
Frequently Asked Questions for DPOs

Compliance Deadline FAQs

# Questions Answers
1 What is the deadline for compliance with Part 121 of the Commissioner’s regulations? Education Law §2-d regulation, Part 121 of the Commissioner’s regulations, became effective on January 29, 2020. Educational Agencies should be making plans and taking steps to comply with its requirements and that of the underlying statute now. However, Part 121 was amended in June 2020 to change the date by which educational agencies adopt and publish their data privacy and security policies on their websites to October 1, 2020 instead of July 1, 2020. Nothing else was amended. Again, all educational agencies should be working on compliance with the requirements of the law and statute.
2 Does the extension of the date by which educational agencies must post their data privacy and security policy on their website from July 1, 2020 until October 1, 2020 also apply to the appointment of the Data Protection Officer or the requirements that apply to third-party contracts? The extension of time approved by the Board of Regents on June 8, 2019 is only for the adoption and posting of the Data Privacy and Security Policy and does not apply to the appointment of the Data Protection Officers or compliance with third-party contract requirements.

Applications for Virtual Learning/Classrooms FAQs

# Questions Answers
3 As schools utilize virtual learning, is there guidance/reminders to assist schools with best practices under these new conditions? Education Law 2-d and Part 121 of the Commissioner’s Regulations outline requirements for school districts and BOCES related to the protection of the personally identifiable information of students, as well as some teacher and principal APPR information. As districts develop and refine continuity of education plans related to school closures, they should consider privacy and security laws and regulations and build compliance and best practices into their implementation plans. When working with a third-party contractor, such as a computer software company that receives student data, districts must ensure the contracts in place with these contractors are compliant with Education Law §2-d and its implementing regulation. Click wrap agreements, and other similar agreements in which a user must agree to terms and conditions prior to using the product or service, are subject to Education Law 2-d requirements. NYSED has developed a Model Data Privacy Agreement that can be used as a supplemental agreement to a service agreement with a third party to bring the service agreement into alignment with Education Law §2-d and Part 121 of the Commissioner’s Regulations.
4 Could you please direct me to any guidelines or mandates coming from NY State regarding the use of livestreaming for distance learning and virtual classrooms? Decisions on whether to use any technology tool, content, or service are made at the local level. Your school district is responsible for ensuring that online and digital tools it uses as part of its continuity of learning plan during distance learning comply with all applicable laws and regulations, including FERPA, COPPA, IDEA, Education Law § 2-d, and Part 121 of the Commissioner of Education’s Regulations if personally identifiable information will be utilized. The provision of instruction to students by an educational agency, and the interaction of students with each other and with their instructor in a classroom, whether virtual or not, does not generally constitute a disclosure of education records restricted by the Family Educational Rights and Privacy Act (FERPA) and Education Law §2-d. School districts should ensure that if personally identifiable information will be provided to a third party contractor, written agreements that align with the requirements of Education Law §2-d and Part 121 of the Commissioner’s Regulations should be entered into with the vendors. While using these tools, educators should avoid disclosing personally identifiable information from a student’s education records in a virtual class and take steps to protect such information from falling into the hands of people not authorized to receive it just the same as they would during an in-person class. Vendors of different platforms have posted guidance on ways that users may select strong privacy protections while using their platforms. As a best practice, educators should take care to ensure that the platforms they seek to use have been approved by their school district and that they make selections that make the use of the platform as secure as possible. 
For example, there have been situations where educators have publicly posted the link to access the class in a public forum, like Twitter, which has allowed individuals not associated with the class to access it and even in some cases hijack the class with inappropriate content. Best practice guidance recommends that links to access closed (non-public) virtual classes should not be posted where they are accessible by the general public.
5 Can you please confirm or clarify for me that the websites listed on the Continuity of Learning website are 2D compliant? Specifically, those listed on the digital content resources page linked below. http://www.nysed.gov/edtech/digital-content-resources. The New York State Education Department does not certify whether a product, website or service offered by third party contractors is compliant with state and/or federal laws and does not maintain a list of approved websites. Decisions on whether to use any technology tool, content, or service are made at the local level. NYSED generally does not require the use of specific websites or vendors, nor does it recommend, endorse, or advise on specific vendors or products. Your school district is responsible for ensuring that online and digital tools it uses as part of its continuity of learning plan during distance learning comply with all applicable laws and regulations, including FERPA, COPPA, IDEA, Education Law § 2-d, and the new Part 121 of the Commissioner of Education’s Regulations. We encourage your district to consult with local experts in technology and data privacy and security, such as your local Regional Information Center (RIC), BOCES, and their local counsel, to ensure compliance.

Third Party Contractor/Vendor FAQs

# Questions Answers
6 Is there a way for vendors to get approved by NYSED? The New York State Education Department does not certify whether any product or service offered by third party contractors is compliant with state and/or federal laws and does not maintain a list of approved vendors. School districts are responsible for ensuring that online and digital tools they use as part of continuity of learning comply with all applicable laws and regulations, including FERPA, COPPA, IDEA, Education Law § 2-d, and Part 121 of the Commissioner of Education’s Regulations. If the school district determines that no personally identifiable information (PII), as defined by Education Law §2-d, will be provided to your company when your product is being used, the requirements of Education Law §2-d generally will not apply. If it is determined that your company will receive PII, you must execute a contract with the educational agency (school district) that complies with the requirements of Education Law §2-d.
7 How can schools that work with a third-party contractor to produce the class photographs or yearbooks comply with the requirements of Education Law § 2-d when the photography and yearbook companies help notify the students/families about yearbooks and class photos and help the schools with the sales process? Education Law § 2-d defines “Third party contractor” as “any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency.” Part 121 defines “Commercial or Marketing Purpose” as “the sale of student data; or its use or disclosure for purposes of receiving remuneration, whether directly or indirectly; the use of student data for advertising purposes, or to develop, improve or market products or services to students.” The services of a third-party contractor provided to an educational agency pursuant to a valid contract, for the exclusive purpose for which the contract was put in place, are not a prohibited commercial or marketing purpose. While the contract with the vendor must comply with the requirements for third-party contractors found in Education Law § 2-d and Part 121 of the Commissioner’s regulations, the vendor is not prohibited from undertaking activities pursuant to the contract to provide the contracted-for service(s). Such activities may include notifying parents of class photograph sessions and yearbook sales, as this would be part of the service it is providing to the educational agency.

Parents' Bill of Rights FAQs

# Questions Answers
8 Must the School District list the Data Privacy Officer on the Parents' Bill of Rights? The school district must include the name of the individual designated to receive complaints and that individual’s phone number, email and mailing address. The DPO may be the individual designated to serve this function. Without the inclusion of such information, parents, eligible students, teachers and principals may not know whom to contact at the school district regarding an unauthorized data release complaint.

E-Mail FAQs

# Questions Answers
9 Please advise what is the proper syntax for students using school district email. Are we being advised to not have first and last name as part of the username? Education Law § 2-d(1)(d) incorporates the definition of personally identifiable information (“PII”) contained in the Family Educational Rights and Privacy Act, 20 USC § 1232g, and its implementing regulations, 34 CFR § 99.3 (“FERPA”). PII from the student records of an educational agency is subject to the protections of Education Law § 2-d. While a student’s name is always PII, Education Law § 2-d (7)(d) provides that: Nothing in this section shall limit the administrative use of student data or teacher or principal data by a person acting exclusively in the person's capacity as an employee of an educational agency or of the state or any of its political subdivisions, any court or the federal government that is otherwise required by law. Thus, the use of a student’s name by an educational agency employee for an administrative purpose required by law is permissible. Although the use of an email system may not be expressly required by law, such a use has become an integral part of education and its administration in today’s schools, and therefore, Education Law § 2-d (7)(d) would apply. We note that a valid email address, or syntax, typically includes three (3) parts: the Username, the “@” or “at symbol,” and the Domain name. The first part, or Username, is a unique name that can be a real name or a nickname but must be unique with the same provider. The username an educational agency utilizes should be given careful consideration based on its intended use, including purposes other than communicating with the teacher and other classroom students. An educational agency should comply with industry standards and best practices for data security and privacy as required by Education Law §2-d and Part 121 of the Regulations of the Commissioner of Education.
As with any issue involving student data privacy and security, please first consult with your LEA’s counsel or chief privacy officer. Your LEA and/or ISP may have additional policies and procedures that dictate correct email syntax and appropriate use guidelines.
10 Is there any guidance regarding PII and communication about students via email? Education Law § 2-d(5)(b) requires educational agencies to adopt data privacy and data security protections. One of the data security protections is the encryption of data both in motion and at rest, and the adoption of “safeguards to ensure personally identifiable information is not accessed by unauthorized persons when transmitted over communication networks.” Education Law § 2-d(5)(b)(2). Simply, when PII is emailed, it should be encrypted.

