June 25, 2014 Protection of Personally Identifiable Information
KEEPING YOU INFORMED…
The 2014-2015 New York State Budget was passed on March 31, 2014. The Budget includes, among other things, legislation creating Education Law Section 2-d which protects the privacy of personally identifiable information and creates a parents bill of rights regarding the privacy and security of student and teacher/principal data. Education Law Section 2-d became effective on March 31, 2014. The requirement to publish a parents bill of rights is effective on July 30, 2014.
Appointment of Chief Privacy Officer
Education Law Section 2-d requires the Commissioner of Education to appoint a Chief Privacy Officer for a three-year renewable term. The Chief Privacy Officer’s functions include, but are not limited to: (i) promoting the implementation of sound information practices for privacy and security of student data or teacher or principal data; (ii) assisting the Commissioner in the handling of instances of data breaches; (iii) providing assistance to school districts[1] on minimum standard and best practices associated with privacy and the security of student data; (iv) formulating a procedure within the New York State Education Department (“SED”) where parents, students, superintendents, board members, principals and other people may request information pertaining to student data or teacher or principal data; (v) assisting the Commissioner in establishing protocol for the submission of complaints of possible breaches of student data or teacher or principal data; (vi) making recommendations regarding privacy and the security of student data to the Governor on behalf of SED, the Assembly Speaker, the Senate’s temporary President, and the chairs of the Senate and Assembly Education Committees; and (vii) issuing an annual report on data privacy and security activities, the number and disposition of reported breaches, and a summary of any complaints submitted.
The Commissioner has not yet appointed a Chief Privacy Officer.
Data Collection Transparency and Restrictions
The SED can only collect personally identifiable information for an educational purpose and can only require school districts to submit personally identifiable information where required by law or authorized by the Family Educational Rights and Privacy Act. School districts may not report to the SED juvenile delinquency records, criminal records, medical and health records, and student biometric information unless required by law or if it is considered to be educational enrollment data. Within this context, the Chief Privacy Officer must develop, regularly update and make available on SED’s website an inventory and understandable description of the to be collected student, teacher and principal data elements, along with an explanation and/or legal regulatory authority outlining the reasons these elements are being collected and the intended uses and disclosure of the data.
Data Security and Privacy Standards
The Commissioner, in consultation with the Chief Privacy Officer, is required to promulgate regulations establishing standards for data security and privacy policies and developing one or more model policies for school districts. Those regulations will include a requirement that each school district have a policy on data security and privacy that is consistent with State and federal laws and regulations. A copy of the policy must be published on the school district’s website and provided to all officers and employees.
All new contracts that are effective after March 31, 2014 with an outside contractor involving the receipt of student, teacher or principal data must include a data security and privacy plan outlining how all State, federal and local data security and privacy requirements will be implemented over the contract’s term. The plan should include a signed copy of the parents bill of rights and a requirement that the entity or its assignees has provided or will provide training on the applicable State and federal laws and regulations to any officer or employee who has access to confidential student, teacher or principal data.
Contractors receiving student, teacher or principal data are required to: (i) limit internal access to individuals with legitimate educational interests; (ii) use the records only for the purposes explicitly authorized by the contract; (iii) not disclose information to any other party without prior written parental consent, unless required by statute or court order; (iv) maintain reasonable safeguards to maintain confidentiality; and (v) use encryption technology to protect data from unauthorized disclosure while in its custody. All contracts between the school district and an outside contractor involving the receipt of student, teacher or principal data should include the above provisions.
Breach and Unauthorized Release of Personally Identifiable Information
Where a breach of security occurs resulting in an unauthorized release of student, teacher or principal data, a contractor must notify the school district in the “most expedient way and without unreasonable delay.” The school district must then notify the parent, teacher or principal and the Chief Privacy Officer “in the most expedient way and without reasonable delay.” The contractor is required to promptly reimburse the school district for the “full cost” of those notifications.
Where the Chief Privacy Officer determines that a contractor has engaged in the unauthorized release of confidential data, the Chief Privacy Officer may: (i) preclude the contractor from accessing data from that school district for up to five years; (ii) if the action was knowing or reckless, preclude the contractor from accessing data from any school district for up to five years; (iii) if the action was knowing or reckless, deem the contractor, on any contract involving data access with any school district, to not be a responsible bidder for up to five years; (iv) require the contractor to provide training at its expense to all employees with access to the data, prior to be given further access; and/or (v) if the action is determined to be without intent, knowledge, recklessness or gross negligence, impose no penalty.
Parents Bill of Rights
On or before July 30, 2014, each school district is required to publish a parents bill of rights on its website and include it in all contracts involving the receipt of student data. The parents bill of rights must state in clear and plain English that: (i) student data cannot be sold or released for commercial purposes; (ii) parents have the right to inspect and review the complete contents of their child’s education record; (iii) State and federal law protect the confidentiality of personally identifiable information, and that safeguards to protect personally identifiable information are utilized by the school district (e.g., encryption, firewalls, and password protection); (iv) a list of all student data elements collected by the State is available for public review; and (v) parents have the right to have complaints addressed about possible breaches of student data. The name, phone number, email and mailing address of the person to whom complaints are to be made should also be included in the parents bill of rights.
The parents bill of rights must also include supplemental information for each contract the school district enters into with an outside contractor receiving confidential student data. Thus, the parents bill of rights will be revised as the school district enters into contracts with outside contractors receiving confidential student data. The supplemental information must include: (i) the exclusive purpose(s) for which the data will be used; (ii) how the contractor will ensure confidentiality; (iii) what happens to the data upon the expiration of the contract; (iv) if and how a parent can challenge the accuracy of the data collected; (v) where the data will be stored and security protections taken; and (vi) any other elements developed by the Chief Privacy Officer with input from parents and stakeholders.
Please contact us if you have any questions or concerns about Education Law Section 2-d and/or your compliance with it.
THIS MEMORANDUM IS MEANT TO ASSIST IN THE GENERAL UNDERSTANDING OF CURRENT LAW. IT IS NOT TO BE REGARDED AS LEGAL ADVICE. THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK THE ADVICE OF COUNSEL.
© Lamb & Barnosky, LLP 2014
[1] The term “school district” includes BOCES.