Two and a half years have now passed since the New York State Board of Regents put regulations implementing New York State Education Law §2-d into effect. Since then, educational institutions across the state have faced many difficulties ensuring that their technologies, safeguards and practices align with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST) and that their third-party vendor contracts comply with this multifaceted data privacy law. Education Law §2-d applies to school districts, charter schools, universal pre-K providers and BOCES. It also applies to special education schools that have contracted with the NYS Education Department or local school districts.
Under Education Law §2-d, educational institutions must protect students’ personally identifiable information (PII) by ensuring that the use and disclosure of PII benefits students. It also prohibits the inclusion of PII in public reports or other public documents. Schools are also now required to use industry standard safeguards and best practices, such as encryption, firewalls and passwords to ensure data privacy and security.
In addition, schools must publish a Parents’ Bill of Rights for Data Privacy and Security (Bill of Rights) on their website and include it in all third-party contracts where the third-party contractor will receive student data or teacher or principal data. This Bill of Rights sets forth the rights a parent (or eligible student if over 18) has with regard to their child’s data. Included among these rights are that: data will only be disclosed as necessary to achieve educational purposes; data cannot be sold or released for commercial purposes; the parents have the right to inspect, review and correct their child’s education record; parents have the right to make complaints about possible breaches and unauthorized disclosures by filing complaints to the School or directly to the State Education Department; and parents have a right to be notified if a breach or unauthorized release occurs.
Education Law §2-d is also triggered when an educational institution contracts with a third-party contractor for a service where that third-party will receive student data or teacher or principal data. “Student data” is defined broadly as PII. This includes, but is not limited to: the student’s name, address, personal identifiers such as social security number or school ID number, date or place of birth, mother’s maiden name, special education status, etc. However, “teacher or principal data” is more narrowly defined as PII relating to their annual professional performance reviews (APPR). Supplemental information must be included in every third-party contract where data is exchanged that spells out: the purpose for the data disclosure, how the data will be handled after the contract’s termination, what training will be provided to employees regarding data privacy, how the data will be protected, etc.
In addition to contractual obligations and data privacy concerns, other tangential aspects of daily school practices and procedures have been affected by Education Law §2-d in a rather unforeseen manner. For example, Freedom of Information Act requests. The federal Family Education Rights and Privacy Act (FERPA) allows for the disclosure of certain types of PII, without parental consent, that have been classified as “directory information.” Directory information includes information such as a student’s name, address, telephone listing, date and place of birth, participation in officially recognized activities and sports and dates of attendance. Schools in New York were previously able to disclose this information without parental consent so long as it gave public notice of the types of information it had designated as “directory information” and allowed parents or guardians to opt out of disclosure. Prior to Education Law §2-d, if a parent or guardian did not opt out of disclosure, schools could disclose directory information in response to FOIL requests and other standard information requests, such as media inquiries regarding sports events. However, guidance issued by New York State following the implementation of the §2-d regulations suggests that this may no longer be the case for all inquiries. These inquiries should be examined on a case-by-case basis. In instances where a school can show that disclosure of a student’s directory information in response to an information request, such as a media inquiry, would benefit the student and the school district, then disclosure is likely permissible. While not an easy process, over the past two and a half years, schools and their vendors/contractors have become much more adept at recognizing the potential dangers of a data incident or breach and are working to minimize the possibility that a student’s data will be compromised.