Protecting Personally Identifiable Information

1/30/19 N.Y. St. Reg. EDU-05-19-00008-P
NEW YORK STATE REGISTER
VOLUME XLI, ISSUE 5
January 30, 2019
RULE MAKING ACTIVITIES
EDUCATION DEPARTMENT
PROPOSED RULE MAKING
NO HEARING(S) SCHEDULED
 
I.D No. EDU-05-19-00008-P
Protecting Personally Identifiable Information
PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following proposed rule:
Proposed Action:
Addition of Part 121 to Title 8 NYCRR.
Statutory authority:
Education Law, sections 2-d, 101, 207 and 305
Subject:
Protecting Personally Identifiable Information.
Purpose:
To implement the provisions of Education Law section 2-d.
Substance of proposed rule (Full text is posted at the following State website: http://www.counsel.nysed.gov/rules/full-text-indices):
§ 121.1 Definitions.
This section provides definitions for specific terms for this Part.
§ 121.2 Educational Agency Data Collection Transparency and Restrictions.
Prohibits educational agencies from selling personally identifiable information (PII) or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.3 Parents Bill of Rights for Data Privacy and Security.
Requires each educational agency to: publish on its website a parent’s bill of rights for data privacy and security; include it with every contract where a third-party contractor will receive PII; and include supplemental information for each contract, such as the exclusive purposes for which the data will be used and how the third-party contractor will comply with all applicable data protection and security requirements. The supplemental information must also be published on the educational agency’s website.
§ 121.4 Parent Complaints of Breach or Unauthorized Release of Personally Identifiable Information.
Educational agencies must establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data. The procedure will require educational agencies to promptly acknowledge receipt of complaints, commence an investigation, and take the necessary precautions to protect any personally identifiable information.
§ 121.5 Data Security and Privacy Standard.
Adopts the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies. Each educational agency must adopt and publish a data security and privacy policy that complies with the proposed regulations, aligns with the NIST CSF, and includes provisions that require every use of PII by the educational agency to benefit students and the educational agency and prohibits the inclusion of personally identifiable information in public reports or other documents. Each educational agency is required to publish its data security and privacy policy on its website and provide notice of the policy to all its officers and employees.
§ 121.6 Data Security and Privacy Plan.
Educational agencies must ensure that their contracts with third-parties that will receive PII include a data security and privacy plan that complies with Education Law § 2-d.
§ 121.7 Training for Educational Agency Employees.
Educational agencies must provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 Educational Agency Data Protection Officer.
Each educational agency must designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency.
§ 121.9 Third Party Contractors.
Third-party contractors that will receive PII must adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework; comply with the data security and privacy policy of the educational agency with which they contract; and comply with Education Law § 2-d and the proposed regulations. Contractors are prohibited from selling PII or using it for any marketing or commercial purpose. Additionally, where a third-party contractor engages a subcontractor to perform its contractual obligations, the data protection obligations imposed on the third-party contractor are applicable to the subcontractor.
§ 121.10 Reports and Notifications of Breach and Unauthorized Release.
Third-party contractors must notify each educational agency with which they have a contract of any breach or unauthorized release of PII in accordance with requirements set forth in the proposed regulations. Educational agencies must report any breach or unauthorized release of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in the most expedient way possible in accordance with requirements set forth in the proposed regulations. The Chief Privacy Officer is required to report to law enforcement any breach or unauthorized release that constitutes criminal conduct.
§ 121.11 Third Party Contractor Civil Penalties.
The Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and impose penalties on third-party contractors for unauthorized releases or breaches of PII in accordance with requirements set forth in the proposed regulations.
§ 121.12 Right of Parents and Eligible Students to Inspect and Review Students’ Education Records.
Consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 Chief Privacy Officer’s Powers.
The Chief Privacy Officer shall have the power to access all records, reports, audits, reviews, documents, papers, recommendations, and other materials maintained by an educational agency that relate to student data or teacher or principal data, which shall include but not be limited to records related to any technology product or service that will be utilized to store and/or process personally identifiable information as further described in the proposed regulations.
§ 121.14 Severability.
If any provision of this part or its application to any person or circumstances is adjudged invalid by a court of competent jurisdiction, such judgment shall not affect or impair the validity of the other provisions of the article or their application to other persons and circumstances, and those remaining provisions shall not be affected but shall remain in full force and effect.
