Posted on Aug 29, 2016 in Education
On August 24, 2016, the New York State Education Department (SED) announced the appointment of Temitope Akinyemi as its Chief Privacy Officer (CPO), pointing to the likelihood that new privacy mandates and guidelines for both school districts and BOCES will be announced during this school year. The Chief Privacy Officer position has been vacant since its creation pursuant to Education Law § 2-d(2) in 2014. According to the Department, Ms. Akinyemi previously served as the privacy officer for the state’s Office of Information Technology Services. Her appointment is effective September 22, 2016.
Education Law § 2-d(2) governs student, teacher and principal data privacy and security, and encompasses a broad range of policies and practices SED and school districts need to implement to prevent the unauthorized release of information. The law was enacted in response to the controversy over the State’s planned data dashboard and the role of InBloom. The Chief Privacy Officer is responsible for promoting the implementation of sound practices for the privacy and security of student, teacher and principal data, assisting the Commissioner and educational agencies in meeting their obligations in this regard, and establishing protocols for possible data breaches.
Many of the provisions of the statute were not carried out over the last two years because no CPO had been appointed. Most critically, the statute provides for development of implementing regulations regarding the following: the Parents’ Bill of Rights for Data Privacy and Security (Parents’ Bill of Rights); standards for school policies on data security and privacy; and enforcement of standards with regard to third-party contractors.
Presently, the Parents’ Bill of Rights must state that:
- A student’s personally identifiable information cannot be sold or released for any commercial purposes;
- Parents have the right to inspect and review their child’s education records;
- State and federal laws protect the confidentiality of personally identifiable information, and safeguards in accord with industry standards, such as encryption, firewalls, and password protection, must be in place when data is transferred or stored;
- A complete list of student data elements collected by the State is available for public review, and the Bill of Rights must include the website and/or mailing address where that list is available; and
- Parents have the right to have complaints about possible breaches of student data addressed, and the Bill of Rights must include the contact information of the official to whom complaints may be directed.
Regulations on the Parents’ Bill of Rights will likely add further elements, which would in turn require school districts to update their own documents.
Additionally, policies on data security and privacy are mandated by the statute, and will have to be developed by all school districts once new regulations become effective. The policies must cover, at minimum, data privacy and security protections and application of these requirements to third-party contractors. While the CPO will be involved in developing model policies, school districts need to ensure that their policies meet their own unique needs while complying with the law.
In addition, when school districts contract with a third party that will receive student data or teacher or principal data, the Parents’ Bill of Rights must be supplemented with additional information for each such contract. That information includes, among other things, the purposes for which the data will be used, what happens to the data when the contract expires, and what security measures will be taken to protect the data. Contractors are also expected to sign a copy of the District’s Parents’ Bill of Rights. The statute also gives SED the authority to penalize third-party contractors for the unauthorized release of student, teacher or principal data.
Due to some ambiguity in the statute, many school districts have delayed effectuating this component of the law until implementing regulations are adopted specifying additional elements to the Parents’ Bill of Rights and elaborating on data privacy and security requirements. In any case, third-party contracts with providers who receive student, teacher or principal data will need to be reviewed once new regulations are adopted, either to comply with the law for those school districts that delayed doing so or to ensure continued compliance with the eventual regulatory mandates. There is no way to be certain how long it will take after the CPO assumes her duties before regulations are drafted and implemented.
Regulations will also address a new mandated notice regarding parents’ right to request student data, ensuring the security of student data when it is transmitted, and the time period within which school districts must respond to such requests.
The appointment of SED’s CPO will ultimately complete, both for SED and educational agencies around the state, the implementation of the privacy and security requirements under the Education Law. It will be interesting to see how SED, the Board of Regents and the CPO deal with the implementation of this challenging statutory mandate, which stemmed not from any new educational need, but rather from the backlash over data that was to have been received by InBloom. We will continue to follow the developments in the weeks and months ahead, as these data and privacy requirements will impact many aspects of school district operations.