The Time for Enforcement of Education Law § 2-d is Coming – Proposed Regulations Regarding Privacy and Security of Student Data and Teacher or Principal Data

The New York State Education Department has released proposed regulations implementing Education Law § 2-d.  The full text of the proposed regulations, which will become Part 121 of the Commissioner’s Regulations, can be accessed on the Department’s website at the following link.  It is expected that the Board of Regents will take final action on the proposed regulations in May, and that they will become effective as of July 1, 2019.  The regulations may bring renewed attention to the statutory requirements, enacted in 2014, and applicable to educational agencies within New York, including school districts and boards of cooperative education.  This legal alert reviews the requirements of the proposed regulations and includes reminders of the components of the statutory mandate. 

Education Law § 2-d – What it Protects

Education Law § 2-d went into effect in April 2014.  The focus of the statute was to foster privacy and security of personally identifiable information (PII) of students and certain PII related to classroom teachers and principals.

          Student PII

The student data protected under the statute consists of the same elements as are protected pursuant to the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232-g.  By definition, PII includes, but is not limited to:

1. The student’s name;
2. The name of the student’s parent or other family members;
3. The address of the student or student’s family;
4. A personal identifier, such as the student’s social security number, student number, or biometric record;
5. Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name;
6. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
7. Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

34 CFR §99.3.  We also recommend protection of the additional element identified in the implementing regulations of the Individuals with Disabilities Education Act (IDEA), 20 U.S.C. § 1400 et seq., as PII, with regard to IDEA eligible students, that is:  a list of personal characteristics or other information that would make it possible to identify the child with reasonable certainty.  34 CFR § 300.32.

The confidentiality and privacy provisions do not apply to de-identified data (e.g., data regarding students that uses random identifiers), aggregated data (e.g., data reported at the school district level) or anonymized data that could not be used to identify a particular student.

          Teacher Data or Principal Data

The protections in the statute also extend to teacher data or principal data, defined as PII from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of Education Law §§ 3012-c and 3012-d.

Proposed Part 121 Regulation Requirements

            Data Security and Privacy Standard
Although the proposed regulations largely restate the requirements of Education Law § 2-d, there are new elements, including the adoption by the New York State Education Department of a data security and privacy standard, as was required by the statute.  The Department will adopt the National Institute for Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (CSF or Framework).  NIST is part of the United States Department of Commerce, and was originally established at the turn of the twentieth century to standardize measurement in the United States.   In 2013, NIST was directed by Executive Order to develop a voluntary framework for reducing cyber risks to critical infrastructure based on existing standards, guidelines, and practices.  As a result, the CSF was developed and will now be mandatory for New York educational agencies.

The CSF, which can be accessed through the NIST website here, consists of three components:

1. The Core, designed to provide an easy-to-understand set of desired cybersecurity outcomes;
2. Profiles, which, as developed by an organization, portray its unique requirements, objectives, risk appetite, and resources; and
3. Implementation Tiers, which indicate how an organization manages cybersecurity risks.

The CSF does not provide a single set of requirements, but rather, by following its process, enables individual organizations to develop their own cybersecurity protocols designed to meet their needs.  The process essentially provides a means to conduct a thorough audit of an organization’s cybersecurity issues and needs in order to inform the determination of how those needs are best met.

Educational Agency Data Protection Officer
Another new element in the proposed regulation is the requirement to designate one or more employees to serve as the educational agency’s data protection officer(s).  The data protection officer is tasked with responsibility for implementation of the policies and procedures required by the statute and implementing regulations, and to serve as the agency’s point of contact for data security and privacy.  The officer must have the requisite knowledge, training and experience to administer these functions, and may be fulfilled by a current agency employee who may perform the function in addition to his/her other job duties.

Educational Agency Data Collection Transparency and Restrictions

Elaborating on the statutory mandate, the proposed regulations set forth that educational agencies may not sell PII or use/disclose PII for marketing or commercial purposes, or permit or facilitate its use for marking or commercial purposes by any other party.  Educational agencies must also take steps to minimize the collection, processing and transmission of PII. Agreements with third-party contractors must include provisions, either within the contracts or in separate data sharing and confidentiality agreements, requiring confidentiality of student data or teacher or principal data in accordance with New York and federal law and the educational agency’s data security and privacy policy.

School Districts should note that contracts include those in electronic form, and click wrap agreements used with software licenses, including those downloaded and/or online applications and transactions for educational technologies and other technologies in which a user must agree to terms and conditions prior to using the product or service.