Text of proposed rule and any required statements and analyses may be obtained from:
Kirti Goswami, NYS Education Department, Office of Higher Education, 89 Washington Avenue, Room 975 EBA, Albany, NY 12234, (518) 474-2238, email: [email protected]
Data, views or arguments may be submitted to:
Temitope Akinyemi, NYS Education Department, Office of Higher Education, 89 Washington Avenue, Room 975 EBA, Albany, NY 12234, (518) 474-6400, email: [email protected]
Public comment will be received until:
60 days after publication of this notice.
Regulatory Impact Statement
1. STATUTORY AUTHORITY:
Education Law section 101 charges the Department with the general management and supervision of the educational work of the State and establishes the Regents as head of the Department.
Education Law section 207 grants general rule-making authority to the Regents to carry into effect State educational laws and policies.
Education Law section 305(1) authorizes the Commissioner to enforce laws relating to the State educational system and execute Regents educational policies. Section 305(2) provides the Commissioner with general supervision over schools and authority to advise and guide school district officers in their duties and the general management of their schools.
Education Law section 2-d authorizes the Commissioner to enforce laws relating to the privacy and security of personally identifiable information (PII) of students, and certain annual professional performance review (APPR) data of teachers and principals.
2. LEGISLATIVE OBJECTIVES:
The purpose of the proposed rule is to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014, which outlines certain requirements for educational agencies and their third-party contractors to ensure the privacy and security of the personally identifiable information of students, and certain annual professional performance review (APPR) data of teachers and principals (PII).
3. NEEDS AND BENEFITS:
The proposed rule, consistent with Education Law section 2-d, establishes certain requirements for educational agencies and their third-party contractors to ensure the security and privacy of PII.
4. COSTS:
a. Costs to State government: The proposed amendment implements Education Law section 2-d and does not impose any additional costs on State government, including the State Education Department, beyond those costs imposed by the statute.
b. Costs to local government: Education Law section 2-d, as added by Chapter 56 of the Laws of 2014, establishes certain requirements for educational agencies and their third-party contractors to ensure the security and privacy of PII. The proposed amendment does not impose any direct costs on local governments beyond those imposed by the statute.
The Department anticipates that educational agencies will need to dedicate existing staff to accomplish the duties required by the statute and/or the proposed rule. However, most educational agencies are or should be already performing these activities.
For example, § 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. However, such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
c. Costs to private regulated parties: The rule applies to third party vendors contracting with educational agencies and does not impose any costs on such parties beyond those costs imposed by the statute.
d. Costs to regulatory agency for implementing and continued administration of the rule: The Department anticipates that the regulatory agency will need to dedicate staff hours to accomplish the duties and oversight required by the statute and/or the proposed rule.
5. LOCAL GOVERNMENT MANDATES:
The majority of the requirements in the proposed amendment do not impose any program, service, duty or responsibility on educational agencies beyond those imposed by the statute. The proposed rule requires the following of educational agencies:
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.3 requires each educational agency to adopt a parent’s bill of rights for data privacy and security that is included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information and is published on its website.
§ 121.4 requires educational agencies to establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than December 31, 2019.
§ 121.6 requires each educational agency to ensure that its contracts with third-party contractors include a data security and privacy plan.
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
§ 121.9 requires third-party contractors that will receive PII to adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework, and to comply with the data security and privacy policy of the educational agency with which they contract, Education Law § 2-d, and the regulations.
§ 121.10 requires third-party contractors to notify each educational agency with which they have a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.11 provides that the Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and may impose civil penalties on third-party contractors for breaches or unauthorized releases of PII.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 addresses the Chief Privacy Officer’s powers, including the power to access records and other materials maintained by an educational agency that relate to PII.
6. PAPERWORK:
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.4 requires educational agencies to establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish a data security and privacy policy that implements the requirements of this Part and aligns with the NIST CSF.
§ 121.6 requires educational agencies that enter into a contract with a third-party contractor to ensure that such contract includes a data security and privacy policy.
§ 121.10 requires third-party contractors to notify each educational agency with which they have a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
7. DUPLICATION:
The rule is necessary to implement Education Law section 2-d and does not duplicate existing State or Federal requirements.
8. ALTERNATIVES:
The rule is necessary to implement Education Law section 2-d. No significant alternatives were considered.
9. FEDERAL STANDARDS:
The rule is necessary to implement Education Law section 2-d. There are no applicable Federal standards.
10. COMPLIANCE SCHEDULE:
The proposed amendment will become effective on its stated effective date. As stated above, section 121.5 of the proposed regulation requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than December 31, 2019.
