Data Security and Privacy
Ed Law 2-D
What is Ed Law 2-d?
In early 2020, the New York State Department of Education adopted a new law focused on the privacy and security of student and staff personally identifiable information (PII). The Educational Law Section 2-d, known amongst NY schools as Ed Law 2-d, provides “guidance to educational agencies and their third-party contractors on ways to strengthen data privacy and security to protect student data and annual professional performance review data.”
NY Ed Law 2-d Security Requirements
In order to strengthen data security and privacy, the New York State Education Department (NYSED) now requires the following of all educational agencies:
Appoint a Data Protection Officer with appropriate knowledge, training, and experience to oversee data security and privacy.
Develop and implement a Data Security and Privacy Policy.
Conduct security training for educational agency employees.
Publish a Parent’s Bill of Rights and include it in every contract with a third-party contractor that receives PII.
Mandate that all third-party contractors submit a Data Security and Privacy Plan for each contract to demonstrate how they will protect PII.
Adopt the NIST Cybersecurity Framework as the standard for data privacy and security and meet the requirements to ensure they are adequately protecting PII.
NYSED Data Security and Privacy Policy
Parent Bill of Rights for Data Privacy and Security
Pursuant to Education Law section 2-d, school districts are now required to publish, on their websites, a parents’ bill of rights for data privacy and security and to include such information with every contract a school district enters into with a third party contractor where the third party contractor receives student data or teacher or principal data. The following is our district’s bill of rights for data privacy and security:
A student’s personally identifiable information (PII) cannot be sold or released by the Unadilla Valley Central School District for any commercial or marketing purposes.
Parents have the right to inspect and review the complete contents of their child’s education record including any student data stored or maintained by the District/BOCES. This right of inspection is consistent with the requirements of the Family Educational Rights and Privacy Act (FERPA). In addition to the right of inspection of the educational record, Education Law §2-d provides a specific right for parents to inspect or receive copies of any data in the student’s educational record. The New York State Department of Education (NYSED) will develop policies and procedures pertaining to this right.
State and federal laws protect the confidentiality of PII, and safeguards associated with industry standards and best practices, including, but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred.
A complete list of all student data elements collected by the State is available for public review at https://www.nysed.gov/data-privacy-security/student-data-inventory. You may also obtain a copy of this list by writing to the Office of Information & Reporting Services, New York State Education Department, Room 863 EBA, 89 Washington Avenue, Albany, NY 12234.
Parents have the right to file complaints with the District/BOCES about possible privacy breaches of student data by the District’s/BOCES’ third party contractors or their employees, officers, or assignees, or with NYSED. Complaints regarding student data breaches should be directed to: Unadilla Valley Central School District Data Coordinator, 4238 State Hwy 8, New Berlin, NY. Phone: (607) 847-7500 email: scooper@uvstorm.org
Complaints to NYSED should be directed in writing to NYSED’s Chief Privacy Officer, Louise DeCandia, New York State Education Department, 89 Washington Avenue, EB 152, Albany NY 12234, email to privacy@nysed.gov. NYSED’s complaint process utilizes an unauthorized Disclosure Complaint form found at Report an Improper Disclosure | New York State Education Department (nysed.gov).
For purposes of further ensuring confidentiality and security of student data, as an appendix to the Parents’ Bill of Rights each contract an educational agency enters into with a third party contractor shall include the following supplemental information:
The exclusive purposes for which the student data, or teacher or principal data, will be used;
How the third party contractor will ensure that the subcontractors, persons or entities that the third party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements;
When the agreement with the third party contractor expires and what happens to the student data or teacher or principal data upon expiration of the agreement;
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected; and
Where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.
In addition, the Chief Privacy Officer (when appointed), with input from parents and other education and expert stakeholders, is required to develop additional elements of the Parents’ Bill of Rights to be prescribed in the Regulations of the Commissioner. Accordingly, this Bill of Rights will be revised from time to time in accordance with further guidance received from the Chief Privacy Officer, the Commissioner of Education and NYSED.
Data Collection Transparency & Restrictions
As part of its commitment to maintaining the privacy and security of student data and teacher and principal data, the District will take steps to minimize its collection, processing, and transmission of PII. Additionally, the District will:
not sell PII nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.
ensure that it has provisions in its contracts with third-party contractors or in separate data sharing and confidentiality agreements that require the confidentiality of shared student data or teacher or principal data be maintained in accordance with law, regulation, and District policy.
Except as required by law or in the case of educational enrollment data, the District will not report to NYSED the following student data elements:
juvenile delinquency records;
criminal records;
medical and health records; and
student biometric information.
Nothing in Education Law Section 2-d or this policy should be construed as limiting the administrative use of student data or teacher or principal data by a person acting exclusively in the person’s capacity as an employee of the District.
District Data Privacy & Security Standards
The District will use the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1) (Framework) as the standard for its data privacy and security program. The Framework is a risk-based approach to managing cybersecurity risk and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. The Framework provides a common taxonomy and mechanism for organizations to:
describe their current cybersecurity posture;
describe their target state for cybersecurity;
identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
assess progress toward the target state; and
communicate among internal and external stakeholders about cybersecurity risk.
The District will protect the privacy of PII by ensuring that every use and disclosure of PII by the District benefits students and the District by considering, among other criteria, whether the use and/or disclosure will:
improve academic achievement;
empower parents and students with information; and/or
advance efficient and effective school operations.
The District will also protect the privacy of PII by not including PII in public reports or other public documents.
The District affords all protections under FERPA and the Individuals with Disabilities Education Act and their implementing regulations to parents or eligible students where applicable.
Third-Party Contractors
District Responsibilities
The District will ensure that whenever it enters into a contract or other written agreement with a third party contractor under which the third-party contractor will receive student data or teacher or principal data from the District, the contract or written agreement will include provisions requiring that confidentiality of shared student data or teacher or principal data be maintained in accordance with law, regulation, and District policy.
In addition, the District will ensure that the contract or written agreement includes the third-party contractor’s data privacy and security plan that has been accepted by the District.
The third-party contractor’s data privacy and security plan must at a minimum:
outline how the third-party contractor will implement all state, federal, and local data privacy and security contract requirements over the life of the contract consistent with District policy;
specify the administrative, operational, and technical safeguards and practices the third-party contractor has in place to protect PII that it will receive under the contract;
demonstrate that the third-party contractor complies with the requirements of 8 NYCRR Section 121.3(c);
specify how officers or employees of the third-party contractor and its assignees who have access to student data or teacher or principal data receive or will receive training on the laws governing confidentiality of this data prior to receiving access;
specify if the third-party contractor will utilize subcontractors and how it will manage those relationships and contracts to ensure PII is protected;
specify how the third-party contractor will manage data privacy and security incidents that implicate PII including specifying any plans to identify breaches and unauthorized disclosures and to promptly notify the District;
describe whether, how, and when data will be returned to the District, transitioned to a successor contractor or, at the District’s option and direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires; and
include a signed copy of the Parents’ Bill of Rights for Data Privacy and Security.
Third-Party Contractor Responsibilities:
Each third-party contractor that enters into a contract or other written agreement with the District under which the third-party contractor will receive student data or teacher or principal data from the District is required to:
adopt technologies, safeguards, and practices that align with the NIST Cybersecurity Framework;
comply with District policy and Education Law Section 2-d and its implementing regulations;
limit internal access to PII to only those employees or subcontractors that have legitimate educational interests (i.e., they need access to provide the contracted services);
not use the PII for any purpose not explicitly authorized in its contract;
not disclose any PII to any other party without the prior written consent of the parent or eligible student:
except for authorized representatives of the third-party contractor such as a subcontractor or assignee to the extent they are carrying out the contract and in compliance with law, regulation, and its contract with the District; or
unless required by law or court order and the third-party contractor provides a notice of the disclosure to NYSED, the Board, or the institution that provided the information no later than the time the information is disclosed unless providing notice of the disclosure is expressly prohibited by law or court order;
maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of PII in its custody;
use encryption to protect PII in its custody while in motion or at rest; and
not sell PII nor use or disclose it for any marketing or commercial purpose or facilitate its use or disclosure by any other party for any marketing or commercial purpose or permit another party to do so.
Where a third-party contractor engages a subcontractor to perform its contractual obligations, the data protection obligations imposed on the third-party contractor by law and contract apply to the subcontractor.
Cooperative Educational Services through a BOCES
The District may not be required to enter into a separate contract or data sharing and confidentiality agreement with a third-party contractor that will receive student data or teacher or principal data from the District under all circumstances. For example, the District may not need its own contract or agreement where:
it has entered into a cooperative educational service agreement (CoSer) with a BOCES that includes use of a third-party contractor’s product or service; and
when BOCES has entered into a contract or data sharing and confidentiality agreement with the third-party contractor, pursuant to Education Law Section 2-d and its implementing regulations, that is applicable to the District’s use of the product or service under that CoSer.
To meet its obligations whenever student data or teacher or principal data from the District is received by a third-party contractor pursuant to a CoSer, the District will consult with the BOCES to, among other things:
ensure there is a contract or data sharing and confidentiality agreement pursuant to Education Law Section 2-d and its implementing regulations in place that would specifically govern the District’s use of a third-party contractor’s product or service under a particular CoSer;
determine procedures for including supplemental information about any applicable contracts or data sharing and confidentiality agreements that a BOCES has entered into with a third-party contractor in its Parents’ Bill of Rights for Data Privacy and Security;
ensure appropriate notification is provided to affected parents, eligible students, teachers, and/or principals about any breach or unauthorized release of PII that a third-party contractor has received from the District pursuant to a BOCES contract; and
coordinate reporting to the Chief Privacy Officer to avoid duplication in the event the District receives information directly from a third-party contractor about a breach or unauthorized release of PII that the third-party contractor received from the District pursuant to a BOCES contract.