          Policy Requirements

The proposed regulations mandate that, by the end of this calendar year (December 31, 2019), all educational agencies must adopt and publish a data security and privacy policy that aligns with the NIST CSF and implements the new regulatory mandates.  The policy must be published on agency websites, and notice of the policy must be provided to all officers and employees of the educational agency.  The draft regulations provide that the policy must address Education Law § 2-d’s data privacy protections as follows:

1. Every use of PII by the educational agency shall benefit students and the educational agency (e.g., improve academic achievement, empower parents and students with information, and/or advance efficient and effective school operations); and
2. PII shall not be included in public reports or other documents.
3. The policy must incorporate the protections afforded to parents or eligible students under FERPA and the IDEA, and their implementing regulations.

The statute itself mandates that the standards for the policy also include:

• Date security protections, including:
  • data systems monitoring;
  • data encryption;
  • incident response plans;
  • limitations on access to PII;
  • safeguards to ensure PII is not accessed by unauthorized individuals when transmitted over communication networks; and
  • destruction of PII when no longer needed; and
• Application of all restrictions, requirements and safeguards to third-party contractors.

Although Education Law § 2-d(5) requires the Commissioner of Education to develop one or more model policies, no model has as yet been released.

             Training for Educational Agency Employees

Educational agencies will be mandated to provide annual information privacy and security awareness training to their officers and employees who have access to PII.  The training may be provided using online training tools, and may be included in other training already offered. 

          Parents Bill of Rights for Data Privacy and Security

The proposed regulations reiterate that educational agencies must publish on their websites a parent’s bill of rights for data privacy and security, as required by Education Law § 2-d(3).  Additionally, the parent’s bill of rights must be included with every contract with a third-party contractor that receives PII.

The parent’s bill of rights must include supplemental information for every contract in which the third-party contractor will receive student data or teacher or principal data, and include the following:

1. The exclusive purposes for which the student data or teacher or principal data will be used, as defined in the contract;
2. How the third-party contractor will ensure that the subcontractors, persons or entities with which the third-party contractor will share the student data or teacher or principal data, if any, will abide by data protection and security requirements, including those mandated by New York State and federal laws and regulations;
3. When the agreement expires and what happens to the student data or teacher or principal data upon expiration of the agreement (e.g., if, when and in what format data will be returned to the educational agency, and/or whether, when and how the data will be destroyed);
4. If and how a parent, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected;
5. Where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected (e.g., offsite storage, using a cloud service provider); and
6. Address encryption of the data to help ensure data is protected while in transit or in its custody.

This supplemental information must also be published in the educational agency’s website, but may be redacted as necessary to safeguard the privacy or security of the agency’s data and/or technology infrastructure.

         Data Security and Privacy Plan

In addition to the requirements above, the proposed regulations mandate that all educational agency contracts with third-party contractors must include a data security and privacy plan that does the following:

1. Outlines how all state, federal, and local data security and privacy contract requirements will be implemented, consistent with the educational agency’s policy on data security and privacy;
2. Includes a signed copy of the parent’s bill of rights;
3. Includes a requirement that any officers or employees of the third-party contractor and its assignees who have access to PII have received or will receive training on the New York and federal laws and regulations governing confidentiality of such data; and
4. Complies with Education Law § 2-d.

Third Party Contractors

The proposed regulations also set forth requirements for all third-party contractors who receive PII.  The mandates are equally applicable to any subcontractor engaged by a third-party contractor.  Third-party contractors must:

1.     Adopt technologies, safeguards and practices that align with the NIST CSF and comply with the educational agency’s data security and privacy policy, Education Law § 2-d and its implementing regulations;

2.     Limit internal access to education records to those employees or subcontractors who require it to provide the contracted services;

3.     Not use PII for any purposes other than those explicitly authorized in its contract;

4.     Except for authorized representatives of the third party contractor to the extent they are carrying out the contract, not disclose any PII to any other party:

         i.       Without the prior written consent of the parent/guardian or eligible student; or

         ii.     Unless required by statute or court order and the party provides a notice of the disclosure to the department, district board of education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order;

5.     Maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of PII in its custody;

6.     Use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using controls as specified by the Secretary of HHS in guidance issued under Public Law 111-5, § 13402(h)(2); and

7.     Not sell PII or use or disclose it for any marketing or commercial purpose or facilitate or permit its use or disclosure by any other party for any marketing or commercial purpose.

Reports and Notifications of Breach and Unauthorized Release

The proposed regulations set forth timelines for notifications of breach or unauthorized release of PII and for investigations thereof.  Third-party contractors must promptly notify an educational agency of any breach or unauthorized release of PII no later than seven (7) calendar days after discovery of a breach.  An educational agency must report every discovery or report of a breach or unauthorized release of data, including reports from third-party contractors, no more than ten (10) calendar days thereafter, to the Chief Privacy Officer in a format prescribed by the New York State Education Department.

