

January 14, 2019
For More Information Contact:

JP O'Hare

(518) 474-1201



State Education Department Proposes Regulations to Strengthen the Security of Personally Identifiable Information for Students and School Personnel

Proposed Amendments Outline a Comprehensive Set of Requirements for Educational Agencies and Third-Party Contractors to Ensure the Security and Privacy of Protected Information

60-Day Public Comment Period to Be Held

The State Education Department today proposed regulatory changes to increase information security measures to safeguard the Personally Identifiable Information (PII) of students and certain school personnel. The proposed amendments outline requirements for educational agencies and their third-party contractors to ensure the security and privacy of such protected information and were developed in consultation with stakeholders and the public.

“We teach our children to be smart and safe while online, and we owe it to them to take the same precautions with their personal information,” Board of Regents Chancellor Betty A. Rosa said. “The Board of Regents and I are committed to protecting student privacy and ensuring that our children’s information and civil liberties are safeguarded. Many stakeholders helped inform the proposed regulations, so they meet the needs of students, parents, educators and administrators while fulfilling our responsibility to protect our children.”

“The Department uses data to help shape policy and improve student outcomes across the state,” State Education Commissioner MaryEllen Elia said. “Education agencies that collect student and educator data have a responsibility to ensure it is secure. The proposed regulations will have a lasting impact and help protect the valuable information that is in our care as well as the data that local schools have. I thank the members of the Data Privacy Council for its work to craft these proposed regulations.”

The proposed regulations outline the data security and privacy obligations of educational agencies and third-party contractors and establish requirements for contracts and other written agreements where PII will be provided to a third-party contractor. 

Additionally, the regulations establish the National Institute of Standards and Technology (NIST) Cybersecurity Framework as the standard for all educational agencies’ data security and privacy programs and direct educational agencies to ensure that all employees who handle PII receive annual data security and privacy training. The proposed regulations also require that educational agencies identify a data protection officer who will be responsible for the educational agency’s data security and privacy program.

In 2017, the Chief Privacy Officer created the Data Privacy Advisory Council (DPAC), which consists of members drawn from diverse stakeholder groups and includes parents, industry advocates, administrative and teacher organizations and information technology experts. The Council was tasked with assisting in the development of regulatory language and recommending a standard for educational agency data security and privacy policies and practices. To seek public comments and input on additional elements of the parent’s bill of rights and the development of the regulatory proposal, the Department held 14 public forums across the state in May and June and solicited electronic comments during this period. The input received from all stakeholders was critical to developing the draft regulations announced today.

Timetable for Implementation

A Notice of Proposed Rule Making will be published in the State Register about January 30 and commence a 60-day comment period. Comments on the proposed regulation can be submitted by email to

Following the 60-day public comment period required under the State Administrative Procedure Act, it is anticipated that the proposed amendments will be presented to the Board of Regents for adoption at its May 2019 meeting. If adopted, the proposed amendments will become effective July 1.

Public Comment Period Update - 1/30/19

Notice of Proposed Rule Making was published in the State Register on January 30, 2019. NYSED will accept comments on the proposed amendments for 60 days. Please email comments to