skip to main content

Preparing for Imminent Changes in the New York State Education Law Regarding Data Privacy

Sara M. Richmond, Bond, Schoeneck & King

Cybersecurity and Data Privacy

As part of the New York State budget for the 2014-2015 school year, Education Law §2-d was enacted to make provisions to protect the personally identifiable information contained in student records and in principal and teacher evaluations. Education Law 2-d set out some basic requirements for protection of this data in all consultant agreements and required that all public-school districts adopt a Parent’s Bill of Rights for Data Privacy. The guidance on the law also indicated that regulations would be forthcoming and that a Chief Data Privacy Officer would be appointed by the State Education Department, shortly. 

A Chief Data Privacy Officer was appointed in August 2016 by the New York State Department of Education and over three years later, it appears certain that new regulations, Part 121 of Title 8 of the NYCRR , will be adopted at the January 13-14, 2020 Board of Regents meeting. These regulations will take effect immediately. 

The most notable new requirements in these proposed regulations concerning Education Law §2-d are:

  1. the specific clarification that Ed. Law 2-d and the ensuing regulations apply not only to public school districts but to Charter Schools and state approved special education schools (collectively referred to herein as “Schools”);
  2. a requirement that the Parent’s Bill of Rights must be included in every contract the school has with third party contractors that receive student, teacher or principal data;
  3. a requirement that all Schools must post information on their websites about the third party agreements implicating private data that they are a party to; and
  4. a requirement that as of June 2020 all Schools must adopt a policy and privacy plan that aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Security Version 1.1 (NIST). 

Effectively, these regulations will impact schools and the products many of them rely on in a basic way. Teachers will no longer be able to use “Click through” programs that collect or use protected data with standard “Terms and Conditions.” Contractors regardless of where they do business must accept the specific requirements in compliance with the Part 121 regulations if they are to do business with a School located in New York State. Many of the programs that Schools rely on may therefore be no longer available as some contractors may not want to comply with the new more stringent New York State privacy requirements. Among those at risk are some of the most commonly used Educational software such as Google Classroom and other Google programs as well as Microsoft FlipGrid. 

While the State Education Department is working with some of the larger and more national purveyors of educational software to ensure that their programs will be compliant with the new regulations and Education Law 2-d, in advance of the adoption of the regulations, clients subject to the law should be ensuring that their Bill of Rights aligns with the new regulations, assign a Data Protection officer and begin to compile a list of all programs currently being used by the School and School staff that receive student, teacher or principal data whether in electronic or more traditional paper format. 

There is no doubt that these new regulations will have an impact on educational agencies. Many educational professionals have become reliant on software and programs which are not individually negotiated and whose terms and conditions of service may not be in compliance with the new Part 121 regulations. Clients are urged to contact their school attorney to prepare for the implementation of the regulations in January 2020.

If you have any questions about this memo, please contact Sara Richmond, any of the attorneys in the Cybersecurity and Data Privacy practice, or the attorney in the firm with whom you are regularly in contact.