Data Security and Privacy Policy
Policy Statement:
In alignment with the mandates of New York State Education Law §2-d, the District underscores its commitment to implement the requirements delineated in Commissioner’s regulations (8 NYCRR §121). Furthermore, the District places a high priority on safeguarding data security and privacy by adhering to the stringent standards set forth in the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (commonly referred to as the "NIST Cybersecurity Framework" or "NIST CSF"). The Director of Informational & Instructional Technology is entrusted with the responsibility of ensuring the district’s systems are in compliance with the NIST CSF and incorporate technologies, safeguards, and practices that align with this framework.
This comprehensive approach encompasses an assessment of the district’s current cybersecurity state, the establishment of a target future cybersecurity state, identification of opportunities for improvement, tracking progress toward the target state, and effective communication regarding the risks associated with cybersecurity. To oversee the effective implementation of these policies and procedures, the Superintendent will appoint a Privacy and Security Officer, who will also serve as the primary point of contact for data security and privacy within the district.
Use and Disclosure of Personally Identifiable Information (PII):
In adherence to these policies, each instance of using and disclosing personally identifiable information (PII) by the District is directed towards advancing the welfare of students and the District itself. These objectives may include enhancing academic achievement, empowering parents and students with essential information, and optimizing the efficiency and effectiveness of school operations. It is noteworthy that PII shall not be included in public reports or other documents.
The District reaffirms its unwavering commitment to protect the confidentiality of PII by strictly refraining from selling PII, disclosing it for marketing or commercial purposes, facilitating its use or disclosure for any such purposes by third parties, or permitting the same. Additionally, proactive measures will be taken to minimize the collection, processing, and transmission of PII.
The District will ensure that all contracts entered into with third-party contractors reflect the imperative of maintaining the confidentiality of student, teacher, or principal PII in strict accordance with federal and state law, as well as the district's data security and privacy policy.
Compliance with Federal Regulations:
In addition to the above, the District demonstrates full compliance with the regulations set forth in the Family Educational Rights and Privacy Act of 1974 (FERPA). In line with FERPA’s strict stipulations, the District will only release PII contained in student education records when it has received explicit written consent (signed and dated) from a parent or eligible student. Detailed information can be found in Board of Education policy no. 5500 and any pertinent administrative regulations.
Moreover, in acknowledgment of the additional privacy protections afforded by the Individuals with Disabilities Education Act (IDEA) to students receiving special education and related services, the District will keep parents informed of the necessity and timeline for retaining information. Permanent record information, excepted, shall be destroyed upon parental request. The District will diligently adhere to all these privacy provisions, thereby ensuring the confidentiality of PII throughout the collection, storage, disclosure, and destruction stages, as per federal regulations 34 CFR 300.610 through 300.627.
Third-party Contractors:
The district will ensure that contracts with third-party contractors reflect that confidentiality of any student and/or teacher or principal PII be maintained in accordance with federal and state law and the district's data security and privacy policy.
Each third-party contractor that will receive student data or teacher or principal data must:
- adopt technologies, safeguards and practices that align with the NIST CSF;
- comply with the district’s data security and privacy policy and applicable laws impacting the district;
- limit internal access to PII to only those employees or sub-contractors that need access to provide the contracted services;
- not use the PII for any purpose not explicitly authorized in its contract;
- not disclose any PII to any other party without the prior written consent of the parent or eligible student (i.e., students who are eighteen years old or older):
- except for authorized representatives of the third-party contractor to the extent they are carrying out the contract; or
- unless required by statute or court order and the third-party contractor provides notice of disclosure to the district, unless expressly prohibited.
- maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of PII in its custody;
- use encryption to protect PII in its custody; and
- not sell, use, or disclose PII for any marketing or commercial purpose, facilitate its use or disclosure by others for marketing or commercial purpose, or permit another party to do so. Third party contractors may release PII to subcontractors engaged to perform the contractor’s obligations, but such subcontractors must abide by data protection obligations of state and federal law, and the contract with the district.
If the third-party contractor has a breach or unauthorized release of PII, it will promptly notify the district in the most expedient way possible without unreasonable delay but no more than seven calendar days after the breach’s discovery.
Third-Party Contractors’ Data Security and Privacy Plan:
The district will ensure that contracts with all third-party contractors include the third-party contractor’s data security and privacy plan. This plan must be accepted by the district.
At a minimum, each plan will:
- outline how all state, federal, and local data security and privacy contract requirements over the life of the contract will be met, consistent with this policy;
- specify the safeguards and practices it has in place to protect PII;
- demonstrate that it complies with the requirements of Section 121.3(c) of this Part;
- specify how those who have access to student and/or teacher or principal data receive or will receive training on the federal and state laws governing confidentiality of such data prior to receiving access;
- specify if the third-party contractor will utilize sub-contractors and how it will manage those relationships and contracts to ensure personally identifiable information is protected;
- specify how the third-party contractor will manage data security and privacy incidents that implicate personally identifiable information including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify the district;
- describe if, how and when data will be returned to the district, transitioned to a successor contractor, at the district’s direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires.
Training:
The District acknowledges the paramount importance of enhancing awareness and understanding of data privacy and security among its employees. Accordingly, annual training on data privacy and security awareness will be provided to all employees who have access to student, teacher, or principal PII.
Complaint Procedures:
The Superintendent, or their duly appointed designee, will undertake the establishment and dissemination of comprehensive procedures that facilitate the submission of complaints by parents, eligible students, and employees in the event of breaches or unauthorized releases of student, teacher, or principal data, as stipulated in 8 NYCRR §121.4. The Superintendent is further vested with the authority to promulgate any and all additional regulations that are deemed necessary and appropriate for the full implementation of this policy.
Notifications:
The Privacy and Security Officer shall act promptly in reporting any discovery or report of a breach or unauthorized release of student, teacher, or principal PII to the State’s Chief Privacy Officer. This report shall be made without undue delay, but in no case more than 10 calendar days after the discovery. Furthermore, the District commits to notifying affected parents, eligible students, teachers, and/or principals in the most expeditious manner, without unreasonable delay, but in no case more than 60 calendar days after the discovery of a breach or unauthorized release or third-party contractor notification. However, it is imperative to note that in circumstances where notification may interfere with an ongoing law enforcement investigation or lead to further disclosure of PII by exposing an unfixed security vulnerability, the district shall notify parents, eligible students, teachers, and/or principals within seven calendar days after the security vulnerability has been remedied, or when the risk of interference with the law enforcement investigation ceases. To facilitate this process, the Superintendent, in consultation with the Privacy and Security Officer, shall establish procedures for notifying affected parties of a breach or unauthorized release of student, teacher, or principal PII, and communicate to parents, eligible students, and district staff a process for filing complaints about breaches or unauthorized releases of such information.
References:
- Education Law §2-d
- 8 NYCRR §121
- Family Educational Rights and Privacy Act of 1974, 20 USC §1232(g), 34 CFR 99
- Individuals with Disabilities Education Act (IDEA), 20 USC §1400 et seq., 34 CFR 300.610–300.627