Data Privacy
- Parents Bill of Rights
- Data Privacy Complaint Form
- District Approved Technology
- Sample of Ed Law 2-D Addendum
Parents Bill of Rights
PARENTS’ BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY*
Consistent with the adoption by the New York State Legislature of the Common Core Implementation Reform Act of 2014, all parents have the following rights:
- To inspect and review the complete contents of their child’s education record, as defined in the District’s Student Records policy;
-
To access a complete list of all student data elements collected by the State, which is available for public review at http://www.p12.nysed.gov/irs/sirs/documentation/NYSEDstudentData.xlsx, or by writing to the Office of Information & Reporting Services, New York State Education Department, Room 863 EBA, 89 Washington Avenue, Albany, NY 12234;
-
To have complaints about possible breaches of student data heard and determined. Complaints should be directed in writing to the Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, New York 12234, or by email to the Chief Privacy Officer at CPO@mail.nysed.gov.
-
Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred.
-
To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of PII occurs.
-
Educational agency workers that handle PII will receive training on applicable state and federal laws, policies, and safeguards associated with industry standards and best practices that protect PII.
-
Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements.
*In the event the Commissioner of Education issues an enhanced Bill of Rights and/or promulgates regulations setting forth additional elements to be included in the Parents’ Bill of Rights, the Saugerties Central School District reserves the right to revise this document accordingly.
Data Privacy Complaint Form
Parents, eligible students (students who are at least 18 years), principals, teachers, and other employees of the Saugerties Central School District may file a complaint about a possible breach or improper disclosure of student data and/or protected teacher, principal data using this form. A data privacy complaint should be sent to the District’s Data Protection Officer at Call Box A, Saugerties, NY 12477.
District Approved Technology
New York State adopted Part 121 of the Regulations of the Commissioner of Education on January 3, 2020. These regulations focus on cybersecurity with an emphasis on protecting personally identifiable information for our students. In addition, Saugerties would like to promote consistency in its programming for our students.
The lists on the second page contain the district approved technology that meets the new regulations and supports our programming.
Any technology not on this list will be BLOCKED starting March 1, 2020. Any technology you would like to propose must go through the attached Technology Adoption Process.
At no point should students be creating accounts or entering personally identifiable information.
Any student accounts will be generated by the district for approved and supported technology.
Students may enter made up nicknames for programs such as Kahoot.
Sample of Ed Law 2-D Addendum
ADDENDUM TO AGREEMENT
Regarding Data Privacy and Security In Accordance with Section 2-d of the New York Education Law
This is an addendum (the "Addendum") to an agreement (Clinical Affiliation "Agreement") dated _______________ (“Original Agreement”), entered into by between ______________________________________, with its principal place of business located at ____________________________________ ("Contractor"), and Saugerties Central School District, with its principal place of business located at 310 Washington Avenue Ext., Saugerties, NY 12477 ("District"). Upon being executed by Contractor's and District’s authorized representatives, this Addendum shall be deemed to have been in full force and effect as of the effective date of the Agreement it amends.
WHEREAS, District is an educational agency within the meaning of New York State Education Law, Section 2-d (“Section 2-d”), and Contractor is a third-party contractor within the meaning of Section 2-d; and
WHEREAS, Contractor and its authorized officers, employees, students and agents shall have access to “student personally identifiable information (PII)," “student data" and/or "teacher or principal data" regulated by Section 2-d; and
WHEREAS, the provisions of this Addendum are intended to comply with Section 2-d in all respects. To the extent that any term of the Agreement conflicts with the terms of this Addendum, the terms of this Addendum shall apply and be given effect.
NOW, THEREFORE, it is mutually agreed that the Agreement is hereby amended in accordance with this Addendum, as follows:
1. Confidential Information
1.1 Contractor agrees that in performing the Original Agreement with the District, Contractor may have access to confidential information in the possession of District, including student, teacher or principal personally identifiable information (“PII”). For the purposes of this Addendum and the Original Agreement, it is agreed that the definition of Confidential Information includes all documentary, electronic or oral information made known to Contractor or developed or maintained by Contractor through any activity related to the Original Agreement. This Confidential information includes student, teacher and/or principal data (as the terms are defined under Section 2-d.
1.2 Contractor agrees to comply with Section 2-d, and the corresponding regulations promulgated by the Commissioner of Education of New York (“Commissioner”) thereunder, and relevant DISTRICT policies. In addition, Contractor agrees to comply with any changes in Section 2-, the Commissioner’s regulations and relevant DISTRICT policy that may be amended or modified during the term of the Original Agreement.
1.3 Upon expiration of the Agreement to which this Addendum applies, without a successor agreement in place, Contractor shall assist District in exporting all student, teacher and/or principal data previously received by Contractor from, or developed on behalf of, District, and Contractor shall, at the request of District, either securely delete any student, teacher and/or principal data remaining in Contractor's possession or return the student, teacher and/or principal data to District. If student, teacher
and/or principal data is to be maintained by Contractor for any lawful purpose, such data shall remain in an encrypted format and shall be stored on systems maintained by Contractor in a secure data facility located within the United States.
