New York Education Law: Protecting Student and Teacher Data Privacy

The New York Education Law addresses a wide range of topics, from general provisions and school district organization to the rights and responsibilities of teachers and pupils. It also covers taxation, financial administration, special schools, and instruction, as well as higher education and the professions. A critical component of this law focuses on protecting the privacy and security of student and teacher data. This article provides a summary of key aspects of New York Education Law, with a particular focus on § 2-d, which deals with the unauthorized release of personally identifiable information.

Overview of New York Education Law Titles

The New York Education Law is structured into several titles, each addressing a specific area of education. Here's a brief overview:

  • Title I: General Provisions: Covers definitions, the Education Department, the University of the State of New York, and various programs like standardized testing and state financial assistance for higher education.
  • Title II: School District Organization: Details the structure and governance of school districts, including common school districts, union free school districts, and central school districts.
  • Title IV: Teachers and Pupils: Addresses the rights, responsibilities, and salaries of teachers, as well as compulsory education and school census requirements.
  • Title V: Taxation and Financial Administration: Covers the apportionment of public funds, reserve funds, and trusts for schools.
  • Title VI: Special Schools and Instruction: Deals with the education of children in child care institutions, Indian schools, and those with disabilities, as well as gifted education and career programs.
  • Title VII: State and City Colleges and Institutions - Cornell University: Focuses on higher education institutions, including Cornell University and the City University of New York (CUNY).
  • Title VIII: The Professions: Outlines the general provisions for various professions and addresses professional misconduct.

§ 2-d: Unauthorized Release of Personally Identifiable Information

Section 2-d of the New York Education Law is dedicated to preventing the unauthorized release of personally identifiable information (PII) related to students and educators. It establishes definitions, roles, and responsibilities for educational agencies and third-party contractors to safeguard data privacy and security.

Definitions

This section defines key terms to ensure clarity and consistency in its application:

  • Building Principal: A principal subject to annual performance evaluation under specific sections of the law.
  • Classroom Teacher: A teacher subject to annual performance evaluation under specific sections of the law.
  • Educational Agency: A school district, board of cooperative educational services (BOCES), school, or the education department.
  • Personally Identifiable Information (PII): Information that can be used to identify an individual, as defined by federal regulations (Family Educational Rights and Privacy Act - FERPA) and New York State law. For teacher or principal data, it refers to "personally identifying information" as used in subdivision ten of section three thousand twelve-c of this chapter.
  • School: Includes public elementary and secondary schools, universal pre-kindergarten programs, approved preschool special education providers, publicly funded pre-kindergarten programs, special act school districts, approved private schools for students with disabilities, and state-supported or state-operated schools.
  • Student: Any person attending or seeking to enroll in an educational agency.
  • Eligible Student: A student who is eighteen years or older.
  • Parent: A parent, legal guardian, or person in parental relation to a student.
  • Student Data: Personally identifiable information from student records of an educational agency.
  • Teacher or Principal Data: Personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of section three thousand twelve-c of this chapter.
  • Third Party Contractor: Any entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency under a contract or written agreement for services such as data management, storage, studies, or program evaluations. This includes educational partnership organizations and non-profit organizations.

Chief Privacy Officer

To oversee data privacy and security, the law mandates the appointment of a Chief Privacy Officer (CPO) within the New York State Education Department.

  • Appointment and Qualifications: The Commissioner of Education appoints the CPO for a renewable three-year term. The CPO must possess training or experience in state and federal education privacy laws, civil liberties, information technology, and information security.
  • Responsibilities: The CPO reports to the Commissioner on matters affecting privacy and data security, including:
    • Promoting sound information practices for data privacy and security.
    • Assisting in handling data breaches and due process proceedings.
    • Providing guidance to educational agencies on minimum standards and best practices.
    • Formulating procedures for individuals to request information about student or teacher/principal data.
    • Establishing protocols for submitting complaints about potential data breaches.
    • Making recommendations to state officials regarding data privacy and security.
    • Issuing an annual report on data privacy and security activities, breaches, and complaints.
  • Powers: The CPO has the authority to:
    • Access records related to student or teacher/principal data maintained by educational agencies.
    • Review and comment on department programs, proposals, grants, or contracts involving the processing of such data.
    • Exercise other powers deemed appropriate by the Commissioner.

Parents' Bill of Rights for Data Privacy and Security

A crucial component of § 2-d is the Parents' Bill of Rights for Data Privacy and Security. This bill of rights aims to provide transparency and empower parents to understand how their children's data is being used and protected.

  • Supplemental Information for Contracts: Educational agencies must provide supplemental information for each contract with a third-party contractor that receives student or teacher/principal data. This information must include:
    • The exclusive purposes for which the data will be used.
    • How the contractor will ensure that subcontractors adhere to data protection and security requirements.
    • The agreement's expiration date and what happens to the data upon expiration.
    • How parents, students, eligible students, teachers, or principals can challenge the accuracy of the data.
    • Where the data will be stored, with security protections described, including whether the data will be encrypted.
  • Development of Additional Elements: The Chief Privacy Officer, with input from stakeholders, is responsible for developing additional elements of the Parents' Bill of Rights. The Commissioner must establish regulations for a comment period to allow public input. The bill of rights must be completed within 120 days of the section's effective date.

