Privacy & Ed Law 2D

PARENTS’ BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY*

Consistent with the adoption by the New York State Legislature of the Common Core Implementation Reform Act of 2014, all parents have the following rights:

• To inspect and review the complete contents of their child’s education record, as defined in the District’s Student Records policy;
   

• To access a complete list of all student data elements collected by the State, which is available for public review at http://www.p12.nysed.gov/irs/sirs/documentation/NYSEDstudentData.xlsx, or by writing to the Office of Information & Reporting Services, New York State Education Department, Room 863 EBA, 89 Washington Avenue, Albany, NY 12234;
   

• To have complaints about possible breaches of student data heard and determined. Complaints should be directed in writing to the Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, New York 12234, or by email to the Chief Privacy Officer at CPO@mail.nysed.gov.
   

• Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred.
   

• To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of PII occurs.
   

• Educational agency workers that handle PII will receive training on applicable state and federal laws, policies, and safeguards associated with industry standards and best practices that protect PII.
   

• Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements.

*In the event the Commissioner of Education issues an enhanced Bill of Rights and/or promulgates regulations setting forth additional elements to be included in the Parents’ Bill of Rights, the Saugerties Central School District reserves the right to revise this document accordingly.

Saugerties Central School District Board Policy

Saugerties Central School District Board Policy

FERPA ANUNAL NOTICE

The Family Educational Rights and Privacy Act (FERPA) affords parents and students who are 18 years of age or older ("eligible students") certain rights with respect to the student's education records.  These rights are:

1. The right to inspect and review the student's education records within 45 days after the day the Saugerties Central School District (“District”) receives a request for access. 

Parents or eligible students who wish to inspect their child’s or their education records should submit to the school principal a written request that identifies the records they wish to inspect.  The school official will make arrangements for access and notify the parent or eligible student of the time and place where the records may be inspected. 

2. The right to request the amendment of the student’s education records that the parent or eligible student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.

Parents or eligible students who wish to ask the District to amend their child’s or their education record should write the school principal, clearly identify the part of the record they want changed, and specify why it should be changed.  If the school decides not to amend the record as requested by the parent or eligible student, the school will notify the parent or eligible student of the decision and of their right to a hearing regarding the request for amendment.  Additional information regarding the hearing procedures will be provided to the parent or eligible student when notified of the right to a hearing.

3. The right to provide written consent before the school discloses personally identifiable information (PII) from the student's education records, except to the extent that FERPA authorizes disclosure without consent.

One exception, which permits disclosure without consent, is disclosure to school officials with legitimate educational interests.  The criteria for determining who constitutes a school official and what constitutes a legitimate educational interest must be set forth in the school’s or school district’s annual notification for FERPA rights.  A school official typically includes a person employed by the school or school district as an administrator, supervisor, instructor, or support staff member (including health or medical staff and law enforcement unit personnel) or a person serving on the school board.  A school official also may include a volunteer, contractor, or consultant who, while not employed by the school, performs an institutional service or function for which the school would otherwise use its own employees and who is under the direct control of the school with respect to the use and maintenance of PII from education records, such as an attorney, auditor, medical consultant, or therapist; a parent or student volunteering to serve on an official committee, such as a disciplinary or grievance committee; or a parent, student, or other volunteer assisting another school official in performing his or her tasks.  A school official typically has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.

Upon request, the school discloses education records without consent to officials of another school or school district in which a student seeks or intends to enroll, or is already enrolled if the disclosure is for purposes of the student’s enrollment or transfer.  

4. The right to file a complaint with the U.S. Department of Education concerning alleged failures by the District to comply with the requirements of FERPA.  The name and address of the Office that administers FERPA are:

Student Privacy Policy Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC  20202

You can review the FERPA regulations, frequently asked questions, significant opinions of the Office, and other information regarding FERPA at the following website:  https://studentprivacy.ed.gov 

DISCOSURE OF RECORDS

FERPA permits the disclosure of PII from students’ education records, without consent of the parent or eligible student, if the disclosure meets certain conditions found in § 99.31 of the FERPA regulations.  Except for disclosures to school officials, disclosures related to some judicial orders or lawfully issued subpoenas, disclosures of directory information, and disclosures to the parent or eligible student, § 99.32 of the FERPA regulations requires the school to record the disclosure.  Parents and eligible students have a right to inspect and review the record of disclosures.  A school may disclose PII from the education records of a student without obtaining prior written consent of the parents or the eligible student –

