In accordance with New York State Education Law Section 2-d, the Fonda-Fultonville Central School District provides the following Parents’ Bill of Rights for Data Privacy and Security, which is applicable to all students and their parents and legal guardians.
(1) A student’s personally identifiable information cannot be sold or released for any commercial purposes;
(2) In accordance with FERPA and Section 2-d of the New York State Education Law, parents have the right to inspect and review the complete contents of their child’s education record;
(3) State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls and password protection, must be in place when data is stored or transferred;
(4) A complete list of all student data elements collected by the State is available for public review by writing to the Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany NY 12234, email to CPO@mail.nysed.gov. The complaint process is under development and will be established through regulations to be proposed by NYSED’s Chief Privacy Officer, who has not yet been appointed.
(5) Parents have the right to submit complaints about possible breaches of student data. Any such complaint must be submitted, in writing, to the Superintendent of Schools. Please see Appendix for contact information.
Please submit complaints about possible breaches of student data. Any such complaint must be submitted in writing to:
Mr. Thomas Ciaccio — Superintendent of Schools
Phone: 518-853-4415 ext. 4230
Address: P.O. Box 1501, 112 Old Johnstown Road, Fonda, NY 12068
Disclosure of Information to Third Party Contractors
In addition to the Parents’ Bill of Rights, Education Law §2-d also imposes obligations with respect to a school district’s disclosure of student information to third party contractors, consultants or vendors. Specifically, the law requires that contracts between school districts and third party contractors/consultants/vendors include a data security and privacy plan that outlines how all state, Federal, and local data security and privacy contract requirements will be implemented over the life of the contract, consistent with the educational agency’s policy on data security and privacy. Such plan shall include, but not be limited to, a signed copy of the Parents’ Bill of Rights and a requirement that any officers and employees of the contractor, including any assignees, who have access to student data or teacher or principal data have received or will receive training on the federal and state law governing confidentiality of such data prior to receiving access. Please be advised that to date, the standards for a school district’s policy on data security and privacy have not been promulgated by SED in the form of anticipated Regulations. Thus, our advice to clients may change as to what is included and in what manner as the Regulations develop. We will continue to update our school district clients.
Also, any third party contractor/consultant/vendor that enters into an agreement with an educational agency under which the contractor/consultant/vendor will receive student, teacher or principal data shall include supplemental contractual language regarding confidentiality. “Data” for students is defined as the types of records currently protected by FERPA with which you are already familiar. “Data” for teachers and principals is defined as personally identifiable information relating to annual professional performance reviews.
Although the Commissioner’s Regulations will likely impose additional requirements, our office offers the following Statement of Assurances which currently fulfills the obligations imposed by this statute. This could be referenced in and attached to any school district contract with an outside contractor, consultant or vendor who may come into possession of student, teacher, or principal data. What follows provides the basic assurances now known based on the language of the statute:
In compliance with Education Law §2-d and as a condition of the Agreement with the Fonda-Fultonville Central School District (“District”), ____________ (“Contractor/Consultant”) hereby assures and warrants it shall:
(1) Limit internal access to education records to those individuals determined to have legitimate educational interests;
(2) Not use the education records for any other purposes than those explicitly authorized by the School District in the Agreement;
(3) With the exception of authorized representatives of the Contractor carrying out their obligations pursuant to the Agreement, not disclose personally identifiable information to any other party without the prior written consent of the parent or eligible student or unless required by statute or court order and upon notice to the Board of Education prior to disclosure;
(4) Maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable student information in its custody; and
(5) Use encryption technology to protect data from unauthorized disclosure using technology or methodology specified by the secretary of the United States Department of Health and Human Services.
Contractor affirms its employees and officers who will have access to protected data have received or will receive training on federal and state laws governing confidentiality of student, teacher, or principal data prior to receiving any access pursuant to this Agreement. Contractor acknowledges that any breach or unauthorized release of personally identifiable information in violation of applicable state or federal laws, the Parent Bill of Rights, District data privacy and security policies and/or any contractual obligation relating to data privacy and security, shall require immediate notification to the District and may subject the Contractor to civil penalties up to $150,000.
Furthermore, in the event of a breach or unauthorized disclosure of student information or teacher or principal data, the Chief Privacy Officer, after permitting the Contractor notice and an opportunity to be heard, may order the Contractor be (1) precluded from accessing student data from the School District, or if such disclosure was knowing and reckless, from any School District in the State, for a period of up to five (5) years; and/or (2) prohibit the Contractor from being deemed a responsible bidder or offeror on any contract with an educational agency that involves the sharing of student data or teacher or principal data for a period of up to five (5) years; and/or (3) require training to the Contractor’s employees and officers at the Contractor’s expense regarding student confidentiality and data privacy pursuant to State and Federal laws.