§ 2-D — Unauthorized release of personally identifiable information

New York § 2-D

• Jurisdiction: New York
• Law EDN: Education
• Title 1: General Provisions Article 1 Short Title and Definitions (§§
• Art. 1: Short Title and Definitions

Text

§ 2-d. Unauthorized release of personally identifiable information. 1.\nDefinitions. As used in this section the following terms shall have the\nfollowing meanings:\n a. "Building principal" means a building principal subject to annual\nperformance evaluation review under the provisions of section three\nthousand twelve-c, section three thousand twelve-d, or section three\nthousand twelve-e of this chapter.\n b. "Classroom teacher" means a teacher subject to annual performance\nevaluation review under the provisions of section three thousand\ntwelve-c, section three thousand twelve-d, or section three thousand\ntwelve-e of this chapter.\n c. "Educational agency" means a school district, board of cooperative\neducational services, school, or the education department.\n d. "Personally identifiable information," as applied to student data,\nmeans personally identifiable information as defined in section 99.3 of\ntitle thirty-four of the code of federal regulations implementing the\nfamily educational rights and privacy act, section twelve hundred\nthirty-two-g of title twenty of the United States code, and, as applied\nto teacher or principal data, means "personally identifying information"\nas such term is used in subdivision ten of section three thousand\ntwelve-c of this chapter.\n e. "School" means any public elementary or secondary school, universal\npre-kindergarten program authorized pursuant to section thirty-six\nhundred two-e of this chapter, an approved provider of preschool special\neducation, any other publicly funded pre-kindergarten program, a school\nserving children in a special act school district as defined in section\nfour thousand one of this chapter, an approved private school for the\neducation of students with disabilities, a state-supported school\nsubject to the provisions of article eighty-five of this chapter, or a\nstate-operated school subject to the provisions of article eighty-seven\nor eight-eight of this chapter.\n f. "Student" means any person attending or seeking to enroll in an\neducational agency.\n g. "Eligible student" means a student eighteen years or older.\n h. "Parent" means a parent, legal guardian, or person in parental\nrelation to a student.\n i. "Student data" means personally identifiable information from\nstudent records of an educational agency.\n j. "Teacher or principal data" means personally identifiable\ninformation from the records of an educational agency relating to the\nannual professional performance reviews of classroom teachers or\nprincipals that is confidential and not subject to release under the\nprovisions of section three thousand twelve-c of this chapter.\n k. "Third party contractor" shall mean any person or entity, other\nthan an educational agency, that receives student data or teacher or\nprincipal data from an educational agency pursuant to a contract or\nother written agreement for purposes of providing services to such\neducational agency, including but not limited to data management or\nstorage services, conducting studies for or on behalf of such\neducational agency, or audit or evaluation of publicly funded programs.\nSuch term shall include an educational partnership organization that\nreceives student and/or teacher or principal data from a school district\nto carry out its responsibilities pursuant to section two hundred\neleven-e of this title and is not an educational agency as defined in\nparagraph c of this subdivision, and a not-for-profit corporation or\nother non-profit organization, other than an educational agency.\n 2. Chief privacy officer. a. The commissioner shall appoint a chief\nprivacy officer within the department for a term of three years, which\nmay be renewed for three-year terms thereafter. The chief privacy\nofficer shall be qualified by training or experience in state and\nfederal education privacy laws and regulations, civil liberties,\ninformation technology, and information security. The chief privacy\nofficer shall report to the commissioner on matters affecting privacy\nand the security of student, teacher, and principal data.