Strengthening Data Privacy and Security in NY State Educational Agencies to Protect Personally ...

NY-ADR

7/31/19 N.Y. St. Reg. EDU-05-19-00008-RP
NEW YORK STATE REGISTER
VOLUME XLI, ISSUE 31
July 31, 2019
RULE MAKING ACTIVITIES
EDUCATION DEPARTMENT
REVISED RULE MAKING
NO HEARING(S) SCHEDULED
 
I.D No. EDU-05-19-00008-RP
Strengthening Data Privacy and Security in NY State Educational Agencies to Protect Personally Identifiable Information
PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following revised rule:
Proposed Action:
Addition of Part 121 to Title 8 NYCRR.
Statutory authority:
Education Law, sections 2-d, 101, 207 and 305
Subject:
Strengthening Data Privacy and Security in NY State Educational Agencies to Protect Personally Identifiable Information.
Purpose:
To protect personally identifiable information.
Substance of revised rule (Full text is posted at the following State website: http://www.counsel.nysed.gov/rules/full-text-indices):
Strengthening Data Security and Privacy in NY State Educational Agencies to Protect Personally Identifiable Information
§ 121.1 Definitions.
This section provides definitions for specific terms for this Part.
§ 121.2 Educational Agency Data Collection Transparency and Restrictions.
Prohibits educational agencies from selling personally identifiable information (PII) or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third party contractors that require the confidentiality of PII. Prohibits the reporting of certain data elements unless required by law.
§ 121.3 Parents Bill of Rights for Data Privacy and Security.
Requires each educational agency to: publish on its website a parent’s bill of rights for data privacy and security; include it with every contract where a third-party contractor will receive PII; and include supplemental information for each contract, such as the exclusive purposes for which the data will be used and how the third-party contractor will comply with all applicable data protection and security requirements. The supplemental information must also be published on the educational agency’s website.
§ 121.4 Parent Complaints of Breach or Unauthorized Release of Personally Identifiable Information.
Educational agencies must establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data. The procedure will require educational agencies to promptly acknowledge receipt of complaints, commence an investigation, and take the necessary precautions to protect any personally identifiable information.
§ 121.5 Data Security and Privacy Standard.
Adopts the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies. Each educational agency must adopt and publish a data security and privacy policy that complies with the proposed regulations, aligns with the NIST CSF, and includes provisions that require every use and disclosure of PII by the educational agency to benefit students and the educational agency and prohibits the inclusion of personally identifiable information in public reports or other documents. Each educational agency is required to publish its data security and privacy policy on its website and provide notice of the policy to all its officers and employees.
§ 121.6 Data Security and Privacy Plan.
Educational agencies must ensure that their contracts with third-parties that will receive PII include a data security and privacy plan that complies with Education Law § 2-d and provides minimum requirements for the plan.
§ 121.7 Training for Educational Agency Employees.
Educational agencies must provide annual data privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 Educational Agency Data Protection Officer.
Each educational agency must designate a data protection officer to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency.
§ 121.9 Third Party Contractors.
Third-party contractors that will receive PII must adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework; comply with the data security and privacy policy of the educational agency with which they contract; and comply with Education Law § 2-d and the proposed regulations. Contractors are prohibited from selling PII or using it for any marketing or commercial purpose and may not disclose any PII to any other party without the prior written consent of the parent or eligible student. Additionally, where a third-party contractor engages a subcontractor to perform its contractual obligations, the data protection obligations imposed on the third-party contractor are applicable to the subcontractor. Provides that where a parent or eligible student requests services or a product from a third-party contractor and provides consent to use of PII by such contractor to provide the requested product or service, this will not be deemed a prohibited marketing or commercial purpose.
§ 121.10 Reports and Notifications of Breach and Unauthorized Release.
Third-party contractors must notify each educational agency with which they have a contract of any breach or unauthorized release of PII in accordance with requirements set forth in the proposed regulations. Educational agencies must report any breach or unauthorized release of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in the most expedient way possible in accordance with requirements set forth in the proposed regulations. The Chief Privacy Officer is required to report to law enforcement any breach or unauthorized release that constitutes criminal conduct.
§ 121.11 Third Party Contractor Civil Penalties.
The Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and impose penalties on third party contractors for unauthorized releases or breaches of PII in accordance with requirements set forth in the proposed regulations.
§ 121.12 Right of Parents and Eligible Students to Inspect and Review Students Education Records.
Consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies must verify the identity of the requestor before releasing the records. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 Chief Privacy Officer’s Powers.