1.4 The parties further agree that the terms and conditions set forth in this Confidential Information section and all of its subparts shall survive the expiration and/or termination of the Original Agreement.
2. Challenges to Data
In the event that a student's parent or an eligible student wishes to challenge the accuracy of student data (pertaining to the particular student) that may include records maintained, stored, transmitted, and/or generated by Contractor pursuant to the Agreement, the challenge will be processed in accordance with the procedures of District.
A teacher or principal who wishes to challenge the accuracy of data pertaining to the teacher or principal personally, which is disclosed to Contractor pursuant to the Agreement, shall do so in accordance with the procedures for challenging APPR data, as established by District.
3. Training
Contractor represents and warrants that any of its officers, employees, and/or assignees who will have access to student, teacher and/or principal data pursuant to the Original Agreement will receive training on the federal and state laws governing confidentiality of such student, teacher and/or principal data, prior to obtaining initial or any further access to such data.
4. Use/Disclosure of Data
4.1 Contractor shall not sell or use for any commercial purpose student, teacher and/or principal data that is received by Contractor pursuant to the Agreement or developed by Contractor to fulfill its responsibilities pursuant to the Agreement.
4.2 Contractor shall use the student, teacher and/or principal data, records, or information solely for the exclusive purpose of and limited to that necessary for the Contractor to perform the duties and services required under the Original Agreement. Such services include, but are not limited to ______________. Contractor shall not collect or use educational records of District or any student, teacher and/or principal data of District for any purpose other than as explicitly authorized in this Addendum or the Original Agreement.
4.3 Contractor shall ensure, to the extent that it receives student, teacher and/or principal data pursuant to the Agreement, that it will not share Confidential Information with any additional parties, including an authorized subcontractor or non-employee agent, without prior written consent of District.
5. Contractor's Additional Obligations under Section 2-d and this Addendum
Contractor acknowledges that, with respect to any student, teacher and/or principal data received through its relationship with District pursuant to the Agreement it is obliged to maintain a Data Security & Privacy Plan, and fulfill the following obligations:
execute, comply with and incorporate as Exhibit “A” to this Addendum, as required Section 2-d, the Parents’ Bill of Rights for Data Privacy and Security developed by District;
store all data transferred to Contractor pursuant to the Agreement by District, in an electronic format on systems maintained by Contractor in a secure data facility located within the United States or hard copies under lock and key;
limit internal access to student, teacher and/or principal data to Contractor's officers, employees and agents who are determined to need such access to such records or data to perform the services set forth in the Original Agreement;
not disclose student, teacher and/or principal data to any other party who is not an authorized representative of Contractor using the information to carry out Contractor's obligations under the Agreement, unless: (I) the other party has the prior written consent of the applicable student's parent or of the eligible student; or (II) the other party has the prior written consent of the applicable teacher or principal; or (III) the disclosure is required by statute or court order, and notice of the disclosure is provided to District no later than five business days before such information is required or disclosed (unless such notice is expressly prohibited by the statute or court order);
use reasonable administrative, technical and physical safeguards that align with the NIST Cybersecurity Framework and are otherwise consistent with industry standards and best practices, including but not limited to encryption, firewalls and password protection as specified by the Secretary of the United States Department of HHS in any guidance issued under P.L. 111-5, Section 13402(H)(2), to protect the security, confidentiality and integrity of student and/or staff data of District while in motion or in custody of Contractor from unauthorized disclosure;
not mine Confidential Information for any purposes other than those agreed to in writing by the Parties. Data mining or scanning of user content for the purpose of advertising or marketing to students or their parents is prohibited; notify District, in the most expedient way possible and without unreasonable delay, of any breach of security resulting in an unauthorized release of any PII. In addition, Contractor shall take immediate steps to limit and mitigate the damage of such security breach or unauthorized release to the greatest extent practicable, and promptly reimburse District for the full cost of any notifications DISTRICT makes as a result of the security breach or unauthorized release. Contractor further acknowledges and understands that Contractor may be subject to civil and criminal penalties in accordance with Section 2-d for violations of Section 2-d and/or this Agreement.
understand that any breach of the privacy or confidentiality obligations set forth in this Addendum may, at the sole discretion of District, result in District immediately terminating this Agreement; and
familiarize its applicable officers, employees and agents with this Addendum and with the "Parents' Bill of Rights for Data Privacy and Security."
The Contractor acknowledges that failure to fulfill these obligations shall be a breach of the Agreement.
6. Except as specifically amended herein, all of the terms contained in the Original Agreement are hereby ratified and confirmed in all respects, and shall continue to apply with full force and effect.
IN WITNESS WHEREOF, Contractor and District execute this Addendum to the Agreement as follows:
Contractor Name: DISTRICT
By: By: Kirk Reinhardt
Title: Title: Superintendent of Schools
Signature: Signature:
Date: Date: