EDUCATION LAW §2-D BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY
Parents (includes legal guardians or persons in parental relationships) and Eligible Students (student 18 years and older) can expect the following:
- A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition.
- The right to inspect and review the complete contents of the student’s education recordstored or maintained by an educational agency. This right may not apply to parents of anEligible Student.
- State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g(34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information.
- Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred.
- A complete list of all student data elements collected by NYSED is available at http://www.nysed.gov/common/nysed/files/programs/data-privacy-security/inventory-of-data-elements-collected-by-nysed_0.pdf and by writing to:Chief Privacy Officer, New York State Education Department, 89 Washington Avenue,Albany, NY 12234.
- The right to have complaints about possible breaches and unauthorized disclosures of PII addressed. Complaints may be submitted to NYSED at http://www.nysed.gov/data-privacy-security/report-improper-disclosure, by mail to: Chief Privacy Officer, New York StateEducation Department, 89 Washington Avenue, Albany, NY 12234; by email to firstname.lastname@example.org; or by telephone at 518-474- 0937.
- To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of PII occurs.
- Educational agency workers that handle PII will receive training on applicable state andfederal laws, policies, and safeguards associated with industry standards and best practicesthat protect PII.
- Educational agency contracts with vendors that receive PII will address statutory andregulatory data privacy and security requirements.