The Chief Privacy Officer shall have the power to access all records, reports, audits, reviews, documents, papers, recommendations, and other materials maintained by an educational agency that relate to student data or teacher or principal data, which shall include but not be limited to records related to any technology product or service that will be utilized to store and/or process personally identifiable information as further described in the proposed regulations. Additionally, the Chief Privacy Officer has the right to exercise any other powers that the Commissioner deems appropriate.
§ 121.14 Severability.
If any provision of this part or its application to any person or circumstances is adjudged invalid by a court of competent jurisdiction, such judgment shall not affect or impair the validity of the other provisions of the article or their application to other persons and circumstances, and those remaining provisions shall not be affected but shall remain in full force and effect.
Revised rule compared with proposed rule:
Substantial revisions were made in Part 121.
Text of revised proposed rule and any required statements and analyses may be obtained from
Kirti Goswami, NYS Education Department, 89 Washington Avenue, Room 148, Albany, NY 12234, (518) 474-6400, email: [email protected]
Data, views or arguments may be submitted to:
Sara Paupini, New York State Education Department, 89 Washington Avenue, Room 152EB, Albany, New York 12234, (518) 402-9051, email: [email protected]
Public comment will be received until:
45 days after publication of this notice.
Summary of Revised Regulatory Impact Statement (Full text is posted at the following State website: http://www.counsel.nysed.gov/rules/full-text-indices):
Since publication of a Notice of Adoption and Proposed Rule Making in the State Register on January 30, 2019, the following substantial revisions were made to the proposed rule:
• The Department revised the title to read, “Strengthening Data Security and Privacy in New York State Educational Agencies to Protect Personally Identifiable Information.”
• The Department revised the effective date to be upon adoption.
• The Department has revised the proposed rule to add a new definition for “Encryption” as follows: “methods of rendering personally identifiable information unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified or permitted by the Secretary of the United States department of health and human services in guidance issued under Section 13402(H)(2) of Public Law 111-5.”
• The Department revised § 121.1(3)(c)(6) and § 121.9(6) to reference the new definition of “encryption.”
• Revised the definition of ‘breach’ to mean, “the unauthorized acquisition, access, use, or disclosure of student data and/or teacher or principal data by or to a person not authorized to acquire, access, use, or receive the student data and/or teacher or principal data.”
• Revised the term ‘unauthorized release’ to read ‘unauthorized disclosure or unauthorized release.’
• The Department revised § 121.3 for clarity and to add some language from Education Law § 2-d to more fully incorporate the language of the statute.
• The Department revised the proposed rule to remove the examples in § 121.3(c)(5) to avoid any potential interpretation that this section is promoting a specific type of data storage option, and to keep the proposed rule from becoming outdated as technology develops.
• The Department revised § 121.3 of the proposed rule to incorporate the following language from Education Law § 2-d(4)(e): “Except as required by law or in the case of educational enrollment data, school districts shall not report to the Department the following student data elements: (1) juvenile delinquency records; (2) criminal records; (3) medical and health records; and (4) student biometric information.”
• The Department added § 121.4(d) to state “…Educational Agencies may require complaints to be submitted in writing.”
• The Department revised § 121.4(c) to give educational agencies 60 days to complete their investigation.
• The Department also clarified § 121.4 to state that in order to avoid impeding a law enforcement investigation, the educational agency shall provide the parent or eligible student with a written explanation that includes the approximate response date.
• The Department has revised the date by which educational agencies must adopt and publish a data security and privacy policy specified in § 121.5 to July 1, 2020 to give educational agencies additional time to implement the requirements of the proposed rule.
• The Department revised § 121.5(c)(1) to include the word “disclosure”. The provision now reads, “every use and disclosure of personally identifiable information by the educational agency shall benefit students and the educational agency…”
• The Department revised § 121.5(c)(2) to clarify that public reports and public documents are covered by this portion of the Rule.
• The Department revised § 121.6 to provide additional clarification regarding requirements of the data security and privacy plan.
• The Department revised § 121.6(2) to require the third party contractor to “specify the administrative, operational and technical safeguards and practices it has in place to protect personally identifiable information that it will receive under the contract.”
• The Department revised § 121.6(3) to require the third party contractor to comply with the educational agency’s data security and privacy policy.
• The Department revised § 121.6(5) to require the third party contractor to specify if sub-contractors will be utilized and how it will manage those relationships and contracts to ensure personally identifiable information is protected.
