View Document - New York Codes, Rules and Regulations

8 CRR-NY 121.3NY-CRR

STATE COMPILATION OF CODES, RULES AND REGULATIONS OF THE STATE OF NEW YORK

TITLE 8. EDUCATION DEPARTMENT

CHAPTER II. REGULATIONS OF THE COMMISSIONER

SUBCHAPTER E. ELEMENTARY AND SECONDARY EDUCATION

PART 121. STRENGTHENING DATA PRIVACY AND SECURITY IN NY STATE EDUCATIONAL AGENCIES TO PROTECT PERSONALLY IDENTIFIABLE INFORMATION

8 CRR-NY 121.3

121.3 Bill of rights for data privacy and security.

(a) Each educational agency shall publish on its website a parents bill of rights for data privacy and security (bill of rights) that complies with the provisions of Education Law section 2-d(3).

(b) The bill of rights shall also be included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information.

(c) The bill of rights shall also include supplemental information for each contract the educational agency enters into with a third-party contractor where the third-party contractor receives student data or teacher or principal data. The supplemental information must be developed by the educational agency and include the following information:

(1) the exclusive purposes for which the student data or teacher or principal data will be used by the third-party contractor, as defined in the contract;

(2) how the third-party contractor will ensure that the subcontractors, or other authorized persons or entities to whom the third-party contractor will disclose the student data or teacher or principal data, if any, will abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable State and Federal laws and regulations (e.g., FERPA; Education Law section 2-d);

(3) the duration of the contract, including the contract’s expiration date and a description of what will happen to the student data or teacher or principal data upon expiration of the contract or other written agreement (e.g., whether, when and in what format it will be returned to the educational agency, and/or whether, when and how the data will be destroyed).

(4) if and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected;

(5) where the student data or teacher or principal data will be stored, described in such a manner as to protect data security, and the security protections taken to ensure such data will be protected and data security and privacy risks mitigated; and

(6) address how the data will be protected using encryption while in motion and at rest.

(d) Each educational agency shall publish on its website the supplement to the bill of rights for any contract or other written agreement with a third-party contractor that will receive personally identifiable information.

(e) The bill of rights and supplemental information may be redacted to the extent necessary to safeguard the privacy and/or security of the educational agency’s data and/or technology infrastructure.

8 CRR-NY 121.3

Current through August 15, 2021

End of Document