Data Security and Privacy - SANY | Science Academies of New York Charter Schools

Internet Use Policy

Purpose

The purpose of this policy is to govern all electronic activity of users using and accessing the SANY’s Internet systems, including SANY e-mail and SANY-provided access to the Internet, and applies to the use of the SANY Internet Systems both on and off SANY property.

Accountability

Under the direction of the District Superintendent or his/her designee shall ensure compliance with this policy. The Operations Managers, Deans, and other members of management will implement this policy in their respective areas.

Applicability

This policy applies to all members of the SANY who access and use the SANY's Internet Systems both on and off SANY property.

By using the SANY’s Internet Systems, a user agrees to follow this policy and all applicable SANY regulations, policies and guidelines. All users must report any misuse of the network or Internet or receipt of any communication that violates this policy to a teacher, supervisor or other appropriate SANY personnel.

Definitions

Refer to the Technology Terms and Definitions for terms and definitions that are used in this policy.

Policy

General

Internet access and e-mail provided by the SANY are intended for educational use, instruction, research and the facilitation of communication, collaboration, and other SANY related purposes. Users are subject to the same standards expected in a classroom and/or professional workplace.

Monitoring and Privacy

Users have no right to privacy while using the SANY’s Internet Systems. The SANY monitors users’ online activities and reserves the right to access, review, copy, store, or delete any electronic communications or files. This includes any items stored on SANY-provided devices, such as files, e-mails, cookies, and Internet history.

The SANY reserves the right to disclose any electronic activity, including electronic communications, to law enforcement officials or third parties, as appropriate and consistent with applicable law. The SANY will fully cooperate with local, state, or federal officials in any lawful investigation concerning or relating to any illegal activities conducted through the SANY ’s Internet Systems.

Prohibited Uses of the SANY’s Internet Systems

Users may not engage in any of the activities prohibited by this policy when using or accessing the SANY ’s Internet Systems.

If users are uncertain whether behavior is prohibited, they should contact a teacher, supervisor or other appropriate SANY. personnel. The SANY reserves the right to take immediate action regarding activities that (1) create security and/or safety issues for the SANY, students, employees, schools, network or computer resources, or (2) expend SANY resources on content the SANY determines lacks legitimate educational or SANY content or purpose, or (3) the SANY determines are inappropriate.

Below is a non-exhaustive list of examples of prohibited behavior:

Causing harm to others, damage to their property or SANY property, such as:
1. Using, posting or distributing profane, lewd, vulgar, threatening, or abusive language in e-mail messages, material posted on SANY web pages, or professional social media sites;
2. Accessing, using, posting, or distributing information or materials that are pornographic or otherwise obscene, advocate illegal or dangerous acts, or advocate violence or discrimination. If users inadvertently access such information, they should immediately disclose the inadvertent access in a manner specified by their school or district office;
3. Accessing, posting or distributing harassing, discriminatory, inflammatory, or hateful material, or making damaging or false statements about others;
4. Sending, posting, or otherwise distributing chain letters or engaging in spamming;
5. Damaging computer equipment, files, data or the SANY's Internet System in any way, including spreading computer viruses, vandalizing data, software or equipment, damaging or disabling others’ electronic property, or engaging in conduct that could interfere or cause a danger of disruption to the SANY’s educational or business environment;
6. Using the SANY’s Internet System in a manner that interferes with the education of the user or others or the job duties of the user or others;
7. Downloading, posting, reproducing or distributing music, photographs, video or other works in violation of applicable copyright laws. Any music, photographs and/or video should only be downloaded for SANY, and not personal purposes. If a work specifies how that work may be used, the user should follow the expressed requirements. If users are unsure whether or not they can use a work, they should request permission from the copyright or trademark owner; or
8. Engaging in plagiarism. Plagiarism is taking the ideas or writings of others and presenting them as if they were original to the user.
Gaining or attempting to gain unauthorized access to the SANY’s Internet Systems, or to any third party’s computer system, such as:
1. Malicious tampering, phishing or hacking activities;
2. Intentionally seeking information about passwords belonging to other users;
3. Disclosing a user’s password to the SANY’s Internet Systems to other individuals. However, students may share their SANY password with their parents.
4. Modifying passwords belonging to other users;
5. Attempting to log in through another person's account;
6. Attempting to gain access to material that is blocked or filtered by the SANY;
7. Accessing, copying, or modifying another user’s files without authorization;
8. Disguising a user’s identity;
9. Using the password or identifier of an account that does not belong to the user; or
10. Engaging in uses that jeopardize access into others’ accounts or other computer networks.
Using the SANY’s Internet Systems for commercial purposes, such as:
1. Using the SANY’s Internet Systems for personal financial gain;
2. Conducting for-profit business activities, personal advertising, or other non-SANY business communications;
3. Engaging in fundraising; or
4. Using the SANY’s Internet Systems on behalf of any elected official, candidate, candidates, slate of candidates or a political organization or committee.
Engaging in criminal or other unlawful activities.

Filtering

In accordance to Children’s Internet Protection Act (“CIPA”), the SANY blocks or filters content over the Internet that the SANY considers inappropriate for minors. This includes pornography, obscene material, and other material that may be harmful to minors. The SANY may also block or filter other content deemed to be inappropriate, lacking educational or work-related content or that pose a threat to the network. The SANY may, in its discretion, disable such filtering for certain users for bona-fide research or other lawful educational or business purposes.

Users shall not use any website, application, or methods to bypass filtering of the network or perform any other unlawful activities.

See additional information regarding CIPA.

Protection of Personally Identifiable and Confidential Information

The Family Educational Rights and Privacy Act (“FERPA”) prohibits SANY school officials from disclosing personally identifiable information (“PII”) from education records of SANY students and families to third parties without parental consent. However, several exceptions to this general rule may apply.

All users of the SANY’s Internet Systems must comply with FERPA, Confidentiality and Release of Student Records; Records Retention. If you are unsure about whether the activity will comply with FERPA, please contact the SANY district office.

Internal communications with a SANY attorney may also be confidential. Accordingly, users should not forward or distribute such communications without first checking with the attorney. Users should ensure that e-mails that include or attach confidential information are only sent to the intended recipients.

Student Internet Safety

SANY Responsibilities:
1. The SANY will provide curriculum about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, and cyberbullying awareness and response.
2. The SANY will work to protect the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications.
3. As appropriate, the SANY will provide students, staff and parents with guidelines and instructions for student safety while using the Internet.
Students Using the SANY’s Internet Systems
1. Students must not reveal personal information about themselves or other persons on social networking sites, in chat rooms, in emails or other direct electronic communications, or any other forum over the Internet. For example, students must not reveal their home address, or telephone or cell phone number. Students must not display photographs of themselves, or the images of others.
2. Students should not meet in person anyone they have met only on the Internet.
3. Students must promptly disclose to their teacher or other school employee any message or other activity they receive that is inappropriate or makes them feel uncomfortable.
4. Students should not allow SANY computers to save their passwords.
Teachers using the SANY Internet Systems, including Social Media for class activities
1. Teachers should educate students about appropriate and safe online behavior, including interacting with individuals on social networking websites and in chat rooms and cyberbullying awareness and response. Teachers should refer to educational Internet safety resources available on the Internet.
2. Social Media
  1. “Social media” means any form of online publication or presence that allows interactive communication, including, but not limited to, social networks, blogs, Internet websites, internet forums, and wikis. Examples of social media include, but are not limited to, Facebook, Twitter, YouTube, and Flickr.
  2. Schools use a variety of online web-based interactive communication technologies to enhance students’ education and learning. Social media sites must be used only for educational and school related purposes, in connection with lessons and assignments and to facilitate communication with teachers and other students.
  3. The SANY limits access to these sites to individuals within the SANY and SANY school officials. If access to a social media site will extend beyond individuals within the SANY or SANY school officials, then parent consent is required.
  4. Teachers must refer to the SANY’s Social Media Policy, which are incorporated into this policy, if Internet activities will involve social media.
3. Parents:
  1. Although students generally will be supervised when using the SANY’s Internet System on school property, it is not practicable for the SANY to monitor and enforce a wide range of social values in student use of the Internet. Parents are primarily responsible for transmitting their particular set of family values to their children, and discussing with their children what material is and is not acceptable for their children to access through the SANY’s Internet Systems.
  2. Parents are exclusively responsible for monitoring their children's use of the Internet when the SANY’s Internet Systems are accessed from home or a non-school location. The SANY may or may not employ its filtering systems to screen home access to the SANY’s Internet Systems. Parents should inquire with the school or SANY.