• The Department revised § 121.6(6) to require the third party contractor to specify how it will manage data security and privacy incidents that implicate personally identifiable information and to promptly notify the educational agency.
• The Department revised § 121.6(7) to require the third party contractor to describe what will happen to the data at the end of the contract.
• The Department revised § 121.7 of the proposed rule to state that training should be provided on, among other things, “the state and federal laws that protect personally identifiable information, and how employees can comply with such laws.”
• The Department revised § 121.8 for clarity.
• The Department revised § 121.9 for clarity and consistency by renumbering the section and adding that third party contractors shall “limit internal access to personally identifiable information to only those employees or sub-contractors that need access to provide the contracted services,” to mirror Education Law § 2-d.
• § 121.9 has been revised to prohibit third party contractors from disclosing any personally identifiable information to any other party without prior written consent.
• § 121.9 has been revised to permit that where a parent or eligible student requests a service or product from a third-party contractor and provides express consent to the use or disclosure of personally identifiable information by such contractor for purposes of providing the requested product or service, this use will not be deemed a prohibited marketing or commercial purpose.
• The Department revised § 121.10(e) to state that educational agencies must notify affected parents, eligible students, teachers and/or principals in the “most expedient way possible and without unreasonable delay, but no more than 60 calendar days after the discovery of a breach or unauthorized release…”
• The Department revised § 121.11 of the proposed rule to include the separate general penalty provisions of Education Law § 2-d(7)(b).
• The Department revised § 121.12 to clarify that an educational agency shall ensure that only authorized individuals access data by verifying identity and the authority of the individual to access such data.
• § 121.12 was revised to permit educational agencies to require requests to inspect and review records be made in writing.
• § 121.13 of the proposed rule has been revised to reference a “risk assessment of data privacy and security risks.”
• The Department revised § 121.13 of the proposed rule to include the additional powers of the chief privacy officer outlined in Education Law § 2-d(2)(c).
1. STATUTORY AUTHORITY:
Education Law section 101 charges the Department with the general management and supervision of the educational work of the State and establishes the Regents as head of the Department.
Education Law section 207 grants general rule-making authority to the Regents to carry into effect State educational laws and policies.
Education Law section 305(1) authorizes the Commissioner to enforce laws relating to the State educational system and execute Regents educational policies. Section 305(2) provides the Commissioner with general supervision over schools and authority to advise and guide school district officers in their duties and the general management of their schools.
Education Law section 2-d authorizes the Commissioner to enforce laws relating to the privacy and security of personally identifiable information (PII) of students, and certain annual professional performance review (APPR) data of teachers and principals.
2. LEGISLATIVE OBJECTIVES:
The purpose of the proposed rule is to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014 which outlines certain requirements for educational agencies and their third-party contractors to ensure the privacy and security of the personally identifiable information of students, and certain annual professional performance review (APPR) data of teachers and principals (PII).
3. NEEDS AND BENEFITS:
The proposed rule, consistent with Education Law section 2-d, establishes certain requirements for educational agencies and their third-party contractors to ensure the security and privacy of PII.
4. COSTS:
a. Costs to State government: The proposed amendment implements Education Law § 2-d and does not impose any additional costs on State government, including the State Education Department, beyond those costs imposed by the statute.
b. Costs to local government: Education Law section 2-d, as added by Chapter 56 of the Laws of 2014, establishes certain requirements for educational agencies and their third-party contractors to ensure the security and privacy of PII. The proposed amendment does not impose any direct costs on local governments beyond those imposed by the statute.
§ 5 of Education Law § 2-d requires that the commissioner, in consultation with the Chief Privacy Officer, promulgate regulations that establish a standard for educational agency data security and privacy. The Chief Privacy Officer collaborated with representatives of the local agencies in finalizing the selection of the NIST Cybersecurity Framework v 1.1 as that standard. It would be difficult, if not close to impossible, to determine the costs of compliance with the NIST standard because of the flexibility built into its implementation: implementation of the standard in each district will not be one-size-fits-all, and many districts are already implementing the NIST framework.
For example, § 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. However, such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce, so the Department believes there will be minimal, if any, costs associated with the training.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities. Therefore, there should be no additional costs associated with this requirement.
c. Costs to private regulated parties: The rule applies to third party vendors contracting with educational agencies and does not impose any costs on such parties beyond those costs imposed by the statute.
d. Costs to regulatory agency for implementing and continued administration of the rule: The Department anticipates that the regulatory agency will need to dedicate staff hours to accomplish the duties and oversight required by the statute and/or the proposed rule.