Regulatory Flexibility Analysis
(a) Small businesses:
The purpose of the proposed rule is to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014, which outlines certain requirements for educational agencies and their third-party contractors to ensure the privacy and security of the personally identifiable information of students, and certain annual professional performance review data of teachers and principals (PII).
1. EFFECT OF RULE:
The proposed rule, consistent with Education Law section 2-d, establishes certain requirements for educational agencies and their third-party contractors to ensure the security and privacy of PII. Some of the third-party contractors with educational agencies may be small businesses.
2. COMPLIANCE REQUIREMENTS:
Certain requirements in the proposed rule apply to small businesses that receive PII and do not impose any program, service, duty or responsibility on small businesses beyond those imposed by the statute. Compliance requirements are summarized as follows:
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.3 requires each educational agency to adopt a parent’s bill of rights for data privacy and security that is included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information and is published on its website.
§ 121.4 requires educational agencies to establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than December 31, 2019.
§ 121.6 requires each educational agency to ensure that its contracts with third-party contractors include a data security and privacy plan.
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
§ 121.9 requires third-party contractors that will receive PII to adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework, and to comply with the data security and privacy policy of the educational agency with which they contract, Education Law § 2-d, and the regulations.
§ 121.10 requires third-party contractors to notify each educational agency with which they have a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.11 provides that the Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and may impose civil penalties on third-party contractors for breaches or unauthorized releases of PII.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 addresses the Chief Privacy Officer’s powers, including the power to access records and other materials maintained by an educational agency that relate to PII.
3. PROFESSIONAL SERVICES:
The proposed amendment does not impose any additional professional services requirements on small businesses.
4. COMPLIANCE COSTS:
See the Costs Section of the Regulatory Impact Statement that is published in the State Register on this publication date for an analysis of the costs of the proposed rule.
5. ECONOMIC AND TECHNOLOGICAL FEASIBILITY:
The proposed rule may impose additional technological requirements on small businesses that receive PII. Economic feasibility is addressed above under Compliance Costs.
6. MINIMIZING ADVERSE IMPACT:
The rule is necessary to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014. The rule has been carefully drafted to meet statutory requirements. Moreover, since the proposed amendment applies to all third-party contractors across the State, in order to ensure consistency and the privacy of PII across the State, it was not possible to establish different compliance and reporting requirements for regulated parties in rural areas, or to exempt them from the rule's provisions.
7. SMALL BUSINESS PARTICIPATION:
The proposed regulation was developed in consultation with stakeholders and the public. In the Spring of 2018, fourteen public forums were held across the state to receive public comment on the law, including comment from small businesses. Electronic comments were also accepted by the Department during this two-month period. These comments were critical to developing the implementing regulations.
(b) Local governments:
1. EFFECT OF RULE:
The proposed rule, consistent with Education Law section 2-d, establishes certain requirements for educational agencies and their third-party contractors to ensure the security and privacy of PII.
2. COMPLIANCE REQUIREMENTS:
The proposed rule applies to educational agencies and does not impose any program, service, duty or responsibility on educational agencies beyond those imposed by the statute. Compliance requirements are summarized as follows:
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.3 requires each educational agency to adopt a parent’s bill of rights for data privacy and security that is included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information and is published on its website.
§ 121.4 requires educational agencies to establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than December 31, 2019.
§ 121.6 requires each educational agency to ensure that its contracts with third-party contractors include a data security and privacy plan.
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
§ 121.9 requires third-party contractors that will receive PII to adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework, and to comply with the data security and privacy policy of the educational agency with which they contract, Education Law § 2-d, and the regulations.
§ 121.10 requires third-party contractors to notify each educational agency with which they have a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.11 provides that the Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and may impose civil penalties on third-party contractors for breaches or unauthorized releases of PII.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 addresses the Chief Privacy Officer’s powers, including the power to access records and other materials maintained by an educational agency that relate to PII.
3. PROFESSIONAL SERVICES:
The proposed amendment does not specifically require any regulated parties to use professional services.
However, § 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
4. COMPLIANCE COSTS:
See the Costs Section of the Regulatory Impact Statement that is published in the State Register on this publication date for an analysis of the costs of the proposed rule.
5. ECONOMIC AND TECHNOLOGICAL FEASIBILITY:
The proposed regulation requires each educational agency to ensure it has a policy on data security and privacy. As required by Education Law § 2-d (5), the proposed regulation adopts the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies. No later than December 31, 2019, each educational agency shall adopt and publish a data security and privacy policy that implements the requirements of this Part and aligns with the NIST CSF.