Policy Compliance

This Internet Use Policy details the rights and privileges of all users regarding the utilization of the worldwide computer network, commonly referred to as the Internet. Through the Internet, users are able to retrieve and share information, conduct research and communicate with others. While the school is able and willing to provide its students and staff with access to the Internet, users must understand and agree to follow the rules and regulations, established by the school to ensure appropriate behavior(s) and action(s) during such use. With the privilege of accessing the Internet comes the responsibility to act in a lawful, ethical manner.

In cases where the school has reason to suspect a user has violated its rule(s) and/or regulation(s) for use of its Internet connection, e-mail system, computers, and/or computer-related equipment, the suspected user(s) will have his/her Internet, email and/or computer account privileges temporarily suspended during an investigation. Potential instances of rule(s) and/or regulation(s) violations include use by an unauthorized person or access or dissemination of materials that are illegal, defamatory, abusive, harassing, and/or sexually explicit.

Suspected violations of this policy by a student must be immediately reported to the school Dean or his/her designee. The school Dean or his/her designee, will, in turn, notify the student’s parent(s) and review the facts of the incident with them. After giving the student an opportunity to be heard and reviewing the details of the case, consistent with the school Code of Conduct, the school Dean will determine an appropriate penalty. If inappropriate student conduct has occurred, the student’s account may be closed for a designated period of time, and disciplinary action ranging from loss of Internet access privileges to suspension from school may be taken. Based upon all the facts and in the discretion of the school Dean or his/her designee, the school Dean will determine the final action to be taken. School will notify appropriate governmental or law enforcement agencies of any violation of this Policy, as required by law.

Suspected violations of the policy by a staff member should also be reported to the school Dean, who will review the facts of the incident and after giving all parties an opportunity to be heard, shall determine whether disciplinary action is required. If such action is appropriate, the user’s account may be closed for a designated period of time, as determined by the school Dean, and disciplinary action may be taken in accordance with the applicable Board Policies and school regulations and the terms of the employee’s employment agreement. Based on all the facts and the school Dean’s discretion, the school Dean will determine the final action to be taken. School will notify appropriate governmental or law enforcement agencies of any violation of this Policy, as required by law.

Access to the Internet, email or a computer account may also be revoked by the school for any established violation of a policy, rule or regulation of school.

All users must promptly disclose to their teacher, supervisor, dean of school or operations manager any information they receive that is inappropriate or makes them feel uncomfortable.

In an effort to ensure that all parties understand and agree to the rules and regulations established in this Internet Use Policy, it is mandated that all users of school computers, computer-related equipment, e-mail, and Internet connection sign an Acceptable Use Agreement. This includes all students, staff and community members. Regarding student use, a parent’s signature shall be required as verification of parental approval of the student’s use and agreement with the policy’s guidelines and procedures. When necessary, a parent’s signature may be subject to verification on a case-by-case basis. All forms will be kept on file at the school. It is further recommended that parents of students using the Internet are informed of the policy’s rules and regulations by receiving a copy of a Student Internet Access letter. Completion of the Internet Use Form will be done on an annual basis.

Limitation of Liability

The SANY makes no guarantees about the quality of the services provided and is not responsible for any claims, losses, damages, costs, or other obligations arising from use of the network or accounts. Any additional charges a user accrues due to the use of the SANY’s network are to be borne by the user. The SANY also denies any responsibility for the accuracy or quality of the information obtained through user access. Any statement, accessible on the computer network or the Internet, is understood to be the author's individual point of view and not that of the SANY, its affiliates, or employees.

