Schedule A: Parents Bill of Rights for Data Privacy and Security
(NYS Ed Law 2-D)

Definitions

“Educational agency” means a school district, board of cooperative educational services, school, or the education department.

“Personally identifiable information,” as applied to student data, means personally identifiable information as defined in section 99.3 of title thirty-four of the code of federal regulations implementing the family educational rights and privacy act, section twelve hundred thirty-two-g of title twenty of the United States Code, and, as applied to the teacher or principal data, means “personally identifying information” as such term is used in subdivision ten of section three thousand twelve-c of this chapter.

“School” means any public elementary or secondary school, universal pre-kindergarten program authorized under section thirty-six hundred two-e of this chapter, an approved provider of preschool special education, any other publicly funded pre-kindergarten program, a school serving children in a special act school district as defined in section four thousand one of this chapter, an approved private school for the education of students with disabilities, a state-supported school subject to the provisions of article eighty-five of this chapter, or a state-operated school subject to the provisions of article eighty-seven or eighty-eight of this chapter.

“Student” means any person attending or seeking to enroll in an educational agency.

“Eligible student” means a student eighteen years or older.

“Parent” means a parent, legal guardian, or person in parental relation to a student.

“Student data” means personally identifiable information from student records of an educational agency.

“Teacher or principal data” means personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that are confidential and not subject to release under the provisions of section three thousand twelve-c of this chapter.

“Third-party contractor” shall mean any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or additional written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs. Such term shall include an educational partnership organization that receives student and/or teacher or principal data from a school district to carry out its responsibilities pursuant to section two hundred eleven-e of this title and is not an educational agency as defined in paragraph c of this subdivision, and a not-for-profit corporation or other non-profit organization, other than an educational agency.

Parents Bill of Rights for Data Privacy and Security

Section 2-D of the NYS Education Law (“Ed Law 2-D”) affords certain protections regarding sensitive and confidential Student Data to Parents (includes legal guardians or persons in parental relationships) and Eligible Students (18 years and older).

  1. A student’s personally identifiable information (PII) cannot be sold or released for any commercial purpose. PII, as defined by Education Law § 2-d and FERPA, includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for a more complete definition.
  2. The right to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student.
  3. State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act (“FERPA”) at 12 USC 1232g (34 CFR Part 99); Children’s Online Privacy Protection Act (“COPPA”) at 15 USC 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment (“PPRA”) at 20 USC 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 USC 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information.
  4. Safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, and password protection, must be in place when student PII is stored or transferred.
  5. A complete list of all student data elements collected by NYSED is available at http://www.nysed.gov/data-privacy-security/student-data-inventory and by writing to Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234.
  6. The right to have complaints about possible breaches and unauthorized disclosures of PII addressed. Complaints may be submitted to NYSED at http://www.nysed.gov/data-privacy-security/report-improper-disclosure, by mail to: Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234; by email to privacy@nysed.gov; or by telephone at 518-474-0937.
  7. To be notified in accordance with applicable laws and regulations if a breach or unauthorized release of PII occurs. Complaints should be directed to support@schoolparency.com.
  8. Educational agency workers that handle PII will receive training on applicable state and federal laws, policies, and safeguards associated with industry standards and best practices that protect PII.
  9. Educational agencies must contract with third-party contractors or vendors that receive student, teacher, or principal PII. Such agreements will address statutory and regulatory data privacy and security requirements, including but not limited to the purpose(s) for which Student Data will be used, the reason it was obtained, the contractual period of any such agreement, third-party procedures and policies for data destruction upon the contract end, and the technical and organizational security measures they have in place to protect PII.

SchoolParency is committed to upholding the principles laid out in NYS Ed Law 2-D and protecting Student Data from access by or disclosure to unauthorized third parties.

The confidentiality and privacy provisions of Education Law §2-d and FERPA extend only to PII and not to student data that is not personally identifiable. Therefore, de-identified data (e.g., data regarding students that uses random identifiers), aggregated data (e.g., data reported at the school district level), or anonymized data that could not be used to identify a particular student is not considered to be PII and is not within the purview of Education Law §2-d or within the scope of this Parents’ Bill of Rights.

Supplemental Information

NYS Education Law 2-D(3)(c) and Section 121.3 of the implementing regulations require the disclosure of “Supplemental Information” by Educational Agencies, including the following listed here. SchoolParency has formulated a corresponding answer under each question for your perusal.

(A)  the exclusive purposes for which the student data, or teacher or principal data, will be used

– SchoolParency provides a common platform for educators, administrators, students, and parents/guardians on which to stay up to date on school affairs, communicate and share content, review student work, and stay connected. We process student, teacher, and principal data for the purposes of fulfilling these services to you, and we only ever use your PII for the purposes for which it was obtained in relation to the service.

(B)  how the third-party contractor will ensure that the subcontractors, persons, or entities that the third-party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements;

We enter into agreements with any and all sub-contractors, sub-processors, and any authorized third parties we may consider appropriate when they may receive student data for the purposes of fulfilling their service to us. We ensure that these agreements detail sufficient technical and organizational security measures to protect Student, Teacher, and Principal PII and are compliant with all applicable data protection laws relating to data security.

(C)  when the agreement with the third-party contractor expires and what happens to the student data or teacher or principal data upon expiration of the agreement;

– In our service agreements or terms of service with any and all subcontractors, we look for sufficient data retention and deletion provisions within the contract, ensuring that data is disposed of securely and appropriately once our agreement ends with them. Wherever possible, we try to obtain copies of their data destruction procedures. We expect Student Data to be disposed of, deleted, or anonymized within a reasonable time period following agreement termination, for whatever reason, no later than 30 days. If data is processed by third parties in hard copy, we will ask that it be shredded or destroyed by some equivalent method that makes the data unrecoverable. If the data is electronic, we ask that it be erased entirely from their systems, including any backups or archives. If data can be satisfactorily anonymized so that it is no longer identifiable to any person, it need not be destroyed.

(D) if and how a parent, student, eligible student, teacher, or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

We expect LEAs to establish and maintain reasonable procedures by which a parent, guardian, or Eligible Student may review the PII contained within their Education Records and correct inaccurate information. If we receive such a request from you, we will respond to this request for rectification within 30 business days. If we receive a request from a parent or guardian wishing to review any Student Data, we will direct them to the LEA to follow their reasonable procedures. Please note that SchoolParency may respond to Right to Access requests directly, as required.

(E) where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.

SchoolParency has adopted stringent technical and organizational security measures to ensure Student, Teacher, or Principal Data’s safety during storage. This includes maximum effort to prevent unauthorized disclosure or access by an unauthorized third party. We have embedded the following security measures:

Secure Access to systems including usernames and strong passwords

Personnel have signed a confidentiality agreement/have a confidentiality clause in their T&Cs

No copies, reproductions, or transmitting of student data except where necessary for service provision

All personnel have been provided with appropriate Data Protection and Security training.

We utilize Secure Sockets Layer (SSL) to protect PII from being accessed unlawfully

Server Authentication

Data Encryption (at rest and in transit)

Industry Standard Firewall

Risk Assessments and Security Pen Testing

Maintain secure back-ups of data (copies)