On March 31, 2014, Gov. Cuomo signed state budget legislation that created section 2-d of the state Education Law, which requires districts to take steps to protect student information and inform parents of their rights regarding such information. While the law includes specific requirements, it states that additional requirements, a model policy and guidance will be promulgated by the State Education Department (SED).
More than a year later, SED has yet to publish regulations to enumerate those requirements or otherwise establish procedures for proper implementation of this new section of law. Former Education Commissioner John King Jr. appointed an interim chief privacy officer – Tina Sciocchetti, SED’s Executive Director for Test Security and Educator Integrity. But in 2015 budget legislation, the Legislature amended section 2-d to require the commissioner to appoint a full-time chief privacy officer.
As a result, school districts have been on their own in their efforts to comply with section 2-d, which requires districts to:
- Publish a Parents’ Bill of Rights.
- Ensure that contracts under which contractors will receive student data include a data security and privacy plan.
- Develop and adopt a district policy on data security and privacy.
The language of section 2-d makes it clear that contractors have an independent obligation to protect and secure student data in their custody through various methods, including encryption, as well as develop a data security and privacy plan that is consistent with the law and school district policy.
Until state regulations specify all requirements, districts cannot be certain that they are fully complying with the intent of the Legislature. In the absence of such regulations, best practice is to comply with the letter and spirit of section 2-d by taking steps to protect the privacy of student information and provide parents with information regarding how student data is maintained by third party contractors.
While section 2-d also extends protection to teacher and/or principal data, this article will focus on known requirements involving student data.
Developing your Parents’ Bill of Rights
The required statutory elements are straightforward regarding the Parents’ Bill of Rights. Each school district’s Bill of Rights must state the following, in plain English:
- A student’s personally identifiable information cannot be sold or released for any commercial purpose.
- Parents have the right to inspect and review the complete contents of their child’s education record.
- State and federal law protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including, but not limited to, encryption, firewalls and password protection, must be in place when data is stored or transferred.
- A complete list of all student data elements collected by the state is available for public review at www.p12.nysed.gov/irs/sirs/documentation/NYSEDstudentData.xlsx.
- Parents have the right to have complaints about possible breaches of student data addressed, and to whom complaints should be directed.
However, the law states that the Parents’ Bill of Rights must also include supplemental information and “additional elements” that have yet to be developed by the commissioner of education and promulgated in regulations. For instance, how should complaints from parents or others be handled? Until regulations are issued, there will be no uniform answer to such questions.
While the statute enumerates the supplemental information regarding third party contractors that must be included in the school district’s Parents’ Bill of Rights, such as contractor’s encryption practices and plans for data upon expiration of the contract with the school district, it is unclear at this time how this supplemental information should be made available to parents. For example, should each third party contractor’s supplemental information be appended to the Parents’ Bill of Rights to comprise one complete document? Or should such information be maintained as independent documents that are separate from the Parents’ Bill of Rights but publicly available? In the interim, school districts should request this “supplemental” information from contractors to have it available in the event a parent requests such information.
Until regulations are issued by SED, districts can only provide parents with a preliminary version of the Parents’ Bill of Rights. Presumably, good faith efforts to address the requirements will satisfy the law. However, your school district should be prepared to revise its Parents’ Bill of Rights once regulations are issued.
The State Education Department’s Parents’ Bill of Rights may be accessed at www.p12.nysed.gov/docs/parents-bill-of-rights.pdf.
Working with contractors
It is common for school districts to work with third party contractors who receive student data. For each such contractor, the district’s contract must include a data security and privacy plan. This plan must be consistent with federal, state and local law, as well as the district’s policy on data security and privacy. However, school districts cannot develop this required policy until the commissioner develops one or more model policies. This means that these plans may have to be altered once school districts are able to develop their policies.
Until such policies are developed, it is prudent for school districts to request that contractors provide a written description of how all state, federal and local security and privacy requirements will be addressed over the life of the contract. In addition, third party contractors must also describe what training is required of employees who will have access to protected data, and must sign the school district’s Parents’ Bill of Rights. Moving forward, school districts can require contractors to submit this information, which comprises the required plan, upon execution of an agreement. School districts can additionally include language in an agreement allowing for appropriate changes to the plan upon adoption of the school district’s student privacy and protection policy and/or modification of the school district’s Parents’ Bill of Rights.
In addition to the required plan, section 2-d establishes data security and privacy standards for contractors that possess or have access to student data. As these requirements are statutorily imposed, they are currently in effect and are enforceable even if not explicitly incorporated into written agreements between school districts and contractors. As the state chief privacy officer is authorized to impose penalties for violations of binding contractual obligations relating to data privacy and security, it is prudent for school districts to include these obligations in agreements to contractually bind contractors to these standards. The inclusion of such obligations in agreements will help to better protect student data from unauthorized use and/or disclosure.
Who is a third party contractor?
Under section 2-d of the Education Law, a third party contractor is defined as any person or entity, other than an educational agency (such as school districts and BOCES), who receives student data pursuant to a contract or other written agreement.
Although the definition provides a short list of examples, it is not an all-inclusive list. Therefore, without further guidance, it is impossible to say with certainty how broadly the scope of the law will be interpreted.
Also, the law makes no specific mention of “electronic” in the definition of student data. This means that personally identifiable information from student records of an educational agency kept in any format falls within the meaning of “student data.” This broad definition means that a contractor who receives any student information, in any format, falls within the meaning of “third party contractor” for purposes of section 2-d.
It is hoped that guidance issued in regulations will narrow the scope of these definitions and provide more clarity regarding which entities the Legislature intended to cover.
Section 2-d does not create an avenue for litigation against school districts
If a hacker obtains data on students by breaking into the systems of a district contractor or some other form of unauthorized disclosure occurs, can the students and their families successfully sue the school district? No. Education Law Section 2-d explicitly states that it does not create a private right of action against an educational agency. In the event of a data breach, the parent or eligible student cannot bring a claim against the school district. Rather, third party contractors are liable for violations of the statute resulting in unauthorized disclosure of personally identifiable information. Specifically, when suspected violations are reported, the state chief privacy officer is empowered to investigate the third party contractor, and any imposed penalty is borne by the contractor.
Contractors say new privacy requirements difficult to achieve
The desire to protect student data and maintain confidentiality is a familiar one to contractors who work with school districts. In fact, confidentiality provisions have been included in agreements long before the passage of section 2-d.
However, contractors have told school districts that stringent encryption requirements within Education Law Section 2-d are beyond standard practice. This has caused some contracts to fall through, leaving school districts without services that may benefit their students. For example, a contractor intended to provide a district with a virtual classroom but withdrew after stating that it was unable to comply with section 2-d. The contractor explained it was unable to electronically protect the information in its custody and that it does not encrypt data in motion (that is, data moving between devices) to the standard specified in section 2-d.
Members of the New York State Association of School Attorneys represent school boards and school districts. This article was written by Diana M. Cannino of Ingerman Smith, LLP.