Technology Device Use Policy

Purpose

The purpose of this policy is to state what constitutes the acceptable technology device usage and what constitutes the misuse of SANY IT Resources.

Accountability

Applicability

This policy applies to all members of the SANY Community who access and use the SANY's electronic information and information systems.

Definitions

Refer to the Technology Terms and Definitions for terms and definitions that are used in this policy.

Policy

Computer accounts and network access is provided for exclusive use by an individual or a group of individuals specified by SANY. Providing other individuals or groups access to your account or use of the district network is not allowed.
Attempts to gain unauthorized access to any account, file or network which is not specifically provided for your use, including those systems not operated by SANY is forbidden and WILL result in immediate revocation of ALL accounts and network access provided for your use by SANY.
Attempts to circumvent restrictions placed on your account or network access are forbidden.
Computer services or network access at SANY are not allowed to be used for commercial purposes other than those that are involved in the running of the district.
Incidental use of technology devices for personal, non-work-related purposes is acceptable. However, personal use must be infrequent during staff's free time and must not:
1. Involve any prohibited activity
2. Interfere with the productivity of the employee or his/her coworkers
3. Consume system resources or storage capacity on an ongoing basis
4. Involve large file transfers or otherwise deplete system resources.
5. Result in a negative impact on district related uses.
District network services, equipment, wiring or jacks may not be altered, removed or extended beyond the location of their intended use.
SANY network resources may not be retransmitted outside of the SANY community. Examples include, but are NOT limited to: district licensed software.
The district network is a shared resource. Excessive use of the network resources which inhibits or interferes with the use of the network by others is not permitted.
District network resources may not be used to defame, harass, intimidate or threaten.
Use of SANY's computer services or network access for ILLEGAL purposes are expressly forbidden. Violations of any of the rules and regulations listed above can result in the suspension and/or revocation of any and/or all computer accounts and network access provided to you by SANY. Violations of district regulations or local, state and federal law will be referred to the appropriate authorities.
SANY reserves the right to inspect any information or data residing on any of its systems whenever it is deemed necessary. All information, including personal information, placed on district systems or sent over the district network may be monitored. Use of SANY's computer and network systems, authorized or unauthorized, constitutes consent to monitoring of these systems.

Policy Compliance

IT resources, computer accounts, and network access is provided to students, faculty and staff of SANY as a privilege. The SANY, including district office and schools, reserves the right to terminate any user’s access to SANY IT resources, computer accounts, and network access at any time.

Access to the internet, email or a computer account may also be revoked by the school for any established violation of a policy, rule or regulation of school.

All users must promptly disclose to their teacher, supervisor, dean of school or operations manager any information they receive that is inappropriate or makes them feel uncomfortable.

Limitation of Liability

Parents’ Bill of Rights for Data Privacy and Security

Parents (includes legal guardians or persons in parental relationships) and Eligible Students (student 18 years and older) can expect the following:

A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition.
The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student.
State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act ("FERPA") at 12 U.S.C. 1232g (34 CFR Part 99); Children's Online Privacy Protection Act ("COPPA") at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment ("PPRA") at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information.
Safeguards associated with industry standards and best practices including but not limited to encryption, firewalls and password protection must be in place when student PII is stored or transferred.
A complete list of all student data elements collected by NYSED is available at https://www.nysed.gov/data-privacy-security/student-data-inventory and by writing to: Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234.
The right to have complaints about possible breaches and unauthorized disclosures of PII addressed. Complaints may be submitted to NYSED at https://www.nysed.gov/data-privacy-security/report-improper-disclosure, by mail to: Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234; by email to This email address is being protected from spambots. You need JavaScript enabled to view it.; or by telephone at 518-474- 0937.