\n b. The functions of the chief privacy officer shall include, but not\nbe limited to:\n (1) promoting the implementation of sound information practices for\nprivacy and security of student data or teacher or principal data;\n (2) assisting the commissioner in handling instances of data breaches\nas well as assisting the commissioner in due process proceedings\nregarding any alleged breaches of student data or teacher or principal\ndata;\n (3) providing assistance to educational agencies within the state on\nminimum standards and best practices associated with privacy and the\nsecurity of student data or teacher or principal data;\n (4) formulating a procedure within the department whereby parents,\nstudents, teachers, superintendents, school board members, principals,\nand other persons or entities the chief privacy officer determines is\nappropriate, may request information pertaining to student data or\nteacher or principal data in a timely and efficient manner;\n (5) assisting the commissioner in establishing a protocol for the\nsubmission of complaints of possible breaches of student data or teacher\nor principal data;\n (6) making recommendations as needed regarding privacy and the\nsecurity of student data on behalf of the department to the governor,\nthe speaker of the assembly, the temporary president of the senate, and\nthe chairs of the senate and assembly education committees; and\n (7) issuing an annual report on data privacy and security activities\nand progress, the number and disposition of reported breaches, if any,\nand a summary of any complaint submitted pursuant to subparagraph five\nof this paragraph.\n c. The chief privacy officer shall have the power to:\n (1) access all records, reports, audits, reviews, documents, papers,\nrecommendations, and other materials maintained by an educational agency\nthat relate to student data or teacher or principal data;\n (2) to review and comment upon any department program, proposal,\ngrant, or contract that involves the processing of student data or\nteacher or principal data before the commissioner begins or awards the\nprogram, proposal, grant, or contract; and\n (3) any other powers that the commissioner shall deem appropriate.\n 3. Parents bill of rights for data privacy and security. a. A parents\nbill of rights for data privacy and security shall be published on the\nwebsite of each educational agency and shall be included with every\ncontract an educational agency enters into with a third party contractor\nwhere the third party contractor receives student data or teacher or\nprincipal data.\n b. The parents bill of rights for data privacy and security shall\nstate in clear and plain English terms that:\n (1) A student's personally identifiable information cannot be sold or\nreleased for any commercial purposes;\n (2) Parents have the right to inspect and review the complete contents\nof their child's education record;\n (3) State and federal laws protect the confidentiality of personally\nidentifiable information, and safeguards associated with industry\nstandards and best practices, including but not limited to, encryption,\nfirewalls, and password protection, must be in place when data is stored\nor transferred;\n (4) A complete list of all student data elements collected by the\nState is available for public review at (insert website address here) or\nby writing to (insert mailing address here); and\n (5) Parents have the right to have complaints about possible breaches\nof student data addressed. Complaints should be directed to (insert\nphone number, email and mailing address here).\n c. The parents bill of rights for data privacy and security shall\ninclude supplemental information for each contract an educational agency\nenters into with a third party contractor where the third party\ncontractor receives student data or teacher or principal data. Such\nsupplemental information shall be developed by the educational agency\nand shall include:\n (1) the exclusive purposes for which the student data or teacher or\nprincipal data will be used;\n (2) how the third party contractor will ensure that the\nsubcontractors, persons or entities that the third party contractor will\nshare the student data or teacher or principal data with, if any, will\nabide by data protection and security requirements;\n (3) when the agreement expires and what happens to the student data or\nteacher or principal data upon expiration of the agreement;\n (4) if and how a parent, student, eligible student, teacher or\nprincipal may challenge the accuracy of the student data or teacher or\nprincipal data that is collected; and\n (5) where the student data or teacher or principal data will be stored\n(described in such a manner as to protect data security), and the\nsecurity protections taken to ensure such data will be protected,\nincluding whether such data will be encrypted.\n d. The chief privacy officer, with input from parents and other\neducation and expert stakeholders, shall develop additional elements of\nthe parents bill of rights for data privacy and security. The\ncommissioner shall promulgate regulations for a comment period whereby\nparents and other members of the public may submit comments and\nsuggestions to the chief privacy officer to be considered for inclusion.\nThe parents bill of rights for data privacy and security shall be\ncompleted within one hundred twenty days after the effective date of\nthis section.\n 4. Data collection transparency and restrictions. a. The department\nshall promote the least intrusive data collection policies practicable\nthat advance the goals of improving academic achievement, empowering\nparents with information and advancing efficient and effective school\noperations while minimizing the collection and transmission of\npersonally identifiable information.