• To other school officials, including teachers, within the educational agency or institution whom the school has determined to have legitimate educational interests.  This includes contractors, consultants, volunteers, or other parties to whom the school has outsourced institutional services or functions, provided that the conditions listed in § 99.31(a)(1)(i)(B)(1) - (a)(1)(i)(B)(3) are met. (§ 99.31(a)(1))

• To officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled if the disclosure is for purposes related to the student’s enrollment or transfer, subject to the requirements of § 99.34.  (§ 99.31(a)(2))  

• To authorized representatives of the U. S. Comptroller General, the U. S. Attorney General, the U.S. Secretary of Education, or State and local educational authorities, such as the State educational agency (SEA) in the parent or eligible student’s State.  Disclosures under this provision may be made, subject to the requirements of § 99.35, in connection with an audit or evaluation of Federal- or State-supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs.  These entities may make further disclosures of PII to outside entities that are designated by them as their authorized representatives to conduct any audit, evaluation, or enforcement or compliance activity on their behalf, if applicable requirements are met.  (§§ 99.31(a)(3) and 99.35)

• In connection with financial aid for which the student has applied or which the student has received, if the information is necessary for such purposes as to determine eligibility for the aid, determine the amount of the aid, determine the conditions of the aid, or enforce the terms and conditions of the aid.  (§ 99.31(a)(4))

• To State and local officials or authorities to whom information is specifically allowed to be reported or disclosed by a State statute that concerns the juvenile justice system and the system’s ability to effectively serve, prior to adjudication, the student whose records were released, subject to § 99.38.  (§ 99.31(a)(5))

• To organizations conducting studies for, or on behalf of, the school, in order to:  (a)  develop, validate, or administer predictive tests; (b)  administer student aid programs; or (c)  improve instruction, if applicable requirements are met.  (§ 99.31(a)(6))

• To accrediting organizations to carry out their accrediting functions.  (§ 99.31(a)(7))

• To parents of an eligible student if the student is a dependent for IRS tax purposes.  (§ 99.31(a)(8))

• To comply with a judicial order or lawfully issued subpoena if applicable requirements are met.  (§ 99.31(a)(9))

• To appropriate officials in connection with a health or safety emergency, subject to § 99.36.  (§ 99.31(a)(10))

• Information the school has designated as “directory information” if applicable requirements under § 99.37 are met.  (§ 99.31(a)(11))

• To an agency caseworker or other representative of a State or local child welfare agency or tribal organization who is authorized to access a student’s case plan when such agency or organization is legally responsible, in accordance with State or tribal law, for the care and protection of the student in foster care placement.  (20 U.S.C. § 1232g(b)(1)(L))

• To the Secretary of Agriculture or authorized representatives of the Food and Nutrition Service for purposes of conducting program monitoring, evaluations, and performance measurements of programs authorized under the Richard B. Russell National School Lunch Act or the Child Nutrition Act of 1966, under certain conditions.  (20 U.S.C. § 1232g(b)(1)(K))

STUDENT DIRECTORY INFORMATION NOTICE

The Family Educational Rights and Privacy Act (FERPA) defines student directory information as any of the following: name; address; telephone listing; date and place of birth; major field of study; grade level; participation in officially recognized activities and sports; weight and height (if members of athletic teams); dates of attendance; honors, degrees and awards received; electronic mail address; photograph; and the name of the educational agency or institution most recently previously attended by the student. The District will release only the following defined directory information: name, address, telephone listing, date and place of birth, major field of study, grade level, participation in recognized activities and sports, weight and height (if members of athletic teams) honors, degrees and awards received, photograph and name of previous educational institution. Directory information does not include: a) a student's social security number; or b) a student's identification (ID) number, except as provided below.

Directory information includes a student ID number, user ID, or other unique personal identifier used by the student for purposes of accessing or communicating in electronic systems, or that is displayed on a student ID card or badge, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the authorized user. Parents and eligible students may not, by opting out of disclosure of directory information, prevent a school from requiring a student to wear or present a student identification card or a badge that displays information that may be directory information.