You may also submit a complaint to the District, by mail to: Data Protection Officer, Science Academies of New York Charter Schools, 1409 W Genesee St. Syracuse, NY 13204; by email to This email address is being protected from spambots. You need JavaScript enabled to view it.; or by telephone at 315-671-5470.
To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of PII occurs.
Educational agency workers that handle PII will receive training on applicable state and federal laws, policies, and safeguards associated with industry standards and best practices that protect PII.
Educational agency contracts with vendors that receive PII will address statutory and regulatory data privacy and security requirements.

Acceptable Use Policy

Purpose

This policy sets forth the acceptable uses regarding the access and use of SANY's electronic information and information systems.

Accountability

Applicability

This policy applies to all members of the SANY who access and use the SANY's electronic information and information systems.

Definitions

Refer to the Technology Terms and Definitions for terms and definitions that are used in this policy.

Policy

The SANY expects users will access and use the SANY's electronic information and information systems in a manner that:
1. Does not compromise the confidentiality, integrity, or availability of those assets; and
2. Reflects the SANY 's standards as defined in the Code of Conduct/Statement of Principles and its body of policies, and in accordance with all applicable federal, state, and local laws governing the use of computers and the Internet.
These obligations apply regardless of where access and use originate: SANY office, classroom, public space, lab, at home, or elsewhere outside the SANY.
The rules stated in this policy also govern the use of information assets provided by the State of New York, other state and federal agencies, and other entities that have contracted with SANY to provide services to their constituents and/or clients.
This policy and SANY's Code of Conduct also govern access and use of the SANY's electronic information and information systems originating from non-SANY computers, including personal computers and other electronic devices. The access and use of electronic information provided by funding partners to SANY are also governed by this policy.
The use of information systems acquired or created through the use of SANY funds, including grant funds from contracts between the SANY and external funding sources (public and private), are covered by this policy. This includes SANY information systems that are leased or licensed for use by members of the SANY Community. Users are given access to SANY's electronic information and information systems specifically to assist them in the performance of their jobs and education. They are not provided for personal use. They are responsible for all activity conducted using their computer accounts. Access and use of the SANY's electronic information and information systems is a revocable privilege.
SANY recognizes that all members of the SANY Community have an expectation of privacy for information in which they have a substantial personal interest. However, this expectation is limited by SANY's need to comply with applicable laws, protect the integrity of its resources, and protect the rights of all users and the property and operations of SANY. As such, SANY reserves the right to access, quarantine, or hold for further review any files or computing devices on SANY's network or its information technology resources if there is just cause to believe that SANY policies or laws are being violated or if such access is necessary to comply with applicable law or conduct SANY business operations.
Information created, stored, or accessed using SANY information systems may be accessed and reviewed by SANY personnel for legitimate systems purposes, including but not limited to the following:
1. Emergency Problem Resolution
2. To measure, monitor, and address the use, performance, or health of the SANY's information systems, or to respond to information security issues. Internet usage may also be monitored when using the SANY's network.
3. To create data backups of electronic information stored on SANY's information systems.
4. To respond to User Requests approved by the district office.
Information may be accessed, reviewed, and provided to an external party at the SANY's discretion without prior notification with adequate cause and subject to review of the district office to comply with applicable law and to conduct normal SANY operations. Examples include, but are not limited to the following:
1. Compliance with the New York Freedom of Information Law ("FOIL") which requires disclosure of electronic records and other data on the SANY system subject to exemptions under FOIL. Requests will be reviewed by the Operations Managers in conjunction with the district office.
2. Compliance with a valid subpoena, court order, or discovery request. Requests will be reviewed by the district office.
3. Audits, investigations, or inquiries undertaken by governmental entities or appropriate internal investigators or units. Requests will be reviewed by the district office.
4. To conduct necessary business operations.
All electronic information created, stored, or transmitted by use of SANY's information systems is the property of the SANY, unless otherwise explicitly noted.
IT Managers and IT Technicians have greater ability to access information stored on and transmitted through SANY's information systems. As such, IT Managers, IT Technicians, and others with privileged access shall not access such information unless such access is necessary for the purposes outlined above, for systems purposes, or unless such access is supported by adequate cause and reviewed by the district office.