\n b. The chief privacy officer shall develop, regularly update and make\npublicly available on the department's website and through such\nadditional methods as may facilitate accessibility an inventory and\nunderstandable description of the student, teacher and principal data\nelements collected with an explanation and/or legal or regulatory\nauthority outlining the reasons such data elements are collected and the\nintended uses and disclosure of the data.\n c. Except as otherwise specifically authorized by law, the department\nshall only collect personally identifiable information relating to an\neducational purpose.\n d. The department may only require districts to submit personally\nidentifiable information, including data on disability status and\nstudent suspensions, where such release is required by law or otherwise\nauthorized under the family educational rights and privacy act, 20\nU.S.C. section 1232g, and the personal privacy protection law.\n e. Except as required by law or in the case of educational enrollment\ndata, school districts shall not report to the department the following\nstudent data elements:\n (1) juvenile delinquency records;\n (2) criminal records;\n (3) medical and health records; and\n (4) student biometric information.\n f. Personally identifiable information maintained by educational\nagencies, including data provided to third-party contractors and their\nassignees, shall not be sold or used for marketing purposes.\n g. Parents shall have the right to inspect and review their child's\neducational record including any student data stored or maintained by an\neducational agency. The department shall develop policies for school\ndistricts that:\n (1) provide for annual notification to parents of their right to\nrequest student data;\n (2) ensure security when providing student data to parents, including\nthat only authorized individuals receive such data; and\n (3) specify a reasonable amount of time in which school districts\nshould respond to such requests.\n 5. Data security and privacy standards. a. The commissioner, in\nconsultation with the chief privacy officer, shall promulgate\nregulations establishing standards for educational agency data security\nand privacy policies and shall develop one or more model policies for\nuse by educational agencies. The commissioner shall seek the input of\nexperts, including those from security, cyber-security and fields in\naddition to education that have experience with personal data\nprotection, in developing such standards and policies.\n b. The standards for data security and privacy policies shall include,\nbut not be limited to:\n (1) data privacy protections, including criteria for determining\nwhether a proposed use of personally identifiable information would\nbenefit students and educational agencies, and processes to ensure that\npersonally identifiable information is not included in public reports or\nother public documents;\n (2) data security protections, including data systems monitoring, data\nencryption, incident response plans, limitations on access to personally\nidentifiable information, safeguards to ensure personally identifiable\ninformation is not accessed by unauthorized persons when transmitted\nover communication networks, and destruction of personally identifiable\ninformation when no longer needed; and\n (3) application of all such restrictions, requirements and safeguards\nto third-party contractors.\n c. Following promulgation of regulations by the commissioner pursuant\nto paragraph a of this subdivision each educational agency shall ensure\nthat it has a policy on data security and privacy in place that is\nconsistent with applicable state and federal laws and applied to student\ndata and, where applicable, to teacher or principal data. Such policy\nshall be published on the educational agency's website, if it exists,\nand notice of such policy shall be provided to all officers and\nemployees of the educational agency.\n d. As applied to student data, such policy shall provide all\nprotections afforded to parents and persons in parental relationships,\nor students where applicable, required under the family educational\nrights and privacy act, 20 U.S.C. section 1232g, where applicable the\nindividuals with disabilities education act, sections fourteen hundred,\net seq. of title twenty of the United States code, and the federal\nregulations implementing such statutes. Each educational agency shall\nensure that it has in place provisions in its contracts with third party\ncontractors or in separate data sharing and confidentiality agreements\nthat require that confidentiality of the shared student data or teacher\nor principal data be maintained in accordance with federal and state law\nand the educational agency's policy on data security and privacy.