5. LOCAL GOVERNMENT MANDATES:
The majority of the requirements in the proposed amendment do not impose any program, service, duty or responsibility on educational agencies beyond those imposed by the statute. The proposed rule requires the following of educational agencies:
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third party contractors that require the confidentiality of PII.
§ 121.3 requires each educational agency to adopt a parent’s bill of rights for data privacy and security that is included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information and is published on its website.
§ 121.4 requires educational agencies to establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than July 1, 2020.
§ 121.6 requires each educational agency to ensure that its contracts with third-party contractors include a data security and privacy plan.
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce and should include training on the state and federal laws that protect personally identifiable information, and how employees can comply with such laws.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
§ 121.9 requires third-party contractors that will receive PII to adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework, and to comply with the data security and privacy policy of the educational agency with which they contract, with Education Law § 2-d, and with the regulations. Prohibits third-party contractors from disclosing PII to any other party without the prior written consent of the parent or eligible student. Allows a parent or eligible student to release PII to a third-party contractor where the parent or eligible student requests a service or product from a third-party contractor and provides express consent to the use or disclosure of the PII by the third-party contractor for purposes of providing the requested product or service.
§ 121.10 requires third-party contractors to notify each educational agency with which it has a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.11 provides that the Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and may impose civil penalties on third party contractors for breaches or unauthorized releases of PII and for each violation of Education Law § 2-d.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 addresses the Chief Privacy Officer’s powers, including the power to access records and other materials maintained by an educational agency that relate to PII.
6. PAPERWORK
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third party contractors that require the confidentiality of PII.
§ 121.4 requires educational agencies to establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.
§ 121.10 requires third-party contractors to notify each educational agency with which it has a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
7. DUPLICATION:
The rule is necessary to implement Education Law section 2-d and does not duplicate existing State or Federal requirements.
8. ALTERNATIVES:
The rule is necessary to implement Education Law section 2-d. No significant alternatives were considered.
9. FEDERAL STANDARDS:
The rule is necessary to implement Education Law section 2-d. There are no applicable Federal standards.
10. COMPLIANCE SCHEDULE:
The proposed amendment will become effective upon adoption. As stated above, section 121.5 of the proposed regulation requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than July 1, 2020.
Revised Regulatory Flexibility Analysis
(a) Small businesses:
The purpose of the proposed rule is to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014 which outlines certain requirements for educational agencies and their third-party contractors to ensure the privacy and security of the personally identifiable information of students, and certain annual professional performance review data of teachers and principals (PII).
1. EFFECT OF RULE:
The proposed rule, consistent with Education Law section 2-d, establishes certain requirements for educational agencies and their third-party contractors to ensure the security and privacy of PII.
2. COMPLIANCE REQUIREMENTS:
Certain requirements in the proposed rule apply to small businesses that receive PII and do not impose any program, service, duty or responsibility on small businesses beyond those imposed by the statute. Compliance requirements are summarized as follows:
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third party contractors that require the confidentiality of PII.
§ 121.3 requires each educational agency to adopt a parent’s bill of rights for data privacy and security that is included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information and is published on its website.
§ 121.4 requires educational agencies to establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than July 1, 2020.
§ 121.6 requires each educational agency to ensure that its contracts with third-party contractors include a data security and privacy plan.
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
§ 121.9 requires third-party contractors that will receive PII to adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework, and to comply with the data security and privacy policy of the educational agency with which they contract, with Education Law § 2-d, and with the regulations.
§ 121.10 requires third-party contractors to notify each educational agency with which it has a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.11 provides that the Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and may impose civil penalties on third party contractors for breaches or unauthorized releases of PII.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 addresses the Chief Privacy Officer’s powers, including the power to access records and other materials maintained by an educational agency that relate to PII.
3. PROFESSIONAL SERVICES:
The proposed amendment does not impose any additional professional services requirements on small businesses.
4. COMPLIANCE COSTS:
See the Costs Section of the Regulatory Impact Statement that is published in the State Register on this publication date for an analysis of the costs of the proposed rule.
5. ECONOMIC AND TECHNOLOGICAL FEASIBILITY:
The proposed rule may impose additional technological requirements on small businesses that receive PII. Economic feasibility is addressed above under Compliance Costs.
6. MINIMIZING ADVERSE IMPACT:
The rule is necessary to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014. The rule has been carefully drafted to meet statutory requirements.