Prohibited Actions
1. The list of prohibited actions is not intended to be comprehensive. The evolution of technology precludes the SANY from anticipating all potential means of capturing and transmitting information. Therefore, users must take care when handling sensitive information.
2. Users, at minimum, will ensure that they do not:
  1. Distribute information classified as Confidential or Private, or otherwise considered or treated as privileged or sensitive information, unless they are an authoritative SANY source for, and an authorized SANY distributor of that information and the recipient is authorized to receive that information.
  2. Share their passwords with other individuals or institutions (regardless if they are affiliated with SANY or not) or otherwise leave them unprotected.
  3. Attempt to uninstall, bypass, or disable security settings or software protecting the SANY's electronic information, information systems, or computer hardware.
  4. Engage in unauthorized attempts to gain access or use the SANY's electronic information, information systems, or another user's account. Users with privileged access, such as IT Managers and Technicians, shall not engage in unauthorized access, use, or review of information or data, without appropriate approvals.
  5. Use third-party email services to conduct sensitive SANY business or to send or receive SANY information classified as Confidential, Private or Internal or otherwise considered privileged or sensitive information.
  6. Use email auto-forwarding to send SANY information (regardless of classification) to non-SANY email accounts (see #12 Restricted Services).
  7. Distribute or collect copyrighted material without the expressed and written consent of the copyright owner or without lawful right to do so, such as in the case of fair use.
  8. User understands the FERPA Privacy Security rules, especially with regard to Sensitive Electronic Information (SEI), Private Health Information (PHI), and Personally Identifiable Information (PII) and will abide by these rules, including understanding that they will be held accountable for the use of personal devices for conducting SANY business.
Restricted Services
1. This list of restricted services is not intended to be comprehensive. The evolution of technology precludes the SANY from anticipating all potential means of storing, capturing and transmitting information. Therefore, when using third-party technology services not explicitly restricted in this policy, users must exercise care to not compromise sensitive SANY information, particularly when confirmation of receipt or the identity of the recipient is required for business or legal purposes.
2. Restricted services include the following:
  1. Social Media
    1. Social media tools or web content platforms cannot be used to communicate or store SANY information classified as Confidential or Private or otherwise considered privileged or sensitive by SANY. Social media tools include, but are not limited to: Facebook, Twitter, LinkedIn, Instagram, Medium, Reddit, YouTube and Flickr.
    2. For additional requirements on the use of social media, see the Social Media Policy.
  2. Professional Social Media
    1. Professional social media cannot be used to communicate or store SANY information classified as Confidential or Private or otherwise considered privileged or sensitive by SANY.
  3. Cloud Services, Collaboration and Storage
    1. Third-party cloud storage services cannot be used to store SANY information classified as Confidential.
    2. Google Drive is approved for Private, Internal and Public data.
    3. The use of non-approved third-party cloud storage services cannot be used to store SANY information classified as Confidential or Private or otherwise considered privileged or sensitive by SANY. Cloud storage tools include, but are not limited to: iCloud, Carbonite, OneDrive, Box, Dropbox, Evernote, OpenDrive and SugarSync.
  4. Third Party Email Services
    1. Third party email services cannot be used to communicate or store SANY information classified as Confidential or Private or otherwise considered privileged or sensitive.
  5. Email Auto-Forwarding
    1. Faculty, staff and medical students are not permitted to automatically forward or redirect messages from their primary email address to a non-SANY email address.
  6. Texting
    1. Texting cannot be used to communicate or store SANY information classified as Confidential.
  7. Video Conferencing
    1. Video conferencing services are limited to SANY business-use only and must be conducted using SANY equipment. They are to be used strictly for business collaboration between members of the SANY Community or outside entities, or for educational purposes. Users must ensure that video communications are done in a setting or configured to restrict the possibility of non-authorized individuals from viewing or listening to sensitive information.
  8. Chat
    1. The use of non-approved chat services cannot be used to communicate or store SANY information classified as Confidential or Private or otherwise considered privileged or sensitive by SANY. Chat tools include, but are not limited to: Slack and HipChat.
  9. BitTorrent Software
    1. BitTorrent software (or other file sharing software) used to download and share movies, music, and other copyrighted media is strictly forbidden unless it is used for SANY business or academic purposes. The use of this software must be approved by the Director of Information and Instructional Technologies.