\n e. Each educational agency that enters into a contract or other\nwritten agreement with a third party contractor under which the third\nparty contractor will receive student data or teacher or principal data\nshall ensure that such contract or agreement includes a data security\nand privacy plan that outlines how all state, federal, and local data\nsecurity and privacy contract requirements will be implemented over the\nlife of the contract, consistent with the educational agency's policy on\ndata security and privacy. Such plan shall include, but shall not be\nlimited to, a signed copy of the parents bill of rights for data privacy\nand security, and a requirement that any officers or employees of the\nthird party contractor and its assignees who have access to student data\nor teacher or principal data have received or will receive training on\nthe federal and state law governing confidentiality of such data prior\nto receiving access.\n f. Each third party contractor that enters into a contract or other\nwritten agreement with an educational agency under which the third party\ncontractor will receive student data or teacher or principal data shall:\n (1) limit internal access to education records to those individuals\nthat are determined to have legitimate educational interests;\n (2) not use the education records for any other purposes than those\nexplicitly authorized in its contract;\n (3) except for authorized representatives of the third party\ncontractor to the extent they are carrying out the contract, not\ndisclose any personally identifiable information to any other party:\n (i) without the prior written consent of the parent or eligible\nstudent; or\n (ii) unless required by statute or court order and the party provides\na notice of the disclosure to the department, district board of\neducation, or institution that provided the information no later than\nthe time the information is disclosed, unless providing notice of the\ndisclosure is expressly prohibited by the statute or court order;\n (4) maintain reasonable administrative, technical and physical\nsafeguards to protect the security, confidentiality and integrity of\npersonally identifiable student information in its custody;\n (5) uses encryption technology to protect data while in motion or in\nits custody from unauthorized disclosure using a technology or\nmethodology specified by the secretary of the United States department\nof health and human services in guidance issued under Section\n13402(H)(2) of Public Law 111-5.\n 6. Breach and unauthorized release of personally identifiable\ninformation. a. Each third party contractor that receives student data\nor teacher or principal data pursuant to a contract or other written\nagreement with an educational agency shall be required to notify such\neducational agency of any breach of security resulting in an\nunauthorized release of such data by the third party contractor or its\nassignees in violation of applicable state or federal law, the parents\nbill of rights for student data privacy and security, the data privacy\nand security policies of the educational agency and/or binding\ncontractual obligations relating to data privacy and security, in the\nmost expedient way possible and without unreasonable delay. The\neducational agency shall, upon notification by the third party\ncontractor, be required to report to the chief privacy officer any such\nbreach of security and unauthorized release of such data. The chief\nprivacy officer shall, upon belief that such breach and unauthorized\nrelease constitutes criminal conduct, report such breach and\nunauthorized release to law enforcement in the most expedient way\npossible and without unreasonable delay.\n b. In the case of an unauthorized release of student data, the\neducational agency shall notify the parent or eligible student of the\nunauthorized release of student data that includes personally\nidentifiable information from the student records of such student in the\nmost expedient way possible and without unreasonable delay. In the case\nof an unauthorized release of teacher or principal data, the educational\nagency shall notify each affected teacher or principal of the\nunauthorized release of data that includes personally identifiable\ninformation from the teacher or principal's annual professional\nperformance review in the most expedient way possible and without\nunreasonable delay.\n c. In the case of notification to a parent, eligible student, teacher\nor principal under paragraph b of this subdivision due to the\nunauthorized release of student data by a third-party contractor or its\nassignee, the third-party contractor shall promptly reimburse the\neducational agency for the full cost of such notification.\n d. Each violation of a third party contractor pursuant to paragraph a\nof this subdivision shall be punishable by a civil penalty of the\ngreater of five thousand dollars or up to ten dollars per student,\nteacher, and principal whose data was released, provided that the latter\namount shall not exceed the maximum penalty under paragraph (a) of\nsubdivision six of section eight hundred ninety-nine-aa of the general\nbusiness law.