New York State adopted Part 121 of the Regulations of the Commissioner of Education on January 3, 2020.  These regulations focus on cybersecurity with an emphasis on protecting personally identifiable information for our students.   In addition, Saugerties would like to promote consistency in its programming for our students.

The lists on the second page contain the district approved technology that meets the new regulations and supports our programming.

Any technology not on this list will be BLOCKED starting March 1, 2020.  Any technology you would like to propose must go through the attached Technology Adoption Process. 

At no point should students be creating accounts or entering personally identifiable information.

Any student accounts will be generated by the district for approved and supported technology.  

Students may enter made up nicknames for programs such as Kahoot. 

View Document 

Parents, eligible students (students who are at least 18 years), principals, teachers, and other employees of the Saugerties Central School District may file a complaint about a possible breach or improper disclosure of student data and/or protected teacher, principal data using this form. A data privacy complaint should be sent to the District’s Data Protection Officer at Call Box A, Saugerties, NY 12477.

Access Form

ADDENDUM TO AGREEMENT 
Regarding  Data Privacy and Security  In Accordance with Section 2-d of the New York Education Law

This is an addendum (the "Addendum") to an agreement (Clinical Affiliation "Agreement") dated _______________ (“Original Agreement”), entered into by between ______________________________________, with its principal place of business located at ____________________________________ ("Contractor"), and Saugerties Central School District, with its principal place of business located at 310 Washington Avenue Ext., Saugerties, NY 12477 ("District"). Upon being executed by Contractor's and District’s authorized representatives, this Addendum shall be deemed to have been in full force and effect as of the effective date of the Agreement it amends.

WHEREAS, District is an educational agency within the meaning of New York State Education Law, Section 2-d (“Section 2-d”), and Contractor is a third-party contractor within the meaning of Section 2-d; and

WHEREAS, Contractor and its authorized officers, employees, students and agents shall have access to “student personally identifiable information (PII)," “student data" and/or "teacher or principal data" regulated by Section 2-d; and

WHEREAS, the provisions of this Addendum are intended to comply with Section 2-d in all respects. To the extent that any term of the Agreement conflicts with the terms of this Addendum, the terms of this Addendum shall apply and be given effect.

NOW, THEREFORE, it is mutually agreed that the Agreement is hereby amended in accordance with this Addendum, as follows:

1. Confidential Information

1.1 Contractor agrees that in performing the Original Agreement with the District, Contractor may have access to confidential information in the possession of District, including student, teacher or principal personally identifiable information (“PII”). For the purposes of this Addendum and the Original Agreement, it is agreed that the definition of Confidential Information includes all documentary, electronic or oral information made known to Contractor or developed or maintained by Contractor through any activity related to the Original Agreement. This Confidential information includes student, teacher and/or principal data (as the terms are defined under Section 2-d.

1.2 Contractor agrees to comply with Section 2-d, and the corresponding regulations promulgated by the Commissioner of Education of New York (“Commissioner”) thereunder, and relevant DISTRICT policies. In addition, Contractor agrees to comply with any changes in Section 2-, the Commissioner’s regulations and relevant DISTRICT policy that may be amended or modified during the term of the Original Agreement.

1.3 Upon expiration of the Agreement to which this Addendum applies, without a successor agreement in place, Contractor shall assist District in exporting all student, teacher and/or principal data previously received by Contractor from, or developed on behalf of, District, and Contractor shall, at the request of District, either securely delete any student, teacher and/or principal data remaining in Contractor's possession or return the student, teacher and/or principal data to District. If student, teacher

and/or principal data is to be maintained by Contractor for any lawful purpose, such data shall remain in an encrypted format and shall be stored on systems maintained by Contractor in a secure data facility located within the United States.

1.4 The parties further agree that the terms and conditions set forth in this Confidential Information section and all of its subparts shall survive the expiration and/or termination of the Original Agreement.

2. Challenges to Data

In the event that a student's parent or an eligible student wishes to challenge the accuracy of student data (pertaining to the particular student) that may include records maintained, stored, transmitted, and/or generated by Contractor pursuant to the Agreement, the challenge will be processed in accordance with the procedures of District.

A teacher or principal who wishes to challenge the accuracy of data pertaining to the teacher or principal personally, which is disclosed to Contractor pursuant to the Agreement, shall do so in accordance with the procedures for challenging APPR data, as established by District.

