“Educational agency” means a school district, board of cooperative educational services, school, or the education department.
“Personally identifiable information,” as applied to student data, means personally identifiable information as defined in section 99.3 of title thirty-four of the code of federal regulations implementing the family educational rights and privacy act, section twelve hundred thirty-two-g of title twenty of the United States Code, and, as applied to the teacher or principal data, means “personally identifying information” as such term is used in subdivision ten of section three thousand twelve-c of this chapter.
“School” means any public elementary or secondary school, universal pre-kindergarten program authorized under section thirty-six hundred two-e of this chapter, an approved provider of preschool special education, any other publicly funded pre-kindergarten program, a school serving children in a special act school district as defined in section four thousand one of this chapter, an approved private school for the education of students with disabilities, a state-supported school subject to the provisions of article eighty-five of this chapter, or a state-operated school subject to the provisions of article eighty-seven or eighty-eight of this chapter.
“Student” means any person attending or seeking to enroll in an educational agency.
“Eligible student” means a student eighteen years or older.
“Parent” means a parent, legal guardian, or person in parental relation to a student.
“Student data” means personally identifiable information from student records of an educational agency.
“Teacher or principal data” means personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that are confidential and not subject to release under the provisions of section three thousand twelve-c of this chapter.
“Third-party contractor” shall mean any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or additional written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs. Such term shall include an educational partnership organization that receives student and/or teacher or principal data from a school district to carry out its responsibilities pursuant to section two hundred eleven-e of this title and is not an educational agency as defined in paragraph c of this subdivision, and a not-for-profit corporation or other non-profit organization, other than an educational agency.
Section 2-D of the NYS Education Law (“Ed Law 2-D”) affords certain protections regarding sensitive and confidential Student Data to Parents (includes legal guardians or persons in parental relationships) and Eligible Students (18 years and older).
SchoolParency is committed to upholding the principles laid out in NYS Ed Law 2-D and protecting Student Data from access by or disclosure to authorized third parties.
The confidentiality and privacy provisions of Education Law §2-d and FERPA extend only to PII and not to student data that is not personally identifiable. Therefore, de-identified data (e.g., data regarding students that uses random identifiers), aggregated data (e.g., data reported at the school district level), or anonymized data that could not be used to identify a particular student is not considered to be PII and is not within the purview of Education Law §2-d or within the scope of this Parents’ Bill of Rights.
(A) the exclusive purposes for which the student data, or teacher or principal data, will be used
– SchoolParency provides a common platform for educators, administrators, students, and parents/guardians on which to stay up to date on school affairs, communicate and share content, review student work, and stay connected. We process student, teacher, and principal data for the purposes of fulfilling these services to you, and we only ever use your PII for the purposes in which it was obtained in relation to the service
(B) how the third-party contractor will ensure that the subcontractors, persons, or entities that the third-party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements;
– we enter into agreements with any and all sub-contractors, sub-processors, and any authorized third parties we may consider appropriate when they may receive student data for the purposes of fulfilling their service to us. We ensure that these agreements detail sufficient technical and organizational security measures to protect Student, Teacher, and Principal PII and are compliant with all applicable data protection laws relating to data security.
(C) when the agreement with the third-party contractor expires and what happens to the student data or teacher or principal data upon expiration of the agreement;
– In our service agreements or terms of service with any and all subcontractors, we look for sufficient data retention and deletion provisions within the contract, ensuring that data is disposed of securely and appropriately once our agreement ends with them. Wherever possible, we try to obtain copies of their data destruction procedures. We expect Student Data to be disposed of, deleted, or anonymized within a reasonable time period following agreement termination, for whatever reason, no later than 30 days. If data is processed by third parties in hard copy, we will ask that this is shredded or some equivalent destruction method, which makes the data uncoverable. If the data is electronic, we ask that it is erased entirely from their systems, including any backups or archives. If data can be satisfactorily anonymized and no longer identifiable to any person, this need not be destroyed.
(D) if and how a parent, student, eligible student, teacher, or principal may challenge the accuracy of the student data or teacher or principal data that is collected:
We expect LEAs to establish and maintain reasonable procedures by which a parent, guardian, or Eligible Student may review the PII contained within their Education Records and correct inaccurate information. If we receive such a request from you, we will respond to this request for rectification within 30 business days. If we receive a request from a parent or guardian wishing to review any Student Data, we will direct them to the LEA to follow their reasonable procedures. Please note that SchoolParency may respond to Right to Access requests directly, as required.
(E) where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections was taken to ensure such data will be protected, including whether such data will be encrypted.
SchoolParency has adopted stringent technical and organizational security measures to ensure Student, Teacher, or Principal Data’s safety during storage. This includes maximum effort to prevent unauthorized disclosure or access by an unauthorized third party. We have embedded the following security measures:
Secure Access to systems including usernames and strong passwords
Personnel have signed a confidentiality agreement/have a confidentiality clause in their T&Cs
No copies, reproductions, or transmitting of student data except where necessary for service provision
All personnel have been provided with appropriate Data Protection and Security training.
We utilize Secure Socket Layer (SSL) to protect PII from being accessed unlawfully
Data Encryption (rest and transit)
Industry Standard Firewall
Risk Assessments and Security Pen Testing
Maintain secure back-ups of data (copies)