Economic feasibility is addressed above under Compliance Costs.
6. MINIMIZING ADVERSE IMPACT:
The rule is necessary to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014. The rule has been carefully drafted to meet statutory requirements while providing flexibility to educational agencies, to the extent possible. For instance, § 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
7. LOCAL GOVERNMENT PARTICIPATION:
The proposed regulation was developed in consultation with stakeholders and the public. In the Spring of 2018, fourteen public forums were held across the state to receive public comment on the law. Electronic comments were also accepted by the Department during this two-month period. These comments were critical to developing the implementing regulations. The Department has also coordinated with a Data Privacy Advisory Council (DPAC) and a subset Regulatory Drafting Workgroup to review drafts of the proposed regulation and provide an opportunity for stakeholder comment. The DPAC is comprised of stakeholders from a wide range of industries, including parent advocates, administrative and teacher organizations, as well as technical experts and district-level staff. Finally, the Department is working with an Implementation Workgroup, comprised of RIC Directors, BOCES staff and district technical directors, to receive feedback and ensure successful implementation of these regulations.
Rural Area Flexibility Analysis
1. TYPES AND ESTIMATED NUMBERS OF RURAL AREAS:
The proposed amendment applies to all educational agencies in the State, including those located in the 44 rural counties with fewer than 200,000 inhabitants and the 71 towns and urban counties with a population density of 150 square miles or less.
2. REPORTING, RECORDKEEPING AND OTHER COMPLIANCE REQUIREMENTS; AND PROFESSIONAL SERVICES:
The majority of the requirements in the proposed amendment do not impose any program, service, duty or responsibility on educational agencies beyond those imposed by the statute.
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.3 requires each educational agency to adopt a parent’s bill of rights for data privacy and security that is included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information and is published on its website.
§ 121.4 requires educational agencies to establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than December 31, 2019.
§ 121.6 requires each educational agency to ensure that its contracts with third-party contractors include a data security and privacy plan.
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
§ 121.9 requires third-party contractors that will receive PII to adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework, and to comply with the data security and privacy policy of the educational agency with which they contract, with Education Law § 2-d, and with the regulations.
§ 121.10 requires third-party contractors to notify each educational agency with which they have a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.11 provides that the Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and may impose civil penalties on third party contractors for breaches or unauthorized releases of PII.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 addresses the Chief Privacy Officer’s powers, including the power to access records and other materials maintained by an educational agency that relate to PII.
3. COSTS:
See the “Costs” Section of the Regulatory Impact Statement that is published in the State Register on this publication date for an analysis of the costs of the proposed rule, which include costs for educational agencies across the State, including those located in rural areas.
4. MINIMIZING ADVERSE IMPACT:
The rule is necessary to implement Education Law section 2-d. The rule has been carefully drafted to meet statutory requirements while providing flexibility to educational agencies. Since the statute applies to all educational agencies throughout the State, it was not possible to establish different compliance and reporting requirements for regulated parties in rural areas, or to exempt them from the rule's provisions.
5. RURAL AREA PARTICIPATION:
The proposed regulations were developed in consultation with stakeholders and the public. In the Spring of 2018, fourteen public forums were held across the state to receive public comment on the law, including comment from those located in rural areas. Electronic comments were also accepted by the Department during this two-month period. These comments were critical to developing the implementing regulations. The Department has also coordinated with a Data Privacy Advisory Council (DPAC) and a subset Regulatory Drafting Workgroup to review drafts of the proposed regulation and provide an opportunity for stakeholder comment. The DPAC is composed of stakeholders from a wide range of groups, including parent advocates, administrative and teacher organizations, technical experts and district-level staff, including those located in rural areas. Finally, the Department is working with an Implementation Workgroup, comprised of RIC Directors, BOCES staff and district technical directors, to receive feedback and ensure successful implementation of these regulations.
Job Impact Statement
The purpose of the proposed rule is to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014, which protects the privacy and security of personally identifiable information of students, and teacher and principal annual professional performance review (APPR) data. The law outlines certain requirements for educational agencies and the third-party contractors they utilize to ensure the security and privacy of protected information. Because it is evident from the nature of the proposed rule that it will have no impact on the number of jobs or employment opportunities in New York State, no further steps were needed to ascertain that fact and none were taken. Accordingly, a job impact statement is not required and one has not been prepared.