Nassau Association of School Technologists

Presentation transcript:

Nassau Association of School Technologists
New York Education Law 2-d
Unauthorized release of personally identifiable information

Presented to: Nassau Association of School Technologists
March 17, 2016

Presented by:
Valerie C. D’Aguanno, Ed.D., Assistant Director, Curriculum, Instruction & Technology, Nassau BOCES, 71 Clinton Road, Garden City, NY 11530, 516-396-2530, vdaguanno@nasboces.org
Diana M. Cannino, Esq., Ingerman Smith, LLP, 150 Motor Parkway, Suite 400, Hauppauge, NY 11788, 631-261-8834, dcannino@ingermansmith.com

Parameters of Education Law 2-d
- Obligations of Educational Agencies pursuant to Education Law 2-d
  - Parents’ Bill of Rights
  - Data Security and Privacy Policy
  - Data Security and Privacy Plan
- Obligations of Third Party Contractors

Obligations of Educational Agencies: Parents’ Bill of Rights
5 statutory requirements: The Parents’ Bill of Rights for data privacy and security shall state in clear and plain English terms:
- A student’s personally identifiable information cannot be sold or released for any commercial purpose;
- Parents have the right to inspect and review the complete contents of their child’s education record;
- State and federal laws protect confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including, but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred;
- A complete list of all student data elements collected by the State is available for public review at www.p12.nysed.gov/irs/sirs/documentation/NYSEDstudentData/xlsx; and
- Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to (insert phone number, email and mailing address here).

Obligations of Educational Agencies: Parents’ Bill of Rights (cont’d)
Supplemental information for each contract is to be developed by the educational agency. Such supplemental information shall include:
- The exclusive purposes for which the student data or teacher or principal data will be used;
- How the third party contractor will ensure that the subcontractors, persons or entities that the third party contractor will share the student data or teacher or principal data with, if any, will abide by the data protection and security requirements;
- When the agreement expires and what happens to the student data or teacher or principal data upon expiration of the agreement;
- If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected; and
- Where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.
Additional elements as per regulations promulgated by the Commissioner of Education in conjunction with the Chief Privacy Officer.
Parents’ Bill of Rights documents posted by the State Education Department on July 29, 2014 state that these additional elements are mandatory.

Obligations of Educational Agencies: data security and privacy policy
- The Commissioner will promulgate regulations establishing the standards for such policies, and develop one or more model policies.
- Each educational agency must have such a policy in place following the promulgation of regulations by the Commissioner.
- Accordingly, such policies cannot be drafted and/or adopted until the Commissioner establishes the required regulations.

Obligations of Educational Agencies: data security and privacy policy
While the department has yet to promulgate regulations, the statute does outline standards to be included in each educational agency’s privacy policy. Standards for data security and privacy policies shall include, but not be limited to:
- Data privacy protections, including criteria for determining whether a proposed use of PII would benefit students and educational agencies, and processes to ensure that PII is not included in public reports or other public documents;
- Data security protections, including data systems monitoring, data encryption, incident response plans, limitations on access to PII, safeguards to ensure PII is not accessed by unauthorized persons when transmitted over communication networks, and destruction of PII when no longer needed; and
- Application of all such restrictions, requirements and safeguards to third-party contractors.

Obligations of Educational Agencies: data security and privacy plan
Each educational agency that enters into a contract or other written agreement with a third party contractor under which the third party contractor will receive student data or teacher or principal data shall ensure that such contract or agreement includes a data security and privacy plan. Such plan must outline how all state, federal and local data security and privacy contract requirements will be implemented over the life of the contract, consistent with the agency’s policy on data security and privacy. Such plan shall include, but not be limited to:
- Signed copy of the Parents’ Bill of Rights; and
- Training requirement of all employees who will receive student data or teacher or principal data.
As this plan requires both a completed Parents’ Bill of Rights and a data security and privacy policy, educational agencies currently cannot include such a plan in third party contracts. However, as each educational agency is responsible for ensuring that each contract includes a plan, requesting a plan that comports with the spirit of the law is best practice until regulations are promulgated.

Procedure to be Followed in the Event of a Breach
- In the event of a breach, educational agencies are required to notify either the parent or eligible student of the unauthorized release of student data, and/or the affected teacher or principal of the unauthorized release of teacher or principal data.
- Third party contractors are responsible for reimbursement of the costs of such notifications.
- It is the third party contractor who is liable for a violation of the statute. As such, the Chief Privacy Officer investigates the third party contractor upon his or her receipt of notification that a violation or suspected violation has occurred.
- The penalty is borne by the third party contractor.

Implementation and enforcement
- The Commissioner of Education, in consultation with the Chief Privacy Officer, will promulgate regulations establishing procedures to implement the provisions of Education Law 2-d.
- The Chief Privacy Officer is responsible for investigation of complaints and determining appropriate punishment of third party contractors for violations of this section.
- This section does not create a private right of action against an educational agency.

Obligations of Third Party Contractors
Obligations of Third Party Contractors pursuant to Education Law 2-d: Each third party contractor that enters into a contract or other written agreement with an educational agency under which the third party contractor will receive student data or teacher or principal data shall:
(1) limit internal access to education records to those individuals that are determined to have legitimate educational interests;
(2) not use the education records for any other purposes than those explicitly authorized in its contract;
(3) except for authorized representatives of the third party contractor to the extent they are carrying out the contract, not disclose any personally identifiable information to any other party:
    (i) without the prior written consent of the parent or eligible student; or
    (ii) unless required by statute or court order and the party provides a notice of the disclosure to the department, district board of education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order;
(4) maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable information in its custody;
(5) use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the United States department of health and human services in guidance issued under Section 13402(H)(2) of Public Law 111-5.

PRACTICAL IMPLICATIONS
Educational Agencies
- Gathering and maintaining the required information for each third-party contract
- Adding language to each third-party contract
- Drafting and adopting a Data Security and Privacy Policy to comport with the Commissioner’s regulations
- If necessary, further modifications to agreements to align with requirements of the newly promulgated regulations
Third-Party Contractors
- Implementation/proof of protection mechanisms, such as encryption
- Development of plans to be included with each contract
- Providing “supplemental information” as necessary

Questions?