Rev.

7-29-14
1

PARENTS BILL OF RIGHTS
FOR DATA PRIVACY AND SECURITY

To satisfy their responsibilities regarding the provision of education to students in pre-
kindergarten through grade twelve, educational agencies (as defined below) in the State of
New York collect and maintain certain personally identifiable information from the education
records of their students. As part of the Common Core Implementation Reform Act, Education
Law 2-d requires that each educational agency in the State of New York must develop a
Parents Bill of Rights for Data Privacy and Security (Parents Bill of Rights). The Parents Bill
of Rights must be published on the website of each educational agency, and must be included
with every contract the educational agency enters into with a third party contractor (as defined
below) where the third party contractor receives student data, or certain protected
teacher/principal data related to Annual Professional Performance Reviews that is designated as
confidential pursuant to Education Law 3012-c (APPR data).

The purpose of the Parents Bill of Rights is to inform parents (which also include legal
guardians or persons in parental relation to a student, but generally not the parents of a student
who is age eighteen or over) of the legal requirements regarding privacy, security and use of
student data. In addition to the federal Family Educational Rights and Privacy Act (FERPA),
Education Law 2-d provides important new protections for student data, and new remedies for
breaches of the responsibility to maintain the security and confidentiality of such data.

A. What are the essential parents rights under the Family Educational Rights and Privacy
Act (FERPA) relating to personally identifiable information in their childs student
records?

The rights of parents under FERPA are summarized in the Model Notification of Rights
prepared by the United States Department of Education for use by schools in providing
annual notification of rights to parents. It can be accessed at
http://www2.ed.gov/policy/gen/guid/fpco/ferpa/lea-officials.html, and a copy is attached to
this Parents Bill of Rights. Complete student records are maintained by schools and school
districts, and not at the New York State Education Department (NYSED). Further, NYSED
would need to establish and implement a means to verify a parents identity and right of
access to records before processing a request for records to the school or school district.
Therefore, requests to access student records will be most efficiently managed at the school
or school district level.

Parents rights under FERPA include:

1. The right to inspect and review the student's education records within 45 days after
the day the school or school district receives a request for access.
2. The right to request amendment of the students education records that the parent or
eligible student believes are inaccurate, misleading, or otherwise in violation of the
students privacy rights under FERPA. Complete student records are maintained by
schools and school districts and not at NYSED, which is the secondary repository of
Rev. 7-29-14
2

data, and NYSED make amendments to school or school district records. Schools and
school districts are in the best position to make corrections to students education
records.
3. The right to provide written consent before the school discloses personally
identifiable information (PII) from the student's education records, except to the
extent that FERPA authorizes disclosure without consent (including but not limited to
disclosure under specified conditions to: (i) school officials within the school or
school district with legitimate educational interests; (ii) officials of another school for
purposes of enrollment or transfer; (iii) third party contractors providing services to,
or performing functions for an educational agency; (iv) authorized representatives of
the U. S. Comptroller General, the U. S. Attorney General, the U.S. Secretary of
Education, or State and local educational authorities, such as NYSED; (iv) (v)
organizations conducting studies for or on behalf of educational agencies) and (vi) the
public where the school or school district has designated certain student data as
directory information (described below). The attached FERPA Model Notification
of Rights more fully describes the exceptions to the consent requirement under
FERPA).
4. Where a school or school district has a policy of releasing directory information
from student records, the parent has a right to refuse to let the school or school district
designate any all of such information as directory information. Directory
information, as defined in federal regulations, includes: the students name, address,
telephone number, email address, photograph, date and place of birth, major field of
study, grade level, enrollment status, dates of attendance, participation in officially
recognized activities and sports, weight and height of members of athletic teams,
degrees, honors and awards received and the most recent educational agency or
institution attended. Where disclosure without consent is otherwise authorized under
FERPA, however, a parents refusal to permit disclosure of directory information
does not prevent disclosure pursuant to such separate authorization.
5. The right to file a complaint with the U.S. Department of Education concerning
alleged failures by the School to comply with the requirements of FERPA.
B. What are parents rights under the Personal Privacy Protection Law (PPPL), Article 6-
A of the Public Officers Law relating to records held by State agencies?
The PPPL (Public Officers Law 91-99) applies to all records of State agencies and is not
specific to student records or to parents. It does not apply to school districts or other local
educational agencies. It imposes duties on State agencies to have procedures in place to
protect from disclosure of personal information, defined as information which because of a
name, number, symbol, mark or other identifier, can be used to identify a data subject (in
this case the student or the students parent). Like FERPA, the PPPL confers a right on the
data subject (student or the students parent) to access to State agency records relating to
them and requires State agencies to have procedures for correction or amendment of records.
Rev. 7-29-14
3