7. SMALL BUSINESS PARTICIPATION:
The proposed regulation was developed in consultation with stakeholders and the public. In the Spring of 2018, fourteen public forums were held across the state to receive public comment on the law. Electronic comments were also accepted by the Department during this two-month period. These comments were critical to developing the implementing regulations.
(b) Local governments:
1. EFFECT OF RULE:
The proposed rule, consistent with Education Law section 2-d, establishes certain requirements for educational agencies and their third-party contractors to ensure the security and privacy of PII.
2. COMPLIANCE REQUIREMENTS:
The proposed rule applies to educational agencies and does not impose any program, service, duty or responsibility on educational agencies beyond those imposed by the statute. Compliance requirements are summarized as follows:
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.3 requires each educational agency to adopt a parent’s bill of rights for data privacy and security that is included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information and is published on its website.
§ 121.4 requires educational agencies to establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than July 1, 2020.
§ 121.6 requires each educational agency to ensure that its contracts with third-party contractors include a data security and privacy plan.
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce and should include training on the state and federal laws that protect personally identifiable information, and how employees can comply with such laws.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
§ 121.9 requires third-party contractors that will receive PII to adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework; comply with the data security and privacy policy of the educational agency with which it contracts; Education Law § 2-d; and the regulations. Prohibits third-party contractors from disclosing PII to any other party without the prior written consent of the parent or eligible student. Allows a parent or eligible student to release PII to a third-party contractor where the parent or eligible student requests a service or product from a third-party contractor and provides express consent to the use or disclosure of the PII by the third-party contractor for purposes of providing the requested product or service.
§ 121.10 requires third-party contractors to notify each educational agency with which it has a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.11 provides that the Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and may impose civil penalties on third party contractors for breaches or unauthorized releases of PII and for each violation of Education Law § 2-d.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 addresses the Chief Privacy Officer’s powers, including the power to access records and other materials maintained by an educational agency that relate to PII.
3. PROFESSIONAL SERVICES:
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
4. COMPLIANCE COSTS:
See the Costs Section of the Regulatory Impact Statement that is published in the State Register on this publication date for an analysis of the costs of the proposed rule.
5. ECONOMIC AND TECHNOLOGICAL FEASIBILITY:
The proposed regulation requires each educational agency to ensure it has a policy on data security and privacy. As required by Education Law § 2-d (5), the proposed regulation adopts the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies. No later than July 1, 2020, each educational agency shall adopt and publish a data security and privacy policy that implements the requirements of this Part and aligns with the NIST CSF.
Economic feasibility is addressed above under Compliance Costs.
6. MINIMIZING ADVERSE IMPACT:
The rule is necessary to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014. The rule has been carefully drafted to meet statutory requirements while providing flexibility to educational agencies.
7. LOCAL GOVERNMENT PARTICIPATION:
The proposed regulation was developed in consultation with stakeholders and the public. In the Spring of 2018, fourteen public forums were held across the state to receive public comment on the law. Electronic comments were also accepted by the Department during this two-month period. These comments were critical to developing the implementing regulations. The Department has also coordinated with a Data Privacy Advisory Council (DPAC) and subset Regulatory Drafting Workgroup, to review drafts of the proposed regulation and provide an opportunity for stakeholder comment. The DPAC is comprised of stakeholders from a wide range of industry including parent advocates, administrative and teacher organizations as well as technical experts and district level staff. Finally, the Department is working with an Implementation Workgroup, comprised of RIC Directors, BOCES staff and district technical directors to receive feedback and ensure successful implementation of these regulations.
Revised Rural Area Flexibility Analysis
1. TYPES AND ESTIMATED NUMBERS OF RURAL AREAS:
The proposed amendment applies to all educational agencies in the State, including those located in the 44 rural counties with fewer than 200,000 inhabitants and the 71 towns in urban counties with a population density of 150 per square mile or less.
2. REPORTING, RECORDKEEPING, AND OTHER COMPLIANCE REQUIREMENTS; AND PROFESSIONAL SERVICES:
The majority of the requirements in the proposed amendment do not impose any program, service, duty or responsibility on educational agencies beyond those imposed by the statute.
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.3 requires each educational agency to adopt a parent’s bill of rights for data privacy and security that is included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information and is published on its website.
§ 121.4 requires educational agencies to establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than July 1, 2020.
§ 121.6 requires each educational agency to ensure that its contracts with third-party contractors include a data security and privacy plan.