Policy Compliance

Access to the internet, email or a computer account may also be revoked by the school for any established violation of a policy, rule or regulation of school.

All users must promptly disclose to their teacher, supervisor, dean of school or operations manager any information they receive that is inappropriate or makes them feel uncomfortable.

Limitation of Liability

Data Security and Privacy Policy

Policy Statement:

In alignment with the mandates of New York State Education Law §2-d, the District underscores its commitment to implement the requirements delineated in Commissioner’s regulations (8 NYCRR §121). Furthermore, the District places a high priority on safeguarding data security and privacy by adhering to the stringent standards set forth in the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (commonly referred to as the "NIST Cybersecurity Framework" or "NIST CSF"). The Director of Informational & Instructional Technology is entrusted with the responsibility of ensuring the district’s systems are in compliance with the NIST CSF and incorporate technologies, safeguards, and practices that align with this framework.

This comprehensive approach encompasses an assessment of the district’s current cybersecurity state, the establishment of a target future cybersecurity state, identification of opportunities for improvement, tracking progress toward the target state, and effective communication regarding the risks associated with cybersecurity. To oversee the effective implementation of these policies and procedures, the Superintendent will appoint a Privacy and Security Officer, who will also serve as the primary point of contact for data security and privacy within the district.

Use and Disclosure of Personally Identifiable Information (PII):

In adherence to these policies, each instance of using and disclosing personally identifiable information (PII) by the District is directed towards advancing the welfare of students and the District itself. These objectives may include enhancing academic achievement, empowering parents and students with essential information, and optimizing the efficiency and effectiveness of school operations. It is noteworthy that PII shall not be included in public reports or other documents.

The District reaffirms its unwavering commitment to protect the confidentiality of PII by strictly refraining from selling PII, disclosing it for marketing or commercial purposes, facilitating its use or disclosure for any such purposes by third parties, or permitting the same. Additionally, proactive measures will be taken to minimize the collection, processing, and transmission of PII.

The District will ensure that all contracts entered into with third-party contractors reflect the imperative of maintaining the confidentiality of student, teacher, or principal PII in strict accordance with federal and state law, as well as the district's data security and privacy policy.

Compliance with Federal Regulations:

In addition to the above, the District demonstrates full compliance with the regulations set forth in the Family Educational Rights and Privacy Act of 1974 (FERPA). In line with FERPA’s strict stipulations, the District will only release PII contained in student education records when it has received explicit written consent (signed and dated) from a parent or eligible student. Detailed information can be found in Board of Education policy no. 5500 and any pertinent administrative regulations.

Moreover, in acknowledgment of the additional privacy protections afforded by the Individuals with Disabilities Education Act (IDEA) to students receiving special education and related services, the District will keep parents informed of the necessity and timeline for retaining information. Permanent record information, excepted, shall be destroyed upon parental request. The District will diligently adhere to all these privacy provisions, thereby ensuring the confidentiality of PII throughout the collection, storage, disclosure, and destruction stages, as per federal regulations 34 CFR 300.610 through 300.627.

Third-party Contractors:

The district will ensure that contracts with third-party contractors reflect that confidentiality of any student and/or teacher or principal PII be maintained in accordance with federal and state law and the district's data security and privacy policy.
Each third-party contractor that will receive student data or teacher or principal data must:

adopt technologies, safeguards and practices that align with the NIST CSF;
comply with the district’s data security and privacy policy and applicable laws impacting the district;
limit internal access to PII to only those employees or sub-contractors that need access to provide the contracted services;
not use the PII for any purpose not explicitly authorized in its contract;
not disclose any PII to any other party without the prior written consent of the parent or eligible student (i.e., students who are eighteen years old or older):
1. except for authorized representatives of the third-party contractor to the extent they are carrying out the contract; or
2. unless required by statute or court order and the third-party contractor provides notice of disclosure to the district, unless expressly prohibited.
maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of PII in its custody;
use encryption to protect PII in its custody; and
not sell, use, or disclose PII for any marketing or commercial purpose, facilitate its use or disclosure by others for marketing or commercial purpose, or permit another party to do so. Third party contractors may release PII to subcontractors engaged to perform the contractor’s obligations, but such subcontractors must abide by data protection obligations of state and federal law, and the contract with the district.

