December 18, 2019 New Regulations Related to Data Privacy and Security
KEEPING YOU INFORMED…
In March 2014, Education Law § 2-d was enacted to protect the privacy and security of personally identifiable information (“PII”) of students and certain annual professional performance review (“APPR”) data of teachers and principals. As you may know, the State has been in the process of developing regulations and, it seems likely that regulations will be adopted during the current school year.
We wish to take this opportunity to remind you of existing obligations pursuant to Education Law § 2-d and to lay out the new requirements that will be mandated by the regulations (when and if the regulations are adopted). The new requirements include, but are not limited to, the appointment of a data protection officer, the adoption of a new data security and privacy policy by July 1, 2020, and the provision of annual training for employees and officers.
1. Possible Time Frame for Adoption of Regulations/Effective Date
Draft regulations were first presented to the Board of Regents at its January 2019 meeting and have since been twice revised. The most recent revision was presented at the October 2019 meeting and published in the October 23, 2019 issue of the New York State Register. If the revised regulations are adopted at the January 2020 Board of Regents meeting, they will become effective on January 29, 2020.
2. Protected Data
As a reminder, the law protects “student data” and “teacher or principal data” (collectively referred to in this memo as “protected data”).
a. Student Data
Student data means PII from student records. PII is defined the same way it is in the regulations implementing the Family Educational Rights and Privacy Act (“FERPA”). PII for student data includes, but is not limited to:
i. A student’s name or address or the names or addresses of a student’s parents or other family members;
ii. Any student personal identifier (g., SSN, student number or biometric record);
iii. Indirect identifiers (g., date of birth, place of birth or mother’s maiden name);
iv. Other information that alone or in combination is linked or linkable to a specific individual and would allow a reasonable person to identify the individual with reasonable certainty; and
v. Any information requested by a person who is reasonably believed to know the identity of the person to whom a record relates.
b. Teacher or Principal Data
Teacher or principal data is defined as PII from records related to the APPR of classroom teachers or principals that is confidential and not subject to release pursuant to Education Law §§ 3012-c and 3012-d (the APPR statutes).
3. Appointment of a Data Protection Officer
Pursuant to the proposed regulations, each educational agency (this includes, among other school entities, school districts, BOCES and charter schools)[1] will be required to designate a Data Protection Officer. This individual will be responsible for the implementation of the policies and procedures required in Education Law § 2-d, as well as the new regulations, and will have the continuing obligation to serve as the point of contact for data security and privacy issues. The Data Protection Officer can be a current employee who will perform the new data security and privacy functions in addition to his or her current job responsibilities.[2] He or she must have the appropriate knowledge, training and experience.
4. Required Data Security and Privacy Policy
By July 1, 2020, if the proposed regulations are adopted, each educational agency will be required to adopt and publish a data security and privacy policy that aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (“the NIST Cybersecurity Framework”) and implement the requirements of the new regulations. The NIST Cybersecurity Framework is guidance that is based on existing standards, guidelines, and practices to assist organizations to better manage and reduce cybersecurity risks. The data security and privacy policy must:
a. Require that every use and disclosure of PII benefits students and the educational agency (examples of benefits include improving academic achievement, empowering parents and students with information, and advancing the efficiency and effectiveness of school operations);
b. Provide that PII will not be included in public reports or other documents; and
c. Include all protections provided to parents and eligible students (students who are 18 or older) pursuant to FERPA and the Individuals With Disabilities Act (“IDEA”).
The policy must be published on the educational agency’s website and notice of the policy must be provided to all employees and officers.
The law provides that the State’s chief privacy officer “shall develop one or more model policies….” At the present time, none has been released.
5. Annual Training for Employees and Officers
If the regulations are adopted, you will be required to provide annual data privacy and security awareness training to all officers and employees with access to PII. This training must include a review of State and federal laws that protect PII and an explanation on how to comply with the laws. The regulations do not specify the method, format or length of the training and do not specify the credentials of a trainer. The draft regulations specifically provide that the training may be delivered using online training tools or included as part of training the educational agency already offers.
