Pursuant to an amendment to the Education Law, section 2-D, school districts are now required to publish, on their websites, a parents bill of rights for data privacy and security and to include such information with every contract a school district enters into with a third party contractor where the third party contractor receives student data or teacher or principal data.
The parents bill of rights for data privacy and security shall state in clear and plain English terms that:
(1) A student’s personally identifiable information (PII) cannot be sold or released for any commercial purposes;
(2) Parents have the right to inspect and review the complete contents of their student’s education record stored or maintained by an educational agency;
(3) State and federal laws, such as NYS Education Law 2-d and the Family Education Rights and Privacy Act, that protect the confidentiality of student’s PII, and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred;
(4) A complete list of all student data elements collected by the State is available for public review at fortplain.org or by writing to Data Privacy Officer, 25 High Street, Fort Plain, NY 13339; and
(5) Parents have the right to have complaints about possible breaches and unauthorized disclosure of student data addressed. Complaints should be directed to:
Data Privacy Officer
25 High Street, Fort Plain, NY 13339
518-993-4000 ext. #1000
(6) Parents have the right to be notified in accordance with applicable laws and regulations if a breach or unauthorized release of their student’s PII occurs.
(7) Educational agency workers that handle PII will receive training on applicable state and federal laws, the educational agency’s policies, and safeguards associated with industry standards and best practices that protect PII.
(8) Education agency contracts with vendors that receive PII address statutory and regulatory data privacy and security requirements.
The parents bill of rights for data privacy and security shall include supplemental information for each contract an educational agency enters into with a third party contractor where the third party contractor receives student data or teacher or principal data. Such supplemental information shall be developed by the educational agency and shall include:
(1) the exclusive purposes for which the student data or teacher or principal data will be used;
(2) how the third party contractor will ensure that the subcontractors, persons or entities that the third party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements;
(3) when the agreement expires and what happens to the student data or teacher or principal data upon expiration of the agreement;
(4) if and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected; and
(5) where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.
The chief privacy officer, to be appointed by the Commissioner, with input from parents and other education and expert stakeholders, may develop additional elements of the parents bill of rights for data privacy and security. In addition, the Commissioner is required to promulgate regulations for a comment period whereby parents and other members of the public may submit comments and suggestions to the chief privacy officer to be considered for inclusion. We will keep you updated should changes occur.
Unauthorized Disclosure Complaint Form (Please print and complete this form, then mail to Data Privacy Office, 25 High Street, Fort Plain, NY 13339.)
If you need assistance accessing the complaint form or any other items on this website, contact the district office or firstname.lastname@example.org.