Parents Bill of Rights For Data Privacy and Security

GIRVIN & FERLAZZO, P.C.

20 Corporate Woods Boulevard Albany, New York 12211

Phone: (518) 462-0300
kal@girvinlaw.com

Parents Bill of Rights For Data Privacy and Security

July 22, 2014

Pursuant to an amendment to the Education Law, section 20-D, school districts are now required to publish, on their websites, a parents bill of rights for data privacy and security and to include such information with every contract a school district enters into with a third party contractor where the third party contractor receives student data or teacher or principal data.

The parents bill of rights for data privacy and security shall state in clear and plain English terms that:

(1) A student’s personally identifiable information cannot be sold or released for any commercial purposes;

(2)  Parents have the right to inspect and review the complete contents of their child’s education record;

(3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred;

(4) A complete list of all student data elements collected by the State is available for public review at fortplain.org or by writing to 25 High Street, Fort Plain, NY 13339; and

(5)  Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to David Ziskin Ed.D., Superintendent of Schools
25 High Street, Fort Plain, NY 13339
518-993-4000 ext. #1000.

The parents bill of rights for data privacy and security shall include supplemental information for each contract an educational agency enters into with a third party contractor where the third party contractor receives student data or teacher or principal data. Such supplemental information shall be developed by the educational agency and shall include:

(1) the exclusive purposes for which the student data or teacher or principal data will be used;

(2) how the third party contractor will ensure that the subcontractors, persons or entities that the third party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security  requirements;

(3) when the agreement expires and what happens to the student data or teacher or principal data upon expiration of the agreement;

(4) if and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected;   and

(5) where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.

The chief privacy officer, to be appointed by the Commissioner, with input from parents and other education and expert stakeholders, may develop additional elements of the parents bill of rights for data privacy and security. In addition, the Commissioner is required to promulgate regulations for a comment period whereby parents and other members of the public may submit comments and suggestions to the chief privacy officer to be considered for inclusion. We will keep you updated should changes occur.

 

These requirements are effective July 31, 2014.