6. Data Collection Restrictions and Transparency
PII from protected data cannot be: (i) sold by an educational agency; or (ii) used or disclosed for any marketing or commercial purposes. Further, an educational agency cannot allow a third party to use or disclose PII for any marketing or commercial purpose. While this general requirement was in the existing law, the draft regulations use the specific term “commercial or marketing purpose” and provide the following definition: “the sale of student data; or its use or disclosure for purposes of receiving remuneration, whether directly or indirectly; the use of student data for advertising purposes, or to develop, improve or market products or services to students.” Pursuant to the draft regulations, steps must also be taken to minimize the collection, processing and transmission of PII.
As a reminder, except as otherwise required by law, educational agencies cannot report the following student data elements to SED: (1) juvenile delinquency records; (2) criminal records; (3) medical and health records; and (4) student biometric information.
7. Rights of Parents/Eligible Students to Inspect Education Records
Pursuant to existing State and federal law, parents and eligible students have rights to inspect and review a student’s education record. The proposed regulations set forth the following:
a. An educational agency is required to takes steps to verify the identity of the requestor and verify the requestor’s authority to review a student’s education records;
b. An educational agency can require that requests to inspect and review education records be made in writing;
c. An educational agency is required to annually notify parents of their rights to inspect and review their child’s education record (this requirement can be satisfied within the same document as the annual FERPA notice); and
d. An educational agency must comply with a request for access within a reasonable period of time not to exceed 45 calendar days after receipt of the request.
Pursuant to the proposed regulations, requests by a parent or eligible student for access to a student’s education records cannot be directed to third-party contractors. Written agreements should make clear that any request directed toward a third-party contractor should be forwarded to the educational agency for response.
The proposed regulations provide that, with consent of the parent or eligible student, requested education records may be sent electronically. If sent electronically, however, PII in the requested records must be sent in a manner that is in compliance with State and federal law and “safeguards associated with industry standards and best practices.” These industry standards and best practices include, but are not limited to, encryption and password protection. Encryption requires PII to be rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology set forth in guidance issued by the Secretary of the United States Department of Health and Human Services related to protected health information.
8. Parents’ Bill of Rights for Data Privacy and Security
Since the summer of 2014, each educational agency has been required to publish a parents’ bill of rights on its website. Where a third-party contractor receives protected data, the bill of rights must include supplemental information. Excluding some elements of the supplemental information required for third-party contractors, the requirements related to the parents’ bill of rights will not be changed if the regulations are adopted. The supplemental information must be developed by the educational agency and include the below-listed information (this list includes the existing as well as the proposed new requirements).
a. The exclusive purposes (as defined in the contract) for which student data or teacher or principal data will be used by the third-party contractor.
b. How the third-party contractor will ensure that its subcontractors or other entities to whom the third-party contract discloses protected data will comply with the applicable data protection and security requirements.
c. The duration of the agreement, including the agreement’s expiration date.
d. A description of what will happen to the protected data upon the contract’s expiration.
e. If and how a parent, student, teacher or principal may challenge the accuracy of protected data.
f. Where the protected data will be stored, described in a way to protect data security.
g. The security protections taken to ensure protected data will be protected and that security and privacy risks will be mitigated.
h. How the data will be protected using encryption while in motion and at rest.
The regulations, if adopted, will explicitly require that each supplement to the bill of rights be published on the educational agency’s website. The bill of rights and supplemental information may, however, be redacted to the extent necessary to safeguard the privacy or security of data or technology infrastructure.
This is a good opportunity to confirm that you have obtained the supplemental information for existing third-party contractors and to ensure that forms and templates are appropriately updated when and if the regulations are adopted.
9. Agreements with Third-Party Contractors
A third-party contractor is defined as any person or entity (other than another educational agency, SED, a charter school and certain other schools that are funded, approved or supported or operated by the State)[1] that receives protected data from a district or BOCES pursuant to a “contract or other written agreement” for the purpose of providing services to the district or BOCES. The draft regulations make clear that a “contract or other written agreement” includes click wrap agreements and agreements in electronic form. In other words, whenever an educational agency user must agree to terms and conditions prior to obtaining a software license, downloading or using online applications, or using any other technology, even when the license, application or technology does not cost the user any money, Education Law § 2-d and the new regulations, when and if adopted, will apply. You should review your internal policies and protocols to ensure that employees only use, download and agree to terms and conditions for school-approved applications or other technologies.
a. Third-Party Contractor Obligations
Like the educational agencies with which they work, the proposed regulations, if adopted, will require that third-party contractors adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework. Third-party contractors also must:
i. Comply with the educational agency’s data security and privacy policy and applicable law;
ii. Limit internal access to PII to employees or contractors who need access to provide the services pursuant to the applicable agreement;
iii. Maintain reasonable administrative, technical and physical safeguards to protect PII in its custody;
iv. Use encryption to protect PII while in motion or at rest; and
v. Promptly notify an educational agency of a breach or unauthorized release of PII (see paragraph 10 below) and cooperate with the schools and law enforcement to protect the integrity of investigations into the breach.
