How EdPrivacy Supports NYS Education Law 2-d Updates and Additions

New York State Education Law 2-d went into effect in April, 2014. The law focused on the privacy and security of personally identifiable information (PII) of students, classroom teachers, and principals. New regulations, called “Proposed Addition of Part 121 to the Regulations of the Commissioner Relating to Student Data Privacy,” were suggested in January, 2019. Since that time, Part 121 has moved forward through phases of development and public comments. 

The new proposed regulations will be added to the earlier requirements of Law 2-d, including the requirement that New York State education agencies will adopt the National Institute for Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (CSF or Framework).

Another new requirement is that every state education agency or organization, including school districts, is to designate one or more employees as the agency’s data protection officer(s). These officers have the responsibility to implement the policies and procedures required by the statute; implement regulations; and serve as the agency’s point of contact for data security and privacy.

The law enacted in 2014 will be strengthened by additional requirements, but the primary protection for PII has not changed: education agencies may not sell or disclose PII for marketing or commercial purposes; and minimize the collection, processing or transmission of PII. 

New regulations reiterate that education agencies must publish a parent’s bill of rights for data privacy and security as required by the current Education Law 2-d. In addition, the parent’s bill of rights must be included with every contract with a third party contractor that receives PII.

School Districts should note that contracts include those in electronic form, and click wrap agreements used with software licenses, including those downloaded and/or online applications and transactions for educational technologies and other technologies in which a user must agree to terms and conditions prior to using the product or service.

Sections of the New Proposed Regulations – Part 121

The following section headings outline the type of information included in each of the sections and define terms and responsibilities. For more detail, you can visit the official NY state page.

121.1 Definitions of important terms, including what is included in PII.

121.2 Educational Agency Data Collection Transparency and Restrictions.

121.3 Bill of Rights for Data Privacy and Security.

121.4 Complaints of Breach or Unauthorized Release of Personally Identifiable Information.

121.5 Data Security and Privacy Standard.

121.6 Data Security and Privacy Plan.

121.7 Training for Educational Agency Employees.

121.8 Educational Agency Data Protection Officer.

121.9 Third Party Contractors.

121.10 Reports and Notifications of Breach and Unauthorized Release.

121.11 Third Party Contractor Civil Penalties.

121.12 Right of Parents and Eligible Students to Inspect and Review Students Education Records.

121.13 Chief Privacy Officer’s Powers.

121.14 Severability. 

The current status of these new proposed regulations is that they will be presented to the NY Board of Regents at their October, 2019 meeting. If adopted at that meeting, the regulations will go into effect on October 23, 2019. Educational agencies will have until July 1, 2020 to adopt and publish a data security a privacy policy.

How EdPrivacy Can Help

EdPrivacy utilizes machine learning-based artificial intelligence to create privacy quality scores for thousands of online technology resources commonly used in classrooms across the nation. The scores help educators and administrators quickly identify safe online technologies and easily determine which service providers respect and protect student data privacy. With EdPrivacy, school district leaders better understand school privacy laws for students, and enjoy student data privacy peace of mind. 

For more information on what school and district administrators should know about federal student privacy laws, read EFI’s federal legislation page.


notice of revised rulemaking was published in the State Register on October 23, 2019. A 45-day public comment period is open until December 9, 2019.

October 2019 Update:  Proposed Adoption of Edlaw 2-d Part 121 to the Regulations of the Commissioner Relating to Student Data Privacy and Security

January 2020 Update: Proposed Adoption of Part 121 to the Regulations of the Commissioner of Education Relating to Data Privacy and Security of Student Data and Certain Annual Professional Performance Review Data