FERPA Notification
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA), a Federal law, requires that Unadilla Valley Central School District, with certain exceptions, obtain your written consent prior to the disclosure of personally identifiable information from your child’s education records. However, Unadilla Valley Central School District may disclose appropriately designated “directory information” without written consent, unless you have advised the District to the contrary in accordance with District procedures. The primary purpose of directory information is to allow the Unadilla Valley Central School District to include this type of information from your child’s education records in certain school publications. Examples include:
A playbill, showing your student’s role in a drama production;
The annual yearbook;
Honor roll or other recognition lists;
Graduation programs; and
Sports activity sheets, such as for wrestling, showing weight and height of team members.
Directory information, which is information that is generally not considered harmful and/or invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent. Outside organizations include, but are not limited to, companies that manufacture class rings or publish yearbooks. In addition, the New York State Education Law Section 2-1 and two federal laws require school districts receiving assistance under the Elementary and Secondary Education Act of 1965 (ESEA) to provide military recruiters, upon request, with student names, addresses, and telephone listings unless parents have advised the school district that they do not want their student’s information disclosed without their prior written consent. If you do not want the Unadilla Valley Central School District to disclose some or all directory information from your child’s education records without your prior written consent, you must notify the District in writing.
Unadilla Valley Central School District has designated the following information as directory information: (Note: Unadilla Valley Central School District may, but does not have to, include all the information below.)
Student’s name
Participation in officially recognized activities and sports
Address
Telephone listing
Weight and height of members of athletic teams
Electronic mail address
Student’s image
Degrees, honors, and awards received
Date and place of birth
The most recent educational agency or institution or instruction attended
Major field of study
Date of attendance
Grade level
District Data Security and Privacy Policy
Policy # 7245
Students – Section 7000
SUBJECT: DATA SECURITY AND PRIVACY POLICY
In accordance with New York State Education Law § 2-d, the District hereby implements the requirements of Commissioner’s regulations (8 NYCRR part 121) and aligns its data security and privacy protocols with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or “NIST CSF”).
In this regard, every use and disclosure of personally identifiable information (PII) by the District will benefit students and the District (for example, improving academic achievement, empowering parents and students with information, and/or advancing efficient and effective school operations). PII will not be included in public reports or other documents.
The District also complies with the provisions of the Family Educational Rights and Privacy Act of 1974 (FERPA). Consistent with FERPA’s requirements, unless otherwise permitted by law or regulation, the District will not release PII contained in student education records unless it has received a written consent (signed and dated) from a parent or eligible student. For more details, see Policy 7240 and any applicable administrative regulations.
In addition to the requirements of FERPA, the Individuals with Disabilities Education Act (IDEA) provides additional privacy protections for students who are receiving special education and related services. For example, pursuant to these rules, the District will inform parents of children with disabilities when information is no longer needed and, except for certain permanent record information, that such information will be destroyed at the request of the parents. The District will comply with all such privacy provisions to protect the confidentiality of PII at collection, storage, disclosure, and destruction stages as set forth in federal regulations 34 CFR 300.610 through 300.627.
The Superintendent or his/her designee will establish and communicate procedures for parents, eligible students, and employees to file complaints about breaches or unauthorized releases of student, teacher or principal data (as set forth in 8 NYCRR 121.4). The Superintendent is also authorized to promulgate any and all other regulations necessary and proper to implement this policy.
References:
Education Law § 2-d
8 NYCRR Part 121
Family Educational Rights and Privacy Act of 1974, 20 USC § 1232(g), 34 Code of Federal Regulations (CFR) Part 99
Individuals with Disabilities Education Act (IDEA), 20 USC § 1400 et seq., 34 CFR 300.610–300.627
BOE Adopted: October 26, 2020
Data Protection Officer
The District has designated an employee to serve as the District’s Data Protection Officer.
The Data Protection Officer is responsible for the implementation and oversight of this policy and any related procedures including those required by Education Law Section 2-d and its implementing regulations as well as serving as the main point of contact for data privacy and security for the District.
The District will ensure that the Data Protection Officer has the appropriate knowledge, training, and experience to administer these functions. The Data Protection Officer may perform these functions in addition to other job responsibilities.
The Data Protection Officer for the District is Stephanie Cooper.
Unauthorized Disclosure Form
Parents, eligible students (students who are at least 18 years of age), principals, teachers, and employees of an educational agency may file a complaint about a possible breach or improper disclosure of student data and/or protected teacher or principal data using this form. Submit this form to Unadilla Valley Central School District, Attn: Stephanie Cooper, 4238 State Hwy 8, New Berlin, NY 13411.
Annual Data Privacy and Security Training
The District will annually provide data privacy and security awareness training to its officers and staff with access to PII. This training will include, but not be limited to, training on the applicable laws and regulations that protect PII and how staff can comply with these laws and regulations. The District may deliver this training using online training tools. Additionally, this training may be included as part of the training that the District already offers to its workforce.
Education Law § 2-d, 8 NYCRR Part 121