New York State Education Law 2-d went into effect in April 2014. The law focuses on the privacy and security of personally identifiable information of students, classroom teachers, and principals.
The regulations state that education agencies must publish a parent’s bill of rights for data privacy and security. In addition, the parent’s bill of rights must be included with every contract with a third party contractor that receives personally identifiable information.
Parents’ Bill of Rights for Data Privacy and Security
The Mayfield Central School District is committed to ensuring student privacy in accordance with local, state and federal regulations and district policies. To this end and pursuant to U.S. Department of Education (DOE) regulations (Education Law §2-d), the district is providing the following Parents’ Bill of Rights for Data Privacy and Security:
A student’s personally identifiable information cannot be sold or released for any commercial or marketing purposes.
Parents/guardians have the right to inspect and review the complete contents of their child’s education record, including any student data maintained by the Mayfield Central School District.
State and federal laws protect the confidentiality of personally identifiable information and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls and password protection, must be in place when data is stored or transferred.
A complete list of all student data elements collected by the state is available for public review in an Excel file at http://www.p12.nysed.gov/irs/sirs/documentation/NYSEDstudentData.xlsx.
Parents/guardians may also obtain a copy of this list by writing to the Office of Information and Reporting Services, New York State Education Department, Room 863 EBA, 89 Washington Avenue, Albany, New York 12234.
Parents/guardians have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to Dr. Matthew Lewis at email@example.com.
Data Protection Policy
This policy addresses Mayfield Central School District’s responsibility to adopt appropriate administrative, technical and physical safeguards and controls to protect and maintain the confidentiality, integrity and availability of its data, data systems and information technology resources.
It is the responsibility of MCSD:
- to comply with legal and regulatory requirements governing the collection, retention, dissemination, protection, and destruction of information;
- to maintain a comprehensive Data Privacy and Security Program designed to satisfy its statutory and regulatory obligations, enable and assure core services, and fully support the district’s mission;
- to protect personally identifiable information, and sensitive and confidential information from unauthorized use or disclosure;
- to address the adherence of its vendors with federal, state and SED requirements in its vendor agreements;
- to train its users to share a measure of responsibility for protecting District’s initials student data and data systems;
- to identify its required data security and privacy responsibilities and goals, integrate them into relevant processes, and commit the appropriate resources towards the implementation of such goals; and
- to communicate its required data security and privacy responsibilities and goals and the consequences of non-compliance, to its users.
MCSD will utilize the National Institute of Standards and Technology’s Cybersecurity Framework v 1.1 (NIST CSF or Framework) as the standard for its Data Privacy and Security Program.
- The policy applies to MCSD’s employees, and also to independent contractors, interns, volunteers (” Users”) and third-party contractors who receive or have access to MCSD’s data and/or data systems.
- This policy encompasses all systems, automated and manual, including systems managed or hosted by third parties on behalf of the educational agency and it addresses all information, regardless of the form or format, which is created or used in support of the activities of an educational agency.
- This policy shall be published on MCSD’s website and notice of its existence shall be provided to all employees and users.
BOE/Administrators are responsible for the compliance of their programs and offices with this policy, related policies, and their applicable standards, guidelines and procedures. Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented, and program offices will be directed to adopt corrective practices, as applicable.
MCSD’s data privacy officer shall annually report to its Board of Education on data privacy and security activities and progress, the number and disposition of reported breaches, if any, and a summary of any complaint submitted pursuant to Education Law §2-d.
- Laws such as the Family Educational Rights Privacy Act (FERPA), NYS Education Law §2-d and other state or federal laws establish baseline parameters for what is permissible when sharing student PII.
- Data protected by law must only be used in accordance with law and regulation and SED policies to ensure it is protected from unauthorized use and/or disclosure.
- MCSD has established a data governance team to manage its use of data protected by law. The privacy officer and the data governance team will, together with program offices, determine whether a proposed use of personally identifiable information would benefit students and educational agencies, and to ensure that personally identifiable information is not included in public reports or other public documents, or otherwise publicly disclosed;
- No student data shall be shared with third parties without a written agreement that complies with state and federal laws and regulations. No student data will be provided to third parties unless it is permitted by state and federal laws and regulations. Third-party contracts must include provisions required by state and federal laws and regulation.
- The identity of all individuals requesting personally identifiable information, even where they claim to be a parent or eligible student or the data subject, must be authenticated in accordance with MCSD’s procedures.
- It is MCSD’s policy to provide all protections afforded to parents and persons in parental relationships, or students where applicable, required under the Family Educational Rights and Privacy Act, the Individuals with Disabilities Education Act, and the federal regulations implementing such statutes. Therefore, MCSD shall ensure that its contracts require that the confidentiality of student data or teacher or principal APPR data be maintained in accordance with federal and state law and this policy.
- Contracts with third parties that will receive or have access to personally identifiable information must include a data privacy and security plan that outlines how the contractor will ensure the confidentiality of data is maintained in accordance with state and federal laws and regulations and this policy.
Incident Response and Notification
- The District will respond to data privacy and security critical incidents in accordance with its data breach and cyber incident response policy. All breaches of data and/or data systems must be reported to the Privacy Officer, Superintendent, and Technology Director. All breaches of personally identifiable information or sensitive/confidential data must be reported to the Privacy Officer. For purposes of this policy, a breach means the unauthorized acquisition, access, use, or disclosure of student, teacher or principal PII as defined by Education law §2-d, or any SED sensitive or confidential data or a data system that stores that data, by or to a person not authorized to acquire, access, use, or receive the data.
- State and federal laws require that affected individuals must be notified when there has been a breach or unauthorized disclosure of personally identifiable information. Upon receiving a report of a breach or unauthorized disclosure, the Executive Deputy Commissioner, Chief Privacy Officer, Counsel and other subject matter experts will determine whether notification of affected individuals is required, and where required, effect notification in the most expedient way possible and without unreasonable delay.
Acceptable Use Policy, Password Policy and other Related Department Policies
- Users must comply with the Acceptable Use Policy in using District resources. Access privileges will be granted in accordance with the user’s job responsibilities and will be limited only to those necessary to accomplish assigned tasks in accordance with state entity missions and business functions (i.e., least privilege). Accounts will be removed, and access will be denied for all those who have left the agency or moved to another department.
- Users must comply with the password policy.
- All remote connections must be made through managed points-of-entry in accordance with the remote access policy.
All users of district data, data systems and data assets must annually complete the information security and privacy training offered by the department. Information security and privacy training will be made available to all users. Employees must complete the training annually.