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce and should include training on the state and federal laws that protect personally identifiable information, and how employees can comply with such laws.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
§ 121.9 requires third-party contractors that will receive PII to adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework; comply with the data security and privacy policy of the educational agency with which it contracts; Education Law § 2-d; and the regulations. Prohibits third-party contractors from disclosing PII to any other party without the prior written consent of the parent or eligible student. Allows a parent or eligible student to release PII to a third-party contractor where the parent or eligible student requests a service or product from a third-party contractor and provides express consent to the use or disclosure of the PII by the third-party contractor for purposes of providing the requested product or service.
§ 121.10 requires third-party contractors to notify each educational agency with which it has a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.11 provides that the Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and may impose civil penalties on third party contractors for breaches or unauthorized releases of PII and for each violation of Education Law § 2-d.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 addresses the Chief Privacy Officer’s powers, including the power to access records and other materials maintained by an educational agency that relate to PII.
3. COSTS:
See the “Costs” Section of the Regulatory Impact Statement that is published in the State Register on this publication date for an analysis of the costs of the proposed rule, which include costs for educational agencies across the State, including those located in rural areas.
4. MINIMIZING ADVERSE IMPACT:
The rule is necessary to implement Education Law section 2-d. The rule has been carefully drafted to meet statutory requirements while providing flexibility to educational agencies. Since the statute applies to all educational agencies throughout the State, it was not possible to establish different compliance and reporting requirements for regulated parties in rural areas, or to exempt them from the rule's provisions.
5. RURAL AREA PARTICIPATION:
The proposed regulations were developed in consultation with stakeholders and the public. In the Spring of 2018, fourteen public forums were held across the state to receive public comment on the law including comment from those located in rural areas. Electronic comments were also accepted by the Department during this two-month period. These comments were critical to developing the implementing regulations. The Department has also coordinated with a Data Privacy Advisory Council (DPAC) and subset Regulatory Drafting Workgroup, to review drafts of the proposed regulation and provide an opportunity for stakeholder comment. The DPAC is comprised of stakeholders from a wide range of industry including parent advocates, administrative and teacher organizations as well as technical experts and district level staff including those located in rural areas. Finally, the Department is working with an Implementation Workgroup, comprised of RIC Directors, BOCES staff and district technical directors to receive feedback and ensure successful implementation of these regulations.
Revised Job Impact Statement
The purpose of the revised proposed rule is to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014, which protects the privacy and security of personally identifiable information of students, and teacher and principal annual professional performance review (APPR) data. The law outlines certain requirements for educational agencies and the third-party contractors they utilize to ensure the security and privacy of protected information. Because it is evident from the nature of the proposed rule that it will have no impact on the number of jobs or employment opportunities in New York State, no further steps were needed to ascertain that fact and none were taken. Accordingly, a job impact statement is not required and one has not been prepared.
Assessment of Public Comment
This assessment summarizes the comments received on proposed Part 121 of the Regulations of the Commissioner of Education, published January 30, 2019. Please refer to the full Assessment of Public Comment for the Department’s complete assessment of public comment.
§ 121.1 Definitions.
A commenter requested changes to the definition of “data breach”. No change.
A commenter requested that “Commercial or Marketing Purpose” be amended to clarify that it does not apply to developing or improving educational products or services. Another recommended that the definition exclude third-party contractors’ corporate restructuring. No change.
Several commenters were concerned that the definition of “contract or other written agreement” could limit usage of software applications. No change.
A commenter stated that Education Law § 2-d and the Rule does not apply to charter schools and referenced Education Law § 2854(1)(b). No change.
A commenter requested that the Department adopt its own definition of PII instead of the definition in the Family Educational Rights and Privacy Act (FERPA). No change.
A commenter recommended that the Rule add a definition for “Encryption Technology.” Revision made to add a new definition for the term “Encryption.”
Several commenters expressed concern about “click-wrap” agreements and compliance. No change.
A commenter requested that the Department add “former student” to the definition of “student.” No change.
A commenter requested “educational purpose” be defined. No change.
Several commenters wanted clarification on how PII is different from Directory Information. No change.
§ 121.2 Educational Agency Data Collection Transparency and Restrictions.
A commenter encouraged the Department to provide training resources. No change.
A commenter requested the Rule include provisions of Education Law § 2-d 4(e) for clarity. Revision made.
A commenter liked § 121.2(a)’s prohibition of the sale of identifiable student data. No change.
§ 121.3 Parents Bill of Rights for Data Privacy and Security.
A commenter requested clarification on whether the Bill of Rights will be provided by the Educational Agency or Third-Party Contractor. No change.