Data Collection Transparency and Restrictions

To minimize the risk of unauthorized data release, the law promotes transparency and imposes restrictions on data collection.

  • Least Intrusive Data Collection: The Department must promote the least intrusive data collection policies practicable. The goal is to improve academic achievement, empower parents, and advance efficient school operations while minimizing the collection and transmission of personally identifiable information.
  • Educational Purpose Limitation: Except as otherwise authorized by law, the department shall only collect personally identifiable information relating to an educational purpose.
  • Prohibited Data Elements: School districts are prohibited from reporting certain student data elements to the department, except as required by law or in the case of educational enrollment data. These include:
    • Juvenile delinquency records
    • Criminal records
    • Medical and health records
    • Student biometric information
  • No Sale or Marketing Use: Personally identifiable information maintained by educational agencies, including data provided to third-party contractors, cannot be sold or used for marketing purposes.
  • Parental Right to Inspect Records: Parents have the right to inspect and review their child's educational record, including any student data stored or maintained by an educational agency. The department must develop policies for school districts that:
    • Provide annual notification to parents of their right to request student data.
    • Ensure security when providing student data to parents, including that only authorized individuals receive such data.
    • Specify a reasonable amount of time in which school districts should respond to such requests.

Data Security and Privacy Standards

The law mandates the establishment of data security and privacy standards to protect student and teacher data from unauthorized access and disclosure.

  • Regulation and Model Policies: The Commissioner, in consultation with the Chief Privacy Officer, must promulgate regulations establishing standards for educational agency data security and privacy policies. They must also develop one or more model policies for use by educational agencies, seeking input from experts in security, cyber-security, and data protection.
  • Standards for Data Security and Privacy Policies: The standards must include:
    • Data privacy protections, including criteria for determining whether a proposed use of personally identifiable information would benefit students and educational agencies, and processes to ensure that personally identifiable information is not included in public reports or other public documents.
    • Data security protections, including data systems monitoring, data encryption, incident response plans, limitations on access to personally identifiable information, safeguards to ensure personally identifiable information is not accessed by unauthorized persons when transmitted over communication networks, and destruction of personally identifiable information when no longer needed.
    • Application of all such restrictions, requirements, and safeguards to third-party contractors.
  • Educational Agency Policies: Each educational agency must have a data security and privacy policy in place that is consistent with state and federal laws and applied to student data and, where applicable, to teacher or principal data.
  • Contractual Provisions: Educational agencies must include provisions in their contracts with third-party contractors or in separate data sharing and confidentiality agreements that require the confidentiality of shared student data or teacher or principal data be maintained in accordance with federal and state law and the educational agency's policy on data security and privacy.
  • Data Security and Privacy Plan: Each educational agency that enters into a contract with a third-party contractor must ensure that the contract includes a data security and privacy plan that outlines how all state, federal, and local data security and privacy contract requirements will be implemented over the life of the contract, consistent with the educational agency's policy on data security and privacy. Such plan shall include, but shall not be limited to, a signed copy of the Parents' Bill of Rights for Data Privacy and Security, and a requirement that any officers or employees of the third party contractor and its assignees who have access to student data or teacher or principal data have received or will receive training on the federal and state law governing confidentiality of such data prior to receiving access.
  • Third Party Contractor Requirements: Each third party contractor that enters into a contract or other written agreement with an educational agency under which the third party contractor will receive student data or teacher or principal data shall:
    • Limit internal access to education records to those individuals that are determined to have legitimate educational interests.
    • Not use the education records for any other purposes than those explicitly authorized in its contract.
    • Except for authorized representatives of the third party contractor to the extent they are carrying out the contract, not disclose any personally identifiable information to any other party:
      • Without the prior written consent of the parent or eligible student; or
      • Unless required by statute or court order and the party provides a notice of the disclosure to the department, district board of education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order;
    • Maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable student information in its custody;
    • Use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the United States department of health and human services in guidance issued under Section 13402(H)(2) of Public Law 111-5.

Breach and Unauthorized Release of Personally Identifiable Information

In the event of a data breach, the law outlines specific requirements for notification and remediation.

  • Third Party Contractor Notification: Each third party contractor that receives student data or teacher or principal data pursuant to a contract or other written agreement with an educational agency shall be required to notify such educational agency of any breach of security resulting in an unauthorized release of such data by the third party contractor or its assignees in violation of applicable state or federal law, the parents' bill of rights for student data privacy and security, the data privacy and security policies of the educational agency and/or binding contractual obligations relating to data privacy.

Additional Key Aspects of New York Education Law

Beyond data privacy, the New York Education Law encompasses various other important aspects of education.

Compulsory Education

  • School attendance is mandatory for children between the ages of 6 and 16, with exceptions for home schooling.

Regulation of Conduct

  • Boards of education have the authority to regulate conduct on school district property.
  • Colleges can regulate conduct on campuses and other college property used for educational purposes.

Instruction in Certain Subjects

  • The law mandates instruction in specific subjects, such as patriotism and citizenship.

Medical and Health Services

  • Schools are required to provide medical and health services to students.