3. Training

Contractor represents and warrants that any of its officers, employees, and/or assignees who will have access to student, teacher and/or principal data pursuant to the Original Agreement will receive training on the federal and state laws governing confidentiality of such student, teacher and/or principal data, prior to obtaining initial or any further access to such data.

4. Use/Disclosure of Data

4.1 Contractor shall not sell or use for any commercial purpose student, teacher and/or principal data that is received by Contractor pursuant to the Agreement or developed by Contractor to fulfill its responsibilities pursuant to the Agreement.

4.2 Contractor shall use the student, teacher and/or principal data, records, or information solely for the exclusive purpose of and limited to that necessary for the Contractor to perform the duties and services required under the Original Agreement. Such services include, but are not limited to ______________. Contractor shall not collect or use educational records of District or any student, teacher and/or principal data of District for any purpose other than as explicitly authorized in this Addendum or the Original Agreement.

4.3 Contractor shall ensure, to the extent that it receives student, teacher and/or principal data pursuant to the Agreement, that it will not share Confidential Information with any additional parties, including an authorized subcontractor or non-employee agent, without prior written consent of District.

5. Contractor's Additional Obligations under Section 2-d and this Addendum

Contractor acknowledges that, with respect to any student, teacher and/or principal data received through its relationship with District pursuant to the Agreement it is obliged to maintain a Data Security & Privacy Plan, and fulfill the following obligations:

 execute, comply with and incorporate as Exhibit “A” to this Addendum, as required Section 2-d, the Parents’ Bill of Rights for Data Privacy and Security developed by District;

 store all data transferred to Contractor pursuant to the Agreement by District, in an electronic format on systems maintained by Contractor in a secure data facility located within the United States or hard copies under lock and key;

 limit internal access to student, teacher and/or principal data to Contractor's officers, employees and agents who are determined to need such access to such records or data to perform the services set forth in the Original Agreement;

 not disclose student, teacher and/or principal data to any other party who is not an authorized representative of Contractor using the information to carry out Contractor's obligations under the Agreement, unless: (I) the other party has the prior written consent of the applicable student's parent or of the eligible student; or (II) the other party has the prior written consent of the applicable teacher or principal; or (III) the disclosure is required by statute or court order, and notice of the disclosure is provided to District no later than five business days before such information is required or disclosed (unless such notice is expressly prohibited by the statute or court order);

 use reasonable administrative, technical and physical safeguards that align with the NIST Cybersecurity Framework and are otherwise consistent with industry standards and best practices, including but not limited to encryption, firewalls and password protection as specified by the Secretary of the United States Department of HHS in any guidance issued under P.L. 111-5, Section 13402(H)(2), to protect the security, confidentiality and integrity of student and/or staff data of District while in motion or in custody of Contractor from unauthorized disclosure;

 not mine Confidential Information for any purposes other than those agreed to in writing by the Parties. Data mining or scanning of user content for the purpose of advertising or marketing to students or their parents is prohibited; notify District, in the most expedient way possible and without unreasonable delay, of any breach of security resulting in an unauthorized release of any PII. In addition, Contractor shall take immediate steps to limit and mitigate the damage of such security breach or unauthorized release to the greatest extent practicable, and promptly reimburse District for the full cost of any notifications DISTRICT makes as a result of the security breach or unauthorized release. Contractor further acknowledges and understands that Contractor may be subject to civil and criminal penalties in accordance with Section 2-d for violations of Section 2-d and/or this Agreement.

 understand that any breach of the privacy or confidentiality obligations set forth in this Addendum may, at the sole discretion of District, result in District immediately terminating this Agreement; and

 familiarize its applicable officers, employees and agents with this Addendum and with the "Parents' Bill of Rights for Data Privacy and Security."

The Contractor acknowledges that failure to fulfill these obligations shall be a breach of the Agreement.

6. Except as specifically amended herein, all of the terms contained in the Original Agreement are hereby ratified and confirmed in all respects, and shall continue to apply with full force and effect.

IN WITNESS WHEREOF, Contractor and District execute this Addendum to the Agreement as follows:

Contractor Name: DISTRICT

By: 

Title: Title: Superintendent of Schools

Signature: Signature:

Date: Date: