NYS Ed. Law 2-d
Education Law 2-d and Part 121 of the Commissioner's Regulations outline requirements for school districts and BOCES related to the protection of the personally identifiable information (PII) of students, as well as some teacher and principal information. The law and the regulations require schools to undertake a multi-pronged approach to information governance. The following information is excerpted from ESBOCES Data Protection and Planning Document.
- Protection of Personally Identifiable Information (PII): The District will protect student and some teacher and principal PII.
- Parents' Bill of Rights for Data Privacy and Security: The District will develop and post on the District's website a Parents' Bill of Rights with supplemental information regarding each agreement with a third-party contractor that involves the disclosure of PII.
- NIST Cybersecurity Framework: The District will apply the planning, process and categories of information protection in adherence to the NIST Cybersecurity Framework for district practices.
- Third-Party Contracts: The District will, whenever a third-party contractor is given access to PII, ensure that the agreement for using the product or services, or an addendum to that agreement, has all required language.
- Annual Employee Training: The District will provide annual privacy and security awareness training to all employees with access to protected data.
- Unauthorized Disclosure Complaint Procedures: The District will create and publish complaint procedures.
- Incident Reporting & Notification: The District will follow reporting and notification procedures when a breach or unauthorized disclosure of PII occurs.
- Data Protection Officer: The District will appoint a Data Protection Officer to oversee the implementation of Education Law 2-d responsibilities.
Annual Employee Training
- Complying with State & Federal Law: Training on the state and federal laws that protect PII, and how employees can comply with such laws.
- New York State Education Law 2-d:
- Protected Data: Employees need to know what types of information are protected.
- Parents' Rights: Employees should be aware of the Bill of Rights. For example, parents have the right to inspect their child's education record.
- Security Awareness Topics: The NIST CSF includes controls related to personnel being provided cybersecurity awareness education and trained to perform duties consistent with policies and agreements.
- Requirements related to Third-Party Contractor: Employees must be informed that contracts created through clicking an "accept" agreement are subject to Ed Law 2-d if, as a result of using that contractor's product, the contractor receives protected PII from the agency.
- Incident Procedures: Employees must be informed of incident complaints, response, and notification requirements.
- Family Educational Rights and Privacy Act (FERPA): This is the foundational federal law related to the privacy of student educational records. FERPA limits the access to student records and details rules to follow when providing access to or disclosing the data.
- Children's Online Privacy Protection Act (COPPA): COPPA imposes requirements on operators of websites, games, apps or online services directed to children under 13, and on online service providers that collect PII online from a child under 13.
- Protection of Pupil Rights Amendment (PPRA): PPRA defines the rules states and districts must follow when administering surveys, analysis, and evaluations funded by the US Department of Education.
Bill of Rights
A Parents' Bill of Rights for Data Privacy and Security must be published on the website of each educational agency and must be included with every contract an educational agency enters into with a third-party contractor that receives PII.
- Data will not be Sold: A student's PII cannot be sold or released for any commercial purposes.
- The Right to Review Child's Record: Parents have the right to inspect and review the complete contents of their child's education record.
- Data is Protected: State and federal laws protect the confidentiality of PII, and safeguards associated with industry standards and best practices must be in place when data is stored or transferred.
- NYSED Collected Data: A complete list of all student data elements collected by the state is available for public review. Districts must include an appropriate NYSED link and NYSED mailing address for parents.
- Breach Complaint Contact: Parents have the right to have complaints about possible breaches of student data addressed. Districts must include appropriate complaint submission contact information.
- Supplemental Information: Supplemental information for each contract an educational agency enters into with a third-party contractor where the third-party contractor receives student, teacher or principal data.
Education agencies are required to post information about third-party contracts on the agency's website with the Bill of Rights. Supplemental information may be redacted to the extent necessary to safeguard the data.
- Exclusive Purpose for Data Use: The exclusive purpose for which the student, teacher or principal data will be used by the third-party contractor, as defined in the contract.
- Subcontractors Management: How the contractor will ensure that the subcontractor will abide by all applicable data protection requirements, including but not limited to, those outlined in applicable state and federal laws and regulations.
- Contract Duration and Data Destruction: The duration of the contract, including the expiration date and a description of what will happen to the data upon expiration of the contract or other written agreement.
- Data Accuracy: If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student, teacher or principal data that is collected.
- Location of the Data & Security Practices: Where the data will be stored, described in such a manner as to protect data security, and the security protections taken to ensure such data will be protected and data security and privacy risks are mitigated.
- Encryption: Address how the data will be protected using encryption while in motion and at rest.
Part 121 of the Commissioner's Regulations requires agencies to adopt a policy on data security and privacy. Additionally, the law requires agencies to publish the policy on the district's website.
- NIST Cybersecurity Framework Alignment: Policy must align with the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF).
- Data Governance: Every use and disclosure of PII by the district must benefit students and the district.
- Disclosure Avoidance: PII will not be included in public reports or other documents.
- Protections Afforded to Parents: This includes all protections afforded to parents or eligible students, where applicable, under FERPA and IDEA, and the federal regulations implementing such statutes.
- Consistent with State and Federal Laws: Consistent with applicable state and federal laws.
NIST Cybersecurity Framework
Education Law 2-d requires educational agencies to adopt a policy on data security and privacy that aligns with the NIST Cybersecurity Framework, or NIST CSF. At the center of the NIST CSF is the Framework Core, which is a set of activities and desired outcomes to help organizations manage data security and privacy risk. Districts will use a Target Profile, Current Profile, and Action Plan to apply these activities.
NIST CSF Version 1.1 Overview
- Framework Core: A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.
- Framework Core Functions: The Core consists of five concurrent and continuous functions:
These functions provide a high-level, strategic view of the organization's management of cybersecurity risk.
- Framework Implementation Tiers: Tiers characterize an organization's practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.
- Framework Profile: The Profile represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories.
- Current Profile and Target Profile: Profiles are used to identify opportunities for improving the cybersecurity posture by comparing a "Current" Profile (the "as is" state) with a "Target" Profile (the "to be" state).
- Action Plan: The organization compares the Current Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to address gaps, reflecting mission drivers, costs and benefits, and risks.
Personally Identifiable Information (PII)
Protected Student Data
- The term "student" refers to any person attending or seeking to enroll in an educational agency.
- The term "personally identifiable information" ("PII") uses the definition in FERPA. The term PII includes, but is not limited to:
- Student Name
- Parent Names
- Student ID Number
- Student Email
- Student Address
- Student Photos
- Video of Students
- Student Birthday
- Student Medical Information
- Special Education Information
- Other indirect identifiers
- Information that, alone or in combination, would allow a reasonable person to identify the student
Teacher & Principal Data
Personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of Education Law 3012-c and 3012-d is subject to Education Law 2-d.
NYS Ed Law 2-d and Directory Information
- Third-Party Contractors: All FERPA "directory information" continues to be PII under Education Law 2-d. All third-party contractors must sign an agreement before directory information can be transmitted to them.
- If a newsletter is composed in house or by BOCES, and there is no sharing with a third-party contractor, Ed Law 2-d would not apply. However, FERPA will still apply. Some PII might be allowed based on "directory information" or "school official" analysis.
- If a newsletter is composed by a third-party contractor and/or is distributed over the Internet in such a manner that the third-party contractor receives PII, Ed Law 2-d applies and an agreement will be needed.
A third-party contractor is any person or entity, other than an educational agency, that receives student, teacher or principal data from an educational agency pursuant to a contract or other agreement for purposes of providing services to such agency, including but not limited to data management, conducting studies, or evaluation of publicly funded programs.
Required Contract Elements
- Confidentiality Maintained: Contracts must require the confidentiality of shared protected data be maintained in accordance with law and the educational agency's policy.
- Data Security and Privacy Plan: Contracts must include the third-party contractor's data security and privacy plan that is accepted by the educational agency.
- Implementation of all Requirements: Outline how the contractor will implement all state, federal, and local contract requirements, consistent with the agency's policy.
- Security Protections: Specify the administrative, operational and technical safeguards and practices it has in place.
- Supplemental Information Compliance: Demonstrate that it complies with the supplemental information requirements.
- Contractor and Subcontractor Training: Specify how employees and its assignees receive or will receive training on the laws governing data prior to receiving access.
- Subcontractors Management: Specify how the contractor will utilize sub-contractors and how it will manage sub-contractor relationships and contracts.
- Cyber Incident Plan: Specify how the contractor will manage incidents including specifying any plans to identify incidents, and to notify the agency.
- Data Transfer and Disposal: Describe whether, how and when data will be returned or destroyed when the contract is terminated.
- Signed Copy of the Bill of Rights: Include a signed copy of the parents' bill of rights for data privacy and security.