10/23/19 N.Y. St. Reg. EDU-05-19-00008-RP
NEW YORK STATE REGISTER
VOLUME XLI, ISSUE 43
October 23, 2019
RULE MAKING ACTIVITIES
EDUCATION DEPARTMENT
REVISED RULE MAKING
NO HEARING(S) SCHEDULED
I.D No. EDU-05-19-00008-RP
Strengthening Data Privacy and Security in NY State Educational Agencies to Protect Personally Identifiable Information
PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following revised rule:
Proposed Action:
Addition of Part 121 to Title 8 NYCRR.
Statutory authority:
Education Law, sections 2-d, 101, 207 and 305
Subject:
Strengthening Data Privacy and Security in NY State Educational Agencies to Protect Personally Identifiable Information.
Purpose:
To protect personally identifiable information.
Substance of revised rule (Full text is posted at the following State website: http://www.counsel.nysed.gov/rules/full-text-indices):
Strengthening Data Security and Privacy in NY State Educational Agencies to Protect Personally Identifiable Information
§ 121.1 Definitions.
This section provides definitions for specific terms for this Part.
§ 121.2 Educational Agency Data Collection Transparency and Restrictions.
Prohibits educational agencies from selling personally identifiable information (PII) or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII. Prohibits the reporting of certain data elements unless required by law.
§ 121.3 Parents Bill of Rights for Data Privacy and Security.
Requires each educational agency to: publish on its website a parent’s bill of rights for data privacy and security; include it with every contract where a third-party contractor will receive PII; and include supplemental information for each contract, such as the exclusive purposes for which the data will be used and how the third-party contractor will comply with all applicable data protection and security requirements. The supplemental information must also be published on the educational agency’s website.
§ 121.4 Parent Complaints of Breach or Unauthorized Release of Personally Identifiable Information.
Educational agencies must establish procedures for parents, eligible students, teachers, principals and staff of the educational agency to file complaints about breaches or unauthorized releases of student data. The procedure will require educational agencies to promptly acknowledge receipt of complaints, commence an investigation, and take the necessary precautions to protect any personally identifiable information.
§ 121.5 Data Security and Privacy Standard.
Adopts the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies. Each educational agency must adopt and publish a data security and privacy policy that complies with the proposed regulations, aligns with the NIST CSF, and includes provisions that require every use and disclosure of PII by the educational agency to benefit students and the educational agency and that prohibit the inclusion of personally identifiable information in public reports or other documents. Each educational agency is required to publish its data security and privacy policy on its website and provide notice of the policy to all its officers and employees.
§ 121.6 Data Security and Privacy Plan.
Educational agencies must ensure that their contracts with third parties that will receive PII include a data security and privacy plan that complies with Education Law § 2-d, and provides minimum requirements for the plan.
§ 121.7 Training for Educational Agency Employees.
Educational agencies must provide annual data privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 Educational Agency Data Protection Officer.
Each educational agency must designate a data protection officer to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency.
§ 121.9 Third Party Contractors.
Third-party contractors that will receive PII must adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework; comply with the data security and privacy policy of the educational agency with which they contract; and comply with Education Law § 2-d and the proposed regulations. Contractors are prohibited from selling PII or using it for any marketing or commercial purpose and may not disclose any PII to any other party without the prior written consent of the parent or eligible student. Additionally, where a third-party contractor engages a subcontractor to perform its contractual obligations, the data protection obligations imposed on the third-party contractor are applicable to the subcontractor.
§ 121.10 Reports and Notifications of Breach and Unauthorized Release.
Third-party contractors must notify each educational agency with which they have a contract of any breach or unauthorized release of PII in accordance with requirements set forth in the proposed regulations. Educational agencies must report any breach or unauthorized release of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in the most expedient way possible in accordance with requirements set forth in the proposed regulations. The Chief Privacy Officer is required to report to law enforcement any breach or unauthorized release that constitutes criminal conduct.
§ 121.11 Third Party Contractor Civil Penalties.
The Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and impose penalties on third party contractors for unauthorized releases or breaches of PII in accordance with requirements set forth in the proposed regulations.
§ 121.12 Right of Parents and Eligible Students to Inspect and Review Students Education Records.
Consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies must verify the identity of the requestor before releasing the records. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 Chief Privacy Officer’s Powers.
The Chief Privacy Officer shall have the power to access all records, reports, audits, reviews, documents, papers, recommendations, and other materials maintained by an educational agency that relate to student data or teacher or principal data, which shall include but not be limited to records related to any technology product or service that will be utilized to store and/or process personally identifiable information as further described in the proposed regulations. Additionally, the Chief Privacy Officer has the right to exercise any other powers that the Commissioner deems appropriate.
§ 121.14 Severability.
If any provision of this part or its application to any person or circumstances is adjudged invalid by a court of competent jurisdiction, such judgment shall not affect or impair the validity of the other provisions of the article or their application to other persons and circumstances, and those remaining provisions shall not be affected but shall remain in full force and effect.
Revised rule making(s) were previously published in the State Register on July 31, 2019.
Revised rule compared with proposed rule:
Substantial revisions were made in section 121.9(c).
Text of revised proposed rule and any required statements and analyses may be obtained from: Kirti Goswami, Education Department, 89 Washington Avenue, Room 148, Albany, NY 12234, (518) 474-6400, email: [email protected]
Data, views or arguments may be submitted to: Sara Paupini, Education Department, 89 Washington Avenue, Room 152EB, Albany, New York 12234, (518) 402-9051, email: [email protected]
Public comment will be received until: 45 days after publication of this notice.
Revised Regulatory Impact Statement
Since publication of a Notice of Adoption and Proposed Rule Making in the State Register on July 31, 2019, the following substantial revisions were made to the proposed rule:
• The provisions of section 121.9(c) were removed. That provision provided that where a parent or eligible student requests a service or product from a third-party contractor and provides express consent to the use or disclosure of personally identifiable information by the third-party contractor for purposes of providing the requested product or service, such use by the third-party contractor shall not be deemed a marketing or commercial purpose.
• Education Law 2-d(7)(a) provides that the commissioner, in consultation with the chief privacy officer, shall promulgate regulations establishing procedures to implement the provisions of this section, including but not limited to procedures for the submission of complaints from parents and/or persons in parental relation to students, classroom teachers or building principals, or other staff of an educational agency, making allegations of improper disclosure of student data and/or teacher or principal data by a third party contractor or its officers, employees or assignees. The current regulation only provides a complaint process for parents and eligible students. The regulation has been amended to include a complaint process for teachers, principals and staff of the educational agency for improper disclosure of student data and/or teacher or principal data.
• Ed. Law 2-d(6)(e)(5) states that “if it is determined that the unauthorized release of student data or teacher or principal data on the part of the third party contractor or assignee was inadvertent and done without intent, knowledge, recklessness or gross negligence, the commissioner may determine that no penalty be issued upon the third party contractor.” Currently, Section 121.11(f) of the Commissioner’s regulations provides that “If the Chief Privacy Officer determines that the breach or unauthorized release of student data or teacher or principal data on the part of the third-party contractor or assignee was inadvertent and done without intent, knowledge, recklessness or gross negligence, the Commissioner may determine that no penalty be issued upon the third-party contractor.” There is no reference, however, in either the law or the regulations regarding the process for how the matter gets from the Chief Privacy Officer to the Commissioner. The regulation has been amended to clarify that the Chief Privacy Officer will make a recommendation to the Commissioner for his/her final determination.
• An additional edit was made to the proposed amendment to clarify that the penalty provisions set forth in section 121.11(b) do not apply to the penalties imposed in subdivision (a) of the same section because they are for different types of violations.
1. STATUTORY AUTHORITY:
Education Law section 101 charges the Department with the general management and supervision of the educational work of the State and establishes the Regents as head of the Department.
Education Law section 207 grants general rule-making authority to the Regents to carry into effect State educational laws and policies.
