Blog: Student Data Privacy Articles

Practical tips, best practices, and useful student data privacy resources.

NYS Ed Law 2-d Part 121 Requirements

NY State Educators Approach July 1st Deadline to Demonstrate Compliance with Ed Law 2-d Part 121

NY State Educators Approach July 1st Deadline to Demonstrate Compliance with Ed Law 2-d Part 121

 All public school districts in New York state have until July 1, 2020 to complete the requirements of Education Law 2-d. The law protects student data privacy and security by limiting access to students’ personally identifiable information (PII) in all public schools and education agencies throughout the state. The New York Board of Regents adopted additional regulations outlined in Part 121 in January, 2020, and the law is in effect July 1, 2020.

Three key regulations that need to be met by the July 1 deadline include:

  1. Education agencies must adopt a data security and privacy policy.
  2. A Bill of Rights Policy must be posted on the school district or agency website and notice is provided to officers and employees. 
    • This document must be included in every third-party contract the agency enters into where the contractor receives student data or protected teacher/principal data.
    • A Bill of Rights Policy must be signed and posted publicly for each and every vendor that collects/uses student PII.
  3. A Data Privacy Officer is designated to monitor compliance.

Ed Law 2-d, Part 121 applies to the following New York state educational organizations:

  • New York State Education Department (NYSED)
  • PreK–12 public school districts
  • Each Board of Cooperative Educational Services or BOCES
  • All schools that are:
    • Public elementary or secondary
    • Universal pre-kindergarten program
    • Approved provider of preschool special education services
    • Schools for the education of students with disabilities

NYS Ed Law 2-d Part 121 Requirements

Data Security and 
Privacy Policy

  • Educational agencies are to adopt a policy on data security and privacy by July 1, 2020.

Protection of PII

  • Educational agencies must ensure that every use of PII by the educational agency benefits students. Additionally, educational agencies cannot sell or disclose PII for commercial purposes.
  • Educational Agencies must ensure PII is not included in public reports or other documents.

Bill of Rights for Data Privacy and Security

  • A Bill of Rights for Data Privacy and Security must be published on the website of each educational agency and must be included with every contract an educational agency enters into with a third-party contractor that receives PII.
  • Educational agencies are required to post information about third-party contracts on the agency’s website with the Bill of Rights.

Designation of Data Protection Officer

  • Each educational agency must designate a Data Protection Officer to be responsible for the implementation of the policies and procedures required in Education Law 2-D.
  • The designee will also serve as the point of contact for data security and privacy for the educational agency.

NIST Cybersecurity Framework

Third Party Contracts

  • Applies to any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management, conducting studies, or evaluation of publicly funded programs.

Annual Employee Training

  • Educational agencies shall annually provide data privacy and security awareness training to their officers and employees with access to personally identifiable information.

Unauthorized Disclosure Complaint Procedures

  • Educational agencies must establish and communicate to parents, eligible students, principals, teachers, and other staff of an educational agency procedures to file complaints about breaches or unauthorized releases of student data and/or protected teacher or principal data.

Incident Reporting and Notification

  • Educational agencies shall report every discovery or report of a breach or unauthorized release of student, teacher or principal data to the Chief Privacy Officer and notify impacted stakeholders.


How EdPrivacy Can Help

New York state public schools and educational agencies will soon be legally liable to protect all identifiable student data. That is why schools and districts need to feel confident that the digital resources and applications they are using are compliant with state and federal privacy laws.

Education Framework's student data privacy management service, EdPrivacy, includes a database of over 12,500 digital applications and resources, commonly used in classrooms, that have been thoroughly reviewed and vetted to meet local, state and federal privacy specifications. 

Using machine learning-based artificial intelligence, EdPrivacy's proprietary scoring system helps educators and administrators quickly and easily determine which service providers respect and protect student data privacy. EdPrivacy is the only privacy management solution available to K–12 school districts that provides on-demand privacy vetting. With so much at stake, district leaders enjoy student data privacy peace of mind with EdPrivacy. 

Additional Resources