A more detailed description of the PPPL is available from the Committee on Open
Government of the New York Department of State. Guidance on what you should know
about the PPPL can be accessed at http://www.dos.ny.gov/coog/shldno1.html. The
Committee on Open Governments address is Committee on Open Government, Department
of State, One Commerce Plaza, 99 Washington Avenue, suite 650, Albany, NY 12231, their
email address is [email protected], and their telephone number is (518) 474-2518.
C. Parents Rights Under Education Law 2-d relating to Unauthorized Release of
Personally Identifiable Information
1. What educational agencies are included in the requirements of Education Law
2-d?

The New York State Education Department (NYSED);
Each public school district;
Each Board of Cooperative Educational Services or BOCES; and
All schools that are:
o a public elementary or secondary school;
o a universal pre-kindergarten program authorized pursuant to Education Law
3602-e;
o an approved provider of preschool special education services;
o any other publicly funded pre-kindergarten program;
o a school serving children in a special act school district as defined in Education
Law 4001; or
o certain schools for the education of students with disabilities - an approved private
school, a state-supported school subject to the provisions of Education Law
Article 85, or a state-operated school subject to Education Law Article 87 or 88.

2. What kind of student data is subject to the confidentiality and security requirements
of Education Law 2-d?

The law applies to personally identifiable information contained in student records of an
educational agency listed above. The term student refers to any person attending or
seeking to enroll in an educational agency, and the term personally identifiable
information (PII) uses the definition provided in FERPA. Under FERPA, personally
identifiable information or PII includes, but is not limited to:

(a) The students name;
(b) The name of the students parent or other family members;
(c) The address of the student or students family;
(d) A personal identifier, such as the students social security number, student
number, or biometric record;
(e) Other indirect identifiers, such as the students date of birth, place of birth, and
Mothers Maiden Name
1
;

1
Please note that NYSED does not collect certain information defined in FERPA, such as students social security
numbers, biometric records, mothers maiden name (unless used as the mothers legal name).
Rev. 7-29-14
4

(f) Other information that, alone or in combination, is linked or linkable to a specific
student that would allow a reasonable person in the school community, who does not
have personal knowledge of the relevant circumstances, to identify the student with
reasonable certainty; or
(g) Information requested by a person who the educational agency or institution
reasonably believes knows the identity of the student to whom the education record
relates.

3. What kind of student data is not subject to the confidentiality and security
requirements of Education Law 2-d?

The confidentiality and privacy provisions of Education Law 2-d and FERPA extend
only to PII, and not to student data that is not personally identifiable. Therefore, de-
identified data (e.g., data regarding students that uses random identifiers), aggregated
data (e.g., data reported at the school district level) or anonymized data that could not be
used to identify a particular student is not considered to be PII and is not within the
purview of Education Law 2-d or within the scope of this Parents Bill of Rights.

4. What are my rights under Education Law 2-d as a parent regarding my students
PII?

Education Law 2-d ensures that, in addition to all of the protections and rights of parents
under the federal FERPA law, certain rights will also be provided under the Education
Law. These rights include, but are not limited to, the following elements:
(A) A student's PII cannot be sold or released by the educational agency for any
commercial or marketing purposes.
o PII may be used for purposes of a contract that provides payment to a vendor
for providing services to an educational agency as permitted by law.
o However, sale of PII to a third party solely for commercial purposes or receipt
of payment by an educational agency, or disclosure of PII that is not related to a
service being provided to the educational agency, is strictly prohibited.

(B) Parents have the right to inspect and review the complete contents of their child's
education record including any student data stored or maintained by an
educational agency.
o This right of inspection is consistent with the requirements of FERPA. In
addition to the right of inspection of the educational record, Education Law
2-d provides a specific right for parents to inspect or receive copies of any
data in the students educational record.
o NYSED will develop policies for annual notification by educational agencies
to parents regarding the right to request student data. Such policies will
specify a reasonable time for the educational agency to comply with such
requests.
Rev. 7-29-14
5

o The policies will also require security measures when providing student data
to parents, to ensure that only authorized individuals receive such data. A
parent may be asked for information or verifications reasonably necessary to
ensure that he or she is in fact the students parent and is authorized to receive
such information pursuant to law.