\n e. If the chief privacy officer determines that a third party\ncontractor or its assignee, in violation of applicable state or federal\nlaw, the data privacy and security policies of the educational agency\nprovided by such educational agency to the third party contractor and/or\nbinding contractual obligations relating to data privacy and security,\nhas released any student data or teacher or principal data received from\nan educational agency to any person or entity not authorized by law to\nreceive such data pursuant to a lawful subpoena or otherwise, the chief\nprivacy officer, after affording the third party contractor with notice\nand an opportunity to be heard, shall be authorized to:\n (1) order that the third party contractor be precluded from accessing\nstudent data or teacher or principal data, as applicable, from the\neducational agency from which the contractor obtained the data that was\nimproperly disclosed for a fixed period of up to five years; and/or\n (2) order that a third party contractor or assignee who knowingly or\nrecklessly allowed for the unauthorized release of student data or\nteacher or principal data be precluded from accessing student data or\nteacher or principal data from any educational agency in the state for a\nfixed period of up to five years; and/or\n (3) order that a third party contractor or assignee who knowingly or\nrecklessly allowed for the unauthorized release of student data or\nteacher or principal data shall not be deemed a responsible bidder or\nofferer on any contract with an educational agency that involves the\nsharing of student data or teacher or principal data, as applicable for\npurposes of the provisions of section one hundred three of the general\nmunicipal law or paragraph c of subdivision ten of section one hundred\nsixty-three of the state finance law, as applicable, for a fixed period\nof up to five years; and/or\n (4) require the third party contractor to provide training at the\ncontractor's expense on the federal and state law governing\nconfidentiality of student data and/or teacher or principal data and the\nprovisions of this section to all its officers and employees with access\nto such data, prior to being permitted to receive subsequent access to\nsuch data from the educational agency from which the contractor obtained\nthe data that was improperly disclosed or from any educational agency;\nand/or\n (5) if it is determined that the unauthorized release of student data\nor teacher or principal data on the part of the third party contractor\nor assignee was inadvertent and done without intent, knowledge,\nrecklessness or gross negligence, the commissioner may determine that no\npenalty be issued upon the third party contractor.\n 7. Implementation and enforcement. a. The commissioner, in\nconsultation with the chief privacy officer, shall promulgate\nregulations establishing procedures to implement the provisions of this\nsection, including but not limited to procedures for the submission of\ncomplaints from parents and/or persons in parental relation to students,\nclassroom teachers or building principals, or other staff of an\neducational agency, making allegations of improper disclosure of student\ndata and/or teacher or principal data by a third party contractor or its\nofficers, employees or assignees that may be subject to the sanctions\nset forth in subdivision six of this section. Upon receipt of a\ncomplaint or other information indicating that such an improper\ndisclosure by a third party contractor may have occurred, the chief\nprivacy officer shall be authorized to investigate, visit, examine and\ninspect the third party contractor's facilities and records and obtain\ndocumentation from, or require the testimony of, any party relating to\nthe alleged improper disclosure of student data or teacher or principal\ndata.\n b. Except as provided under paragraph d of subdivision six of this\nsection, each violation of any provision of this section by a third\nparty contractor or its assignee shall be punishable by a civil penalty\nof up to one thousand dollars; a second violation by the same third\nparty contractor involving the same student data or teacher or principal\ndata shall be punishable by a civil penalty of up to five thousand\ndollars; any subsequent violation by the same third party contractor\ninvolving the same student date or teacher or principal data shall be\npunishable by a civil penalty of up to ten thousand dollars. Each\nviolation of this subdivision shall be considered a separate violation\nfor purposes of civil penalties and the total penalty shall not exceed\nthe maximum penalty under paragraph (a) of subdivision six of section\neight hundred ninety-nine-aa of the general business law.\n c. Nothing contained in this section shall be construed as creating a\nprivate right of action against the department or an educational agency.\n d. Nothing in this section shall limit the administrative use of\nstudent data or teacher or principal data by a person acting exclusively\nin the person's capacity as an employee of an educational agency or of\nthe state or any of its political subdivisions, any court or the federal\ngovernment that is otherwise required by law.\n