As we’ve seen in recent weeks, cyber-security has become a serious issue. The shutdown of a gas pipeline by malicious actors resulted in rising gas prices and empty gas stations. Governments are aware of the importance of cyber-security and have put laws into place that will help strengthen security at institutions they control. One such law is section 2-D of the New York Education Law, which passed in early 2020.
What is the New York Education Law? Who does it apply to? How can you make sure your business is compliant with the law? Let’s find out.
What is NY Ed-Law 2D?
The New York Senate saw the rising threat of security breaches and made the decision to strengthen the security standards in place by establishing laws for the collection and handling of data regarding the personal information of students.
To provide security to both the students and their parents, section 2-D of the New York Education Law was drafted. The law establishes a series of guidelines and requirements that educational facilities and third-party contractors have to follow.
Who Does The Education Law Protect?
Various government agencies have regulations and standards in effect that are designed to protect data. NY Ed-Law 2D is aimed at protecting the privacy rights of individuals who have their data stored on school computers. This includes:
- Students — Here students include any person who has provided information to the school in order to seek enrollment there. So students who have graduated or moved, and are not actively enrolled at the moment also get protection. Any personal information provided by students is protected under the law.
- Parents — The parents of students enrolled or seeking to enroll in a school also share data with schools. In this case, the data of the parents is protected as well. Additionally, parents of minor children have a right to understand how their children are affected by data breaches.
- Staff — Information gathered by the school about teachers and principals is also guarded under section 2-D. This includes performance reviews, personally identifiable information, and any other data that is not subject to release under the broader New York Education Law.
Who Is Affected By The New York State Ed-Law 2D?
It’s important for security that data is protected during every step it takes through the educational system. For that reason, requirements are put into place both for the educational agencies themselves and for any third-party contractors that work with them and have access to any of the protected data. For the purposes of the law, the terms are defined as follows:
An educational agency is any school district, board of cooperative educational services, school, or the education department. The law further defines a school as:
- Any public elementary or secondary school
- The universal pre-kindergarten program authorized by NY Ed-Law
- An approved provider of preschool special education
- Any other publicly funded pre-kindergarten program
- A school serving children in a special act school district as defined by the law
- An approved private school for the education of students with disabilities
- A state-supported school subject to the provisions of article eighty-five of the law
- A state-operated school subject to the provisions of article eighty-seven or eighty-eight of the law
Any person or agency that receives data about a student, parent, teacher, or principal at the school is a third-party contractor. It shall include any entity that receives this data for the purposes of providing services for the school.
What Requirements Does The Law Impose?
There are five major provisions in the law. They impose requirements on how data should be collected, what data is allowed to be collected, and the policies and procedures that must be in place regarding the collection, sharing, and handling of that data. They are outlined in a brief overview below:
- Creation of chief privacy officer — For each department, the commissioner shall appoint a chief privacy officer who is trained or experienced in privacy laws and regulations, civil liberties, information technology, and information security. The privacy officer is appointed for a term of three years and reports directly to the commissioner.
- Disclosure of a parents bill of rights — A parents bill of rights must be created and provided to every parent and third-party contractor that works with the department. The bill of rights should inform parents that their student’s personal information will not be sold or released for commercial purposes, they have a right to inspect and review their child’s entire educational record, laws are in place to protect their personal information, a complete list of data elements collected is available for them to review, and they have a right to be informed about any potential security breaches.
- Data collection requirements — Data collection by the department must be done in the most transparent way practical. In addition, only personally identifiable information that serves an educational purpose may be collected. The release of protected data may only be required when such a release is required by law.
- Data security and privacy standards — The chief privacy officer shall create a set of standards regarding the security and privacy of any personally identifiable information collected under the law. This provision also includes strict requirements about how third parties are allowed to use the data they obtain from a school.
- Data breaches — Any third party with access to protected data is required to immediately inform the school system of any data breaches that affect that information. Any data breaches that the school system is made aware of must be immediately reported to the chief privacy officer as well as anyone who may be impacted by the breach, including students and their parents.
Whether you’re a part of a school system or a third party working with an entity that is, you are required to meet certain requirements under this law. It’s important that you understand what your responsibilities are. Summaries inherently leave things out, and the law itself can be confusing.
If you need help ensuring that your organization remains compliant with NY Ed-Law 2D, contact WPG to see how we can help.