A commenter noted a security risk to require educational agencies to publish information about contracts and third-parties publicly on their website. No change.
A commenter was concerned the requirement to adopt a bill of rights will limit the technology teachers and students can use. No change.
A commenter expressed concern that vendors for multi-year software contracts will not be Education Law § 2-d compliant. No change.
A commenter requested a provision to prohibit subcontractors from using PII for any purpose other than the contracted service and from disclosing such. No change.
A commenter requested the Rule reference: Protection of Pupil Rights Amendment, National School Lunch Act and Children's Online Privacy Protection Act. No change.
A commenter recommended that educational agencies be required to post or make available contracts with vendors receiving PII. No change.
A commenter recommended revising § 121.3(c)(3) to require that data must be returned to the educational agency where it is not destroyed at the end of the contract. No change.
A commenter indicated support for § 121.3 and recommended removing the examples in § 121.3(c)(5). Revision made.
A commenter requested conforming the encryption language in § 121.3(6) to be consistent with the standard in § 121.9. No change.
A commenter wanted a requirement that the Bill of Rights address whether parents could opt out of data collection. No change.
A commenter wanted “if” removed from § 121.3(c)(4). No change.
Another commenter requested that the Rule prohibit the Department from collecting PII including country of birth and suspensions. No change.
A commenter stated that § 121.3 of the Rule should include language from Education Law § 2-d(4)(e). Revision made.
A commenter requested a change requiring third-party contractors to identify subcontractors in supplemental materials. No change.
§ 121.4 Parent Complaints of Breach or Unauthorized Release of Personally Identifiable Information.
A commenter recommended § 121.4 be revised to require complaints and investigation findings be submitted in writing. Revision made allowing agencies to require submissions in writing.
A commenter asked the Department to develop a standardized complaint form. No change.
A commenter recommended § 121.4(c) provide that educational agencies must respond to a complaint within six months. No change.
A commenter recommended § 121.4(d) be clarified to ensure that records of data breaches are available to the public through FOIL. No change.
§ 121.5 Data Security and Privacy Standard.
Commenters noted that the NIST Cyber Security Framework (CSF) is not applicable to the educational sector and not designed to protect confidential information. No change.
A commenter stated the Rule refers to two different encryption standards: the CSF and HIPAA. No change.
A commenter stated the CSF is restrictive. No change.
A commenter requested the Department make a model Data Security and Privacy Policy available before educational agencies must adopt their own policy. No change.
A commenter recommended § 121.5(c) be clarified to state that PII should not be included in public reports or documents. No change.
A commenter recommended Directory Information opt out forms be included in the educational agency’s policy. No change.
A commenter requested each educational agency should provide notice of its Policy to parents and employees. No change.
A commenter believed CSF was adopted because the workgroup did not have the necessary technical expertise. No change.
A commenter recommended outside security experts be utilized in lieu of CSF compliance. No change.
A commenter recommended that BOCES provide a list of security engineers and companies and assist with negotiations, and that the State should survey for compliance. No change.
A commenter recommended adding “disclosure” to § 121.5(c)(1). Revision made.
A commenter recommended adding all laws and protections available to parents to the agency’s policy. No change.
A commenter noted the most recent CSF should be referenced. No change.
§ 121.6 Data Security and Privacy Plan.
Several commenters requested the Department develop a centralized list of approved software applications or negotiate compliant contracts. No change.
A commenter expressed concerns about the vendor community’s willingness to comply with the Rule. No change.
A commenter requested guidance relating to the return of data at the end of the contract. The rule has been revised to require a description of how data will be managed at the end of a contract.
§ 121.7 Training for Educational Agency Employees.
Commenters requested the Rule mandate training content, including CSF, cybersecurity protocols, breach notification and protections provided for in FERPA and HIPAA. Rule revised.
A commenter recommended the training be under 5 minutes. No change.
§ 121.8 Educational Agency Data Protection Officer.
Commenters suggested private entities and BOCES may provide some of the functions of the DPO and expressed concern that current employees could not perform the duties of a DPO in addition to other job responsibilities. No change.
§ 121.9 Third-Party Contractors.
A commenter requested nonprofit organizations be exempted from complying with the requirements. No change.
Commenters noted the Rule may preclude not-for-profits from offering opt-in educational services to students. The rule is revised to permit prior written consent for such services.
A commenter recommended § 121.9 be clarified to exempt the sale of school photographs or yearbooks pursuant to a contract with an educational agency. No change.
A commenter recommended including an explicit prohibition of the licensing of student data. No change.