If the third-party contractor has a breach or unauthorized release of PII, it will promptly notify the district in the most expedient way possible without unreasonable delay but no more than seven calendar days after the breach’s discovery.

Third-Party Contractors’ Data Security and Privacy Plan:

The district will ensure that contracts with all third-party contractors include the third-party contractor’s data security and privacy plan. This plan must be accepted by the district.

At a minimum, each plan will:

outline how all state, federal, and local data security and privacy contract requirements over the life of the contract will be met, consistent with this policy;
specify the safeguards and practices it has in place to protect PII;
demonstrate that it complies with the requirements of Section 121.3(c) of this Part;
specify how those who have access to student and/or teacher or principal data receive or will receive training on the federal and state laws governing confidentiality of such data prior to receiving access;
specify if the third-party contractor will utilize sub-contractors and how it will manage those relationships and contracts to ensure personally identifiable information is protected;
specify how the third-party contractor will manage data security and privacy incidents that implicate personally identifiable information including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify the district;
describe if, how and when data will be returned to the district, transitioned to a successor contractor, at the district’s direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires.

Training:

The District acknowledges the paramount importance of enhancing awareness and understanding of data privacy and security among its employees. Accordingly, annual training on data privacy and security awareness will be provided to all employees who have access to student, teacher, or principal PII.

Complaint Procedures:

The Superintendent, or their duly appointed designee, will undertake the establishment and dissemination of comprehensive procedures that facilitate the submission of complaints by parents, eligible students, and employees in the event of breaches or unauthorized releases of student, teacher, or principal data, as stipulated in 8 NYCRR §121.4. The Superintendent is further vested with the authority to promulgate any and all additional regulations that are deemed necessary and appropriate for the full implementation of this policy.

Notifications:

The Privacy and Security Officer shall act promptly in reporting any discovery or report of a breach or unauthorized release of student, teacher, or principal PII to the State’s Chief Privacy Officer. This report shall be made without undue delay, but in no case more than 10 calendar days after the discovery. Furthermore, the District commits to notifying affected parents, eligible students, teachers, and/or principals in the most expeditious manner, without unreasonable delay, but in no case more than 60 calendar days after the discovery of a breach or unauthorized release or third-party contractor notification. However, it is imperative to note that in circumstances where notification may interfere with an ongoing law enforcement investigation or lead to further disclosure of PII by exposing an unfixed security vulnerability, the district shall notify parents, eligible students, teachers, and/or principals within seven calendar days after the security vulnerability has been remedied, or when the risk of interference with the law enforcement investigation ceases. To facilitate this process, the Superintendent, in consultation with the Privacy and Security Officer, shall establish procedures for notifying affected parties of a breach or unauthorized release of student, teacher, or principal PII, and communicate to parents, eligible students, and district staff a process for filing complaints about breaches or unauthorized releases of such information.

References:

Education Law §2-d
8 NYCRR §121
Family Educational Rights and Privacy Act of 1974, 20 USC §1232(g), 34 CFR 99
Individuals with Disabilities Education Act (IDEA), 20 USC §1400 et seq., 34 CFR 300.610–300.627

NYS Education Law 2-D

Page 2 of 2

We're building SUCCESS one ATOM at a time.

Student Applications for the 2026-27 are open. APPLY NOW.

Internet Use Policy

Technology Device Use Policy

Parents’ Bill of Rights for Data Privacy and Security

Acceptable Use Policy

Data Security and Privacy Policy

SANY

SANY District Office

SANY Schools

Application deadline is April 1, 2026.