An educational agency is also required to notify affected parents, eligible students, teachers and/or principals no more than fourteen (14) calendar days after the discovery of a breach or unauthorized release of PII unless notification would interfere with an ongoing investigation by law enforcement or cause further disclosure of PII due to an as yet uncorrected security vulnerability.  In such an instance, notification must be made within seven (7) calendar days after risk of interference with an investigation ends or risk of further disclosure has been remedied.  Notification must be made via first class mail to the last known address of the affected individuals, by email or by telephone.  We do not recommend making such notification solely by telephone.  This notification must be in plain language that is clear, concise and easy to understand.  It should, to the extent available, include the following:

1. A brief description of the breach/unauthorized release, the dates of the incident and date of discovery, if known;
2. A description of the types of PII affected;
3. An estimate of the number of records affected;
4. A brief description of the agency’s investigation or plan to investigate; and
5. Contact information for representatives who can assist parents or eligible students who have additional questions.

Third-party contractors must cooperate with educational agencies and law enforcement to protect the integrity of investigations regarding breach or unauthorized release of PII.  If a breach or unauthorized release is attributed to a third-party contractor, such contractor shall either pay for or promptly reimburse the educational agency for the full cost of its required notifications.

The Chief Privacy Officer must report any breach or unauthorized release of PII to law enforcement if the incident is believed to constitute criminal conduct.

Parent Complaints of Breach or Unauthorized Release of PII

The proposed regulations require that educational agencies establish and disseminate procedures for parents and eligible students to file complaints about breaches or unauthorized releases of student data.  Those procedures must include prompt acknowledgement of receipt of complaints, an investigation into such complaints, and follow-up with precautions necessary to protect any PII.  Except in extenuating circumstances, the complainant must be provided with a report of the findings within 30 calendar days.  Much like procedures pursuant to the Freedom of Information Law, where the timeline cannot be met, the complainant must be provided a written explanation that includes the approximate date when the report will be released.  Educational agencies are also required to keep a record of all complaints and their resulting dispositions.

Right of Parents and Eligible Students to Inspect and Review Students Education Records

The proposed regulations reiterate from the statute that, consistent with FERPA, parents and students have the right to inspect and review a student’s education record.  Requests to do so must be made directly to the educational agency, not to a third-party contractor, in a manner the agency prescribes.  Each educational agency must require identification or verification of the identity of the parent or eligible student requesting such access.  Compliance with a request must occur within forty-five calendar days after receipt.  If the parent consents, the records may be delivered electronically, however, PII must be transmitted in a way that complies with New York State and federal law and regulations.  Safeguards associated with industry standards and best practices, including but not limited to encryption and password protection, must be in place when education records requested by a parent or eligible student are transmitted electronically.  Parents must be provided annual notification of their right to inspect and review their child’s education record; however the agency’s annual FERPA notice will satisfy this requirement.  No duplicate notice pursuant to Education Law § 2-d is required.

          Third Party Contractor Civil Penalties

The proposed regulations note the civil penalties set forth in Education Law § 2-d for breach or unauthorized release of student data or teacher or principal data by third-party contractors.  Incidents are to be investigated by the Chief Privacy Officer.  Penalties include restrictions on access to PII for up to five years either with regard to the affected educational agency or throughout New York, restrictions on public bidding for up to five years, requiring training for third-party contractor employees and agents in the handling of PII, and monetary fines.

          Chief Privacy Officer’s Powers

Finally, the proposed regulations elaborate on the Chief Privacy Officer’s powers.  The Chief Privacy Officer’s authority to access educational agency records relating to student data or teacher or principal data includes, but is not limited to, records related to any technology product or service that will be utilized to store and/or process PII.  Further, the Chief Privacy Officer may require an educational agency to act to ensure that PII is protected as required by New York and federal laws and regulations.  This includes the authority to require an educational agency to conduct a privacy and security risk assessment. 

Conclusion

Educational agencies should start developing or reviewing their policies to prepare for implementation of the proposed regulations and ensure that their agreements with third-party contractors that receive PII comply with the statute and implementing regulations.  Revisiting security protocols for protection of PII, whether stored on paper or electronically, can help prevent any breach or unauthorized release.Should you have any questions or concerns regarding this legal alert or require assistance with updating your Parents’ Bill of Rights for Data Privacy and Security, developing/reviewing your policy, or updating contracts, please feel free to contact Stephanie Burns or Susan Fine.