Third-party contractors are forbidden from:
i. Using PII for any purpose not explicitly authorized in the agreement;
ii. Selling PII;
iii. Disclosing PII to any other party without the prior written consent of the parent or eligible student except for carrying out its services pursuant to the contract and in compliance with law or unless required by statute or court order (when required by statute or court order, the third-party contractor must provide notice to the educational agency of the disclosure unless the notice is expressly prohibited by the statute or court order); and
iv. Using or disclosing PII for any “commercial or marketing purpose” (see paragraph 6 above).
If the third-party contractor engages a subcontractor, the data protection obligations apply to the subcontractor.
b. Contract Requirements
Pursuant to Education Law § 2-d, contracts with third-party contractors must contain provisions (or there must be separate data sharing and confidentiality agreements) that require the confidentiality of protected data and require that the data is maintained in accordance with law and the educational agency’s data security and privacy policy. Every agreement with a third-party contractor must include a data security and privacy plan. The proposed regulations expand the plan’s requirements. At a minimum, if the regulations are adopted, the plan must:
i. Outline how the third-party contractor will implement all applicable State, federal and local laws and requirements, including the requirements set forth in the educational agency’s data security and privacy policy;
ii. Specify the third-party contractor’s administrative, operational and technical safeguards and practices for the protection of PII;
iii. Demonstrate that the third-party contractor complies with the supplemental information included in the bill of rights with respect to the third-party contractor (see paragraph 8 above) and include a signed copy of the parents’ bill of rights;
iv. Specify how the third-party’s officers, employees and assignees who have access to protected data will receive training prior to accessing the data;
v. Specify how the third-party contractor will manage data security and privacy incidents, including any plans to identify breaches and unauthorized disclosures;
vi. Specify how the third-party contractor will notify the educational agency of a breach or unauthorized release (see paragraph 10(b) below for notification requirements);
vii. Specify whether the third-party contractor will utilize subcontractors and how the third-party contractor will ensure that PII shared with the subcontractors will be protected; and
viii. Describe whether, how and when data will be returned to the educational agency, transitioned to a successor contractor at the educational agency’s option and direction, or deleted or destroyed by the third-party contractor when the contract terminates.
You should review existing contracts to confirm that all agreements with vendors that receive protected data have a data security and privacy plan and, if the regulations are adopted, that any forms or templates are appropriately updated (if necessary).
10. Breaches and Unauthorized Releases
A breach is defined in the proposed regulations as an “unauthorized acquisition, access, use, or disclosure of [protected data] by or to a person not authorized to acquire, access, use, or receive the [protected data].” Unauthorized release (or unauthorized disclosure) is defined as any disclosure or release not permitted by applicable laws or agreements or not responsive to a lawful order (e.g., a court order).
a. New Complaint Procedure Required
The new regulations, if adopted, will require each educational agency to establish procedures for parents, eligible students, teachers, principals and staff to file complaints alleging breaches or unauthorized releases of protected data. An educational agency may require that complaints be submitted in writing. Upon receipt of a complaint, each educational agency is required to:
b. Promptly acknowledge receipt of complaints;
c. Commence an investigation;
d. Take the necessary precautions to protect PII; and
e. Provide the parent, eligible student, teacher, principal or other staff member with its findings or, when allowed, notice that additional time is needed within a “reasonable period” but not more than 60 calendar days from the educational agency’s receipt of the complaint.
The 60 calendar-day period for response will be extended if the educational agency needs additional time or where an educational agency’s response may compromise security or obstruct or hinder a law enforcement investigation. Under these circumstances, the educational agency will be required to provide the parent, eligible student, teacher, principal or other staff member with a written explanation and the approximate date when the educational agency expects to respond to the complaint. Educational agencies will be required to maintain records of complaints in accordance with applicable data retention policies and related laws.
