To comply with Education Law §2-d, the Department promulgated Part 121 of the Commissioner’s Regulations, which became effective in January 2020. However, in June the Board of Regents approved the emergency amendment to Part 121 that extended the deadline for educational agencies to post their Data Security and Privacy policy from July 1, 2020 to October 1, 2020. That date has now passed and the NYS Education Department (“Department”) expects that all educational agencies are now aligned with the requirements of both the statute and regulation.

Education Law §2-d requires each educational agency to develop and post certain information to its website. Specifically, each educational agency must adopt a Data Privacy and Security Policy. This policy must be posted on the agency’s website along with its Bill of Rights for Data Privacy and Security (“Bill of Rights”) and Supplemental Information about each contract for services between the agency and a third-party contractor where the contractor receives personally identifiable information protected by Education Law §2-d (“Supplemental Information”). Educational agencies that have not taken these steps should do so.

To aid agencies in their compliance with the above requirements as they further develop their data privacy and security programs, the Department has developed some templates and models that can serve as resources, if needed:

• The Department’s Bill of Rights was revised in 2020. Agencies can use this as a template to develop their own bill of rights to fulfil the requirement of publishing it on the agency’s website and including it in agreements with third party contractors, as defined in Education Law §2-d.
   
• The Department’s Supplemental Information About Contracts with Third Party Contractors for recent agreements is published as well and available as a resource. We continue to develop this page and update it with information about other qualifying contracts. We have noticed that some agencies are simply restating the five requirements outlined in Education Law §2-d(3)(c)(1) to (5) without including information about the agreement such as specifying the purpose for which personally identifiable information will be used or when the agreement will expire. Merely restating the language of the statute without including information about the contract does not meet the requirement of the law. Also, simply posting the agency’s Bill of Rights without including supplemental information is also insufficient. To meet the requirement of the law, the Bill of Rights included in the agreement with a third-party contractor along with supplemental information that, at a minimum, addresses the requirements outlined in Education Law is needed.
   
• The Department’s Data Privacy and Security Policy is also available to use as a model for agencies. Educational agencies should note that the Data Privacy and Security Policy required by Education Law §2-d is different from the third-party contractor’s Data Privacy and Security Plan that is required to be included in the contract. It is a separate document that outlines an educational agency’s policy as it pertains to data privacy and security and is required to align with the National Institute of Standards and Technology’s Cybersecurity Framework v1.1 pursuant to Part 121 of the Commissioner’s Regulations.
   
• A core piece of protecting personally identifiable information is managing the risk of the contractors that educational agencies utilize. One way to do so is to include terms and conditions in contracts that properly address Education Law §2-d requirements. The Department developed a Model Data Privacy Agreement to help agencies negotiate and include protective clauses in their agreements with third party contractors that was distributed to Data Protection Officers in August. It can serve as a tool in negotiations with third parties to address the requirements of the law.

In addition, educational agencies must also start to make plans for annual training of staff on the policies and procedures that govern the agency’s data privacy and security program. It is well recognized that properly trained employees can be an organization’s strongest asset when it comes to data privacy and security.

Finally, we urge the few agencies that have not yet appointed a Data Protection Officer (“DPO”) to please do so. To register or replace a DPO, send a letter on district letterhead to datasupport@nysed.gov that includes the DPO’s name, email address and phone number. The Department regularly communicates with the DPOs about threats that come to our attention, and offer resources through our DPO communication network, and it would be beneficial to educational agencies to have their DPO registered.

We strongly encourage you to please take steps to accomplish the tasks highlighted above as soon as possible to demonstrate to your stakeholders and the public that your agency takes compliance with the law and regulation seriously. Thank you for the work you are doing to protect personally identifiable information and comply with the requirements of Education Law §2-d and Part 121 of the Commissioner’s Regulations.

cc:  Interim Commissioner Betty A. Rosa

       John D’Agati

       Kim Wilkins