District Websites To Be Monitored For Compliance With Data Security And Privacy Requirements

The New York State Education Department’s (“NYSED”) Privacy Office will begin monitoring educational agencies’ websites for compliance with Education Law § 2-d and the Family Educational Rights and Privacy Act (“FERPA”). Monitoring will begin in the fall of 2023, so districts should review their websites now to ensure compliance with the following requirements:

Education Law § 2-d & Part 121 of the Commissioner’s Regulations

The following must be posted on the District’s website and the information should be easily accessible:

1. The Parents’ Bill of Rights (8 NYCRR § 121.3(a)).

2. Clear information on how parents or eligible students can file a complaint about an unauthorized disclosure of PII (8 NYCRR § 121.4). This information should also be included in the Parents’ Bill of Rights.

3. The Supplemental Information for each third-party contractor that will receive personally identifiable information (“PII”) (8 NYCRR § 121.3(d)).

4. The district’s data security and privacy policy that implements the requirements of Part 121 and aligns with the NIST Cybersecurity Framework (NIST CSF) (8 NYCRR § 121.5(b)).


FERPA

The following should be posted on the District’s website and be easily accessible:

1. The FERPA Annual Notification.
*NYSED determined that a link to the U.S. Department of Education’s FERPA website and/or a link to a board of education policy on privacy is not sufficient FERPA Annual Notification.*

2. The district’s directory information policy which should include the parents’ right to refuse (opt-out of) any or all of the types of information determined to be directory; and the method (including time period) to notify the district of the parent’s choice to opt-out of directory information disclosure (20 USC 1232g (a)(5)(A) and (B) and 34 CFR § 99.37).

3. Although it is best practice to post these items on the website, if the FERPA Annual Notification and the district’s directory information policy are not published on the district’s website, NYSED’s Privacy Office may inquire as to how the district provides this information to parents and eligible students, since the district is required to provide it.

Although not required, model compliance with Education Law § 2-d and FERPA includes maintaining a separate webpage devoted to privacy requirements, with distinct sections addressing the following:

  • The requirements of NY Education Law § 2-d.
  • The district’s data security and privacy policies including the directory information policy.
  • The Parents’ Bill of Rights.
  • The district’s approved software list including the link to the Supplemental Information form of each third-party contractor that will receive PII.
  • Federal laws that protect student data.
  • FERPA Annual Notification including an attached/linked parental opt-out form.
  • Parent resources for data security and privacy.
  • How to report/file complaints of unauthorized disclosures.
  • The District’s Data Protection Officer’s name and contact information.

In addition, districts should expect an email from NYSED’s Privacy Office verifying the accuracy of the data protection officer information on file with NYSED. Some districts will also be asked to share information with NYSED’s Privacy Office regarding their annual data privacy and security awareness training as required by 8 NYCRR § 121.7[1]. NYSED’s Privacy Office may request training sign-in sheets or certifications of completion, dates of training, the training materials themselves, and/or the name of the training service used.

PPRA

Moreover, districts should post all Protection of Pupil Rights Amendment (“PPRA”) notices on their websites. The PPRA requires school districts to adopt several policies regarding surveys of students, instructional materials, physical examinations, personal information used for marketing, and the like. Parents must be notified of these policies at least annually at the beginning of the school year and within a reasonable time after any substantial change to the policies.

If a district plans to (1) use students’ personal information for selling or marketing purposes; (2) administer any survey about any of the eight topics listed in the statute (political beliefs, income, sex behavior or attitudes, etc.); or (3) administer certain non-emergency, invasive physical examinations, the district must directly notify parents, at least annually at the beginning of the school year, of the specific or approximate dates when these activities are scheduled, or expected to be scheduled.

NYSED has provided sample model websites, accessible via the guidance memo found at the following link. A FERPA Model Notification of Rights and a Model Notice for Directory Information may also be accessed through that memo.

https://www.nysed.gov/sites/default/files/programs/data-privacy-security/nysed-privacy-office-website-monitoring-memo-7.19.23.pdf

We hope you find this information helpful. Should you need assistance ensuring compliance with the foregoing, please contact Karen Pokorny at kpokorny@jaspanllp.com.

More information is available via the link below.

https://studentprivacy.ed.gov/sites/default/files/resource_document/file/LEA%20Transparency%20Best%20Practices%20final.pdf


[1] The Commissioner’s Regulations require educational agencies to annually provide data privacy and security awareness training to their officers and employees with access to personally identifiable information. Such training should include but not be limited to training on the State and Federal laws that protect personally identifiable information, and how employees can comply with such laws. Such training may be delivered using online training tools and may be included as part of training the educational agency already offers to its workforce.