(C) State and federal laws protect the confidentiality of PII, and safeguards associated
with industry standards and best practices, including, but not limited to,
encryption, firewalls, and password protection, must be in place when data is
stored or transferred.

Education Law 2-d also specifically provides certain limitations on the collection of data
by educational agencies, including, but not limited to:
(A) A mandate that, except as otherwise specifically authorized by law, NYSED shall
only collect PII relating to an educational purpose;

(B) NYSED may only require districts to submit PII, including data on disability
status and student suspensions, where such release is required by law or otherwise
authorized under FERPA and/or the New York State Personal Privacy Law; and
(C) Except as required by law or in the case of educational enrollment data, school
districts shall not report to NYSED student data regarding juvenile delinquency
records, criminal records, medical and health records or student biometric
information.
(D) Parents may access the NYSED Student Data Elements List, a complete list of all
student data elements collected by NYSED, at
http://www.p12.nysed.gov/irs/sirs/documentation/NYSEDstudentData.xlsx, or may
obtain a copy of this list by writing to the Office of Information & Reporting
Services, New York State Education Department, Room 863 EBA, 89
Washington Avenue, Albany, NY 12234; and
(E) Parents have the right to file complaints with an educational agency about
possible breaches of student data by that educational agencys third party
contractors or their employees, officers, or assignees, or with NYSED.
Complaints to NYSED should be directed in writing to the Chief Privacy Officer,
New York State Education Department, 89 Washington Avenue, Albany NY
12234, email to [email protected]. The complaint process is under
development and will be established through regulations to be proposed by
NYSEDs Chief Privacy Officer, who has not yet been appointed.
o Specifically, the Commissioner of Education, after consultation with the
Chief Privacy Officer, will promulgate regulations establishing procedures for
the submission of complaints from parents, classroom teachers or building
principals, or other staff of an educational agency, making allegations of
improper disclosure of student data and/or teacher or principal APPR data by
a third party contractor or its officers, employees or assignees.
Rev. 7-29-14
6

o When appointed, the Chief Privacy Officer of NYSED will also provide a
procedure within NYSED whereby parents, students, teachers,
superintendents, school board members, principals, and other persons or
entities may request information pertaining to student data or teacher or
principal APPR data in a timely and efficient manner.
5. Must additional elements be included in the Parents Bill of Rights.?
Yes. For purposes of further ensuring confidentiality and security of student data, as an
appendix to the Parents Bill of Rights each contract an educational agency enters into
with a third party contractor shall include the following supplemental information:
(A) the exclusive purposes for which the student data, or teacher or principal data, will be
used;

(B) how the third party contractor will ensure that the subcontractors, persons or entities
that the third party contractor will share the student data or teacher or principal data
with, if any, will abide by data protection and security requirements;

(C) when the agreement with the third party contractor expires and what happens to the
student data or teacher or principal data upon expiration of the agreement;

(D) if and how a parent, student, eligible student, teacher or principal may challenge the
accuracy of the student data or teacher or principal data that is collected; and

(E) where the student data or teacher or principal data will be stored (described in such a
manner as to protect data security), and the security protections taken to ensure such
data will be protected, including whether such data will be encrypted.
a. In addition, the Chief Privacy Officer, with input from parents and other
education and expert stakeholders, is required to develop additional elements
of the Parents Bill of Rights to be prescribed in Regulations of the
Commissioner.

6. What protections are required to be in place if an educational agency contracts with
a third party contractor to provide services, and the contract requires the disclosure
of PII to the third party contractor?
Education Law 2-d provides very specific protections for contracts with third party
contractors, defined as any person or entity, other than an educational agency, that
receives student data or teacher or principal data from an educational agency pursuant to
a contract or other written agreement for purposes of providing services to such
educational agency. The term third party contractor also includes an educational
partnership organization that receives student and/or teacher or principal APPR data from
a school district to carry out its responsibilities pursuant to Education Law 211-e, and a
not-for-profit corporation or other non-profit organization, which are not themselves
covered by the definition of an educational agency.

Rev. 7-29-14
7

Services of a third party contractor covered under Education Law 2-d include, but not
limited to, data management or storage services, conducting studies for or on behalf of
the educational agency, or audit or evaluation of publicly funded programs.