A commenter recommended contractors provide written assurances of compliance with the educational agency’s Policy. No change.
A commenter wanted to extend the consent requirement in Ed Law § 2-d 5(f)(3)(i) to teachers and principals. No change.
A commenter requested the Rule permit the transfer of PII as part of a corporate restructuring. No change.
Commenters suggested language specifying that Education Law § 2-d applies to contractual relationships established prior to the Rule’s effective date, and that NYSED should audit contracts. No change.
A commenter requested the Rule exempt school attorneys, physicians, psychologists and other professionals. No change.
A commenter requested clarification between (a)(2) and (3). No change.
A commenter requested “reasonable” be the standard in § 121.9(a)(5). No change.
§ 121.10 Reports and Notifications of Breach and Unauthorized Release.
Commenters requested clarification that, where a district has contracted with BOCES, the responsibility to notify of a breach remains the district’s responsibility. No change.
A commenter recommended that breach notifications to parents be by mail, prohibit the use of email and phone, and include certain additional directions. No change.
A commenter requested language to cover breaches of banking, retirement, and investment information. No change.
A commenter requested clarification concerning notification to parents. No change.
A commenter questioned what penalties would be applicable to districts where a third-party contractor provided a delayed breach notification.
A commenter stated § 121.10(b) and (d) were duplicative. No change.
A commenter requested § 121.10(e) include former students. No change.
§ 121.11 Third-Party Contractor Civil Penalties.
A commenter noted the Rule did not incorporate the separate general penalty provisions of Education Law § 2-d(7)(b). Revision made.
A commenter recommended § 121.11 be revised to state penalties may only be imposed where the third-party has breached or violated duties with intent or recklessness or gross negligence. No change.
§ 121.12 Right of Parents and Eligible Students to Inspect and Review Students Education Records.
A commenter suggested educational agencies should arrange for records to be delivered to the parent or eligible student and require the posting of FERPA opt out forms. No change.
A commenter wanted to extend the provision to data stored by contractors. No change.
§ 121.13 Chief Privacy Officer’s Powers.
A commenter recommended references to “privacy risk assessments” be changed to “privacy impact assessments.” Revision made in part.
A commenter noted the Chief Privacy Officer (CPO) had too much authority under Education Law § 2-d, while another commenter stated that the Rule did not include all the powers of the CPO specified in the statute. Revision made to add the powers of the CPO outlined in the statute.
A commenter requested that the report be posted January 1. No change.
General Comments
Commenters stated the Rule should mandate expanding the CPO’s annual report, and requested resources from SED. No change.
Several commenters objected to the Rule as an unfunded mandate. No change.
Commenters requested a revised ASVAB Directive from the Department following New York City’s Rule A-825. Out of scope. No change.
Commenters stated the proposed timeline is too aggressive and requested additional implementation time. Revision made.
A comment was about a Department presentation. No change.
A commenter expressed concerns about liability upon school districts and that the level of technical security school districts can provide will fail in the face of a sophisticated cyber-attack. No change.
A commenter requested an extension of the public comment period so educational agencies may better understand the Rule. No change.
Several commenters encouraged the Department to include all stakeholders, including third-party providers, as part of the Data Privacy Advisory Council. No change.
A commenter expressed concern that the Rule was developed to limit the burden on school districts rather than to protect PII. No change.
A commenter recommended that the Rule prohibit the deployment of biometric surveillance systems in educational agencies. No change.
A commenter questioned the sufficiency of anonymizing student names. No change.
A commenter requested a clearinghouse of compliant vendors. No change.
A commenter noted that a PowerPoint presentation by SED referenced the withholding or claw back of any related payments to an agency where the agency is not in compliance with all rules and laws. No change.
A commenter stated the Department should withdraw the Rule or modify it to include more protections. No change.
A commenter recommended stating the Rule applies to directory information. No change.
A comment noted that compliance with the proposed Rule may require certain procurements.
Another commenter noted that networks and firewalls must be addressed by the Rule. No change.
A commenter noted concerns relating to the ability of vendors to track the IP Address to a student’s home when utilizing a device outside school. No change.
A commenter stated there was a lack of opportunity for public comment. No change.
A commenter questioned whether “extensions” were third-party contractors. No change.
A commenter stated the DPAC had limited engagement outside of meetings. No change.
A commenter questioned whether expenditures were exempted from the tax cap. No change.
A commenter inquired whether Google was compliant. No change.
A commenter stated compliant online terms should be acceptable. No change.
A commenter requested guidance for future software orders. No change.