THE STATE EDUCATION DEPARTMENT / THE UNIVERSITY OF THE STATE OF NEW YORK / ALBANY, NY 12234
89 Washington Ave, Albany, NY 12234
(518) 474-0937
To comply with Education Law §2-d, the Department promulgated Part 121 of the Commissioner's Regulations, which became effective in January 2020. However, in June the Board of Regents approved the emergency amendment to Part 121 that extended the deadline for educational agencies to post their Data Security and Privacy policy from July 1, 2020 to October 1, 2020. That date has now passed and the NYS Education Department ("Department") expects that all educational agencies are now aligned with the requirements of both the statute and regulation.
Education Law §2-d requires each educational agency to develop and post certain information to its website. Specifically, each educational agency must adopt a Data Privacy and Security Policy. This policy must be posted on the agency's website along with its Bill of Rights for Data Privacy and Security ("Bill of Rights") and Supplemental Information about each contract for services between the agency and a third-party contractor where the contractor receives personally identifiable information protected by Education Law §2-d ("Supplemental Information"). Educational agencies that have not taken these steps should do so.
To aid agencies in their compliance with the above requirements as they further develop their data privacy and security programs, the Department has developed some templates and models that can serve as resources, if needed:
- The Department's Bill of Rights was revised in 2020. Agencies can use this as a template to develop their own bill of rights to fulfil the requirement of publishing it on the agency's website and including it in agreements with third party contractors, as defined in Education Law §2-d.
- The Department's Supplemental Information About Contracts with Third Party Contractors for recent agreements is published as well and available as a resource. We continue to develop this page and update it with information about other qualifying contracts. We have noticed that some agencies are simply restating the five requirements outlined in Education Law §2-d(3)(c)(1) to (5) without including information about the agreement, such as specifying the purpose for which personally identifiable information will be used or when the agreement will expire. Merely restating the language of the statute without including information about the contract does not meet the requirement of the law. Simply posting the agency's Bill of Rights without including supplemental information is also insufficient. To meet the requirement of the law, what is needed is the Bill of Rights included in the agreement with a third-party contractor, along with supplemental information that, at a minimum, addresses the requirements outlined in Education Law.
- The Department's Data Privacy and Security Policy is also available to use as a model for agencies. Educational agencies should note that the Data Privacy and Security Policy required by Education Law §2-d is different from the third-party contractor's Data Privacy and Security Plan that is required to be included in the contract. It is a separate document that outlines an educational agency's policy as it pertains to data privacy and security and is required to align with the National Institute of Standards and Technology's Cybersecurity Framework v1.1 pursuant to Part 121 of the Commissioner's Regulations.
- A core piece of protecting personally identifiable information is managing the risk of the contractors that educational agencies utilize. One way to do so is to include terms and conditions in contracts that properly address Education Law §2-d requirements. The Department developed a Model Data Privacy Agreement, which was distributed to Data Protection Officers in August, to help agencies negotiate and include protective clauses in their agreements with third party contractors. It can serve as a tool in negotiations with third parties to address the requirements of the law.
In addition, educational agencies must also start to make plans for annual training of staff on the policies and procedures that govern the agency's data privacy and security program. It is well recognized that properly trained employees can be an organization's strongest asset when it comes to data privacy and security.
Finally, we urge the few agencies that have not yet appointed a Data Protection Officer ("DPO") to please do so. To register or replace a DPO, send a letter on district letterhead to datasupport@nysed.gov that includes the DPO's name, email address and phone number. The Department regularly communicates with the DPOs about threats that come to our attention, and offers resources through our DPO communication network, and it would be beneficial to educational agencies to have their DPO registered.
We strongly encourage you to please take steps to accomplish the tasks highlighted above as soon as possible to demonstrate to your stakeholders and the public that your agency takes compliance with the law and regulation seriously. Thank you for the work you are doing to protect personally identifiable information and comply with the requirements of Education Law §2-d and Part 121 of the Commissioner's Regulations.
cc: Interim Commissioner Betty A. Rosa
    John D'Agati
    Kim Wilkins