When an educational agency enters into a contract with a third party contractor, under
which the third party contractor will receive student data, the contract or agreement must
include a data security and privacy plan that outlines how all state, federal, and local data
security and privacy contract requirements will be implemented over the life of the
contract, consistent with the educational agency's policy on data security and privacy.
However, the standards for an educational agencys policy on data security and privacy
must be prescribed in Regulations of the Commissioner that have not yet been
promulgated. A signed copy of the Parents Bill of Rights must be included, as well as a
requirement that any officers or employees of the third party contractor and its assignees
who have access to student data or teacher or principal data have received or will receive
training on the federal and state law governing confidentiality of such data prior to
receiving access.
Each third party contractor that enters into a contract or other written agreement with an
educational agency under which the third party contractor will receive student data or teacher or
principal data shall:
o limit internal access to education records to those individuals that are determined
to have legitimate educational interests
o not use the education records for any other purposes than those explicitly
authorized in its contract;
o except for authorized representatives of the third party contractor to the extent
they are carrying out the contract, not disclose any PII to any other party (i)
without the prior written consent of the parent or eligible student; or (ii) unless
required by statute or court order and the party provides a notice of the disclosure
to NYSED, district board of education, or institution that provided the
information no later than the time the information is disclosed, unless providing
notice of the disclosure is expressly prohibited by the statute or court order;
o maintain reasonable administrative, technical and physical safeguards to protect
the security, confidentiality and integrity of PII in its custody; and
o use encryption technology to protect data while in motion or in its custody from
unauthorized disclosure.

7. What steps can and must be taken in the event of a breach of confidentiality or security?

Upon receipt of a complaint or other information indicating that a third party contractor may
have improperly disclosed student data, or teacher or principal APPR data, NYSEDs Chief
Privacy Officer is authorized to investigate, visit, examine and inspect the third party
contractor's facilities and records and obtain documentation from, or require the testimony of,
Rev. 7-29-14
8

any party relating to the alleged improper disclosure of student data or teacher or principal
APPR data.
Where there is a breach and unauthorized release of PII by a by a third party contractor or its
assignees (e.g., a subcontractor): (i) the third party contractor must notify the educational
agency of the breach in the most expedient way possible and without unreasonable delay;
(ii) the educational agency must notify the parent in the most expedient way possible and
without unreasonable delay; and (iii) the third party contractor may be subject to certain
penalties including, but not limited to, a monetary fine; mandatory training regarding federal
and state law governing the confidentiality of student data, or teacher or principal APPR
data; and preclusion from accessing any student data, or teacher or principal APPR data,
from an educational agency for a fixed period up to five years.

8. Data Security and Privacy Standards

Upon appointment, NYSEDs Chief Privacy Officer will be required to develop, with input
from experts, standards for educational agency data security and privacy policies. The
Commissioner will then promulgate regulations implementing these data security and privacy
standards.

9. No Private Right of Action

Please note that Education Law 2-d explicitly states that it does not create a private right of
action against NYSED or any other educational agency, such as a school, school district or
BOCES.
Rev. 7-29-14
9

ATTACHMENT
Model Notification of Rights under FERPA for Elementary and Secondary
Schools

The Family Educational Rights and Privacy Act (FERPA) affords parents and students who are
18 years of age or older ("eligible students") certain rights with respect to the student's education
records. These rights are:
1. The right to inspect and review the student's education records within 45 days after the
day the [Name of school (School)] receives a request for access.
Parents or eligible students should submit to the school principal [or appropriate
school official] a written request that identifies the records they wish to inspect. The
school official will make arrangements for access and notify the parent or eligible
student of the time and place where the records may be inspected.
2. The right to request the amendment of the students education records that the parent
or eligible student believes are inaccurate, misleading, or otherwise in violation of the
students privacy rights under FERPA.
Parents or eligible students who wish to ask the [School] to amend a record should
write the school principal [or appropriate school official], clearly identify the part of
the record they want changed, and specify why it should be changed. If the school
decides not to amend the record as requested by the parent or eligible student, the
school will notify the parent or eligible student of the decision and of their right to a
hearing regarding the request for amendment. Additional information regarding the
hearing procedures will be provided to the parent or eligible student when notified of
the right to a hearing.
3. The right to provide written consent before the school discloses personally
identifiable information (PII) from the student's education records, except to the
extent that FERPA authorizes disclosure without consent.
One exception, which permits disclosure without consent, is disclosure to school
officials with legitimate educational interests. A school official is a person employed
by the school as an administrator, supervisor, instructor, or support staff member
(including health or medical staff and law enforcement unit personnel) or a person
serving on the school board. A school official also may include a volunteer or
contractor outside of the school who performs an institutional service of function for
which the school would otherwise use its own employees and who is under the direct
control of the school with respect to the use and maintenance of PII from education
records, such as an attorney, auditor, medical consultant, or therapist; a parent or
student volunteering to serve on an official committee, such as a disciplinary or
grievance committee; or a parent, student, or other volunteer assisting another school
official in performing his or her tasks. A school official has a legitimate educational
Rev. 7-29-14
10