Education Law section 305(1) authorizes the Commissioner to enforce laws relating to the State educational system and execute Regents educational policies. Section 305(2) provides the Commissioner with general supervision over schools and authority to advise and guide school district officers in their duties and the general management of their schools.
Education Law section 2-d authorizes the Commissioner to enforce laws relating to the privacy and security of personally identifiable information (PII) of students, and certain annual professional performance review (APPR) data of teachers and principals.
2. LEGISLATIVE OBJECTIVES:
The purpose of the proposed rule is to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014, which outlines certain requirements for educational agencies and their third-party contractors to ensure the privacy and security of the personally identifiable information of students, and certain annual professional performance review (APPR) data of teachers and principals (PII).
3. NEEDS AND BENEFITS:
The proposed rule, consistent with Education Law section 2-d, establishes certain requirements for educational agencies and their third-party contractors to ensure the security and privacy of PII.
4. COSTS:
a. Costs to State government: The proposed amendment implements Education Law § 2-d and does not impose any additional costs on State government, including the State Education Department, beyond those costs imposed by the statute.
b. Costs to local government: Education Law section 2-d, as added by Chapter 56 of the Laws of 2014, establishes certain requirements for educational agencies and their third-party contractors to ensure the security and privacy of PII. The proposed amendment does not impose any direct costs on local governments beyond those imposed by the statute.
§ 5 of Education Law § 2-d requires that the commissioner, in consultation with the Chief Privacy Officer, promulgate regulations that establish a standard for educational agency data security and privacy. The Chief Privacy Officer collaborated with representatives of the local agencies in finalizing the selection of the NIST Cybersecurity Framework v 1.1 as that standard. It would be difficult, if not close to impossible, to determine the costs of compliance with the NIST standard because of the flexibility built into its implementation: implementation of the standard in each district will not be one-size-fits-all, and many districts are already implementing the NIST framework.
For example, § 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. However, such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce, so the Department believes there will be minimal costs, if any, associated with the training.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities. Therefore, there should be no additional costs associated with this requirement.
c. Costs to private regulated parties: The rule applies to third party vendors contracting with educational agencies and does not impose any costs on such parties beyond those costs imposed by the statute.
d. Costs to regulatory agency for implementing and continued administration of the rule: The Department anticipates that the regulatory agency will need to dedicate staff hours to accomplish the duties and oversight required by the statute and/or the proposed rule.
5. LOCAL GOVERNMENT MANDATES:
The majority of the requirements in the proposed amendment do not impose any program, service, duty or responsibility on educational agencies beyond those imposed by the statute. The proposed rule requires the following of educational agencies:
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.3 requires each educational agency to adopt a parent’s bill of rights for data privacy and security that is included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information and is published on its website.
§ 121.4 requires educational agencies to establish procedures for parents, eligible students, teachers, principals and staff of the educational agency to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than July 1, 2020.
§ 121.6 requires each educational agency to ensure that its contracts with third-party contractors include a data security and privacy plan.
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce and should include training on the state and federal laws that protect personally identifiable information, and how employees can comply with such laws.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
§ 121.9 requires third-party contractors that will receive PII to adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework; to comply with the data security and privacy policy of the educational agency with which they contract; and to comply with Education Law § 2-d and the regulations. Prohibits third-party contractors from disclosing PII to any other party without the prior written consent of the parent or eligible student.
§ 121.10 requires third-party contractors to notify each educational agency with which they have a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.11 provides that the Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and may impose civil penalties on third party contractors for breaches or unauthorized releases of PII and for each violation of Education Law § 2-d.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 addresses the Chief Privacy Officer’s powers, including the power to access records and other materials maintained by an educational agency that relate to PII.
6. PAPERWORK:
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.4 requires educational agencies to establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.
§ 121.10 requires third-party contractors to notify each educational agency with which they have a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
7. DUPLICATION:
The rule is necessary to implement Education Law section 2-d and does not duplicate existing State or Federal requirements.
8. ALTERNATIVES:
The rule is necessary to implement Education Law section 2-d. No significant alternatives were considered.
9. FEDERAL STANDARDS:
The rule is necessary to implement Education Law section 2-d. There are no applicable Federal standards.
10. COMPLIANCE SCHEDULE:
The proposed amendment will become effective upon adoption. As stated above, section 121.5 of the proposed regulation requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than July 1, 2020.
Revised Regulatory Flexibility Analysis
(a) Small businesses:
The purpose of the proposed rule is to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014, which outlines certain requirements for educational agencies and their third-party contractors to ensure the privacy and security of the personally identifiable information of students, and certain annual professional performance review data of teachers and principals (PII).
1. EFFECT OF RULE:
The proposed rule, consistent with Education Law section 2-d, establishes certain requirements for educational agencies and their third-party contractors to ensure the security and privacy of PII.
2. COMPLIANCE REQUIREMENTS:
Certain requirements in the proposed rule apply to small businesses that receive PII and do not impose any program, service, duty or responsibility on small businesses beyond those imposed by the statute. Compliance requirements are summarized as follows:
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.3 requires each educational agency to adopt a parent’s bill of rights for data privacy and security that is included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information and is published on its website.
§ 121.4 requires educational agencies to establish procedures for parents, eligible students, teachers, principals and staff of the educational agency to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than July 1, 2020.
§ 121.6 requires each educational agency to ensure that its contracts with third-party contractors include a data security and privacy plan.
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
§ 121.9 requires third-party contractors that will receive PII to adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework; to comply with the data security and privacy policy of the educational agency with which they contract; and to comply with Education Law § 2-d and the regulations.
§ 121.10 requires third-party contractors to notify each educational agency with which they have a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.11 provides that the Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and may impose civil penalties on third party contractors for breaches or unauthorized releases of PII.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 addresses the Chief Privacy Officer’s powers, including the power to access records and other materials maintained by an educational agency that relate to PII.
3. PROFESSIONAL SERVICES:
The proposed amendment does not impose any additional professional services requirements on small businesses.
4. COMPLIANCE COSTS:
See the Costs Section of the Regulatory Impact Statement that is published in the State Register on this publication date for an analysis of the costs of the proposed rule.
5. ECONOMIC AND TECHNOLOGICAL FEASIBILITY:
The proposed rule may impose additional technological requirements on small businesses that receive PII. Economic feasibility is addressed above under Compliance Costs.
6. MINIMIZING ADVERSE IMPACT:
The rule is necessary to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014. The rule has been carefully drafted to meet statutory requirements.
7. SMALL BUSINESS PARTICIPATION:
The proposed regulation was developed in consultation with stakeholders and the public. In the Spring of 2018, fourteen public forums were held across the state to receive public comment on the law. Electronic comments were also accepted by the Department during this two-month period. These comments were critical to developing the implementing regulations.
(b) Local governments:
1. EFFECT OF RULE:
The proposed rule, consistent with Education Law section 2-d, establishes certain requirements for educational agencies and their third-party contractors to ensure the security and privacy of PII.
2. COMPLIANCE REQUIREMENTS:
The proposed rule applies to educational agencies and does not impose any program, service, duty or responsibility on educational agencies beyond those imposed by the statute. Compliance requirements are summarized as follows:
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.3 requires each educational agency to adopt a parent’s bill of rights for data privacy and security that is included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information and is published on its website.
§ 121.4 requires educational agencies to establish procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish a data security and privacy policy that complies with the regulations and aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 no later than July 1, 2020.
§ 121.6 requires each educational agency to ensure that its contracts with third-party contractors include a data security and privacy plan.
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce and should include training on the state and federal laws that protect personally identifiable information, and how employees can comply with such laws.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
§ 121.9 requires third-party contractors that will receive PII to adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework; to comply with the data security and privacy policy of the educational agency with which they contract; and to comply with Education Law § 2-d and the regulations. Prohibits third-party contractors from disclosing PII to any other party without the prior written consent of the parent or eligible student.
§ 121.10 requires third-party contractors to notify each educational agency with which they have a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.11 provides that the Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and may impose civil penalties on third-party contractors for breaches or unauthorized releases of PII and for each violation of Education Law § 2-d.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 addresses the Chief Privacy Officer’s powers, including the power to access records and other materials maintained by an educational agency that relate to PII.
3. PROFESSIONAL SERVICES:
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
4. COMPLIANCE COSTS:
See the Costs Section of the Regulatory Impact Statement that is published in the State Register on this publication date for an analysis of the costs of the proposed rule.
5. ECONOMIC AND TECHNOLOGICAL FEASIBILITY:
The proposed regulation requires each educational agency to ensure it has a policy on data security and privacy. As required by Education Law § 2-d(5), the proposed regulation adopts the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies. No later than July 1, 2020, each educational agency shall adopt and publish a data security and privacy policy that implements the requirements of this Part and aligns with the NIST CSF.
Economic feasibility is addressed above under Compliance Costs.
6. MINIMIZING ADVERSE IMPACT:
The rule is necessary to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014. The rule has been carefully drafted to meet statutory requirements while providing flexibility to educational agencies.
7. LOCAL GOVERNMENT PARTICIPATION:
The proposed regulation was developed in consultation with stakeholders and the public. In the Spring of 2018, fourteen public forums were held across the state to receive public comment on the law. Electronic comments were also accepted by the Department during this two-month period. These comments were critical to developing the implementing regulations. The Department has also coordinated with a Data Privacy Advisory Council (DPAC) and a subset Regulatory Drafting Workgroup to review drafts of the proposed regulation and provide an opportunity for stakeholder comment. The DPAC comprises stakeholders from a wide range of groups, including parent advocates, administrative and teacher organizations, technical experts and district-level staff. Finally, the Department is working with an Implementation Workgroup, comprised of RIC Directors, BOCES staff and district technical directors, to receive feedback and ensure successful implementation of these regulations.
Revised Rural Area Flexibility Analysis
1. TYPES AND ESTIMATED NUMBERS OF RURAL AREAS:
The proposed amendment applies to all educational agencies in the State, including those located in the 44 rural counties with fewer than 200,000 inhabitants and the 71 towns in urban counties with a population density of 150 persons per square mile or less.
2. REPORTING, RECORDKEEPING, AND OTHER COMPLIANCE REQUIREMENTS; AND PROFESSIONAL SERVICES:
The majority of the requirements in the proposed amendment do not impose any program, service, duty or responsibility on educational agencies beyond those imposed by the statute.
§ 121.2 prohibits educational agencies from selling personally identifiable information or using/disclosing it or allowing any other entity to use or disclose it for any marketing or commercial purpose. Educational agencies must incorporate provisions in their contracts with third-party contractors that require the confidentiality of PII.
§ 121.3 requires each educational agency to adopt a parent’s bill of rights for data privacy and security that is included with every contract an educational agency enters with a third-party contractor that receives personally identifiable information and is published on its website.
§ 121.4 requires educational agencies to establish procedures for parents, eligible students, teachers, principals and staff of the educational agency to file complaints about breaches or unauthorized releases of student data.
§ 121.5 requires each educational agency to adopt and publish, no later than July 1, 2020, a data security and privacy policy that complies with the regulations and aligns with the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1.
§ 121.6 requires each educational agency to ensure that its contracts with third-party contractors include a data security and privacy plan.
§ 121.7 requires educational agencies to provide annual information privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce. It should include training on the state and federal laws that protect personally identifiable information and on how employees can comply with such laws.
§ 121.8 requires each educational agency to designate one or more employees to serve as the educational agency’s data protection officer(s) to be responsible for the implementation of the policies and procedures required in Education Law § 2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency. This requirement may be fulfilled by a current employee(s) of the educational agency who may perform this function in addition to other job responsibilities.
§ 121.9 requires third-party contractors that will receive PII to adopt technologies, safeguards and practices that align with the NIST Cybersecurity Framework and to comply with the data security and privacy policy of the educational agency with which they contract, with Education Law § 2-d and with the regulations. It prohibits third-party contractors from disclosing PII to any other party without the prior written consent of the parent or eligible student.
