Pursuant to Education Law Section 2-d, BOCES and school districts are now required to publish, on their websites, a Parents Bill of Rights for Data Privacy and Security and include such information on every contract with a third party contractor whom receives student, teacher and/or principal data. Below, is the Whitesboro Central School District’s Bill of Rights for Data Privacy and Security:
- A student’s personally identifiable information (PII) cannot be sold or released by the Whitesboro Central School District for any commercial or marketing purposes.
- Parents have the right to inspect and review the complete contents of their child's education record, including any student data stored or maintained by the Whitesboro Central School District. This right of inspection is consistent with the requirements of the Family Educational Rights and Privacy Act (FERPA). In addition to the right of inspection of the educational record, Education Law §2-d provides a specific right for parents to inspect or receive copies of any data in the student’s educational record. The New York State Department of Education (NYSED) will develop policies and procedures pertaining to this right.
- State and federal laws protect the confidentiality of PII, and safeguards associated with industry standards and best practices, including, but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred.
- A complete list of all student data elements collected by the State is available for public review at http://www.p12.nysed.gov/irs/sirs/documentation/NYSEDstudentData.xlsx, or you may obtain a copy of this list by writing to the Office of Information & Reporting Services, New York State Education Department, Room 863 EBA, 89 Washington Avenue, Albany, NY 12234.
- Parents have the right to file complaints with the Whitesboro Central School District about possible privacy breaches of student data by the Whitesboro Central School District’s third party contractors or their employees, officers, or assignees, or with NYSED. Complaints regarding student data breaches should be directed to Beth Ann Blynt, Director of Guidance and Pupil Personnel Services, Whitesboro High School, 6000 State Route 291, Marcy, NY 13403; (315) 266-3240; firstname.lastname@example.org. Complaints to NYSED should be directed in writing to the Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234 or CPO@mail.nysed.gov. The complaint process is under development and will be established through regulations to be proposed by NYSED’s Chief Privacy Officer, who has not yet been appointed.
For purposes of further ensuring confidentiality and security of student data — as well as the security of personally-identifiable teacher or principal data — the Parents’ Bill of Rights (above) and the following supplemental information must be included in each contract that a school district or BOCES enters into with a third-party contractor with access to this information:
In addition, the Chief Privacy Officer (when appointed), with input from parents and other education and expert stakeholders, is required to develop additional elements of the Parents’ Bill of Rights to be prescribed in the Regulations of the Commissioner. Accordingly, this Bill of Rights will be revised from time to time in accordance with further guidance received from the Chief Privacy Officer, the Commissioner of Education and NYSED.
- The exclusive purposes for which the student data, or teacher or principal data, will be used;
- How the third party contractor will ensure that the subcontractors, persons or entities that the third party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements;
- When the agreement with the third party contractor expires and what happens to the student data or teacher or principal data upon expiration of the agreement;
- If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected; and
- Where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.