interest if the official needs to review an education record in order to fulfill his or her
professional responsibility.
[Optional] Upon request, the school discloses education records without consent to
officials of another school district in which a student seeks or intends to enroll, or is
already enrolled if the disclosure is for purposes of the students enrollment or
transfer. [NOTE: FERPA requires a school district to make a reasonable attempt to
notify the parent or student of the records request unless it states in its annual
notification that it intends to forward records on request.]
4. The right to file a complaint with the U.S. Department of Education concerning
alleged failures by the [School] to comply with the requirements of FERPA. The
name and address of the Office that administers FERPA are:
Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202
[NOTE: In addition, a school may want to include its directory information public notice, as
required by 99.37 of the regulations, with its annual notification of rights under FERPA.]
[Optional] See the list below of the disclosures that elementary and secondary schools may
make without consent.
FERPA permits the disclosure of PII from students education records, without consent of the
parent or eligible student, if the disclosure meets certain conditions found in 99.31 of the
FERPA regulations. Except for disclosures to school officials, disclosures related to some
judicial orders or lawfully issued subpoenas, disclosures of directory information, and
disclosures to the parent or eligible student, 99.32 of the FERPA regulations requires the school
to record the disclosure. Parents and eligible students have a right to inspect and review the
record of disclosures. A school may disclose PII from the education records of a student without
obtaining prior written consent of the parents or the eligible student
To other school officials, including teachers, within the educational agency or
institution whom the school has determined to have legitimate educational interests.
This includes contractors, consultants, volunteers, or other parties to whom the school
has outsourced institutional services or functions, provided that the conditions listed
in 99.31(a)(1)(i)(B)(1) - (a)(1)(i)(B)(2) are met. (99.31(a)(1))
To officials of another school, school system, or institution of postsecondary
education where the student seeks or intends to enroll, or where the student is already
enrolled if the disclosure is for purposes related to the students enrollment or
transfer, subject to the requirements of 99.34. (99.31(a)(2))
To authorized representatives of the U. S. Comptroller General, the U. S. Attorney
General, the U.S. Secretary of Education, or State and local educational authorities,
Rev. 7-29-14
11

such as the State educational agency in the parent or eligible students State (SEA).
Disclosures under this provision may be made, subject to the requirements of 99.35,
in connection with an audit or evaluation of Federal- or State-supported education
programs, or for the enforcement of or compliance with Federal legal requirements
that relate to those programs. These entities may make further disclosures of PII to
outside entities that are designated by them as their authorized representatives to
conduct any audit, evaluation, or enforcement or compliance activity on their behalf.
(99.31(a)(3) and 99.35)
In connection with financial aid for which the student has applied or which the
student has received, if the information is necessary to determine eligibility for the
aid, determine the amount of the aid, determine the conditions of the aid, or enforce
the terms and conditions of the aid. (99.31(a)(4))
To State and local officials or authorities to whom information is specifically allowed
to be reported or disclosed by a State statute that concerns the juvenile justice system
and the systems ability to effectively serve, prior to adjudication, the student whose
records were released, subject to 99.38. (99.31(a)(5))
To organizations conducting studies for, or on behalf of, the school, in order to: (a)
develop, validate, or administer predictive tests; (b) administer student aid programs;
or (c) improve instruction. (99.31(a)(6))
To accrediting organizations to carry out their accrediting functions. (99.31(a)(7))
To parents of an eligible student if the student is a dependent for IRS tax purposes.
(99.31(a)(8))
To comply with a judicial order or lawfully issued subpoena. (99.31(a)(9))
To appropriate officials in connection with a health or safety emergency, subject to
99.36. (99.31(a)(10)
Information the school has designated as directory information under 99.37.
(99.31(a)(11))