§ 121.10 requires third-party contractors to notify each educational agency with which it has a contract of any breach or unauthorized release of personally identifiable information. Educational agencies must report breaches or unauthorized releases of PII to the Chief Privacy Officer and notify affected parents, eligible students, teachers and/or principals in accordance with the regulations.
§ 121.11 provides that the Chief Privacy Officer has the authority to investigate reports of breaches or unauthorized releases and may impose civil penalties on third-party contractors for breaches or unauthorized releases of PII and for each violation of Education Law § 2-d.
§ 121.12 provides that consistent with FERPA, parents and eligible students shall have the right to inspect and review a student’s education record by making a request directly to the educational agency in a manner prescribed by the educational agency. Educational agencies are required to notify parents annually of their right to request to inspect and review their child’s education record including any student data stored or maintained by an educational agency.
§ 121.13 addresses the Chief Privacy Officer’s powers, including the power to access records and other materials maintained by an educational agency that relate to PII.
3. COSTS:
See the “Costs” Section of the Regulatory Impact Statement that is published in the State Register on this publication date for an analysis of the costs of the proposed rule, which include costs for educational agencies across the State, including those located in rural areas.
4. MINIMIZING ADVERSE IMPACT:
The rule is necessary to implement Education Law section 2-d. The rule has been carefully drafted to meet statutory requirements while providing flexibility to educational agencies. Since the statute applies to all educational agencies throughout the State, it was not possible to establish different compliance and reporting requirements for regulated parties in rural areas, or to exempt them from the rule's provisions.
5. RURAL AREA PARTICIPATION:
The proposed regulations were developed in consultation with stakeholders and the public. In the Spring of 2018, fourteen public forums were held across the state to receive public comment on the law, including comment from those located in rural areas. Electronic comments were also accepted by the Department during this two-month period. These comments were critical to developing the implementing regulations. The Department has also coordinated with a Data Privacy Advisory Council (DPAC) and a subset Regulatory Drafting Workgroup to review drafts of the proposed regulation and provide an opportunity for stakeholder comment. The DPAC comprises stakeholders from a wide range of groups, including parent advocates, administrative and teacher organizations, technical experts and district-level staff, including those located in rural areas. Finally, the Department is working with an Implementation Workgroup, comprised of RIC Directors, BOCES staff and district technical directors, to receive feedback and ensure successful implementation of these regulations.
Revised Job Impact Statement
The purpose of the revised proposed rule is to implement Education Law section 2-d, as added by Chapter 56 of the Laws of 2014, which protects the privacy and security of personally identifiable information of students, and teacher and principal annual professional performance review (APPR) data. The law outlines certain requirements for educational agencies and the third-party contractors they utilize to ensure the security and privacy of protected information. Because it is evident from the nature of the proposed rule that it will have no impact on the number of jobs or employment opportunities in New York State, no further steps were needed to ascertain that fact and none were taken. Accordingly, a job impact statement is not required and one has not been prepared.
Assessment of Public Comment
This assessment summarizes the comments received on the revised proposed Part 121 of the Regulations of the Commissioner of Education, published July 31, 2019. Please refer to the full Assessment of Public Comment for the Department’s complete assessment of public comment.
Commenters wrote to urge the Department not to weaken the provisions of Education Law § 2-d by permitting college testing companies to sell or commercialize student data. No change.
A commenter asked the Department to focus on strengthening the Parent Bill of Rights and rigorously enforcing the law. No change.
A commenter stated that “not all of the NIST CSF standards will be applicable to districts as they do not apply to K-12 education and would be problematic.” The commenter requested a staggered adoption timeline; and asked in situations where a BOCES is the sole party to a contract with a third-party contractor, the proposed regulation allow for an exception to the requirement for direct notification from the educational agency. No change.
The same commenter stated that the regulatory impact statement (RIS) filed by the Department is insufficient. Revisions made.
A commenter wrote that the Department should focus on safety in schools, counseling, and proper education. No change.
A commenter asked the Department to “Please protect student privacy!” No change.