After these procedures are developed, you may need to update the portion of the parents’ bill of rights related to complaints about possible breaches of student data.
b. Notification of Breach or Unauthorized Release
i. Third-Party Contractor Obligations/Potential Penalties
A third-party contractor must notify an educational agency of any breach or unauthorized release of PII in the most expedient way possible and without unreasonable delay. Pursuant to the proposed regulations, this notification will be required to be made no more than seven calendar days after the third-party contractor’s discovery of the breach. When a breach or unauthorized release is attributed to the third-party contractor, the contractor is obligated to reimburse the affected educational agency for the cost of its notification obligations (set forth below). The proposed regulations, like the law, set out potential penalties for third-party contractors, including monetary penalties, preclusion from accessing student data or bidding or offering to work with any educational agency for up to five years, and being ordered to provide additional training to its officers and employees.
ii. Educational Agency’s Obligations
Within 10 calendar days after it receives notice from a third-party contractor or after an educational agency discovers a breach or unauthorized release of protected data, the educational agency must notify the State’s Chief Privacy Officer by using the form or format prescribed by SED.
The educational agency must also notify affected parents, eligible students, teachers and/ or principals “in the most expedient way possible and without unreasonable delay” and, in any event, no more than 60 calendar days after discovery or notification of a breach or unauthorized release. Notification to those affected in the school community may be delayed if notification would interfere with an ongoing law enforcement investigation or if notification would disclose an unfixed security problem and cause further unauthorized disclosure of PII. These notifications must be written clearly and concisely with easy-to-understand plain language. They can be provided by first-class mail, email or telephone. These notices must include the following information, where available:
* A brief description of the breach or unauthorized release;
* The date(s) of the breach or unauthorized release;
* The date of discovery of the breach or unauthorized release;
* A description of the types of PII affected;
* An estimate of the number of records affected;
* A brief description of the investigation or plan to investigate; and
* Contact information for those who can provide additional information related to the breach or unauthorized release.
As 2019 comes to a close, it is a good time to ensure compliance with existing obligations pursuant to Education Law § 2-d and to become familiar with the new requirements that will be mandated by the regulations, if adopted. We will let you know if (and when) the regulations are adopted. If you have any questions regarding the current law or the requirements set forth in the new regulations, please contact Lindsay Crocker or one of our other attorneys by calling (631) 694-2300.
THIS MEMORANDUM IS MEANT TO ASSIST IN GENERAL UNDERSTANDING OF THE CURRENT LAW. IT IS NOT TO BE REGARDED AS LEGAL ADVICE. THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK THE ADVICE OF COUNSEL.
© Lamb & Barnosky, LLP 2019
[1] The rules related to third-party contractors do not apply to contracts between school districts or BOCES and “schools.” School is defined to include: (i) public elementary or secondary schools including charter schools (charter schools are only listed in the proposed regulations and not in the existing law); (ii) UPK programs authorized pursuant to Education Law § 3602-e; (iii) approved providers of preschool special education; (iv) special act school districts as defined in Education Law § 4001; (v) approved private schools for students with disabilities; (vi) State-supported schools subject to Education Law Article 85; and (vii) State-operated schools subject to Education Law Articles 87 or 88.
[1] The rules related to third-party contractors do not apply to contracts between school districts or BOCES and “schools.” School is defined to include: (i) public elementary or secondary schools including charter schools (charter schools are only listed in the proposed regulations and not in the existing law); (ii) UPK programs authorized pursuant to Education Law § 3602-e; (iii) approved providers of preschool special education; (iv) special act school districts as defined in Education Law § 4001; (v) approved private schools for students with disabilities; (vi) State-supported schools subject to Education Law Article 85; and (vii) State-operated schools subject to Education Law Articles 87 or 88.
[1] The law applies, and the proposed regulations will apply (if adopted), to every “educational agency,” which is defined as a school district, BOCES, the New York State Education Department (“SED”) or a school (see definition of “school” in FN 3).
[2] If the assigned individual is a member of a bargaining unit, there may be an obligation to negotiate over the impact of the assignment of these duties, and perhaps even the decision to do so if there is a substantial impact on the employee’s workload or if the work is sufficiently outside of the employee’s normal duties.