), deleted, or destroyed by the Contractor upon contract termination or expiration.
Contractor Actions Pursuant to the Plan
Technology and Safeguards: Adopt technologies, safeguards, and practices aligned with the NIST Cybersecurity Framework (referred to in Part 121.5(a)).
Compliance: Comply with the District's data security and privacy policy, Education Law § 2-d, and Part 121.
Internal Access Limitation: Limit internal access to PII to only those employees or subcontractors needing access to provide contracted services.
Prohibited PII Use: Prohibit the use of PII for any purpose not explicitly authorized in the contract.
Prohibited PII Disclosure: Prohibit disclosure of PII to any other party without prior written consent of the parent or eligible student, except for:
Authorized representatives (subcontractors or assignees) carrying out the contract in compliance with state/federal law and agency contract.
When required by statute or court order, provided the Contractor notifies the department, district board of education, or institution that provided the information no later than the time of disclosure (unless notice is expressly prohibited).
Safeguard Maintenance: Maintain reasonable administrative, technical, and physical safeguards for the security, confidentiality, and integrity of PII in custody.
Encryption: Use encryption to protect PII in custody, both while in motion and at rest.
No Commercial Use: Not sell PII, nor use or disclose it for any marketing or commercial purpose, or facilitate its use or disclosure by any other party for such purposes.
Subcontractor Data Protection and Consent Exception
Subcontractor Obligations: Data protection obligations imposed on the primary third-party contractor by state and federal law and contract also apply to subcontractors.
Consent & Service Request Exception: If a parent or eligible student requests a service or product from a third-party contractor and provides express consent for the use or disclosure of PII for that specific purpose, such use is not deemed a marketing or commercial purpose prohibited by the plan.
Parents' Bill of Rights Acknowledgement
The contractor's signature on the agreement also constitutes an acknowledgment, acceptance, and signature of the District's Parents' Bill of Rights.
Data Privacy and Security Plan Outline (Babylon UFSD)
Contractor Acknowledgements:
Acknowledges obligations under New York Education Law § 2-d regarding student data received from Babylon UFSD.
Understands that failure to fulfill statutory obligations constitutes a breach of the Agreement and may lead to penalties under § 2-d (e.g., civil penalties).
Acknowledges and incorporates the Babylon UFSD Parents' Bill of Rights into its security and privacy plan (as Section 2).
Plan Components:
Student Data and Commitment to Data Security: Outline how all state, federal, and local data security and privacy contract requirements will be met, consistent with NYS Ed Law § 2-d, and demonstrate compliance with Section 121.3(c) of the Regulations.
Employee and Subcontractor Privacy Policy: Specify how personnel (employees, subcontractors) accessing student/teacher/principal data will receive training on confidentiality laws prior to access, and how subcontractor relationships will be managed to protect PII.
Physical Safeguards: Describe the location and manner for data protection, specifying safeguards and practices including:
Password protections.
Administrative procedures.
Encryption while PII is in motion and at rest.
Firewalls.
Data Breaches: Specify how privacy incidents, including breaches and unauthorized disclosures, will be managed, and plans for prompt district notification.
Provisions upon Expiration of Agreement: Describe how and when data will be returned to the district, transitioned to a successor, deleted, or destroyed upon contract termination or expiration.
Privacy Contact Information: Provide contact details (Name, E-mail, Phone) for parents to challenge the accuracy of PII held by the contractor.
Contract Details: State agreement start and end dates. Specify how records containing student PII will be handled (destroyed or returned, method/format) by a given date upon service completion.
Compliance with NYS Education Law Section 2-d (Detailed Provisions)
Applicability: Applies to any