Commenters were concerned that the regulation would impede the access of colleges and universities to student data that enables these organizations to send targeted mailings to students. Some institutions stated that the regulation appeared to require parental consent for the College Board to release information to colleges and universities, contrary to historical practice. Some of these organizations stated that requiring consent would have “a chilling impact on first-generation and underrepresented college student enrollment as well as adversely impact all students on their journey towards making a college choice that is right for them individually and as a family.” Another commenter asked the Department to clarify that students under 18 would be allowed to consent to the disclosure of their PII to colleges and universities. Revision made in part.
A commenter asked the Department not to “give in to yet another effort to turn education and information over to private corporations.” No change.
A commenter stated that “it’s only fair to have all teachers and other school personnel including the superintendent to have the same privacy as students.” No change.
A commenter stated that it is ironic and frightening that legislation is being considered that allows companies and vendors to invade students’ digital privacy without first obtaining consent. No change.
A commenter stated that the proposed changes “should have been flagged and memoed to all schools and been the subject of discussions at PTA meetings.” Additionally, they believed the number of public forums held in 2018 to be inadequate. No change.
Commenters stated that we should be protecting student data, not trying to profit off of it. No change.
A commenter stated that Education Law Section 2-d is designed to deal with relationships between educational institutions and third-party contractors and opined that college admissions testing companies are not third-party contractors. No change.
A commenter asked that an exception be made to permit third party contractors to use PII to provide services contracted by a district if it is for a limited purpose and is in compliance with all applicable laws and regulations. No change.
A commenter expressed concern that the provision of the proposed rule that states that “the Chief Privacy Officer may visit, examine and/or inspect a third party contractor’s facilities and records in the event of a breach or unauthorized release of student or teacher data” may be in conflict with the third party contractor’s similar privacy obligations to others. No change.
Commenters stated that the definition of "Commercial or Marketing Purpose" expands the scope of Education Law § 2-d and may be interpreted in a manner that may restrict beneficial programs or create technical compliance concerns. No change.
A commenter stated that the proposed regulation does not distinguish between the use of "directory information" and more sensitive educational records, which may result in the regulation requiring parent consent for programs that only use a small amount of less-sensitive directory data. Revisions made in part.
A commenter stated that educational agencies should retain flexibility to approve contracts that include communications with students about beneficial educational programs without requiring parent consent. Revisions made in part.
A commenter expressed concern that the requirement to post supplemental information on the educational agency's website may expose information to hackers that could put student data at risk and stated that redaction should be permitted at the request of the contractor or based on a joint determination between the contractor and the agency. No change.
A commenter stated that the clause in the proposed rule that refers to data being deleted, destroyed or transferred back to the educational agency at the end of the contract should also permit the transfer of student-generated content or similar data to a personal account at the request of the student or parent. No change.
A commenter wrote that the provision prohibiting disclosure of PII to any third party without the written consent of the parent or eligible student should also permit the educational agency to consent to disclosures which are part of a school approved service or program. Revisions made.
A commenter suggested more time for educational agencies and third-party contractors to comply. No change.
A commenter stated that the Department should push away from the focus on testing as the end all/be all of tracking student progress/achievement. The commenter also stated that “we need to move towards need based school funding” and provide training in soft skills to students. No change.
A commenter stated that they were pleased that the revised regulation “includes an exception for promotion of colleges, scholarships, tutoring services, educational materials and related resources with prior consent of a parent or legal guardian.” No change.
A commenter wrote to share their discontent with the Department’s consideration of sharing student data for marketing purposes. No change.
A comment stated that the phrase the “use or disclosure for purposes of receiving remuneration, whether directly or indirectly” could prohibit schools from contracting for services with any outside organization. No change.
A commenter agreed that subcontractors should be required to protect data according to the contract signed by the third party provider. No change.
A comment stated that the inclusion of third party providers in the regulatory development process would “have provided other stakeholders and regulators with crucial field information on current use and practice as well as greatly reduce the chance of unintended consequences with the result being robust, balanced protections for students.” The commenter requested that industry participation should be sought in the future. No change.