Incident Reporting FAQs

# Questions Answers
11 Do you require educational agencies to report incidents of unsecured/unencrypted emails that are sent to and received by intended parties? Section 121.12(f) of Part 121 of the Commissioner of Education’s regulations requires encryption of email messages that include student PII. Part 121 also adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework 1.1 as the standard for educational agencies’ privacy and security programs and policies. It addresses practices for protecting data both at rest and in transit. We recommend that your data teams review these, and the encryption requirements set forth in the regulation. With that being said, you do not have to report unencrypted email messages that are received by the intended recipient. You must, however, report incidents where a student’s PII is erroneously disclosed to or received/accessed by a person not authorized to receive it to the Chief Privacy Officer of NYSED.
12 What incidents need to be reported to the CPO? Should educational agencies report unsuccessful phishing attempts? You do not have to report the receipt of phishing email. If the phishing email leads to the installation of malware that compromises the security of the educational agency’s network and/or the personally identifiable information it contains, the incident must be reported to the Chief Privacy Officer of NYSED.
13 When a BOCES is the entity entering into a contract with a third-party vendor for software, and school districts purchase it through a CO-SER, who has the responsibility for notifying individuals in the event of a data breach (8 NYCRR § 121.10)? Although the BOCES would be the party to the contract with the third-party vendor, it would be the school district who would typically discover or receive notice of a breach. School districts would also typically maintain the contact information for any affected students or staff, not the BOCES. Should the BOCES and school districts work together to send out one notice, or do they need to send two separate notices? When there has been a security breach resulting in unauthorized release of data that includes personally identifiable information (“PII”), Education Law § 2-d(6)(b) requires each educational entity whose data has been subject to an unauthorized release to provide the statutorily prescribed notifications. The Commissioner’s regulations found in 8 NYCRR Part 121 (the “Regulations”) do not change this duty; the Regulations do, however, clarify this duty and provide a definition of the term “breach.” As relevant to your question, § 121.10 of the Regulations provides, among other things, deadlines for notification after a breach or unauthorized release of information that includes PII to affected parents, eligible students, teachers and principals, as well as requirements for such notification. The duty imposed by Education Law § 2-d(6)(b) and § 121.10 of the Regulations does not change simply because software is purchased through a CO-SER.
Unless either the agreement between a School District and BOCES provides otherwise or the third party contractor’s security breach causes the unauthorized release of data including PII that is BOCES data, BOCES is not required to provide notice when the disclosed data resulting from the third party contractor’s security breach is data belonging to a School District that purchased the third party contractor’s software through a CO-SER.

DPO FAQs

# Questions Answers
14 How do I register my school district or other educational agency’s Data Privacy Officer (DPO) with NYSED? NYSED has been collecting the names and contact information of DPOs using SEDREF. To register or replace a DPO, the school district must send a letter on district letterhead to datasupport@nysed.gov. The letter should include the DPO’s name, email address and phone number. This procedure is very similar to the process outlined at: http://www.oms.nysed.gov/sedref/home.html.
15 It makes sense for our school district to appoint two people for the Data Privacy Officer role—one who would specialize in data privacy and legal issues (i.e., the Chief Privacy Officer, currently me), and one who is an expert in data security matters. This latter role would be filled either by the Chief of Staff or (currently vacant but we are looking to fill) the Chief Information Security Officer. Is that allowed? While the language of the regulation, in section 121.8, appears to envision one DPO, given the large size of your school district, your proposal makes sense and is not prohibited by the regulation. The only caveat I would add is that one person should hold the DPO title (even if it is an additional title) because the regulation provides that the DPO will “serve as a point of contact for data security and privacy for the agency.”

General FAQs

# Questions Answers
16 Will there be additional funding for compliance with Part 121 of the Commissioner’s regulations? We are not aware of any specific plans to provide funding.