NY State Educators Approach July 1st Deadline to Demonstrate Compliance with Ed Law 2-d Part 121 June 14, 2020By Katie Onstad New York Privacy Laws NY Ed Law 2d NY State Educators Approach July 1st Deadline to Demonstrate Compliance with Ed Law 2-d Part 121 All public school districts in New York state have until July 1, 2020 to complete the requirements of Education Law 2-d. The law protects student data privacy and security by limiting access to students’ personally identifiable information (PII) in all public schools and education agencies throughout the state. The New York Board of Regents adopted additional regulations outlined in Part 121 in January, 2020, and the law is in effect July 1, 2020. Three key regulations that need to be met by the July 1 deadline include: Education agencies must adopt a data security and privacy policy. A Bill of Rights Policy must be posted on the school district or agency website and notice is provided to officers and employees. This document must be included in every third-party contract the agency enters into where the contractor receives student data or protected teacher/principal data. A Bill of Rights Policy must be signed and posted publicly for each and every vendor that collects/uses student PII. A Data Privacy Officer is designated to monitor compliance. Ed Law 2-d, Part 121 applies to the following New York state educational organizations: New York State Education Department (NYSED) PreK–12 public school districts Each Board of Cooperative Educational Services or BOCES All schools that are: Public elementary or secondary Universal pre-kindergarten program Approved provider of preschool special education services Schools for the education of students with disabilities NYS Ed Law 2-d Part 121 Requirements Data Security and Privacy Policy Educational agencies are to adopt a policy on data security and privacy by July 1, 2020. Protection of PII Educational agencies must ensure that every use of PII by the educational agency benefits students. Additionally, educational agencies cannot sell or disclose PII for commercial purposes. Educational Agencies must ensure PII is not included in public reports or other documents. Bill of Rights for Data Privacy and Security A Bill of Rights for Data Privacy and Security must be published on the website of each educational agency and must be included with every contract an educational agency enters into with a third-party contractor that receives PII. Educational agencies are required to post information about third-party contracts on the agency’s website with the Bill of Rights. Designation of Data Protection Officer Each educational agency must designate a Data Protection Officer to be responsible for the implementation of the policies and procedures required in Education Law 2-D. The designee will also serve as the point of contact for data security and privacy for the educational agency. NIST Cybersecurity Framework Educational agencies are to adopt a policy on data security and privacy that aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Third Party Contracts Applies to any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management, conducting studies, or evaluation of publicly funded programs. Annual Employee Training Educational agencies shall annually provide data privacy and security awareness training to their officers and employees with access to personally identifiable information. Unauthorized Disclosure Complaint Procedures Educational agencies must establish and communicate to parents, eligible students, principals, teachers, and other staff of an educational agency procedures to file complaints about breaches or unauthorized releases of student data and/or protected teacher or principal data. Incident Reporting and Notification Educational agencies shall report every discovery or report of a breach or unauthorized release of student, teacher or principal data to the Chief Privacy Officer and notify impacted stakeholders. How EdPrivacy Can Help New York state public schools and educational agencies will soon be legally liable to protect all identifiable student data. That is why schools and districts need to feel confident that the digital resources and applications they are using are compliant with state and federal privacy laws. Education Framework's student data privacy management service, EdPrivacy, includes a database of over 12,500 digital applications and resources, commonly used in classrooms, that have been thoroughly reviewed and vetted to meet local, state and federal privacy specifications. Using machine learning-based artificial intelligence, EdPrivacy's proprietary scoring system helps educators and administrators quickly and easily determine which service providers respect and protect student data privacy. EdPrivacy is the only privacy management solution available to K–12 school districts that provides on-demand privacy vetting. With so much at stake, district leaders enjoy student data privacy peace of mind with EdPrivacy. Additional Resources How EdPrivacy Supports NYS Education Law 2-d Updates and Additions Infographic overview of NY State education law New York State Education Department FAQs Related Posts How Schools Can Manage COPPA Compliance School and district leaders are adopting new technologies quickly - learn how to make sure your school is meeting COPPA compliance. Helping School Districts Address FERPA Compliance Meeting FERPA regulations and ensuring FERPA compliance is no easy task. Learn the solutions that schools use to manage student privacy. What is PII? What Districts and Families Need to Know Personally identifiable information, or PII, is any data point that can be used to identify a specific individual. Understanding how to protect student PII begins with knowing what data is being collected. Learn more about the federal and state data privacy laws that govern the protection of student information, and how EdPrivacy helps districts proactively protect PII. Optimize Student Data Protection with this EdPrivacy Checklist Take full advantage of the student data privacy and security benefits that EdPrivacy provides. Follow this simple checklist to enhance your data protection program and get the year off to a smart start. What is App Vetting and Why is it Important? School district leaders are tasked with protecting student data. Here we share the importance of reading the privacy policy and vetting apps for privacy before approving them for student use, and explore the benefits of outsourcing the vetting process to data professionals. The California Consumer Privacy Act Bolstering Student Data Privacy Goes into Effect Beginning January 1, 2020, The California Consumer Privacy Act of 2018 (CCPA) is in effect. This comprehensive law protects the personal information of all California residents collected by any company doing business in the state of California. Edtech companies that collect PII from California students are bound by this new law. Read more about CCPA and learn how EdPrivacy helps school district leaders navigate the requirements of multiple laws and ensure student data is properly protected.