A commenter questioned whether posting a vendor signed copy of the Bill of Rights from a contract that includes multiple districts would fulfill the supplemental requirement for each individual district. No change.
A commenter questioned whether other vendors/agencies should be able to distribute materials related to Education Law § 2-d without approval from the Department. No change.
A commenter suggested specification that the protections of Education Law § 2-d apply to any contractual relationship established prior to the proposed rule’s effective date. Another commenter stated that the proposed rule would permit educational agencies to structure contractual arrangements to avoid compliance with Education Law § 2-d. No change.
A commenter requested that the definition of “third-party contractor” be revised to include entities that also “have access to” student, teacher, and parent data. The commenter also suggested including penalties that would apply to a school district for a breach of PII. No change.
A commenter raised the issue of educational agency compliance when utilizing systems pursuant to a click-wrap agreement and also stated that complexity of the task of compliance with the supplemental information requirement depends on the final determination on the use of click-wrap agreements. No change.
A commenter stated that “instituting a DPO by December 2019 will present significant implementation challenges.” The commenter highlighted the fact that the DPO may need to dedicate all or most of their time to the data privacy and security tasks and referred to some of the NIST Framework’s provisions and stated that “… it appears to point to full-time work and there would most certainly be a cost to fill such a position.” No change.
A commenter stated that the cost statement in the regulatory impact statement relating to local governments is untrue. Revision made.
A commenter stated that they disagree with the Department’s response that their comments on the ASVAB from the initial comment period are beyond the scope of the proposed regulation. No change.
A commenter writes that it is imperative for the Department to more carefully address the use of biometric surveillance technology. No change.
A commenter writes that they support the clarification of the required elements of the data security and privacy plan. They believe such plans should be made publicly available. They also support that the proposed regulation adopted their recommendation to include explicit prohibitions on certain types of data being shared. No change.
A commenter writes that the bill of rights should specifically include certain Federal Acts and should also include the section in Education Law § 2-d which provides the Chief Privacy Officer with the authority to expand the Parent Bill of Rights in the future. The commenter also suggests that personally identifiable information of former students and teachers, as well as current students and teachers, should be covered under the proposed regulation. The commenter writes that the regulation should also include the specific provision in Education Law § 2-d that bars districts from reporting to the state any data regarding (1) juvenile delinquency records; (2) criminal records; (3) medical and health records; and (4) student biometric information, except as required by law or required enrollment data. The commenter writes that in order to collect personal data, vendors should be required to have written contracts with the education agencies. They suggest that the word “license” should be added so that third-party contractors are barred from selling and/or licensing student data for a fee. The commenter suggests that vendors and third-party contractors should be barred from selling data in the case of a bankruptcy. They also state that education agencies should be required to publish their data security and privacy policies on their websites and provide notice of these policies to parents; they should be required to post all contracts with vendors who collect student data; education agencies should have to explain what the educational purpose is for allowing vendors access to this data; data breach notification to parents and affected parties should be carried out by regular mail as well as email; and the regulations should incorporate all the powers and responsibilities of the Chief Privacy Officer as stated in Education Law § 2-d. No change.
A commenter writes that to expect school districts to individually protect their data is not realistic. No change.
Commenters question if and how the Board of Regents plans to incorporate the new NIST privacy framework. No change.
A commenter writes that the consent required in Section 121.9(a)(5) of the proposed regulation should also include a requirement for prior written consent of affected teachers and/or principals and suggests that Section 121.9(a)(8) should permit the educational agency to consent to disclosures that may technically fall within such provision, but which are part of a school-approved service or program. No change.
A commenter writes that they are concerned that if parental consent requirements are imposed without more evaluation, study, realistic protocols and timelines, this would be problematic. No change.
A commenter writes that in the previous comment period they submitted comments that remain unaddressed: specifically, their comment stating that the proposed regulation has an incomplete list of duties of the Chief Privacy Officer, and their comment stating that the NIST CSF data security and privacy standard is not designed to ensure that confidential information is protected and remains confidential. No change.